Does not renew certificate and does not appear proxy when clicking #1270

Open
talesam opened this issue Jul 28, 2021 · 16 comments
talesam commented Jul 28, 2021

Version 2.9.6

1 - After logging in, if I click on the 13 Proxy Hosts link, nothing happens.
2 - When I try to renew any certificate, I get an error.
3 - Ports 80 and 443 are open on my firewall
4 - When I run some function, delete an SSL, disable a proxy, it doesn't update, I have to press F5 to see the change.
5 - It's very buggy, after I delete an SSL, it doesn't update, if I update (F5), add everything and when I click on the SSL Certificates link, nothing opens, I have to log off and log in again to appear.

This version is well buggy.

Which versions are available? How do I use a previous version?


Logs
Attaching to nginxproxymanager_app_1, nginxproxymanager_db_1
db_1   | [i] pre-init.d - processing /scripts/pre-init.d/01_secret-init.sh
db_1   | [i] mysqld not found, creating....
db_1   | [i] MySQL directory already present, skipping creation
db_1   | 2021-07-28 16:06:22 0 [Note] /usr/bin/mysqld (mysqld 10.4.15-MariaDB) starting as process 1 ...
db_1   | 2021-07-28 16:06:22 0 [Note] Plugin 'InnoDB' is disabled.
db_1   | 2021-07-28 16:06:22 0 [Note] Plugin 'FEEDBACK' is disabled.
db_1   | 2021-07-28 16:06:22 0 [Note] Server socket created on IP: '::'.
db_1   | 2021-07-28 16:06:22 0 [Warning] 'user' entry '@5e0f82917f27' ignored in --skip-name-resolve mode.
db_1   | 2021-07-28 16:06:22 0 [Warning] 'proxies_priv' entry '@% root@5e0f82917f27' ignored in --skip-name-resolve mode.
db_1   | 2021-07-28 16:06:22 0 [Note] Reading of all Master_info entries succeeded
db_1   | 2021-07-28 16:06:22 0 [Note] Added new Master_info '' to hash table
db_1   | 2021-07-28 16:06:22 0 [Note] /usr/bin/mysqld: ready for connections.
db_1   | Version: '10.4.15-MariaDB'  socket: '/run/mysqld/mysqld.sock'  port: 3306  MariaDB Server
app_1  | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
app_1  | [s6-init] ensuring user provided files have correct perms...exited 0.
app_1  | [fix-attrs.d] applying ownership & permissions fixes...
app_1  | [fix-attrs.d] done.
app_1  | [cont-init.d] executing container initialization scripts...
app_1  | [cont-init.d] 01_perms.sh: executing... 
app_1  | Changing ownership of /data/logs to 0:0
app_1  | [cont-init.d] 01_perms.sh: exited 0.
app_1  | [cont-init.d] 01_s6-secret-init.sh: executing... 
app_1  | [cont-init.d] 01_s6-secret-init.sh: exited 0.
app_1  | [cont-init.d] done.
app_1  | [services.d] starting services
app_1  | [services.d] done.
app_1  | ❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
app_1  |   ❯ /etc/nginx/conf.d/include/block-exploits.conf
app_1  |   ❯ /etc/nginx/conf.d/include/ip_ranges.conf
app_1  |   ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
app_1  |   ❯ /etc/nginx/conf.d/include/force-ssl.conf
app_1  |   ❯ /etc/nginx/conf.d/include/assets.conf
app_1  |   ❯ /etc/nginx/conf.d/include/proxy.conf
app_1  |   ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
app_1  |   ❯ /etc/nginx/conf.d/include/resolvers.conf
app_1  |   ❯ /etc/nginx/conf.d/default.conf
app_1  |   ❯ /etc/nginx/conf.d/production.conf
app_1  | ❯ Enabling IPV6 in hosts: /data/nginx
app_1  |   ❯ /data/nginx/proxy_host/14.conf
app_1  |   ❯ /data/nginx/proxy_host/27.conf
app_1  |   ❯ /data/nginx/proxy_host/26.conf
app_1  |   ❯ /data/nginx/proxy_host/19.conf
app_1  |   ❯ /data/nginx/proxy_host/17.conf
app_1  |   ❯ /data/nginx/proxy_host/25.conf
app_1  |   ❯ /data/nginx/proxy_host/15.conf
app_1  |   ❯ /data/nginx/proxy_host/20.conf
app_1  | [7/28/2021] [4:06:23 PM] [Global   ] › ℹ  info      Generating MySQL db configuration from environment variables
app_1  | [7/28/2021] [4:06:23 PM] [Global   ] › ℹ  info      Wrote db configuration to config file: ./config/production.json
app_1  | [7/28/2021] [4:06:23 PM] [Migrate  ] › ℹ  info      Current database version: 20210210154703
app_1  | [7/28/2021] [4:06:24 PM] [Setup    ] › ℹ  info      Creating a new JWT key pair...
app_1  | [7/28/2021] [4:06:26 PM] [Setup    ] › ℹ  info      Wrote JWT key pair to config file: /app/config/production.json
app_1  | [7/28/2021] [4:06:26 PM] [Setup    ] › ℹ  info      Logrotate Timer initialized
