
SSL Internal Error on request a new SSL certificate

Open DaYroXy opened this issue 2 years ago • 25 comments

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
When trying to request a new SSL certificate I get an internal error.

Nginx Proxy Manager Version
v2.10.4

To Reproduce
Steps to reproduce the behavior:

  1. Go to Hosts
  2. Click on Add Proxy Host
  3. Click on SSL
  4. SSL Certificate > Request a new SSL Certificate
  5. Save > Internal Error

Screenshots

Operating System
Ubuntu 20.04 - 64bit, running Portainer v2.19.2

Additional context
Cloudflare (NO PROXY): A => dayroxy.online => ip, CNAME => * => dayroxy.online

```
2023-11-15 05:51:29,337:DEBUG:acme.client:Storing nonce: GEqhmX18EBYehAoQEeHOv-lemRWL1u8IRLnVc7o6fKR1jTTNhtU
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:Challenge failed for domain portainer.dayroxy.online
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:http-01 challenge for portainer.dayroxy.online
2023-11-15 05:51:29,338:DEBUG:certbot._internal.display.obj:Notifying user: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: portainer.dayroxy.online
  Type:   connection
  Detail: 87.237.52.121: Fetching http://portainer.dayroxy.online/.well-known/acme-challenge/MS4A57_vkBnqeWLmBgQXIt0bxXNSIi88aYDifAQO7dk: Connection reset by peer

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-11-15 05:51:29,339:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-11-15 05:51:29,339:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-11-15 05:51:29,339:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-11-15 05:51:29,339:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/MS4A57_vkBnqeWLmBgQXIt0bxXNSIi88aYDifAQO7dk
2023-11-15 05:51:29,339:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-11-15 05:51:29,340:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-11-15 05:51:29,341:ERROR:certbot._internal.log:Some challenges have failed.
```

DaYroXy avatar Nov 15 '23 06:11 DaYroXy

you can solve this issue by deactivating "Force SSL" OR by adding the following custom location which will catch the letsencrypt requests (basically redirect back to the nginx proxy):

@jc21 this is a common issue with letsencrypt. Could you automatically add the custom location if "Force SSL" is enabled? It seems that a lot of people are bothered by this issue. See for example: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/396


jucajuca avatar Nov 15 '23 10:11 jucajuca

you can solve this issue by deactivating "Force SSL" OR by adding the following custom location which will catch the letsencrypt requests (basically redirect back to the nginx proxy):

@jc21 this is a common issue with letsencrypt. Could you automatically add the custom location if "Force SSL" is enabled? It seems that a lot of people are bothered by this issue. See for example: #396

Hello! Thanks for the answer. The error happens with or without Force SSL; I still get the same error. Also tried what you told me.

Hello,

DaYroXy avatar Nov 15 '23 11:11 DaYroXy

Same error on my site. Last time I registered a certificate was on the 11. Nov.; now it's not working for a new one anymore.

Gh0stExp10it avatar Nov 16 '23 16:11 Gh0stExp10it

In my case, I wanted to keep ports 80 and 443 open for my private network only, so then I got the same error, "Internal Error." Then I opened the ports to be available on 0.0.0.0/0, and I tried again to generate the SSL certificate with a successful result.

PaulNdrei avatar Nov 17 '23 18:11 PaulNdrei

In my case, I wanted to keep ports 80 and 443 open for my private network only, so then I got the same error, "Internal Error."

Then I opened the ports to be available on 0.0.0.0/0, and I tried again to generate the SSL certificate with a successful result.

Hello! Thanks for the reply, but sadly I also tried to even open all available ports, but sadly it didn't work.

DaYroXy avatar Nov 18 '23 06:11 DaYroXy

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

wkobiela avatar Nov 18 '23 12:11 wkobiela

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do tho?

DaYroXy avatar Nov 19 '23 00:11 DaYroXy

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do tho?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

Gh0stExp10it avatar Nov 19 '23 19:11 Gh0stExp10it

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do tho?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

DaYroXy avatar Nov 19 '23 23:11 DaYroXy

Same issue and none of the workarounds worked for me.

any suggestions?

kpleines avatar Nov 20 '23 10:11 kpleines

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do tho?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

Could you check what reply you get if you open your public IPv4 with port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Gh0stExp10it avatar Nov 20 '23 12:11 Gh0stExp10it

Weird, but you are right. I checked my router settings - port 80 open. Used https://portchecker.co/check-it to verify - closed. Removed settings, set up port forwarding once again and verified -> port open.

NPM worked and renewed all my certificates.

wkobiela avatar Nov 20 '23 19:11 wkobiela

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do tho?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

Could you check what reply you get if you open your public IPv4 with port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah, I got the hello page; ports 80, 81, 443 are open with a few more, but no luck. According to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

I think it's something with the certbot command.

DaYroXy avatar Nov 20 '23 19:11 DaYroXy

Adding network_mode: host in the docker-compose.yml fixed it for me.

jsbrain avatar Nov 20 '23 19:11 jsbrain

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do tho?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

Could you check what reply you get if you open your public IPv4 with port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah, I got the hello page; ports 80, 81, 443 are open with a few more, but no luck. According to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

I think it's something with the certbot command.

Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a Portainer instance, which already wants to listen on a secure SSL connection, for example. And another idea: did you also check your public domain (or DynDNS address), whether the landing page showed up there too (regarding the IP updates)?

Gh0stExp10it avatar Nov 22 '23 14:11 Gh0stExp10it

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do tho?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

Could you check what reply you get if you open your public IPv4 with port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah, I got the hello page; ports 80, 81, 443 are open with a few more, but no luck. According to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. I think it's something with the certbot command.

Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a Portainer instance, which already wants to listen on a secure SSL connection, for example. And another idea: did you also check your public domain (or DynDNS address), whether the landing page showed up there too (regarding the IP updates)?

Hi! I tried for multiple domains such as portainer, jelly, nginx, some HTTPS, some not, or even the main domain; nothing worked. For my public domain, yeah, I'm using DNS only without proxy; it's taking me to the correct pages as well as loading the webpages for the correct configuration, so it's working, but only the SSL is not, for any domain / subdomain.

DaYroXy avatar Nov 23 '23 08:11 DaYroXy

Very strange... after reading your comments I reset the ports on my firewall with 80, 443 and 81... Afterwards I was able to create two of four certificates. For the rest the same error appears 😁 I'm very confused now....

But I think it belongs to my specific proxy host configurations.

I will test, but then the solution was: port 81 must be open on your router/firewall...

simowNgithub avatar Nov 25 '23 09:11 simowNgithub

Very strange... after reading your comments I reset the ports on my firewall with 80, 443 and 81... Afterwards I was able to create two of four certificates. For the rest the same error appears 😁 I'm very confused now....

But I think it belongs to my specific proxy host configurations.

I will test, but then the solution was: port 81 must be open on your router/firewall...

Glad that a reset helped. However, port 81 does not need to be accessible from outside, as this is only used for the dashboard. The certificate should be validated via port 80.

Gh0stExp10it avatar Nov 27 '23 10:11 Gh0stExp10it

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

That's so weird, what can we do tho?

I don't know what causes the problems after all, but after a complete cleanup of the NPM setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird.

Could you check what reply you get if you open your public IPv4 with port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah, I got the hello page; ports 80, 81, 443 are open with a few more, but no luck. According to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. I think it's something with the certbot command.

Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a Portainer instance, which already wants to listen on a secure SSL connection, for example. And another idea: did you also check your public domain (or DynDNS address), whether the landing page showed up there too (regarding the IP updates)?

Hi! I tried for multiple domains such as portainer, jelly, nginx, some HTTPS, some not, or even the main domain; nothing worked. For my public domain, yeah, I'm using DNS only without proxy; it's taking me to the correct pages as well as loading the webpages for the correct configuration, so it's working, but only the SSL is not, for any domain / subdomain.

Are you also sure that the DynDNS updates are working correctly? That would be the only explanation I can think of for it not being accessible after all the configurations.

Gh0stExp10it avatar Nov 27 '23 10:11 Gh0stExp10it
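The three checks this thread keeps circling back to, whether port 80 on the public address reaches NPM at all (Gh0stExp10it's "open your public IPv4 with port 80"), whether a Force SSL redirect answers before the challenge file does (the custom-location workaround jucajuca posted), and whether the name still resolves to the right address (the DynDNS question), can be run in one go by fetching the challenge path exactly as the CA does. The script below is an added example written for this thread; it is not code from nginx-proxy-manager or from anyone in the issue. Everything it assumes is constructed: the hostname example.test used only for the offline demo, the webroot /data/letsencrypt-acme-challenge taken from the certbot log at the top of the issue, and two local stand-in servers (one serving the webroot, one behaving like a host with Force SSL on) so the probe can be exercised without a public domain.

```python
# Added example for this issue: fetch the http-01 path the way the CA does.
# Constructed assumptions: hostname example.test, the webroot from the certbot log,
# and local stand-in servers (plain webroot vs Force SSL) for offline testing.
import functools
import http.client
import http.server
import os
import secrets
import socket
import tempfile
import threading

CHALLENGE_DIR = ".well-known/acme-challenge"
DEFAULT_WEBROOT = "/data/letsencrypt-acme-challenge"  # path certbot's webroot plugin used in the log

def resolve(host):
    """Addresses the name resolves to right now; empty set if DNS has no answer."""
    try:
        return {i[4][0] for i in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return set()

def place_token(webroot, token):
    """Write a probe file where certbot's webroot plugin would write the challenge."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    body = secrets.token_urlsafe(16)
    with open(os.path.join(path, token), "w", encoding="ascii") as fh:
        fh.write(body)
    return body

def fetch_challenge(host, token, expected_body, connect_to=None, port=80, timeout=10):
    """GET /.well-known/acme-challenge/<token> over plain HTTP, never following redirects.
    Verdicts: OK, REDIRECT_TO_HTTPS (Force SSL answers before the challenge file),
    WRONG_CONTENT (another server answered), REFUSED / RESET / UNREACHABLE, HTTP_<code>."""
    conn = http.client.HTTPConnection(connect_to or host, port, timeout=timeout)
    try:
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        location = resp.getheader("Location") or ""
    except ConnectionRefusedError:
        return "REFUSED"
    except ConnectionResetError:  # what the CA reported in the log: "Connection reset by peer"
        return "RESET"
    except OSError:  # DNS failure, timeout, no route
        return "UNREACHABLE"
    finally:
        conn.close()
    if resp.status == 200:
        return "OK" if body.strip() == expected_body else "WRONG_CONTENT"
    if resp.status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return "REDIRECT_TO_HTTPS"
    return f"HTTP_{resp.status}"

def probe(host, webroot, connect_to=None, port=80):
    """Drop a token into the webroot, fetch it back as the CA would, then clean up."""
    token = secrets.token_urlsafe(32)
    expected = place_token(webroot, token)
    try:
        return fetch_challenge(host, token, expected, connect_to=connect_to, port=port)
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))

class _Webroot(http.server.SimpleHTTPRequestHandler):  # stand-in for nginx serving the webroot
    def log_message(self, *args):
        pass

class _ForceSSL(http.server.BaseHTTPRequestHandler):  # stand-in for a host with Force SSL on
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", f"https://{self.headers.get('Host')}{self.path}")
        self.end_headers()

    log_message = _Webroot.log_message

def serve_local(webroot, force_ssl=False):
    """Throwaway server on 127.0.0.1 with an OS-chosen port, for offline testing."""
    handler = _ForceSSL if force_ssl else functools.partial(_Webroot, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    """Probe both stand-ins; returns {'plain_http': 'OK', 'force_ssl': 'REDIRECT_TO_HTTPS'}."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        for name, force_ssl in (("plain_http", False), ("force_ssl", True)):
            srv = serve_local(webroot, force_ssl)
            try:
                results[name] = probe("example.test", webroot, "127.0.0.1", srv.server_address[1])
            finally:
                srv.shutdown()
                srv.server_close()
    return results

if __name__ == "__main__":
    print(demo())  # against a real host: resolve("<your hostname>"), probe("<your hostname>", DEFAULT_WEBROOT)
```

Run it inside the NPM container (the only place the webroot is writable) with your own hostname substituted: a REDIRECT_TO_HTTPS verdict is the case jucajuca's custom location fixes, RESET, REFUSED or UNREACHABLE matches the "Connection reset by peer" in the log and points at port forwarding or a firewall rather than at certbot, and a resolve() result that differs from the public IP you expect is the DynDNS case. Because a probe from inside the LAN may succeed through hairpin NAT while the CA's fetch from outside fails, repeat it from a host outside the network (Beat2er's country-based firewall rules later in the thread are exactly that kind of difference).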

network_mode: host

Adding network_mode: host in the docker-compose.yml fixed it for me.

thx, this also fixed it for me, but when I tried, you maybe also need to ensure ports 80, 81, and 443 belong to NPM

zemise avatar Nov 27 '23 16:11 zemise

Very strange... after reading your comments I reset the ports on my firewall with 80, 443 and 81... Afterwards I was able to create two of four certificates. For the rest the same error appears 😁 I'm very confused now.... But I think it belongs to my specific proxy host configurations. I will test, but then the solution was: port 81 must be open on your router/firewall...

Glad that a reset helped. However, port 81 does not need to be accessible from outside, as this is only used for the dashboard. The certificate should be validated via port 80.

Then it is stranger than strange 🤣 Because this was the only change (open port 81). After that it works. Before only ports 80 and 443 were opened and I was able to create the certificates x months before.

simowNgithub avatar Nov 27 '23 18:11 simowNgithub

Very strange... after reading your comments I reset the ports on my firewall with 80, 443 and 81... Afterwards I was able to create two of four certificates. For the rest the same error appears 😁 I'm very confused now....

But I think it belongs to my specific proxy host configurations.

I will test, but then the solution was: port 81 must be open on your router/firewall...

I really don't understand, but I can confirm that exposing port 81 indeed solved the issue.... I normally only have 443 exposed; now I also exposed 80, but that didn't help. After also exposing 81 I was able to renew all certs and create one new cert 😄 All without issues. Afterwards I quickly closed 80 and 81 again and everything is good 👍🏻 Although I really don't understand why exposing 81 fixed that.

EinToni avatar Dec 04 '23 17:12 EinToni

I have tried everything listed above and still having the issue.

danny3n1tech avatar Jan 22 '24 16:01 danny3n1tech

A little bit out of context, but the reason it failed for me was the new software firewall, which had rules based on countries (everything worked from my devices). I didn't notice since renewal is only every 60 days (I guess). Maybe check access from different hosts and packet captures, this is how I got further.

Beat2er avatar Jan 27 '24 14:01 Beat2er

Adding network_mode: host in the docker-compose.yml fixed it for me.

I have been struggling with this for weeks now and this fixed it for me.

In Portainer go to Containers -> on the Container -> click Exec Console (looks like this >_ ) -> Connect -> Paste "curl -vvvv -I -L -k --tlsv1.2 https://google.com/" and Enter in the console. If you get a failure your DNS is not resolving and this is your problem, add "network_mode: host" to your compose file. See a copy of my compose below.

A little side note, my certs now auto renew for the first time ;-)

```yaml
version: "3.8"
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    container_name: Nginx_PMA
    restart: always
    # With network_mode: host Docker ignores these mappings and the container
    # binds 80, 81 and 443 directly on the host.
    ports:
      - '81:80'
      - '8443:443'
      - '82:81'
    volumes:
      - /home/pi/nginx/data:/data
      - /home/pi/nginx/letsencrypt:/etc/letsencrypt
    depends_on:
      - db
    # Posted at the bottom of the file; placed under the NPM service here,
    # since that is the container running certbot.
    network_mode: host

  db:
    image: jc21/mariadb-aria:latest
    container_name: Nginx_PMDB
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: 'Password_Here'
      MYSQL_DATABASE: 'Nginx_DB'
      MYSQL_USER: 'Nginx_Admin_Here'
      MYSQL_PASSWORD: 'Admin_Password_Here'
    volumes:
      - /home/pi/nginx/data/mysql:/var/lib/mysql
```

Silversurfer79 avatar Feb 20 '24 08:02 Silversurfer79

Still got this issue. Kind of annoying you're just... Stuck... SSL so easy ! (no)


```
CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
An unexpected error occurred:
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: alchimia.ink, retry after 2024-03-12T17:30:31Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:518:28)
    at maybeClose (node:internal/child_process:1105:16)
    at Socket.<anonymous> (node:internal/child_process:457:11)
    at Socket.emit (node:events:518:28)
    at Pipe.<anonymous> (node:net:337:12)
```

tr1p0p avatar Mar 11 '24 09:03 tr1p0p

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

firefox7518 avatar Mar 22 '24 09:03 firefox7518

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host" to the bottom of the stack allows auto renew of the certs in the last 30 days.

Silversurfer79 avatar Mar 22 '24 10:03 Silversurfer79

Still got this issue. Kind of annoying you're just... Stuck... SSL so easy ! (no)


```
CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
An unexpected error occurred:
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: alchimia.ink, retry after 2024-03-12T17:30:31Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:518:28)
    at maybeClose (node:internal/child_process:1105:16)
    at Socket.<anonymous> (node:internal/child_process:457:11)
    at Socket.emit (node:events:518:28)
    at Pipe.<anonymous> (node:net:337:12)
```

Your issue is you have requested too many certs for the domain already; you must read the Let's Encrypt terms, there is a limit on the certs you can request per month/day I guess.

Your issue has nothing to do with ssl renewals.

Silversurfer79 avatar Mar 22 '24 10:03 Silversurfer79

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host" to the bottom of the stack allows auto renew of the certs in the last 30 days.

Well I tried that and now I cannot login anymore!!!! Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking it up, it seems that dozens of others also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....

firefox7518 avatar Mar 22 '24 13:03 firefox7518