jlesage / docker-nginx-proxy-manager

Docker container for Nginx Proxy Manager
MIT License

[Bug] Certs won't be renewed (not automatically nor manually) #306

Open nephilim75 opened 9 months ago

nephilim75 commented 9 months ago

Current Behavior

Certs won't be renewed automatically.

Expected Behavior

Certs will be renewed automatically

Steps To Reproduce

Just running NPM as a docker container on an unraid server running the latest version. I am not so familiar with running docker containers, so I might not have enough information to troubleshoot. Please guide me to provide all relevant information.

Docker container itself seems to work fine. Version should be up to date. I can reach the web UI but I want to have automatic renewal of certs in place.

Any idea what I could try to get this fixed?

Environment

Container creation

default settings. No changes done

Container log

[10/11/2023] [2:10:59 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Some challenges have failed.
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-21 with error: Some challenges have failed.
Failed to renew certificate npm-22 with error: Some challenges have failed.
Failed to renew certificate npm-4 with error: Some challenges have failed.
Failed to renew certificate npm-7 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-21/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-22/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
6 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

Container inspect

root@Tower:~# docker inspect Nginx-Proxy-Manager-Official 
[
    {
        "Id": "43f9d9490cb361dd2c9dee4ab78ee89ae7fed49f220716ccf9951c6c75a24f06",
        "Created": "2023-08-16T10:27:15.572601527Z",
        "Path": "/init",
        "Args": [],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 14383,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2023-09-03T07:06:54.717732879Z",
            "FinishedAt": "2023-09-03T06:38:25.985558634Z"
        },
        "Image": "sha256:9c3f57826a5d0a82720533269d1996931d471f8130a0edb58d4a6602a0a13a8c",
        "ResolvConfPath": "/var/lib/docker/containers/43f9d9490cb361dd2c9dee4ab78ee89ae7fed49f220716ccf9951c6c75a24f06/resolv.conf",
        "HostnamePath": "/var/lib/docker/containers/43f9d9490cb361dd2c9dee4ab78ee89ae7fed49f220716ccf9951c6c75a24f06/hostname",
        "HostsPath": "/var/lib/docker/containers/43f9d9490cb361dd2c9dee4ab78ee89ae7fed49f220716ccf9951c6c75a24f06/hosts",
        "LogPath": "/var/lib/docker/containers/43f9d9490cb361dd2c9dee4ab78ee89ae7fed49f220716ccf9951c6c75a24f06/43f9d9490cb361dd2c9dee4ab78ee89ae7fed49f220716ccf9951c6c75a24f06-json.log",
        "Name": "/Nginx-Proxy-Manager-Official",
        "RestartCount": 0,
        "Driver": "btrfs",
        "Platform": "linux",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": [
                "/mnt/user/appdata/Nginx-Proxy-Manager-Official/data:/data:rw",
                "/mnt/user/appdata/Nginx-Proxy-Manager-Official/letsencrypt:/etc/letsencrypt:rw",
                "/tmp/Nginx-Proxy-Manager-Official/var/log:/var/log:rw"
            ],
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "json-file",
                "Config": {}
            },
            "NetworkMode": "br0",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "no",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "CgroupnsMode": "private",
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "private",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 1073741824,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": [],
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DeviceCgroupRules": null,
            "DeviceRequests": null,
            "KernelMemory": 0,
            "KernelMemoryTCP": 0,
            "MemoryReservation": 0,
            "MemorySwap": -1,
            "MemorySwappiness": null,
            "OomKillDisable": null,
            "PidsLimit": null,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "MaskedPaths": [
                "/proc/asound",
                "/proc/acpi",
                "/proc/kcore",
                "/proc/keys",
                "/proc/latency_stats",
                "/proc/timer_list",
                "/proc/timer_stats",
                "/proc/sched_debug",
                "/proc/scsi",
                "/sys/firmware"
            ],
            "ReadonlyPaths": [
                "/proc/bus",
                "/proc/fs",
                "/proc/irq",
                "/proc/sys",
                "/proc/sysrq-trigger"
            ]
        },
        "GraphDriver": {
            "Data": null,
            "Name": "btrfs"
        },
        "Mounts": [
            {
                "Type": "bind",
                "Source": "/mnt/user/appdata/Nginx-Proxy-Manager-Official/data",
                "Destination": "/data",
                "Mode": "rw",
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/mnt/user/appdata/Nginx-Proxy-Manager-Official/letsencrypt",
                "Destination": "/etc/letsencrypt",
                "Mode": "rw",
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/tmp/Nginx-Proxy-Manager-Official/var/log",
                "Destination": "/var/log",
                "Mode": "rw",
                "RW": true,
                "Propagation": "rprivate"
            }
        ],
        "Config": {
            "Hostname": "43f9d9490cb3",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "443/tcp": {},
                "80/tcp": {},
                "81/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "TZ=Europe/Berlin",
                "HOST_CONTAINERNAME=Nginx-Proxy-Manager-Official",
                "TCP_PORT_443=443",
                "TCP_PORT_3000=3000",
                "HOST_OS=Unraid",
                "HOST_HOSTNAME=Tower",
                "TCP_PORT_81=81",
                "TCP_PORT_80=80",
                "DB_SQLITE_FILE=/data/database.sqlite",
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt",
                "OPENRESTY_VERSION=1.21.4.2",
                "CROWDSEC_OPENRESTY_BOUNCER_VERSION=0.1.7",
                "CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt",
                "SUPPRESS_NO_CONFIG_WARNING=1",
                "S6_BEHAVIOUR_IF_STAGE2_FAILS=1",
                "S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0",
                "S6_FIX_ATTRS_HIDDEN=1",
                "S6_KILL_FINISH_MAXTIME=10000",
                "S6_VERBOSITY=1",
                "NODE_ENV=production",
                "NPM_BUILD_VERSION=2.10.4",
                "NPM_BUILD_COMMIT=fe93cb3",
                "NPM_BUILD_DATE=2023-08-14 23:19:12 UTC"
            ],
            "Cmd": null,
            "Healthcheck": {
                "Test": [
                    "NONE"
                ]
            },
            "Image": "jc21/nginx-proxy-manager",
            "Volumes": {
                "/data": {},
                "/etc/letsencrypt": {}
            },
            "WorkingDir": "/app",
            "Entrypoint": [
                "/init"
            ],
            "OnBuild": null,
            "Labels": {
                "maintainer": "Jamie Curnow <jc@jc21.com>",
                "net.unraid.docker.icon": "https://nginxproxymanager.com/icon.png",
                "net.unraid.docker.managed": "dockerman",
                "net.unraid.docker.webui": "http://[IP]:[PORT:81]",
                "org.label-schema.cmd": "docker run --rm -ti jc21/nginx-proxy-manager:latest",
                "org.label-schema.description": "Docker container for managing Nginx proxy hosts with a simple, powerful interface ",
                "org.label-schema.license": "MIT",
                "org.label-schema.name": "nginx-proxy-manager",
                "org.label-schema.schema-version": "1.0",
                "org.label-schema.url": "https://github.com/jc21/nginx-proxy-manager",
                "org.label-schema.vcs-url": "https://github.com/jc21/nginx-proxy-manager.git"
            }
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "f56be7b623d1185adefb5652e34b4e6949c9019afaa9fa98c5b559aa6fb40bac",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {},
            "SandboxKey": "/var/run/docker/netns/f56be7b623d1",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {
                "br0": {
                    "IPAMConfig": {},
                    "Links": null,
                    "Aliases": [
                        "43f9d9490cb3"
                    ],
                    "NetworkID": "7b6f4f51755cda4cb201e22faf948ce81fcf41ab45af4889ec29efff3fd7ca76",
                    "EndpointID": "619f1699fd979c9ea84d5283b00e39bdfab7299909d6004c5d24c636700214b1",
                    "Gateway": "192.168.178.1",
                    "IPAddress": "192.168.178.2",
                    "IPPrefixLen": 24,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "",
                    "DriverOpts": {}
                }
            }
        }
    }
]
root@Tower:~#

Anything else?

No response

z0rg0n commented 7 months ago

I seem to be having a similar issue with a similar OS. The certs maybe seem to be updating automatically now but any time I try to renew them manually or test the site I get an error and NPM crashes.

OS: unraid
OS version: 6.12.3
CPU: AMD Ryzen 7 2700X Eight-Core @ 3700 MHz

│ Application:           Nginx Proxy Manager                           │
│ Application Version:   2.10.4                                        │
│ Docker Image Version:  23.08.1                                       │
│ Docker Image Platform: linux/amd64 

z0rg0n commented 7 months ago

Container Log:

text error warn system array login

[cont-init ] 55-nginx-proxy-manager.sh: - /config/nginx/proxy_host/9.conf
[cont-init ] 55-nginx-proxy-manager.sh: - /config/nginx/resolvers.conf
[cont-init ] 55-nginx-proxy-manager.sh: - /config/nginx/default_host/site.conf
[cont-init ] 55-nginx-proxy-manager.sh: terminated successfully.
[cont-init ] 85-take-config-ownership.sh: executing...
[cont-init ] 85-take-config-ownership.sh: terminated successfully.
[cont-init ] 89-info.sh: executing...
╭――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――╮
│ │
│ Application: Nginx Proxy Manager │
│ Application Version: 2.10.4 │
│ Docker Image Version: 23.08.1 │
│ Docker Image Platform: linux/amd64 │
│ │
╰――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――╯
[cont-init ] 89-info.sh: terminated successfully.
[cont-init ] all container initialization scripts executed.
[init ] giving control to process supervisor.
[supervisor ] loading services...
[supervisor ] loading service 'default'...
[supervisor ] loading service 'app'...
[supervisor ] loading service 'nginx'...
[supervisor ] loading service 'logmonitor'...
[supervisor ] service 'logmonitor' is disabled.
[supervisor ] loading service 'logrotate'...
[supervisor ] service 'logrotate' is disabled.
[supervisor ] loading service 'cert_cleanup'...
[supervisor ] all services loaded.
[supervisor ] starting services...
[supervisor ] starting service 'nginx'...
[supervisor ] starting service 'app'...
[app ] [12/5/2023] [9:20:14 PM] [Global ] › ℹ info Using Sqlite: /data/database.sqlite
[cert_cleanup] ----------------------------------------------------------
[cert_cleanup] Let's Encrypt certificates cleanup - 2023/12/05 21:20:14
[cert_cleanup] ----------------------------------------------------------
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-6/privkey2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-6/fullchain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-6/cert2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-6/chain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-1/cert2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-1/privkey2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-1/chain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-1/fullchain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-5/privkey2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-5/fullchain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-5/chain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-5/cert2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-8/fullchain1.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-8/privkey1.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-8/chain1.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-8/cert1.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-2/chain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-2/privkey2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-2/cert2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-2/fullchain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-10/fullchain1.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-10/cert1.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-10/privkey1.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-10/chain1.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-7/fullchain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-7/chain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-7/cert2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-7/privkey2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-3/chain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-3/fullchain2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-3/privkey2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-3/cert2.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-9/privkey1.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-9/chain1.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-9/cert1.pem.
[cert_cleanup] Keeping /etc/letsencrypt/archive/npm-9/fullchain1.pem.
[cert_cleanup] 36 file(s) kept.
[cert_cleanup] 0 file(s) deleted.
[app ] [12/5/2023] [9:20:15 PM] [Migrate ] › ℹ info Current database version: none
[app ] [12/5/2023] [9:20:15 PM] [Setup ] › ℹ info Logrotate Timer initialized
[app ] [12/5/2023] [9:20:15 PM] [Setup ] › ℹ info Logrotate completed.
[app ] [12/5/2023] [9:20:15 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[app ] [12/5/2023] [9:20:15 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[supervisor ] all services started.
[app ] [12/5/2023] [9:20:15 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[app ] [12/5/2023] [9:20:15 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[app ] [12/5/2023] [9:20:15 PM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[app ] [12/5/2023] [9:20:15 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[app ] [12/5/2023] [9:20:15 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[app ] [12/5/2023] [9:20:15 PM] [Global ] › ℹ info Backend PID 434 listening on port 3000 ...
[app ] [12/5/2023] [9:20:17 PM] [Nginx ] › ℹ info Reloading Nginx
[app ] [12/5/2023] [9:20:17 PM] [SSL ] › ℹ info Renew Complete
[app ] [12/5/2023] [10:20:15 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[app ] [12/5/2023] [10:20:18 PM] [Nginx ] › ℹ info Reloading Nginx
[app ] [12/5/2023] [10:20:18 PM] [SSL ] › ℹ info Renew Complete

jlesage commented 7 months ago

@nephilim75, since you are using jc21's image, you should create your issue there instead: https://github.com/NginxProxyManager/nginx-proxy-manager/issues

jlesage commented 7 months ago

@z0rg0n, I don't see any error in what you shared. Can you provide more details about the errors ?

z0rg0n commented 7 months ago

Sure thing @jlesage

The error first occurred in October sometime and it was fine before then. It seems like a few other people were having similar issues around then both here in github and on the unraid forum.

I noticed that when I tried to navigate to my page through the URL I get a 502 error: [image]

My set up is cloudflare>duck DNS>nginx PM>various docker containers. It seems like the issue is with nginx PM since I can reach the dockers on the local network fine and I haven't changed anything in cloudflare or anywhere else.

At first the logs were giving me a renew cert error of some kind but that seems to be resolved in the logs I shared.

When I open up NGINX PM I can click around fine but when I go to the SSL tab and try to test connections it gives me the error 'Communication with the API failed, is NPM running correctly?' Then the entire docker container stops.

Renewing certificates or creating new certificates give me the error 'Internal Error' but does not shut down the container.

A weird bit is I installed the official NGINX docker container and it gives the same errors.

I'm not great at all this sys admin stuff so I'm sorry if that's too much or too little info. But if you or someone can give me some direction if it's not actually a bug it would be much appreciated. I've exhausted all my knowledge and troubleshooting ability.

jlesage commented 7 months ago

> Then the entire docker container stops.

Can you share the container's log when this happens ?

z0rg0n commented 7 months ago

When I navigate to the SSL Certificate page, click the 3 dots, then click 'Renew Now' the log outputs the following:

[app         ] [12/10/2023] [9:57:46 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #7: nextcloud.jessecloud.club
[app         ] [12/10/2023] [9:57:46 PM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-7" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
[app         ] [12/10/2023] [9:58:19 PM] [Express  ] › ⚠  warning   Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-7" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
[app         ] Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
[app         ] Failed to renew certificate npm-7 with error: Some challenges have failed.
[app         ] All renewals failed. The following certificates could not be renewed:
[app         ]   /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
[app         ] 1 renew failure(s), 0 parse failure(s)
[app         ] Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

When I test server reachability on that same page, just before it crashes the log looks like this: [image]

Once it crashes the log closes so I couldn't copy the text.

jlesage commented 7 months ago

Ok so there are 2 different problems.

Clicking Test Server Reachability causes a crash, but this is an isolated issue that doesn't affect normal functionality of NPM.

For the renew issue, did you check at /tmp/letsencrypt-log/letsencrypt.log (inside the container) to see the details about the problem ?
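
Added example, not part of the thread and not code from this project or from certbot: a small triage script for the `certbot renew` output quoted above. It accepts both the bare form from the first log and the `[app ]`-prefixed form from the "Renew Now" log, lists which certificates failed and why, and picks up the debug log path to read next. It assumes the text covers a single renewal run; the function name `summarize_renewal` is made up for this example.

```python
import re

# Supervisor prefix such as "[app         ] " seen on lines in this thread's logs.
PREFIX = re.compile(r"^\[[a-z_-]+\s*\]\s?")
FAILED = re.compile(r"Failed to renew certificate (\S+) with error: (.+)$")
LISTED = re.compile(r"^\s*/etc/letsencrypt/live/([^/]+)/fullchain\.pem \(failure\)")
SUMMARY = re.compile(r"(\d+) renew failure\(s\), (\d+) parse failure\(s\)")
DEBUG_LOG = re.compile(r"Saving debug log to (\S+)")

# Sample input copied from the first log quoted in this thread.
SAMPLE_BARE = """\
Failed to renew certificate npm-1 with error: Some challenges have failed.
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-21 with error: Some challenges have failed.
Failed to renew certificate npm-22 with error: Some challenges have failed.
Failed to renew certificate npm-4 with error: Some challenges have failed.
Failed to renew certificate npm-7 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-21/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-22/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
6 renew failure(s), 0 parse failure(s)
"""

# Sample input copied from the manual "Renew Now" log quoted in this thread.
SAMPLE_PREFIXED = """\
[app         ] Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
[app         ] Failed to renew certificate npm-7 with error: Some challenges have failed.
[app         ] All renewals failed. The following certificates could not be renewed:
[app         ]   /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
[app         ] 1 renew failure(s), 0 parse failure(s)
"""


def summarize_renewal(log_text):
    """Summarize one certbot renew run (assumes the text covers a single run)."""
    failed, listed = {}, []
    counts = debug_log = None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw, count=1)  # drop "[app ]" if present
        if m := FAILED.search(line):
            failed[m.group(1)] = m.group(2).strip()
        elif m := LISTED.match(line):
            listed.append(m.group(1))
        elif m := SUMMARY.search(line):
            counts = (int(m.group(1)), int(m.group(2)))
        elif m := DEBUG_LOG.search(line):
            debug_log = m.group(1)
    # The per-cert errors, the failure list and the count line should agree.
    # If they do not, the log is truncated or mixes runs: do not alert from it.
    consistent = (counts is not None and counts[0] == len(failed)
                  and sorted(listed) == sorted(failed))
    return {
        "failed": failed,                # cert name -> certbot error text
        "renew_failures": counts[0] if counts else None,
        "parse_failures": counts[1] if counts else None,
        "debug_log": debug_log,          # path inside the container
        "consistent": consistent,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_BARE, SAMPLE_PREFIXED):
        print(summarize_renewal(sample))
```

The `debug_log` value is a path inside the container, so the file has to be read there.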

z0rg0n commented 6 months ago

Thank you for the help! It looks like it's not an issue with Nginx.

jlesage commented 6 months ago

> Thank you for the help! It looks like it's not an issue with Nginx.

You are talking about the renew failure ?

z0rg0n commented 6 months ago

Yes. I posted in the Let's Encrypt forum and they stated it's some issue with Cloudflare not being configured:

Or maybe it's saying that my server isn't configured correctly 😮‍💨 in which case I'm back to troubleshooting Nginx I guess.

Either way though I think you can close this bug report, thank you.

https://community.letsencrypt.org/t/proxy-manager-worked-for-weeks-then-one-day-stopped-certificates-wont-renew-lets-encrypt-error-111-connection-refused/209935/2