app_1  | [7/28/2021] [4:06:26 PM] [Setup    ] › ℹ  info      Logrotate completed.
app_1  | [7/28/2021] [4:06:26 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
app_1  | [7/28/2021] [4:06:26 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
app_1  | [7/28/2021] [4:06:26 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
app_1  | [7/28/2021] [4:06:26 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
app_1  | [7/28/2021] [4:06:27 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
app_1  | [7/28/2021] [4:06:27 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
app_1  | [7/28/2021] [4:06:27 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
app_1  | [7/28/2021] [4:06:27 PM] [Global   ] › ℹ  info      Backend PID 229 listening on port 3000 ...
app_1  | `QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
app_1  | `QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
app_1  | QueryBuilder#omit is deprecated. This method will be removed in version 3.0
app_1  | [7/28/2021] [4:06:50 PM] [Express  ] › ⚠  warning   invalid signature
app_1  | [7/28/2021] [4:07:03 PM] [Express  ] › ⚠  warning   invalid signature
app_1  | Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
app_1  | [7/28/2021] [4:07:46 PM] [Nginx    ] › ℹ  info      Reloading Nginx
app_1  | [7/28/2021] [4:08:05 PM] [Nginx    ] › ℹ  info      Reloading Nginx
app_1  | [7/28/2021] [4:09:25 PM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
app_1  | Failed to renew certificate npm-11 with error: Some challenges have failed.
app_1  | Failed to renew certificate npm-18 with error: Some challenges have failed.
app_1  | Failed to renew certificate npm-37 with error: Some challenges have failed.
app_1  | Failed to renew certificate npm-38 with error: Some challenges have failed.
app_1  | All renewals failed. The following certificates could not be renewed:
app_1  |   /etc/letsencrypt/live/npm-11/fullchain.pem (failure)
app_1  |   /etc/letsencrypt/live/npm-18/fullchain.pem (failure)
app_1  |   /etc/letsencrypt/live/npm-37/fullchain.pem (failure)
app_1  |   /etc/letsencrypt/live/npm-38/fullchain.pem (failure)
app_1  | 4 renew failure(s), 0 parse failure(s)
app_1  | 
app_1  |     at ChildProcess.exithandler (node:child_process:326:12)
app_1  |     at ChildProcess.emit (node:events:369:20)
app_1  |     at maybeClose (node:internal/child_process:1067:16)
app_1  |     at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
app_1  | [7/28/2021] [4:10:49 PM] [Nginx    ] › ℹ  info      Reloading Nginx
app_1  | [7/28/2021] [4:10:49 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #45: domain-redacted.com
app_1  | [7/28/2021] [4:10:49 PM] [SSL      ] › ℹ  info      Command: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-45" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "domain-redacted.com" 
app_1  | [7/28/2021] [4:10:53 PM] [SSL      ] › ✔  success   Requesting a certificate for domain-redacted.com
app_1  | 
app_1  | Successfully received certificate.
app_1  | Certificate is saved at: /etc/letsencrypt/live/npm-45/fullchain.pem
app_1  | Key is saved at:         /etc/letsencrypt/live/npm-45/privkey.pem
app_1  | This certificate expires on 2021-10-26.
app_1  | These files will be updated when the certificate renews.
app_1  | 
app_1  | NEXT STEPS:
app_1  | - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
app_1  | 
app_1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
app_1  | If you like Certbot, please consider supporting our work by:
app_1  |  * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
app_1  |  * Donating to EFF:                    https://eff.org/donate-le
app_1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
app_1  | [7/28/2021] [4:10:53 PM] [Nginx    ] › ℹ  info      Reloading Nginx
app_1  | [7/28/2021] [4:10:53 PM] [Nginx    ] › ℹ  info      Reloading Nginx
app_1  | [7/28/2021] [4:11:02 PM] [Nginx    ] › ℹ  info      Reloading Nginx
@chaptergy
Collaborator

chaptergy commented Jul 28, 2021

Please try what is in section NPM admin page is staying blank or behaving weirdly in issue #1271 and see if anything changes. It would also be useful to see if any errors show up in the logs of npm. How to get them is also described in the previously mentioned issue.

