NginxProxyManager
SSL Certs Expiry Date Does Not Update with Each Renewal.
In admin page SSL Certificates when you create first cert the date is correct in future, but after a while the cert bot renew the cert automatically it does not update expiry date on that page. When renew the cert manually in logs it will say basically no need to renew yet, but then it updates the expiry date in admin panel. See screenshot of domains which looks like they are expired according to the admin panel, but the certs are actually ok.
https://snipboard.io/ysdMXG.jpg
This can sometimes happen if certbot fails to renew one of the many certs. Does the docker logs indicate that any of them failed? You can also manually check for failures by running
/usr/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
inside the docker container.
Thanks @jc21
Can't see any certs that say they have an error via the web page
Ran the command you suggested, but get an error. Appears there is a folder "/etc/letsencrypt", but no .ini file inside, just futher folders, "accounts", "archive", "csr" etc
docker exec nginxproxymanager_app_1 /usr/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: File not found: /etc/letsencrypt.ini
The manual should mention that a manual crontask is required. For me autorenewal did not work automatically running the docker-container.
Hope this helps anyone searching for the same issue.
What I discovered is that some old certs I had deleted from the web interface still resided on disk. NPM was still trying to renew them and throwing an error. As mentioned by @jc21 renewal errors can prevent the UI from updating.
I carefully deleted the zombie certs from:
/etc/letsencrypt/live/
and their corresponding .conf files from:
/etc/letsencrypt/renewal/
Restarted my container and the problem was resolved.
This raises another valid question: why doesn't deleting from the UI remove the cert from disk? But I don't plan to add/remove any certs in the near term so I'll save that rabbit hole for another day.
/etc/letsencrypt/live/
Thank you. Same problem for me. But how do you see which one is which?
I deleted any except the last 2 (the only ones i use now) but then nginx crashes and wants to load the other certs
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-37/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-37/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Stumbled upon this while evaluating other reverse proxies. It does indeed seem like the issue with the certificate not showing as renewed in the GUI (despite it renewing successfully) is when some other renewal error occurs. I switched domains, but when deleting the certificate in the GUI it does not actually delete the cert on disk, as mentioned above. Here is an easy way to fix it:
This will list all certificates, even if deleted in NPM GUI. Make note of the certificate name
certbot certificates
Then delete the certificate. This option will give you a list of certificates to choose from. Simply choose the certificate that you want deleted, from the number you took a note of above
certbot delete
Confirm you chose the right certificate. Restart the container. Expiration date updated successfully in GUI.
Issue is now considered stale. If you want to keep it open, please comment :+1:
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}