certbot since last update broken
Using NPM 2.12.6
Certbot seems to have issues with the recent Container update. I am using the vanilla docker image, no modifications and tried both acme-challenge on a regular hostname and DNS method, both show the following Error in the logs:
Logfile: [8/18/2025] [8:55:16 AM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates via ClouDNS for Cert #16: *.MYDOMAIN
[8/18/2025] [8:55:16 AM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name 'npm-16' --disable-hook-validation --no-random-sleep-on-renew
[8/18/2025] [8:55:16 AM] [Global ] › ⬤ debug CMD: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name 'npm-16' --disable-hook-validation --no-random-sleep-on-renew
[8/18/2025] [8:55:19 AM] [Express ] › ⚠ warning Traceback (most recent call last):
File "/opt/certbot/bin/certbot", line 5, in
from certbot.main import main
File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 6, in
from certbot._internal import main as internal_main
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 24, in
from acme import client as acme_client
File "/opt/certbot/lib/python3.11/site-packages/acme/client.py", line 25, in
from acme import challenges
File "/opt/certbot/lib/python3.11/site-packages/acme/challenges.py", line 24, in
from acme import crypto_util
File "/opt/certbot/lib/python3.11/site-packages/acme/crypto_util.py", line 435, in
def dump_pyopenssl_chain(chain: Union[List[jose.ComparableX509], List[crypto.X509]],
^^^^^^^^^^^^^^^^^^^
AttributeError: module 'josepy' has no attribute 'ComparableX509'. Did you mean: 'ComparableKey'?
Can be reproduced with a fresh installation on a new docker host.
Error Message:
CommandError: Traceback (most recent call last): File "/opt/certbot/bin/certbot", line 5, in from certbot.main import main File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 6, in from certbot._internal import main as internal_main File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 24, in from acme import client as acme_client File "/opt/certbot/lib/python3.11/site-packages/acme/client.py", line 25, in from acme import challenges File "/opt/certbot/lib/python3.11/site-packages/acme/challenges.py", line 24, in from acme import crypto_util File "/opt/certbot/lib/python3.11/site-packages/acme/crypto_util.py", line 435, in def dump_pyopenssl_chain(chain: Union[List[jose.ComparableX509], List[crypto.X509]], ^^^^^^^^^^^^^^^^^^^ AttributeError: module 'josepy' has no attribute 'ComparableX509'. Did you mean: 'ComparableKey'?
at /app/lib/utils.js:16:13
at ChildProcess.exithandler (node:child_process:430:5)
at ChildProcess.emit (node:events:524:28)
at maybeClose (node:internal/child_process:1104:16)
at ChildProcess._handle.onexit (node:internal/child_process:304:5)
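The traceback above fails while certbot is still importing its modules, so every scheduled renewal fails the same way until the dependency is fixed, which makes it worth alerting on. The following is an added example, not part of the original report or of Nginx Proxy Manager: it scans log text in the format quoted above and reports which certificate renewals died on a missing module attribute. The sample log is constructed (the `example.test` names and the `Cert #17` line are made up) and `find_import_breaks` is a hypothetical helper name.

```python
import re

# Constructed sample, modelled on the log lines quoted in the report above.
SAMPLE_LOG = """\
[8/18/2025] [8:55:16 AM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates via ClouDNS for Cert #16: *.example.test
[8/18/2025] [8:55:16 AM] [SSL ] › ℹ info Command: certbot renew --force-renewal --cert-name 'npm-16'
[8/18/2025] [8:55:19 AM] [Express ] › ⚠ warning Traceback (most recent call last):
File "/opt/certbot/bin/certbot", line 5, in
from certbot.main import main
File "/opt/certbot/lib/python3.11/site-packages/acme/crypto_util.py", line 435, in
AttributeError: module 'josepy' has no attribute 'ComparableX509'. Did you mean: 'ComparableKey'?
[8/18/2025] [9:10:02 AM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #17: www.example.test
"""

STAMP = re.compile(r"^\[(\d+/\d+/\d+)\] \[([\d:]+ [AP]M)\]")
RENEW = re.compile(r"Renewing .* for Cert #(\d+): (\S+)")
API_BREAK = re.compile(r"AttributeError: module '([\w.]+)' has no attribute '(\w+)'")
SITE_PKG = re.compile(r'File "[^"]*/site-packages/(\w+)/')


def find_import_breaks(log_text):
    """Return one dict per renewal that died on a missing module attribute."""
    findings, cert, when, caller = [], None, None, None
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        if stamp:
            when = " ".join(stamp.groups())   # last timestamp seen
        renew = RENEW.search(line)
        if renew:
            cert, caller = {"id": int(renew.group(1)), "name": renew.group(2)}, None
            continue
        frame = SITE_PKG.search(line)
        if frame:
            caller = frame.group(1)           # innermost package frame so far
        broken = API_BREAK.search(line)
        if broken and cert:
            findings.append({"cert": cert, "since": when, "importer": caller,
                             "module": broken.group(1), "missing": broken.group(2)})
            cert = None                       # report each failed renewal once
    return findings


if __name__ == "__main__":
    for f in find_import_breaks(SAMPLE_LOG):
        print(f"cert #{f['cert']['id']} ({f['cert']['name']}): {f['importer']} needs "
              f"{f['module']}.{f['missing']}, missing since {f['since']}")
```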
I also have the same issue, I've deleted and requested new certificates to bypass this
Didn't make any difference. I even installed a fresh host with docker and npm package, same issue and looks like certbot has an issue during build process so even rolling back doesn't fix it. Josepy 2.0 seems to be the issue, I try to manually build certbot to replicate the issue.
downgrading to 2.12.5 solved it for me for now.
proxy manager seems to use quite an old version of certbot v2.7.4, current version is v4.3.0
Seems there is a closed bug on certbot https://github.com/certbot/certbot/issues/10185
A quick fix for me was to pin josepy to a version <2.0
docker exec -it <npm-container> /opt/certbot/bin/pip install "josepy<2.0.0"
Hopefully, they will fix it in the next version.
A quick fix for me was to pin josepy to a version <2.0
docker exec -it <npm-container> /opt/certbot/bin/pip install "josepy<2.0.0"
Hopefully, they will fix it in the next version.
This worked for me as well as a quick fix.
@jc21 please look into it
docker exec -it <npm-container> /opt/certbot/bin/pip install "josepy<2.0.0"
Worked for me but when I added a new proxy host to NPM for a new domain, I got the same error again and I had to run that command again. Apparently, the josepy version got updated at some point but I don't know what triggered the update. So I'm assuming auto-update of the certs will fail because the josepy version will probably get updated again.
Is there a way to keep josepy from getting updated until this is fixed in the next version of NPM?
Temporarily, I'm using version 2.12.2 until fixed, this version has the josepy fixed at 1.14
Requirement already satisfied: josepy<2.0.0 in /opt/certbot/lib/python3.11/site-packages (1.14.0)
Not being able to go back because of db-migration issues, what else could I do?
A quick fix for me was to pin josepy to a version <2.0
docker exec -it <npm-container> /opt/certbot/bin/pip install "josepy<2.0.0"
Hopefully, they will fix it in the next version.
This works with the most current version also confirmed. Just find your container ID from "docker ps" and there you go. @michapixel no need to downgrade with that approach
This kinda seems to work. I have to delete all expired certificates then add them again :( Renewing still not working:
"The error was: expected /etc/letsencrypt/live/npm-{dd}/cert.pem to be a symlink"
proxy manager seems to use quite an old version of certbot v2.7.4, current version is v4.3.0
The certbot base image, built nightly, currently has certbot v5:
> docker run --rm -ti nginxproxymanager/nginx-full:certbot certbot --version
certbot 5.0.0
Latest / 2 / 2.12.6 has certbot 4.1.1:
> docker run --rm -ti --entrypoint= jc21/nginx-proxy-manager:latest certbot --version
certbot 4.1.1
@noismaster Not sure where you got v2.7.4 from.
I'm using the develop image, which has certbot 4.1.1 and forcing a renewal using my Cloudflare DNS works just fine. Is this problem only limited to ClouDNS?
Develop image, just built, has certbot 5 if you're brave enough to test it:
> docker run --rm -ti --entrypoint= nginxproxymanager/nginx-proxy-manager-dev:develop certbot --version
certbot 5.0.0
Jumping certbot versions can be tricky, most certbot plugins install the same version number as the certbot version number. Sometimes the plugins don't update their versions at the same time as certbot does, in which cases errors occur.
In the case of certbot-dns-cloudns it's set to 0.6.0 but the latest is 0.7.0
there's an update on this?
I am having the same issue. Tried to (bravely) upgrade to develop but that did not solve the issue for me. I reverted to latest image and used the fix to downgrade josepy to <2.0.0. Renew still does not work but deleting and requesting a new cert helps for now. I am using ClouDNS with DNS acme-challenge, too.
I also use ClouDNS, and with DNS challenge and the new version v2.13.1, it is still not working, still needed to pin josepy < 2.0.0.
A quick fix for me was to pin josepy to a version <2.0
docker exec -it <npm-container> /opt/certbot/bin/pip install "josepy<2.0.0"
Hopefully, they will fix it in the next version.
Thank you! This worked for me. I had to do some Googling, but I got it. I'm brand new to NGINX Proxy Manager (I'm switching from Caddy) and I LOVE it! Thank you @jc21
Hopefully it can be fixed soon. I don't want to have to manually renew certificates every 90 days. I too am using ClouDNS, for what it's worth.
Thanks again!
Instead of downgrading josepy using pip install "josepy<2.0.0", try upgrading certbot-dns-cloudns using pip install "certbot-dns-cloudns>=0.7.0".
Fix PR: #5087.
Fixed Docker image: nginxproxymanager/nginx-proxy-manager-dev:pr-5087