If you would just like to go back to an older version of NPM this is possible by utilizing the docker image tags. Just change jc21/nginx-proxy-manager:latest to jc21/nginx-proxy-manager:2.9.5 or any other previous version you would like to use. The available releases are listed on GitHub and on DockerHub, though the latter also contains lots of versions for a specific pull request, which should not be used for production.

Edit: I have transferred your logs from the other issue to here. Could you tell me if you use the DNS challenge for any of your certificates? Or are they all just http challenge?

@talesam
Author

talesam commented Jul 28, 2021

I noticed something. If I use IP:81 NPM works fine, but I can't renew the certificate, but if I was using it as I was using it, an npm.mydomin domain doesn't work correctly.

I didn't quite understand what you meant by that...
"Edit: I have transferred your logs from the other issue to here. Could you tell me if you use the DNS challenge for any of your certificates? Or are they all just http challenge?"

app_1  | [7/28/2021] [5:50:55 PM] [Global   ] › ℹ  info      Generating MySQL db configuration from environment variables
app_1  | [7/28/2021] [5:50:55 PM] [Global   ] › ℹ  info      Wrote db configuration to config file: ./config/production.json
app_1  | [7/28/2021] [5:50:56 PM] [Migrate  ] › ℹ  info      Current database version: 20210210154703
app_1  | [7/28/2021] [5:50:56 PM] [Setup    ] › ℹ  info      Creating a new JWT key pair...
app_1  | [7/28/2021] [5:51:02 PM] [Setup    ] › ℹ  info      Wrote JWT key pair to config file: /app/config/production.json
app_1  | [7/28/2021] [5:51:02 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
app_1  | [7/28/2021] [5:51:02 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
app_1  | [7/28/2021] [5:51:02 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
app_1  | [7/28/2021] [5:51:02 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
app_1  | [7/28/2021] [5:51:02 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
app_1  | [7/28/2021] [5:51:02 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
app_1  | [7/28/2021] [5:51:02 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
app_1  | [7/28/2021] [5:51:02 PM] [Global   ] › ℹ  info      Backend PID 224 listening on port 3000 ...
app_1  | [7/28/2021] [5:51:03 PM] [Express  ] › ⚠  warning   invalid signature
app_1  | [7/28/2021] [5:51:08 PM] [Express  ] › ⚠  warning   invalid signature
app_1  | [7/28/2021] [5:51:10 PM] [Express  ] › ⚠  warning   invalid signature
app_1  | [7/28/2021] [5:51:40 PM] [Express  ] › ⚠  warning   invalid signature
app_1  | `QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
app_1  | `QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
app_1  | QueryBuilder#omit is deprecated. This method will be removed in version 3.0
app_1  | [7/28/2021] [5:52:11 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #18: mautic.t4l35.site
app_1  | [7/28/2021] [5:52:11 PM] [Express  ] › ⚠  warning   Command failed: /opt/certbot/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-18" --preferred-challenges "dns,http" --disable-hook-validation 
app_1  | Another instance of Certbot is already running.
app_1  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmpmsoqf9ob/log or re-run Certbot with -v for more details.
app_1  | 
app_1  | [7/28/2021] [5:53:39 PM] [SSL      ] › ✖  error     Error: Command failed: /opt/certbot/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
app_1  | Failed to renew certificate npm-11 with error: Some challenges have failed.
app_1  | Failed to renew certificate npm-18 with error: Some challenges have failed.
app_1  | Failed to renew certificate npm-37 with error: Some challenges have failed.
app_1  | Failed to renew certificate npm-38 with error: Some challenges have failed.
app_1  | All renewals failed. The following certificates could not be renewed:
app_1  |   /etc/letsencrypt/live/npm-11/fullchain.pem (failure)
app_1  |   /etc/letsencrypt/live/npm-18/fullchain.pem (failure)
app_1  |   /etc/letsencrypt/live/npm-37/fullchain.pem (failure)
app_1  |   /etc/letsencrypt/live/npm-38/fullchain.pem (failure)
app_1  | 4 renew failure(s), 0 parse failure(s)
app_1  | 
app_1  |     at ChildProcess.exithandler (node:child_process:326:12)
app_1  |     at ChildProcess.emit (node:events:369:20)
app_1  |     at maybeClose (node:internal/child_process:1067:16)
app_1  |     at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
app_1  | [7/28/2021] [5:54:34 PM] [Express  ] › ⚠  warning   invalid signature
app_1  | [7/28/2021] [6:05:17 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #38: smith.t4l35.pp.ua
app_1  | [7/28/2021] [6:10:35 PM] [Express  ] › ⚠  warning   Command failed: /opt/certbot/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-38" --preferred-challenges "dns,http" --disable-hook-validation 
app_1  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
app_1  | Failed to renew certificate npm-38 with error: Some challenges have failed.
app_1  | All renewals failed. The following certificates could not be renewed:
app_1  |   /etc/letsencrypt/live/npm-38/fullchain.pem (failure)
app_1  | 1 renew failure(s), 0 parse failure(s)
app_1  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
app_1  | 
db_1   | [i] pre-init.d - processing /scripts/pre-init.d/01_secret-init.sh
db_1   | [i] mysqld not found, creating....
db_1   | [i] MySQL directory already present, skipping creation
db_1   | 2021-07-28 17:50:55 0 [Note] /usr/bin/mysqld (mysqld 10.4.15-MariaDB) starting as process 1 ...
db_1   | 2021-07-28 17:50:55 0 [Note] Plugin 'InnoDB' is disabled.
db_1   | 2021-07-28 17:50:55 0 [Note] Plugin 'FEEDBACK' is disabled.
db_1   | 2021-07-28 17:50:55 0 [Note] Server socket created on IP: '::'.
db_1   | 2021-07-28 17:50:55 0 [Warning] 'user' entry '@5e0f82917f27' ignored in --skip-name-resolve mode.
db_1   | 2021-07-28 17:50:55 0 [Warning] 'proxies_priv' entry '@% root@5e0f82917f27' ignored in --skip-name-resolve mode.
db_1   | 2021-07-28 17:50:55 0 [Note] Reading of all Master_info entries succeeded
db_1   | 2021-07-28 17:50:55 0 [Note] Added new Master_info '' to hash table
db_1   | 2021-07-28 17:50:55 0 [Note] /usr/bin/mysqld: ready for connections.
db_1   | Version: '10.4.15-MariaDB'  socket: '/run/mysqld/mysqld.sock'  port: 3306  MariaDB Server

