
SSL/Let's encrypt not working anymore after update or any other version

Open greenfishgit23222 opened this issue 2 years ago • 71 comments

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

Received an email from Let's Encrypt that I had to update my SSL certificate. Went into Nginx Proxy Manager, cert renewal, got internal error, saw something about certbot failure. Saw on this forum a lot of users had similar issues. Tried reverting to older versions but still the same error. Have tried to re-install/delete everything from scratch but the SSL cert fails every time. I'm not adept at all when it comes to SSL/reverse proxy but so far Nginx Proxy Manager was the only solution working for me a few months ago with reverse proxy. Now I'm at a total loss what to do.

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-2" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "phofsddd.duckdns.org" Saving debug log to /var/log/letsencrypt/letsencrypt.log Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

Nginx Proxy Manager Version

2.9.21 2.9.20 2.9.19

greenfishgit23222 avatar Mar 19 '23 18:03 greenfishgit23222

Same here.

Let me know if i can do/test/provide something.

Working with docker version v2.9.21

riddertommie avatar Mar 19 '23 21:03 riddertommie

Same here.

Let me know if i can do/test/provide something.

Working with docker version v2.9.21

After 5 hours of headache I managed to finally get the ssl up and running again!!!

But after 30-60 days when Let's Encrypt needs renewal I'm afraid this headache will start again because renew SSL doesn't work for me on any of the versions. I have to delete the entire container+config and start from scratch.

What worked for me and it's something I never used before is you go into the category create ssl-certificates, add dns-challenge (new for me) and choose your dns provider and provide your token. Then add your host and point your ssl to your newly created ssl certificate. This only works for me on 2.9.19.

Steps that worked for me

  • Using only version 2.9.19, anything newer doesn't work for me (tried the most recent build an hour ago pr-2672 by jc21)
  • SSL Certificates - Add SSL-Certificate -> Add Let's Encrypt Certificate
  • Use a DNS challenge (never worked before for me)
  • DNS provider+token
  • Go back into Proxy hosts, choose your newly added ssl certificate, force ssl, HTTP/2 support rest is optional for your setup.

I used this docker-compose-yml

version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:github-pr-2411'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

greenfishgit23222 avatar Mar 19 '23 21:03 greenfishgit23222

I can confirm that using 2.9.21 works perfectly fine when requesting an SSL cert using the HTTP method, as long as your DNS settings for the domain requesting point directly to NPM.

I can also confirm that manual renewal of this certificate also works fine, as long as the proxy host for it still exists.

jc21 avatar Mar 19 '23 22:03 jc21

Hi, it's still not working for me.

I'm investigating a bit but can't figure it out, help is appreciated.

I have several certificates running and the existing ones work just fine and follow the same configuration and hardware as the ones that have expired and I can't renew.

But I can't manage to request new ones or redo old ones (I did too many requests now so I have to wait until tomorrow I think to check again).

At first I thought it might have to do with pi-hole but my server ignores that and when I turn off pi-hole it doesn't work either. Could it be that the requests are coming through ipv6 and I haven't configured that? I'm using DISABLE_IPV6: 'true'

I just don't understand the necessity of -Use a DNS challenge- I use stator as a provider, is this necessary?

I'm a bit stuck. any help is welcome.

Thanks!

Short update: if I open a still-working URL within NPM it is going fine; if I do 'test server reachability' I get

Communication with the API failed, is NPM running correctly?

riddertommie avatar Mar 20 '23 10:03 riddertommie

I can confirm that using 2.9.21 works perfectly fine when requesting an SSL cert using the HTTP method, as long as your DNS settings for the domain requesting point directly to NPM.

I can also confirm that manual renewal of this certificate also works fine, as long as the proxy host for it still exists.

Thanks @jc21 - sounds good. Does that mean it should have fixed the issues raised in https://github.com/NginxProxyManager/nginx-proxy-manager/issues/396 too? It's just I'm still seeing those renewal errors on some sites...

03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
03/20/2023 6:23:02 PM
[3/20/2023] [6:23:02 PM] [Nginx    ] › ℹ  info      Reloading Nginx
03/20/2023 6:29:14 PM
[3/20/2023] [6:29:14 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
03/20/2023 6:29:14 PM
Failed to renew certificate npm-4 with error: Some challenges have failed.
03/20/2023 6:29:14 PM
Failed to renew certificate npm-6 with error: Some challenges have failed.
03/20/2023 6:29:14 PM
All renewals failed. The following certificates could not be renewed:
03/20/2023 6:29:14 PM
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
03/20/2023 6:29:14 PM
  /etc/letsencrypt/live/npm-6/fullchain.pem (failure)
03/20/2023 6:29:14 PM
2 renew failure(s), 0 parse failure(s)

EDIflyer avatar Mar 20 '23 19:03 EDIflyer

I'm having the same problem to revalidate the certificate, I already went back to the version mentioned above and I still couldn't validate it.

What I'm not getting is the DNS + Token to place and generate the certificate, where do I find this within Cloudflare?

renan-infonacci avatar Mar 22 '23 17:03 renan-infonacci

@EDIflyer Worth checking /var/log/letsencrypt.log by doing:

less /var/log/letsencrypt/letsencrypt.log

inside the docker container.

themegabyte avatar Mar 25 '23 22:03 themegabyte

Thanks @themegabyte - had a look and it seems to have a few attempts that show as pending before it returns an invalid:

2023-03-25 22:23:48,996:INFO:certbot._internal.auth_handler:Challenge failed for domain [mysubdomain.tld]
2023-03-25 22:23:48,996:INFO:certbot._internal.auth_handler:http-01 challenge for [mysubdomain.tld]
2023-03-25 22:23:48,996:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: [mysubdomain.tld]
  Type:   connection
  Detail: 85.159.208.227: Fetching https://[mysubdomain.tld]/.well-known/acme-challenge/bbYQWve03QzcXqE8BT8ATSt-CuvNJ2kiWhFdCv5KjAI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-03-25 22:23:49,004:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-03-25 22:23:49,005:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-03-25 22:23:49,005:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-03-25 22:23:49,005:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/bbYQSve03QzcXqE5BT8ATSt-CuvNJ2kiWhFdCv5KjAI
2023-03-25 22:23:49,006:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-03-25 22:23:49,007:ERROR:certbot._internal.renewal:Failed to renew certificate npm-12 with error: Some challenges have failed.
2023-03-25 22:23:49,016:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 525, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1547, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 387, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

The weird thing is if I delete and recreate it then it seems to work OK, at least until it is due for renewal. I can provide more log file info if helpful (not sure if there are any other more relevant bits I've missed).

UPDATE: From searching open issues I see lots of others with similar problems: https://github.com/NginxProxyManager/nginx-proxy-manager/issues?q=%22The+Certificate+Authority+failed+to+download+the+temporary+challenge+files+created+by+Certbot%22+

In particular #2258 #1625 #2565 seem to confirm an issue with 'force SSL' not letting the LetsEncrypt SSL renewal through on port 80. PR #2038 seems to be a fix but hasn't been merged - @jc21 not sure if you would be able to consider that?

I've now manually gone through each of the 8 proxy hosts (thankfully not as many on this server!) and switched off 'force SSL'. When I tried to renew I got the 'another instance of certbot is already running' error (see #918), despite nothing obviously being in progress. I then ran find / -type f -name ".certbot.lock" -exec rm {} \; and then finally managed to manually renew each certificate via the SSL page on the NPM frontend. So it's great that it has worked for another 3 months, but clearly quite a hassle to have to keep doing it this way and I'd prefer to be able to leave 'force SSL' set to on.

EDIflyer avatar Mar 25 '23 22:03 EDIflyer
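The log excerpt above is long, and the useful part is only the "Domain / Type / Detail" block the CA reports. The following is an added example (not part of the issue thread or of the Nginx Proxy Manager project) that parses that block out of a certbot `letsencrypt.log` and attaches a hint for the failure patterns seen in this thread: a connect timeout, and an http-01 fetch whose Detail line already shows an `https://` URL, meaning the CA followed a redirect off port 80 before it could read the token. The sample log is constructed to mirror the posted excerpt; the domain, IP and token in it are placeholders.

```python
"""Triage failed ACME challenges out of a certbot letsencrypt.log.

Added example, not code from the issue thread or from NPM. It reads the
"Certbot failed to authenticate some domains" block certbot writes and
summarises each failure with a defender-side hint.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the log excerpt posted in the thread.
# example.invalid, 192.0.2.10 and TOKEN_PLACEHOLDER are placeholders.
SAMPLE_LOG = """\
2023-03-25 22:23:48,996:INFO:certbot._internal.auth_handler:Challenge failed for domain example.invalid
2023-03-25 22:23:48,996:INFO:certbot._internal.auth_handler:http-01 challenge for example.invalid
2023-03-25 22:23:48,996:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: example.invalid
  Type:   connection
  Detail: 192.0.2.10: Fetching https://example.invalid/.well-known/acme-challenge/TOKEN_PLACEHOLDER: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot.
2023-03-25 22:23:49,007:ERROR:certbot._internal.renewal:Failed to renew certificate npm-12 with error: Some challenges have failed.
"""


@dataclass
class ChallengeFailure:
    domain: str
    challenge: str       # e.g. "http-01", taken from the preceding INFO line
    problem_type: str    # the CA's "Type:" line (connection, dns, unauthorized, ...)
    detail: str          # the CA's "Detail:" line
    hints: List[str]


# One Domain/Type/Detail triplet as certbot prints it.
_PROBLEM_RE = re.compile(
    r"^[ \t]*Domain:[ \t]+(?P<domain>\S+)[ \t]*\n"
    r"[ \t]*Type:[ \t]+(?P<type>\S+)[ \t]*\n"
    r"[ \t]*Detail:[ \t]+(?P<detail>.+?)[ \t]*$",
    re.MULTILINE,
)
# "http-01 challenge for <domain>" / "dns-01 challenge for <domain>"
_CHALLENGE_RE = re.compile(r":(?P<chal>[a-z]+-01) challenge for (?P<domain>\S+)")


def _hints(challenge: str, problem_type: str, detail: str) -> List[str]:
    """Map the CA's wording to the failure modes discussed in the thread."""
    hints = []
    if challenge == "http-01" and "Fetching https://" in detail:
        hints.append("the CA was redirected from http:// to https:// before reading the token; "
                     "check HTTP-to-HTTPS redirects on port 80 for the challenge path")
    if "Timeout during connect" in detail:
        hints.append("TCP connect timed out: the port is not reachable from the internet "
                     "(firewall, NAT, or a wrong A/AAAA record)")
    if "Invalid response" in detail:
        hints.append("something answered on port 80 but not with the token: another vhost or "
                     "service is serving /.well-known/acme-challenge/")
    if problem_type == "dns":
        hints.append("DNS lookup problem: check the record exists and has propagated")
    return hints


def parse_failures(log_text: str) -> List[ChallengeFailure]:
    """Return one ChallengeFailure per Domain/Type/Detail block in the log."""
    challenge_by_domain = {m.group("domain"): m.group("chal")
                           for m in _CHALLENGE_RE.finditer(log_text)}
    failures = []
    for m in _PROBLEM_RE.finditer(log_text):
        domain, ptype, detail = m.group("domain"), m.group("type"), m.group("detail")
        chal = challenge_by_domain.get(domain, "unknown")
        failures.append(ChallengeFailure(domain, chal, ptype, detail, _hints(chal, ptype, detail)))
    return failures


if __name__ == "__main__":
    # Usage: python triage.py /var/log/letsencrypt/letsencrypt.log  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in parse_failures(text):
        print(f"{f.domain}: {f.challenge} / {f.problem_type}\n  {f.detail}")
        for h in f.hints:
            print("  hint:", h)
```

Run it against the container's `/var/log/letsencrypt/letsencrypt.log` (or `/tmp/letsencrypt-log/letsencrypt.log` on the versions that log there, as shown later in this thread); it only reads the file, so it is safe to run on a live instance.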

Thank you for posting @EDIflyer. I had the exact same issue, Timeout during connect. I had to disable my hosts to get the auto renew to work. It worked smoothly but manually.

I manually tried to access /.well-known/acme-challenge/, and I saw that it was redirecting towards my drone CI container instead of whatever it was supposed to go to (this could be wrong way to test, however, as certbot doesn't place the files for that long to test I think...).

However, I had another version working on a separate production server and I saw no issues there... I will report back with more data if I have.

themegabyte avatar Mar 25 '23 23:03 themegabyte

I may not swear! But FFS, I have this issue.

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-39" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "mail.domain.com" Saving debug log to /tmp/letsencrypt-log/letsencrypt.log Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

I had this with 2.9.19 and still when I pulled 2.10.2

Now I cannot renew any domain anymore!

HELP is very much appreciated and needed!

I tried normal challenge and (new?) dns challenge (but not sure if I did that right since I use a *.domain.com dyn dns with Joker)

It always worked well and I also managed to create around 30 certs successfully

HELP

Some more logging:

[4/1/2023] [5:41:06 PM] [SSL      ] › ℹ  info      Testing http challenge for mail.domain.com

Uncaught SyntaxError: Unexpected end of JSON input

FROM

bash: line 1:   146 Trace/breakpoint trap   (core dumped) node --abort_on_uncaught_exception --max_old_space_size=250 index.js

❯ Starting backend ...

[4/1/2023] [5:41:08 PM] [Global   ] › ℹ  info      Using Sqlite: /data/database.sqlite

[4/1/2023] [5:41:09 PM] [Migrate  ] › ℹ  info      Current database version: none

[4/1/2023] [5:41:09 PM] [Setup    ] › ℹ  info      Logrotate Timer initialized

[4/1/2023] [5:41:09 PM] [Setup    ] › ℹ  info      Logrotate completed.

[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...

[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json

[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4

[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6

[4/1/2023] [5:41:09 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized

[4/1/2023] [5:41:09 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...

[4/1/2023] [5:41:09 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized

[4/1/2023] [5:41:09 PM] [Global   ] › ℹ  info      Backend PID 448 listening on port 3000 ...

[4/1/2023] [5:41:09 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation  

Another instance of Certbot is already running.

    at ChildProcess.exithandler (node:child_process:402:12)

    at ChildProcess.emit (node:events:513:28)

    at maybeClose (node:internal/child_process:1100:16)

    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

[4/1/2023] [5:43:54 PM] [SSL      ] › ℹ  info      Revoking Let'sEncrypt certificates for Cert #29: mail.domain.com

[4/1/2023] [5:43:54 PM] [SSL      ] › ℹ  info      Command: certbot revoke --config "/etc/letsencrypt.ini" --cert-path "/etc/letsencrypt/live/npm-29/fullchain.pem" --delete-after-revoke ; rm -f '/etc/letsencrypt/credentials/credentials-29' || true

[4/1/2023] [5:43:55 PM] [SSL      ] › ℹ  info      Deleted all files relating to certificate npm-29.

Congratulations! You have successfully revoked the certificate that was located at /etc/letsencrypt/live/npm-29/fullchain.pem.

[4/1/2023] [5:44:13 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:44:18 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #39: mail.domain.com

[4/1/2023] [5:44:18 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-39" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "mail.domain.com" 

[4/1/2023] [5:44:30 PM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/temp/letsencrypt_39.conf

[4/1/2023] [5:44:30 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:44:30 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-39" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "mail.domain.com" 

Saving debug log to /tmp/letsencrypt-log/letsencrypt.log

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

[4/1/2023] [5:45:18 PM] [SSL      ] › ℹ  info      Testing http challenge for mail.domain.com

Uncaught SyntaxError: Unexpected end of JSON input

FROM

bash: line 1:   448 Trace/breakpoint trap   (core dumped) node --abort_on_uncaught_exception --max_old_space_size=250 index.js

❯ Starting backend ...

[4/1/2023] [5:45:19 PM] [Global   ] › ℹ  info      Using Sqlite: /data/database.sqlite

[4/1/2023] [5:45:20 PM] [Migrate  ] › ℹ  info      Current database version: none

[4/1/2023] [5:45:20 PM] [Setup    ] › ℹ  info      Logrotate Timer initialized

[4/1/2023] [5:45:20 PM] [Setup    ] › ℹ  info      Logrotate completed.

[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...

[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json

[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4

[4/1/2023] [5:45:20 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6

[4/1/2023] [5:45:20 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized

[4/1/2023] [5:45:20 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...

[4/1/2023] [5:45:21 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized

[4/1/2023] [5:45:21 PM] [Global   ] › ℹ  info      Backend PID 1242 listening on port 3000 ...

[4/1/2023] [5:46:54 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:46:54 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates via Joker for Cert #40: mail.domain.com

[4/1/2023] [5:46:54 PM] [SSL      ] › ℹ  info      Command: mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo 'dns_joker_username = no

dns_joker_password = no

dns_joker_domain = domain.com' > '/etc/letsencrypt/credentials/credentials-40' && chmod 600 '/etc/letsencrypt/credentials/credentials-40' && . /opt/certbot/bin/activate && pip install --no-cache-dir --user certbot-dns-joker~=1.1.0  && deactivate && certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-40" --agree-tos --email "[email protected]" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-40"

[4/1/2023] [5:46:56 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:46:56 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-40" --agree-tos --email "[email protected]" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-40"

Another instance of Certbot is already running.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-i26wbiq9/log or re-run Certbot with -v for more details.

[4/1/2023] [5:47:07 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:47:07 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates via Joker for Cert #41: mail.domain.com

[4/1/2023] [5:47:07 PM] [SSL      ] › ℹ  info      Command: mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo 'dns_joker_username = no

dns_joker_password = no

dns_joker_domain = *.domain.com' > '/etc/letsencrypt/credentials/credentials-41' && chmod 600 '/etc/letsencrypt/credentials/credentials-41' && . /opt/certbot/bin/activate && pip install --no-cache-dir --user certbot-dns-joker~=1.1.0  && deactivate && certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-41" --agree-tos --email "[email protected]" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-41"

[4/1/2023] [5:47:08 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:47:08 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-41" --agree-tos --email "[email protected]" --domains "mail.domain.com" --authenticator dns-joker --dns-joker-credentials "/etc/letsencrypt/credentials/credentials-41"

Another instance of Certbot is already running.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-5s6n3w19/log or re-run Certbot with -v for more details.

[4/1/2023] [5:49:19 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --preferred-challenges "dns,http" --disable-hook-validation  

Failed to renew certificate npm-30 with error: Some challenges have failed.

Failed to renew certificate npm-31 with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:

  /etc/letsencrypt/live/npm-30/fullchain.pem (failure)

  /etc/letsencrypt/live/npm-31/fullchain.pem (failure)

2 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (node:child_process:402:12)

    at ChildProcess.emit (node:events:513:28)

    at maybeClose (node:internal/child_process:1100:16)

    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

[4/1/2023] [5:52:45 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:52:50 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #42: mail.domain.com

[4/1/2023] [5:52:50 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-42" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "mail.domain.com" 

[4/1/2023] [5:53:05 PM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/temp/letsencrypt_42.conf

[4/1/2023] [5:53:05 PM] [Nginx    ] › ℹ  info      Reloading Nginx

[4/1/2023] [5:53:05 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-42" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "mail.domain.com" 

Saving debug log to /tmp/letsencrypt-log/letsencrypt.log

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

EDIT: Any renewal gives me: image

Any creation gives me above error...

This is a major issue

sanderlv avatar Apr 01 '23 18:04 sanderlv

@sanderlv see my post above - the workaround that did the trick for me was running the command within the container to kill off duplicate certbot instances/locks and then switching off force SSL before trying to renew the certificate. I see @jc21 has made quite a few commits recently so I'm hoping this SSL cert renewal might get fixed soon 🤞

EDIflyer avatar Apr 01 '23 18:04 EDIflyer

I have the certificate not connected to a proxy host, just trying to create it...?

Is it also fine to reboot the container or is it still having duplicate instances?

sanderlv avatar Apr 01 '23 18:04 sanderlv

I tried your command: image

But no luck either... image

But what's even more weird is that the console gives: image

And the interface gives: image

What's not ok here?

sanderlv avatar Apr 01 '23 18:04 sanderlv

Hmm, getting outside what I understand now I'm afraid! I'd have thought definitely worth a container reboot attempt given that difference in version info. I tend to just automatically make the SSL cert when creating the proxy host.

EDIflyer avatar Apr 01 '23 18:04 EDIflyer

Rebooting does not help in getting the right version "in the container"...

sanderlv avatar Apr 01 '23 18:04 sanderlv

I tend to just automatically make the SSL cert when creating the proxy host.

That does not work either... So frustrating... all my domains will soon expire...

image

sanderlv avatar Apr 01 '23 18:04 sanderlv

Created a wildcard DNS via joker, that works ....

sanderlv avatar Apr 01 '23 18:04 sanderlv

fresh install, 0 domains, add one, tried to add cert, fails as above...

Good thing I still haven't updated my stack from 2022 last year, it works there but not on a fresh install..

And i thought i messed up something.

Somebody has to look into this. I'm not the only one.

If anyone has any solution please @ me.

andzejsp avatar Apr 05 '23 18:04 andzejsp

Jesus christ.... same crap again... I had to renew ssl certificate and voila "internal error".

greenfishgit22 avatar Apr 07 '23 17:04 greenfishgit22

I know, it s@cks. But luckily the dns one via joker does work.

sanderlv avatar Apr 07 '23 18:04 sanderlv

I know, it s@cks. But luckily the dns one via joker does work.

Do you mean via DNS challenge? - AIUI that's only an option if your DNS provider is one of the ones listed though? (mine isn't)

EDIflyer avatar Apr 07 '23 19:04 EDIflyer

Yes and yes and that's a pity...

sanderlv avatar Apr 07 '23 19:04 sanderlv

Yeah thanks but i'm using duckdns and noip, not willing to change DNS provider because of this issue.

I really like Nginx Proxy Manager but this happens way too frequently in my opinion.

greenfishgit22 avatar Apr 07 '23 19:04 greenfishgit22

I agree. I am just lucky at this moment...

sanderlv avatar Apr 07 '23 19:04 sanderlv

same issue on Docker 4.18 macOS ventura 13.3.1 nginx 2.9.19 and 2.9.20(21,22) and 2.10.2.

Not sure what is going, been looking into Traefik

smailpouri avatar Apr 28 '23 04:04 smailpouri

I was having the same issue where 'Test Server Reachability' was saying 'Communication with the API failed, is NPM running correctly?'. I use DuckDNS and verified that I had everything configured correctly. What I ended up doing was just using DNS Challenge and choosing DuckDNS and providing my token. No issues requesting/renewing certs now.

plexecutor avatar May 02 '23 13:05 plexecutor

I was having the same issue where 'Test Server Reachability' was saying 'Communication with the API failed, is NPM running correctly?'. I use DuckDNS and verified that I had everything configured correctly. What I ended up doing was just using DNS Challenge and choosing DuckDNS and providing my token. No issues requesting/renewing certs now.

But this doesn't help people who don't have ducks.

andzejsp avatar May 02 '23 13:05 andzejsp

I was having the same issue where 'Test Server Reachability' was saying 'Communication with the API failed, is NPM running correctly?'. I use DuckDNS and verified that I had everything configured correctly. What I ended up doing was just using DNS Challenge and choosing DuckDNS and providing my token. No issues requesting/renewing certs now.

But this doesn't help people who don't have ducks.

True, but there is a very large list of DNS provider plugins supported by NPM. If yours is supported, I would try that method.

plexecutor avatar May 02 '23 13:05 plexecutor

same problem for me. I can't renew or create a new certificate. probably related to this

erzwo avatar May 10 '23 18:05 erzwo

same

rafalohaki avatar May 10 '23 20:05 rafalohaki