
Failing to request new Certificate

Open barneycatatau opened this issue 4 weeks ago • 25 comments

I'm using v2.13.5, and when I try to request a new certificate it fails with "Internal Error", as shown in the screenshot below.

Digging through the logs I was able to find the following:

```
2025-11-27 13:45:30,811:INFO:certbot._internal.auth_handler:Challenge failed for domain XXXXXXXXX.XXX
2025-11-27 13:45:30,811:INFO:certbot._internal.auth_handler:http-01 challenge for XXXXXXXXX.XXX
2025-11-27 13:45:30,812:DEBUG:certbot._internal.display.obj:Notifying user: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: XXXXXXXXX.XXX
  Type:   unauthorized
  Detail: 2606:4700:3031::6815:4fb: Invalid response from http://XXXXXXXXX.XXX/.well-known/acme-challenge/LWfTTjOgYmN2t0YMySRAeACf16n7SNn__qKoyTrWFaU: 522

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the >

2025-11-27 13:45:30,813:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 104, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 208, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-11-27 13:45:30,813:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-11-27 13:45:30,814:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-11-27 13:45:30,814:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/LWfTTjOgYmN2t0YMySRAeACf16n7SNn__qKoyTrWFaU
2025-11-27 13:45:30,814:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2025-11-27 13:45:30,815:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 7, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 18, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1850, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1562, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 526, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 427, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 505, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 104, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 208, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2025-11-27 13:45:30,816:ERROR:certbot._internal.log:Some challenges have failed.
```

Anyone else facing the same problem?

barneycatatau avatar Nov 27 '25 17:11 barneycatatau

I have the same issue.

Mavv3006 avatar Nov 27 '25 17:11 Mavv3006

> Detail: 2606:4700:3031::6815:4fb: Invalid response from http://xxxxxxxxx.xxx/.well-known/acme-challenge/LWfTTjOgYmN2t0YMySRAeACf16n7SNn__qKoyTrWFaU: 522

When you go to your external IP on port 80, does that work?

Assuming you never changed the default site, you should see the default site.

If you can't see that, then it's never going to be able to hit the well-known endpoint.

rderewianko avatar Nov 27 '25 22:11 rderewianko

I am getting the same exact error. I am also noticing the following error in the logs:

```
info Reloading Nginx
[11/28/2025] [3:02:15 PM] [Express ] › ⚠ warning Saving debug log to /data/logs/letsencrypt.log
Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt.log or re-run Certbot with -v for more details
```

The certificate appears, then gets deleted after a few seconds. I already have other certificates set up, but this has been happening lately. Any help is appreciated!

edd2980 avatar Nov 28 '25 15:11 edd2980

Same issue here.

YiepNet avatar Nov 28 '25 16:11 YiepNet

Same

anonymous951 avatar Nov 28 '25 18:11 anonymous951

Out of curiosity, are you all getting the errors when using DuckDNS, or are you using different providers?

edd2980 avatar Nov 28 '25 18:11 edd2980

> Out of curiosity, are you all getting the errors when using DuckDNS, or are you using different providers?

I'm getting errors with FreeDNS, Cloudflare and DuckDNS.

YiepNet avatar Nov 28 '25 19:11 YiepNet

> > Out of curiosity, are you all getting the errors when using DuckDNS, or are you using different providers?
>
> I'm getting errors with FreeDNS, Cloudflare and DuckDNS.

Yes, I'm using DuckDNS for Jellyfin, but I can't create a new SSL certificate; I'm getting the same error.

anonymous951 avatar Nov 28 '25 19:11 anonymous951

I seem to be unable to create an SSL cert using DuckDNS; using Cloudflare works just fine.

edd2980 avatar Nov 28 '25 19:11 edd2980

I get this error when uploading a custom certificate.

Mavv3006 avatar Nov 28 '25 20:11 Mavv3006

I get this error when trying to renew my cloudflare wildcard cert that was added via API. This is happening on both of my npm installs.

For shits and giggles, I spun up a brand new npm install and added a new API key for the Cloudflare cert; it grabbed it without the internal error.

So this is basically only happening on my older installs that have been upgraded multiple times via docker compose. The brand new install seemed to renew just fine...

preferencezilla avatar Nov 29 '25 14:11 preferencezilla

Just tried creating a test cert using DuckDNS again and still the same problem; using Cloudflare works straight away. I am starting to think the provider might be the issue. I was also thinking of starting to migrate all the certs to Cloudflare; DuckDNS is not that reliable at times either.

edd2980 avatar Nov 29 '25 22:11 edd2980

Can somebody try reproducing it from scratch (a new instance) and share the results and steps taken? Thanks.

