
SSL cert not updating

Open tactmaster opened this issue 2 years ago • 46 comments

Problem/Motivation

SSL certs not getting updated from Let's Encrypt

Expected behavior

Let's Encrypt SSL cert being automatically updated

Actual behavior

SSL certs not being updated. If you press renew, you get this error (image):

Steps to reproduce

image

Proposed changes

tactmaster avatar Feb 08 '23 07:02 tactmaster

I had the same issue today. It turned out that my Pi got a new IP address and my port forwarding pointed to the wrong one.

I had to log in to the Pi via SSH and open "/data/logs/letsencrypt/letsencrypt.log" inside the proxymanager docker container to find that the exact issue was:

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

SoulOfNoob avatar Feb 08 '23 16:02 SoulOfNoob

This is the error I got.

Some of the certs are renewing, some are not; it is odd.

  Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-2" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
[08/Feb/2023:21:15:18 +0100] - 200 200 - GET https aaa.bbb.com "/api/config" [Client 10.0.0.153] [Length 6152] [Gzip -] [Sent-to 192.168.1.75] "-" "-"
[2/8/2023] [9:15:19 PM] [Express  ] › ⚠  warning   Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-2" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation 
Another instance of Certbot is already running.

tactmaster avatar Feb 08 '23 20:02 tactmaster

Things I tried: resetting the database; uninstalling and restoring from backup.

Deleting the certificate and asking for it again from the UI worked.

tactmaster avatar Feb 15 '23 20:02 tactmaster

I'm getting the same "Internal Error" simply when trying to create a brand new SSL cert. I was also getting the error "Another instance of Certbot is already running". I just rebooted my system to get it to shut down all processes... as obviously there was a stuck Certbot instance. After a restart, I wasn't getting the same error... Now I am just getting "Some challenges have failed" from Let's Encrypt and it's unable to generate a new certificate for me. I'm at a loss. If I use Let's Encrypt via the DuckDNS add-on, it generates the SSL certs for me just fine and I am then able to reference them via NPM by adding them as "Custom" SSL certs. This works, but it's obviously not ideal because I then have to manually renew the certs anytime they come up for renewal.

eric10k93 avatar Mar 07 '23 08:03 eric10k93

DuckDNS add-on, it generates the SSL certs for me just fine and I am then able to reference them via NPM by adding them as "Custom" SSL certs. This works, but it's obviously not ideal because I then have to manually renew the certs anytime they come up for renewal.

Would you mind sharing your process? I have the DuckDNS add-on but I don't know where it stores the certs so I can add them as custom. My cert expired and I want to keep it going until it hopefully gets patched.

I may be digging myself into a bigger hole; I tried to add homeassistant.something.duckdns.org and ended up with ["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record "dns-01" found at _acme-challenge.homeassistant.something.duckdns.org","status":403}

I noticed in the DuckDNS documentation that the folder \ssl\ is supposed to contain the certificates, but they are dated December; I tried to just install those anyway and got an error about using those certificates, so I don't think those are the right ones.

EDIT: Problem in chair. Still not 100% sure what fixed it, but I opened up my firewall and reverted the port number for port 80 to port 80.

awdark avatar Mar 23 '23 22:03 awdark

Also experiencing this issue.

Addon Version: 0.12.3

Upon attempting to create or renew a cert:

[4/10/2023] [3:23:18 AM] [SSL      ] › ℹ  info      Testing http challenge for DOMAIN.REDACTED
Uncaught SyntaxError: Unexpected end of JSON input
FROM
2023/04/10 03:23:19 [error] 298#298: *3 upstream prematurely closed connection while reading response header from upstream, client: 10.10.0.4, server: nginxproxymanager, request: "GET /api/nginx/certificates/test-http?domains=%5B%22DOMAIN.REDACTED%22%5D HTTP/1.1", upstream: "http://127.0.0.1:3000/nginx/certificates/test-http?domains=%5B%22DOMAIN.REDACTED%22%5D", host: "10.10.0.200:81", referrer: "http://10.10.0.200:81/nginx/certificates"
[03:23:20] INFO: Nginx Proxy Manager stopped, restarting...
[03:23:20] INFO: Starting the Manager...

Following this crash and restart…

[4/10/2023] [3:23:34 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[4/10/2023] [3:23:39 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #2: DOMAIN.REDACTED
[4/10/2023] [3:23:39 AM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-2" --agree-tos --authenticator webroot --email "EMAIL@REDACTED" --preferred-challenges "dns,http" --domains "DOMAIN.REDACTED" 
[4/10/2023] [3:23:44 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[4/10/2023] [3:23:44 AM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-2" --agree-tos --authenticator webroot --email "EMAIL@REDACTED" --preferred-challenges "dns,http" --domains "DOMAIN.REDACTED" 
Another instance of Certbot is already running.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-j7u3fnai/log or re-run Certbot with -v for more details.
[4/10/2023] [3:24:05 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:400:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1093:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

After this point all attempted Let's Encrypt operations continue to fail.

TerrorBite avatar Apr 09 '23 17:04 TerrorBite

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

github-actions[bot] avatar May 10 '23 08:05 github-actions[bot]

It is still a problem.

edmundwatson avatar May 16 '23 16:05 edmundwatson

I believe that's more of an upstream issue, cf https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2881

fgibaux avatar Jun 02 '23 20:06 fgibaux

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

github-actions[bot] avatar Jul 03 '23 08:07 github-actions[bot]

Absolutely not stale

SiriosDev avatar Jul 03 '23 23:07 SiriosDev

Do you run a firewall?
It seems like some zone protection or other filters may block these requests. Strangely, they didn't show up in the logs as far as I could tell, but running with everything on alert made it work smoothly.

awdark avatar Jul 04 '23 02:07 awdark

Same issue here, but deleting and trying to reissue causes more problems. I should have let them expire on their own; lost a month now...

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-12" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "rondemealie.duckdns.org" 
Another instance of Certbot is already running.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-kuhouk5g/log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:400:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1093:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

Scags104 avatar Jul 24 '23 15:07 Scags104

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

github-actions[bot] avatar Aug 24 '23 08:08 github-actions[bot]

Still a problem

Scags104 avatar Aug 24 '23 10:08 Scags104

Just had the same issue. For me the issue was a misconfiguration in the router: port 80 was not forwarded/open.

Certmanager uses port 80 to execute the HTTP check. Make sure it is open and forwarding to the correct machine.

geigervlad avatar Aug 27 '23 18:08 geigervlad

Just had the same issue. For me the issue was a misconfiguration in the router: port 80 was not forwarded/open.

Certmanager uses port 80 to execute the HTTP check. Make sure it is open and forwarding to the correct machine.

This issue talks about problems when enabling forcing on HTTPS; the problem is that HTTP verification is also being forced onto 443, sending the whole thing into error.

SiriosDev avatar Aug 27 '23 18:08 SiriosDev

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

github-actions[bot] avatar Sep 27 '23 08:09 github-actions[bot]

Still an issue.

Scags104 avatar Sep 27 '23 12:09 Scags104

I have the same issue

sulazix avatar Sep 29 '23 06:09 sulazix

I feel kinda dumb coming back to this after all this time having issues... but I think I figured out my problem... I've been using this with a DuckDNS domain and it appears it needs a DNS challenge... the DuckDNS addon for HA handles the challenge with the supplied token, which is why I never saw any issues with that addon getting a valid cert. Basically, the problem boils down to there being poor documentation for both the DuckDNS addon and this NPM addon. It was never clear to me that I NEEDED to do the DNS challenge... but it seems obvious now. Basically, I stopped using the DuckDNS addon... I no longer use a custom cert in NPM. Just have NPM create and manage the certs and use the appropriate DNS challenge for your DDNS provider. This appears to be working fine for me this way. Time will tell if the certs update properly when needed, but they should now that they have the appropriate token.

eric10k93 avatar Oct 04 '23 20:10 eric10k93

I feel kinda dumb coming back to this after all this time having issues... but I think I figured out my problem... I've been using this with a DuckDNS domain and it appears it needs a DNS challenge... the DuckDNS addon for HA handles the challenge with the supplied token, which is why I never saw any issues with that addon getting a valid cert. Basically, the problem boils down to there being poor documentation for both the DuckDNS addon and this NPM addon. It was never clear to me that I NEEDED to do the DNS challenge... but it seems obvious now. Basically, I stopped using the DuckDNS addon... I no longer use a custom cert in NPM. Just have NPM create and manage the certs and use the appropriate DNS challenge for your DDNS provider. This appears to be working fine for me this way. Time will tell if the certs update properly when needed, but they should now that they have the appropriate token.

I just tried this. Disabled DuckDNS, NPM began working when forcing a challenge and using my DuckDNS token. All seems to be OK for the moment!

Thanks for this

Scags104 avatar Oct 05 '23 13:10 Scags104

This issue talks about problems when enabling forcing on HTTPS; the problem is that HTTP verification is also being forced onto 443, sending the whole thing into error.

Had same Internal Error issue. Turned off the force SSL and renewal worked.

jeffn2001 avatar Oct 10 '23 01:10 jeffn2001

Still an issue with Route53 DNS challenge.

dubhunter avatar Oct 12 '23 22:10 dubhunter

Just had the same issue. For me the issue was a misconfiguration in the router: port 80 was not forwarded/open.

Certmanager uses port 80 to execute the HTTP check. Make sure it is open and forwarding to the correct machine.

This helped me too ... It appears that on the WAN interface it has to be port 80 to work properly.

oopiicaa avatar Oct 25 '23 18:10 oopiicaa

I came across this while troubleshooting my own certificate issues. A couple things that resolved mine:

  1. "Another instance of Certbot is already running" - This probably means you're trying to use something else to update your certs. For me, that was my DuckDNS add-on like mentioned above. Stopping that resolved that specific error for me.

  2. If you're trying to do a DNS challenge in order to avoid port forwarding from your firewall, you may need to dig into logs more:

I had to log in to the Pi via SSH and open "/data/logs/letsencrypt/letsencrypt.log" inside the proxymanager docker container to find the exact issue

The errors in my log weren't particularly helpful, but it listed the certbot-dns-duckdns plugin being used for my DNS Challenge type. Checking the version of that (installed by pip) showed me that the package was super outdated. Updating that package resolved my issue.

My certbot itself is also outdated, but I didn't need to update it in order to resolve my issue. Should any of these packages be getting updates during the addon updates?

mathwizmf2009 avatar Oct 25 '23 20:10 mathwizmf2009
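The failures in this thread (certbot lock held by another client, port 80 not forwarded, Force SSL redirecting the challenge, a bad DNS-01 TXT record) all surface as distinct strings in the add-on log. The triage helper below is an added example, not code from the add-on or from Nginx Proxy Manager: it parses the "Command failed: certbot ..." lines in the log format shown above, pairs each failed command with the error lines that follow it, and maps those to the causes the reporters in this thread identified. The sample log text is constructed from redacted lines in the thread.

```python
import re
from dataclasses import dataclass, field

# Error signatures quoted in this thread, mapped to the cause reporters found.
SIGNATURES = [
    ("Another instance of Certbot is already running",
     "certbot lock held: another ACME client (e.g. the DuckDNS add-on) or a stuck certbot process"),
    ("failed to download the temporary challenge files",
     "HTTP-01 webroot unreachable from the internet: port 80 not forwarded to this host"),
    ("Some challenges have failed",
     "challenge unreachable: port 80 closed, or Force SSL redirecting the challenge to 443"),
    ("Incorrect TXT record",
     "DNS-01 failed: wrong provider token or outdated DNS plugin (e.g. certbot-dns-duckdns)"),
]

# NPM logs the whole certbot invocation when it fails; quoted flags carry the cert name.
COMMAND_RE = re.compile(r"Command failed: certbot (?P<args>.*)$")
FLAG_RE = re.compile(r'--(?P<key>[\w-]+) "(?P<val>[^"]*)"')
RENEW_FAIL_RE = re.compile(r"Failed to renew certificate (?P<name>\S+) with error")

@dataclass
class Finding:
    cert_name: str
    challenges: str
    causes: list = field(default_factory=list)

def triage(log_text):
    """Return one Finding per failed certbot command, with probable causes."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = COMMAND_RE.search(line)
        if m:  # a new failed command starts a new finding
            flags = dict(FLAG_RE.findall(m.group("args")))
            current = Finding(flags.get("cert-name", "?"), flags.get("preferred-challenges", "?"))
            findings.append(current)
            continue
        if current is None:
            continue
        r = RENEW_FAIL_RE.search(line)
        if r and current.cert_name == "?":  # 'certbot renew' names the cert only in the failure line
            current.cert_name = r.group("name")
        for needle, cause in SIGNATURES:
            if needle in line and cause not in current.causes:
                current.causes.append(cause)
    return findings

# Constructed sample, based on redacted lines from this thread.
SAMPLE = """[4/10/2023] [3:23:44 AM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-2" --agree-tos --authenticator webroot --email "EMAIL@REDACTED" --preferred-challenges "dns,http" --domains "DOMAIN.REDACTED"
Another instance of Certbot is already running.
[4/10/2023] [3:24:05 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-1 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.cert_name, f.challenges, f.causes)
```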

https://github.com/hassio-addons/addon-nginx-proxy-manager/issues/462

For me, I can manually update fine. What does NOT work is auto-update.

dubhunter avatar Nov 03 '23 20:11 dubhunter

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

github-actions[bot] avatar Dec 04 '23 08:12 github-actions[bot]

Any help here?

dubhunter avatar Dec 04 '23 09:12 dubhunter

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

github-actions[bot] avatar Jan 05 '24 08:01 github-actions[bot]