
Allow custom ACME servers for certificate generation

Open Nathanwoodburn opened this issue 1 year ago • 19 comments

Is your feature request related to a problem? Please describe.

It would be really nice to be able to add custom ACME servers to the certificate generation. For example, I have an ACME server that generates internally signed certificates, and I currently need to upload them every time I update them.

Describe the solution you'd like

Either allow ACME servers to be added via the web interface, or maybe a config file?

Describe alternatives you've considered

Additional context

Nathanwoodburn avatar Feb 01 '24 02:02 Nathanwoodburn

Maybe as an addition: documentation on how to do this manually?

Ro-meo avatar Feb 22 '24 11:02 Ro-meo

I'd love to see this as well. I was able to connect to the console of the npm container and manually create certificates using certbot with my custom ACME server like this:

certbot certonly -d <domain> --agree-tos --no-eff-email \
--server <server_url> \
--eab-kid <kid> \
--eab-hmac-key <hmac>

But actually using them is kind of a nightmare. I have to get the files out of the container and onto my local machine just to then reupload them through the web UI. I had hoped to at least symlink the certs directly from /etc/letsencrypt to /data/custom_ssl, but it looks like the web UI stores the certificates in the database and only writes them out to disk so that nginx can access them, so I'm not sure that would survive a restart. (And even if it did, it would still require manually uploading a dummy cert for every domain.)

demonbane avatar Mar 01 '24 08:03 demonbane

Looking at the code, it looks like npm creates /etc/letsencrypt.ini by default and it turns out you can just add the config in there and it works! I just added:

server = <url>
eab-kid = <kid>
eab-hmac-key = <hmac>

and then tried using the UI to generate a new certificate and it worked perfectly! I'd still love to see an option added to the UI to manage this, but this actually works right now which is great.

demonbane avatar Mar 01 '24 08:03 demonbane

Does that allow multiple? For this case, I have internal domains (not on a valid TLD) and regular public domains. So can I set 2 ACME servers?

Nathanwoodburn avatar Mar 01 '24 08:03 Nathanwoodburn

You would have to modify it each time (or just create two copies and swap them out between invocations). Fortunately, once the certificate is created, there's a cert-specific .conf file created in /etc/letsencrypt/renewal which does store the server name, so renewals should continue to work even if you've changed the server in the config each time.

demonbane avatar Mar 01 '24 08:03 demonbane
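An added check for the two-server setup discussed above (example code, not from this thread or the NPM project): after the `server =` line in /etc/letsencrypt.ini has been swapped between the internal CA and the public one, this reads back which ACME server each renewal conf under /etc/letsencrypt/renewal is bound to. Paths are parameterised, and the renewal confs it runs against here are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the NPM project or this thread. It reads the
# "server = ..." line certbot records in /etc/letsencrypt/renewal/*.conf (the
# same key format as /etc/letsencrypt.ini) so you can confirm each certificate
# is still bound to the ACME server it was issued from after swapping servers.

# Print the ACME directory URL from a certbot-style ini/conf file ("server = URL").
acme_server_of() {
    # $1 = path to /etc/letsencrypt.ini or a renewal .conf
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print "<cert-name><TAB><server>" for every renewal conf in a directory.
list_renewal_servers() {
    # $1 = renewal directory (normally /etc/letsencrypt/renewal in the npm container)
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        printf '%s\t%s\n' "$(basename "$conf" .conf)" "$(acme_server_of "$conf")"
    done
}

# Succeed only if the renewal conf in $1 points at the server URL in $2.
check_bound_to() {
    [ "$(acme_server_of "$1")" = "$2" ]
}

# --- constructed sample data standing in for /etc/letsencrypt/renewal ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/internal-site.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 2.9.0

[renewalparams]
account = 0123456789abcdef
authenticator = webroot
server = https://acme.internal.example/directory
EOF
cat > "$SAMPLE_DIR/public-site.conf" <<'EOF'
version = 2.9.0

[renewalparams]
account = fedcba9876543210
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
EOF

list_renewal_servers "$SAMPLE_DIR"
check_bound_to "$SAMPLE_DIR/internal-site.conf" https://acme.internal.example/directory \
    && echo "internal-site: bound to the internal CA as expected"
```

Inside the npm container, point `list_renewal_servers` at /etc/letsencrypt/renewal to see the real bindings.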

See #1054:

I am planning to add configurable CA's to v3.

Originally posted by @jc21 in https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1054#issuecomment-870213956

fbender avatar Mar 12 '24 21:03 fbender

Issue is now considered stale. If you want to keep it open, please comment :+1:

github-actions[bot] avatar Oct 29 '24 02:10 github-actions[bot]

+1

vshaev avatar Oct 29 '24 07:10 vshaev

+1

mikeleord avatar Nov 06 '24 14:11 mikeleord

+1

potatoru avatar Nov 12 '24 01:11 potatoru

+1

68656c6c avatar Dec 15 '24 20:12 68656c6c

+1

littlejackal avatar Jan 07 '25 11:01 littlejackal

+1

reyist avatar Jan 28 '25 11:01 reyist

> Looking at the code, it looks like npm creates /etc/letsencrypt.ini by default and it turns out you can just add the config in there and it works! I just added:
>
> server = <url>
> eab-kid = <kid>
> eab-hmac-key = <hmac>
>
> and then tried using the UI to generate a new certificate and it worked perfectly! I'd still love to see an option added to the UI to manage this, but this actually works right now which is great.

What did you do in the GUI? Did you use a DNS challenge? Which one?

N-Hertstein avatar Jan 31 '25 15:01 N-Hertstein

Would be awesome. Additionally, it would be great to define some bash for post-processing to copy the received certificate to another location (in my case a container volume).

cgfm avatar Mar 01 '25 18:03 cgfm

The workaround for me was to register the provider within the nginx-proxy-manager container (of course you could build this into your deployment processes with env variables). After this, requesting certs via the UI worked just fine with the default options.

Example syntax: certbot register --email [email protected] --server https://acme.provider.com --eab-kid kid --eab-hmac-key key

robinmalik avatar Mar 10 '25 16:03 robinmalik

+1

BulldozerPete avatar Nov 28 '25 22:11 BulldozerPete

+1

Ro-meo avatar Dec 01 '25 22:12 Ro-meo

> The workaround for me was to register the provider within the nginx-proxy-manager container (of course you could build this into your deployment processes with env variables). After this, requesting certs via the UI worked just fine with the default options.
>
> Example syntax: certbot register --email [email protected] --server https://acme.provider.com --eab-kid kid --eab-hmac-key key

Can you please share a simple how-to guide? I still don't know what to configure in my docker compose file. Afterwards, I don't know where to find the certificates and how to integrate them into NPM. Thank you

BulldozerPete avatar Dec 02 '25 14:12 BulldozerPete