7heMech avatar Nov 30 '25 18:11 7heMech

> Detail: 2606:4700:3031::6815:4fb: Invalid response from http://xxxxxxxxx.xxx/.well-known/acme-challenge/LWfTTjOgYmN2t0YMySRAeACf16n7SNn__qKoyTrWFaU: 522
>
> When you go to your external IP on port 80, does that work?
>
> Assuming you never changed the default site, you should see the default site.
>
> If you can't see that, then it's never going to be able to hit the well-known endpoint.

Not when you're using the DNS API to work around the lack of port 80 being open from most ISPs.

zpackrat avatar Nov 30 '25 21:11 zpackrat

> Can somebody try reproducing it from scratch (a new instance) and share the results and steps taken? Thanks.

Will try tomorrow if time allows it.

YiepNet avatar Nov 30 '25 21:11 YiepNet

After setting up a new instance, I now get an error that too many certificates (5) were issued in the last 160ish hours. So now I have to wait until tomorrow to try again, but the reality is it looks like it might be fixed by installing a fresh instance, and that the issued certs were from trying to update the expiring cert (actual expiration was tonight); not likely, as I previously got an auth error. This is the 2nd major issue with an update in the last 3-4 months; however, the last one allowed me to roll back, this one didn't. It seems more testing or less AI is needed before this gets pushed out. FWIW, TrueNAS Scale 24.10, official app store.

zpackrat avatar Nov 30 '25 22:11 zpackrat

Same issue.

vinhins avatar Dec 01 '25 10:12 vinhins

> Detail: 2606:4700:3031::6815:4fb: Invalid response from http://xxxxxxxxx.xxx/.well-known/acme-challenge/LWfTTjOgYmN2t0YMySRAeACf16n7SNn__qKoyTrWFaU: 522
>
> When you go to your external IP on port 80, does that work?
>
> Assuming you never changed the default site, you should see the default site.
>
> If you can't see that, then it's never going to be able to hit the well-known endpoint.

For me this is working; however, I cannot request an SSL certificate anymore.

varosengineer avatar Dec 01 '25 15:12 varosengineer

I solved it by clicking "Use DNS Challenge" and selecting DuckDNS as the DNS provider.

anonymous951 avatar Dec 01 '25 15:12 anonymous951

I had the same UI error: a general error saying "Internal Error" when creating a new Let's Encrypt SSL certificate using Cloudflare.

I noticed the latest version, v2.13.4, is using the user email, while version 2.10.4 (an older instance I have) was asking for the domain email in the same form. It seems the latest updates just use the user email without mentioning that on the form.

These logs show a dummy email from my user, which is invalid, but the UI message does not indicate the exact error reason; instead it shows "Internal Error". I thought there was

```
During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 7, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 18, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1850, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1544, in certonly
    le_client = _init_le_client(config, auth, installer)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 836, in _init_le_client
    acc, acme = _determine_account(config)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 757, in _determine_account
    raise errors.Error(
certbot.errors.Error: Unable to register an account with ACME server. The ACME server believes [email protected] is an invalid email address. Please ensure it is a valid email and attempt registration again.
2025-12-01 23:51:46,203:ERROR:certbot._internal.log:Unable to register an account with ACME server. The ACME server believes [email protected] is an invalid email address. Please ensure it is a valid email and attempt registration again.
```

samaphp avatar Dec 01 '25 21:12 samaphp

While certainly not optimal, deleting the container and its files and re-deploying NPM allowed me to pull a cert once the timeout from Let's Encrypt ended (too many completed cert requests that didn't get completed on the NPM side inside 7 days). Again, more testing for upgrades would be beneficial to all. Being without a valid cert is no bueno.

zpackrat avatar Dec 02 '25 01:12 zpackrat

Same issue here.

LunaLu-dev avatar Dec 02 '25 18:12 LunaLu-dev

For me the auto-renew also didn't work, but when I disable the "Force SSL" button in the certificates section, the renewal works.

carfanatic93 avatar Dec 08 '25 08:12 carfanatic93

> For me the auto-renew also didn't work, but when I disable the "Force SSL" button in the certificates section, the renewal works.

Wow, works here too. Don't know why, but at least I have enough time until 8th March for the next renewal.

  1. Disable "Force SSL" on the Proxy Host Section
  2. Renew Certificate on the Certificate Section
  3. Re-enable "Force SSL" on the Proxy Host
  4. Repeat this for each Host

Beware, remember all other SSL settings, because they may not keep their original state.

MikeTraceur avatar Dec 08 '25 08:12 MikeTraceur

> For me the auto-renew also didn't work, but when I disable the "Force SSL" button in the certificates section, the renewal works.

This also worked for me. None of the certs that were previously renewing worked until I disabled the Force SSL option.

mcnc-clovett avatar Dec 09 '25 20:12 mcnc-clovett