
NPM HTTPS consistently breaks until configuration is reapplied in the WebUI

Open · watn3y opened this issue 2 years ago · 11 comments

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug: Sometimes, and I can't really pin down when, HTTPS sites added in NPM break. This can happen after a container restart or during normal operation. When this happens, Chrome reports either ERR_HTTP2_PROTOCOL_ERROR or NET::ERR_CERT_AUTHORITY_INVALID with a certificate issued to and from localhost. Restarting the container or the host doesn't seem to fix this issue.

Accessing the same URL over HTTP instead of HTTPS works perfectly fine.

The only reliable way to fix this seems to be to click Edit and then Save on each individual Proxy Host.

Nginx Proxy Manager Version: v2.9.18

Expected behavior: NPM directs the traffic normally.

Screenshots: [image not captured]

Operating System: Debian 11

watn3y · Sep 06 '22 16:09

I can replicate this: if I edit the whitelist which is applied to my sites, I get the 'localhost' certificate.

The steps detailed above (clicking on each site to edit, then saving without changing anything) fix it.

qbiecom · Sep 11 '22 20:09

I too can replicate this - same steps as above. It is a pain to go through 30+ sites every few weeks.

timothevs · Sep 26 '22 13:09

Same problem here. Here's a dump of the config before and after reapplying the settings through the WebUI.

Take a look at the sections around the "listen 443" settings (lines 14-15 in the screenshot) and "Let's Encrypt" (lines 21-25); it seems that parts of the config are replaced by whitespace.


Before:

# ------------------------------------------------------------
# nginxpm.______.dk
# ------------------------------------------------------------


server {
  set $forward_scheme http;
  set $server         "docker3.______.local";
  set $port           18081;

  listen 80;
#listen [::]:80;

					 
				 


  server_name nginxpm.______.dk;


					 
														 
										  
															
															  




# Asset Caching
  include conf.d/include/assets.conf;


  # Block Exploits
  include conf.d/include/block-exploits.conf;







			   
										  





  access_log /data/logs/proxy-host-1_access.log proxy;
  error_log /data/logs/proxy-host-1_error.log warn;







  location / {




    # Access Rules
    allow 192.168.30.100;
    allow 192.168.30.200;
    allow 192.168.30.0/24;
    deny all;

    # Access checks must...

    satisfy all;









    # Proxy!
    include conf.d/include/proxy.conf;
  }


  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

After:

# ------------------------------------------------------------
# nginxpm.______.dk
# ------------------------------------------------------------


server {
  set $forward_scheme http;
  set $server         "docker3.______.local";
  set $port           18081;

  listen 80;
#listen [::]:80;

listen 443 ssl http2;
#listen [::]:443;


  server_name nginxpm.______.dk;


  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-2/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-2/privkey.pem;




# Asset Caching
  include conf.d/include/assets.conf;


  # Block Exploits
  include conf.d/include/block-exploits.conf;







    # Force SSL
    include conf.d/include/force-ssl.conf;





  access_log /data/logs/proxy-host-1_access.log proxy;
  error_log /data/logs/proxy-host-1_error.log warn;







  location / {




    # Access Rules
    allow 192.168.30.100;
    allow 192.168.30.200;
    allow 192.168.30.0/24;
    deny all;

    # Access checks must...

    satisfy all;









    # Proxy!
    include conf.d/include/proxy.conf;
  }


  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

tsvane · Oct 04 '22 19:10

Same problem here, same solution. I did notice that it happened when I saved a modification to my restricted access list, and it only affected vhosts set to that access list.

rachelf42 · Oct 07 '22 03:10

Adding this here as I had opened #2392 for the same issue. A short-term, brute-force workaround is a cronjob to back up any .conf that contains letsencrypt every other minute and put it back every 5 minutes. It's messy, but it's keeping the SSL for now.

# Every 5 minutes: restore the saved copies over the live proxy-host configs
*/5 * * * * rsync -az /root/npm/ /root/docker/nginx-proxy-manager/data/nginx/proxy_host/ >/dev/null 2>&1
# Every other minute: copy each host config that still contains its Let's Encrypt section into the backup dir.
# grep -l exits 0 only on a match, so the cp only runs for files that still have the SSL section.
# (The search path is made explicit here; as posted it was "find ." relative to cron's working directory, and the
# "\;" terminators had been eaten by markdown.)
1-59/2 * * * * find /root/docker/nginx-proxy-manager/data/nginx/proxy_host -type f -exec grep -l "letsencrypt-acme-challenge" {} \; -exec cp {} /root/npm/ \; >/dev/null 2>&1

outerregion · Nov 12 '22 22:11

Just wanted to add a 'me too' to this - same problem, same workaround. Annoying when you have lots of proxy hosts that you manually have to edit and save (or disable/enable).

derekoharrow · Nov 21 '22 10:11

Automation of the Edit+Save workaround with PowerShell

$Username = ""
$Password = ""
$NginxPMServer = "http://<ip>:<port>"

# Log in and get a Bearer token
$LoginResponse = Invoke-WebRequest -UseBasicParsing -Uri "$($NginxPMServer)/api/tokens" -Method "POST" -ContentType "application/json; charset=UTF-8" -Body "{`"identity`":`"$($Username)`",`"secret`":`"$($Password)`"}"
$Bearer = ($LoginResponse.Content | ConvertFrom-Json).token

# Request the current proxy-host list from Nginx Proxy Manager
$CurrentConfigResponse = Invoke-WebRequest -UseBasicParsing -Uri "$($NginxPMServer)/api/nginx/proxy-hosts?expand=owner,access_list,certificate" `
    -Method "GET" -Headers @{ "authorization" = "Bearer $($Bearer)" } -ContentType "application/json; charset=UTF-8"
$CurrentConfig = $CurrentConfigResponse.Content | ConvertFrom-Json

# Loop over the hosts and PUT each one back unchanged; this triggers the re-write of the conf files
for ($i = 0; $i -lt $CurrentConfig.Count; $i++) {
    $Config = $CurrentConfig[$i]
    $HostID = $Config.id

    # Keep only the fields the PUT endpoint accepts. -Depth 10 keeps nested objects such as
    # locations and meta intact (ConvertTo-Json only serialises two levels by default).
    $PutObject = $Config | Select-Object domain_names, forward_scheme, forward_host, forward_port, caching_enabled, block_exploits, allow_websocket_upgrade, access_list_id, certificate_id, ssl_forced, http2_support, meta, advanced_config, locations, hsts_enabled, hsts_subdomains | ConvertTo-Json -Depth 10

    Write-Host "[$(($i+1).ToString().PadLeft(3," ")) of $($CurrentConfig.Count) ] Updating config for Proxy Host #$($HostID)"
    Write-Host "`tDomain:  $($Config.domain_names[0])"

    $PutStatistics = Measure-Command -Expression {
        Invoke-WebRequest -UseBasicParsing -Uri "$($NginxPMServer)/api/nginx/proxy-hosts/$($HostID)" `
            -Method "PUT" -Headers @{ "authorization" = "Bearer $($Bearer)" } -ContentType "application/json; charset=UTF-8" -Body $PutObject
    }

    Write-Host "`tCompleted in $([math]::Round($PutStatistics.TotalMilliseconds)) ms"
}

tsvane · Nov 23 '22 14:11
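The before/after dump earlier in the thread gives a way to tell a broken host apart from a healthy one without waiting for a browser error, and the PowerShell script above shows the API calls that regenerate a host's config. The following is an added example (not code from this thread or from the nginx-proxy-manager project) that combines the two: it checks each rendered config for a complete TLS stanza, using the whitespace-only lines from the dump as a fallback signature, and re-saves only the hosts that need it instead of all 30+. Assumptions: the rendered configs live under /data/nginx/proxy_host/ (the directory from the rsync workaround above) and are named <id>.conf, and the API endpoints are the ones the PowerShell script uses. The two sample configs at the bottom are constructed, modelled on the dump.

```python
"""Find NPM proxy hosts whose rendered config lost its TLS stanza and re-save only those.

Added example for this issue thread; not nginx-proxy-manager project code.
Assumed: configs at /data/nginx/proxy_host/<id>.conf, API endpoints as in the
PowerShell script in the thread. The sample configs below are constructed.
"""
import json
import re
import urllib.request
from pathlib import Path
from typing import Optional

# Directives NPM emits for a host that has a certificate attached (see the "After" dump).
LISTEN_443 = re.compile(r"^[ \t]*listen\s+(\[::\]:)?443\b[^\n]*\bssl\b", re.M)
CERT = re.compile(r"^[ \t]*ssl_certificate\s+\S+;", re.M)
CERT_KEY = re.compile(r"^[ \t]*ssl_certificate_key\s+\S+;", re.M)
# Non-empty lines made only of spaces/tabs: what the blanked template output
# looks like in the "Before" dump.
BLANKED = re.compile(r"^[ \t]+$", re.M)

# Fields accepted by PUT /api/nginx/proxy-hosts/<id> (the list the PowerShell script sends back).
PUT_FIELDS = (
    "domain_names", "forward_scheme", "forward_host", "forward_port", "caching_enabled",
    "block_exploits", "allow_websocket_upgrade", "access_list_id", "certificate_id",
    "ssl_forced", "http2_support", "meta", "advanced_config", "locations",
    "hsts_enabled", "hsts_subdomains",
)


def tls_complete(conf: str) -> bool:
    """True when an uncommented 'listen 443 ... ssl', ssl_certificate and ssl_certificate_key all exist."""
    return bool(LISTEN_443.search(conf) and CERT.search(conf) and CERT_KEY.search(conf))


def blanked_lines(conf: str) -> int:
    """Count whitespace-only lines, the visible trace of the blanked template sections."""
    return len(BLANKED.findall(conf))


def is_broken(conf: str, expects_tls: Optional[bool] = None) -> bool:
    """A host is broken when it should serve TLS but its config has no complete TLS stanza.

    With expects_tls (certificate_id != 0 from the API) the check is exact. Without it,
    fall back to the whitespace signature; that heuristic can also flag HTTP-only hosts
    whose template leaves whitespace-only lines behind, so prefer the API-backed form.
    """
    if tls_complete(conf):
        return False
    if expects_tls is not None:
        return expects_tls
    return blanked_lines(conf) > 0


def put_body(host: dict) -> dict:
    """Reduce a GET response object to the fields the PUT endpoint accepts."""
    return {k: host[k] for k in PUT_FIELDS if k in host}


def api(server: str, path: str, token: Optional[str] = None, method: str = "GET",
        body: Optional[dict] = None):
    """Minimal JSON call against the NPM API (same endpoints as the PowerShell script)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(server + path, data=data, method=method,
                                 headers={"Content-Type": "application/json; charset=UTF-8"})
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def resave_broken(server: str, user: str, password: str,
                  conf_dir: str = "/data/nginx/proxy_host") -> list:
    """Re-save (GET, then an unchanged PUT) only the hosts whose rendered config is broken."""
    token = api(server, "/api/tokens", method="POST",
                body={"identity": user, "secret": password})["token"]
    hosts = api(server, "/api/nginx/proxy-hosts?expand=owner,access_list,certificate", token)
    fixed = []
    for host in hosts:
        conf_path = Path(conf_dir) / f"{host['id']}.conf"   # <id>.conf naming is assumed
        conf = conf_path.read_text() if conf_path.exists() else ""
        if is_broken(conf, expects_tls=bool(host.get("certificate_id"))):
            api(server, f"/api/nginx/proxy-hosts/{host['id']}", token, "PUT", put_body(host))
            fixed.append(host["id"])
    return fixed


# Constructed samples modelled on the dump in the thread (not the real configs).
SAMPLE_BROKEN = (
    "server {\n  listen 80;\n#listen [::]:80;\n\n\t\t\t\t\t \n\t\t\t\t \n"
    "  server_name proxy.example.com;\n\t\t\t\t\t\t\t\t\t\t\t\t\t \n"
    "  include conf.d/include/block-exploits.conf;\n"
    "  access_log /data/logs/proxy-host-1_access.log proxy;\n"
    "  location / {\n    include conf.d/include/proxy.conf;\n  }\n}\n"
)
SAMPLE_OK = (
    "server {\n  listen 80;\n#listen [::]:80;\n\nlisten 443 ssl http2;\n#listen [::]:443;\n\n"
    "  server_name proxy.example.com;\n\n  # Let's Encrypt SSL\n"
    "  include conf.d/include/letsencrypt-acme-challenge.conf;\n"
    "  ssl_certificate /etc/letsencrypt/live/npm-2/fullchain.pem;\n"
    "  ssl_certificate_key /etc/letsencrypt/live/npm-2/privkey.pem;\n"
    "  location / {\n    include conf.d/include/proxy.conf;\n  }\n}\n"
)

if __name__ == "__main__":
    for name, conf in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(name, "blanked lines:", blanked_lines(conf),
              "tls complete:", tls_complete(conf), "broken:", is_broken(conf))
```

Run it where the config directory is readable (inside the container, or against the bind-mounted data directory) and call resave_broken("http://<ip>:<port>", user, password). Each PUT is the same mechanism as Edit+Save in the WebUI, so NPM regenerates that host's conf and reloads nginx; re-saving only the affected hosts keeps that to a handful of reloads. The credentials are for an admin account, so if this goes into cron, keep the script file readable only by root rather than embedding the password in the crontab line.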

I'm having same problem.

tayfunyasar · Dec 03 '22 08:12

When I set everything up a month ago, everything was working fine. Today my site just shows this when accessing through Firefox: [image not captured]

peterge1998 · Dec 18 '22 17:12

I am also experiencing this issue on v2.9.19, every time I add a new user to an Access List. The workaround by @tsvane works, but I'm really looking forward to the day this is fixed.

qwrtty · Dec 27 '22 09:12

Can confirm I'm experiencing this consistently whenever there's a restart of a backend service container that's being proxied to through NPM.

adrichman · Dec 29 '22 06:12