
Internal error on renewing SSL certificate when all requests of proxy host are redirected

Open davhae opened this issue 2 years ago • 6 comments

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • No
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

When using the Advanced NGINX Configuration of a proxy host to redirect all requests, renewal of certificates returns an internal error.

The configuration may look like this:

rewrite ^(/.*)$ https://another-domain.com/ permanent;

Nginx Proxy Manager Version

v2.9.18

Expected behavior

I don't really know if it is expected, but requests to .well-known should be handled by the reverse proxy.

Operating System

Ubuntu Jammy

davhae avatar Nov 22 '22 10:11 davhae

Just asking, but does the problem domain have force-ssl enabled? There is a bug with this config: remove the force-ssl, manually renew and turn it back on until the fix is merged and released. The bug is because the current config forces the redirect to https before the letsencrypt exception is processed, so letsencrypt fails since it doesn't work over https. So check if it's this bug or your rewrite that is causing the letsencrypt breakage.

the1ts avatar Nov 23 '22 17:11 the1ts

> Just asking, but does the problem domain have force-ssl enabled? There is a bug with this config: remove the force-ssl, manually renew and turn it back on until the fix is merged and released. The bug is because the current config forces the redirect to https before the letsencrypt exception is processed, so letsencrypt fails since it doesn't work over https. So check if it's this bug or your rewrite that is causing the letsencrypt breakage.

Is there an issue about the bug that I can subscribe to in order to get an info when it is fixed? I could not find one with the search.

gnilebein avatar Dec 12 '22 10:12 gnilebein

Disabling force-ssl for the only Redirection-Host using the certificate does not make it renewable. On the other hand, temporarily removing the rewrite while force-ssl is activated results in a successful renew.

davhae avatar Dec 12 '22 17:12 davhae

> Disabling force-ssl for the only Redirection-Host using the certificate does not make it renewable. On the other hand, temporarily removing the rewrite while force-ssl is activated results in a successful renew.

There is a fix for the issue... Just needs to be merged... I added the change to my docker container (FIX: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2038)

gnilebein avatar Dec 12 '22 19:12 gnilebein

> > Disabling force-ssl for the only Redirection-Host using the certificate does not make it renewable. On the other hand, temporarily removing the rewrite while force-ssl is activated results in a successful renew.
>
> There is a fix for the issue... Just needs to be merged... I added the change to my docker container (FIX: #2038)

Like I said, it has nothing to do with force-ssl

davhae avatar Dec 13 '22 08:12 davhae

@davhae Maybe the issue is that rewrite redirects before the NPM has a chance to respond to Let's Encrypt. What if you try wrapping your rewrite in a location block?

Custom Nginx Configuration - Redirects ACME challenge (Before)

rewrite ^(/.*)$ https://another-domain.com/ permanent;

Custom Nginx Configuration - Responds to ACME challenge (After)

location / {
  rewrite ^(/.*)$ https://another-domain.com/ permanent;
}

evelynhathaway avatar Dec 26 '22 20:12 evelynhathaway
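
Added example, not part of the thread or of Nginx Proxy Manager's code: a small Python check for custom snippets like the Before/After pair above. nginx runs `rewrite` and `return` directives written at server level (including inside a server-level `if`) before it selects a location, so they also apply to `/.well-known/acme-challenge/` requests; the function name `pre_location_directives` and the assumption that the ACME challenge is served from its own location block are mine.

```python
# Flags rewrite/return directives in a custom nginx snippet that run before location matching.
PRE_LOCATION = {"rewrite", "return"}  # ngx_http_rewrite_module directives

def pre_location_directives(snippet):
    """Return directives that execute before location matching."""
    found, stack, buf = [], [], []
    quote, i = None, 0
    while i < len(snippet):
        ch = snippet[i]
        if quote:                          # inside '...' or "..."
            buf.append(ch)
            if ch == "\\" and i + 1 < len(snippet):
                i += 1
                buf.append(snippet[i])
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == "#" and (not buf or buf[-1].isspace()):
            while i < len(snippet) and snippet[i] != "\n":
                i += 1                     # comment: skip to end of line
            continue
        elif ch == "{":                    # block opens; remember its name
            header = "".join(buf).split()
            stack.append(header[0] if header else "")
            buf = []
        elif ch == "}":
            if stack:
                stack.pop()
            buf = []
        elif ch == ";":
            words = "".join(buf).split()
            # Server level means every enclosing block is an `if`.
            if words and words[0] in PRE_LOCATION and all(b == "if" for b in stack):
                found.append(" ".join(words) + ";")
            buf = []
        else:
            buf.append(ch)
        i += 1
    return found

# The two snippets from the comment above, used as sample input.
BEFORE = "rewrite ^(/.*)$ https://another-domain.com/ permanent;"
AFTER = "location / {\n  rewrite ^(/.*)$ https://another-domain.com/ permanent;\n}"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, pre_location_directives(cfg))
```

An empty result means no redirect in the snippet can pre-empt a more specific location; it does not confirm that renewal will succeed.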

Issue is now considered stale. If you want to keep it open, please comment :+1:

github-actions[bot] avatar Feb 04 '24 01:02 github-actions[bot]