I ordered it renewed and it won't.
It gets stuck on this screen. I can press close and it doesn't close; it freezes the screen.


@chaptergy
Collaborator

When creating an SSL certificate there is a toggle enabling the dns challenge.
Was this enabled for the certificate you have or not?

@talesam
Author

talesam commented Jul 28, 2021

I never used this option.

@chaptergy
Collaborator

Hm, the letsencrypt logs would be useful. Please execute docker exec <container-name> cat /var/log/letsencrypt/letsencrypt.log and post your results.

@talesam
Author

talesam commented Jul 28, 2021

2021-07-28 18:21:49,027:DEBUG:certbot._internal.main:certbot version: 1.16.0
2021-07-28 18:21:49,028:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2021-07-28 18:21:49,028:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--config', '/etc/letsencrypt.ini', '--cert-name', 'npm-38', '--preferred-challenges', 'dns,http', '--disable-hook-validation']
2021-07-28 18:21:49,028:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-07-28 18:21:49,042:DEBUG:certbot._internal.log:Root logging level set at 30
2021-07-28 18:21:49,044:DEBUG:certbot.display.util:Notifying user: Processing /etc/letsencrypt/renewal/npm-38.conf
2021-07-28 18:21:49,062:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer <certbot._internal.cli.cli_utils._Default object at 0x7fc5aae255c0>
2021-07-28 18:21:49,062:DEBUG:certbot._internal.cli:Var pref_challs=dns,http (set by user).
2021-07-28 18:21:49,062:DEBUG:certbot._internal.cli:Var authenticator=webroot (set by user).
2021-07-28 18:21:49,062:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user).
2021-07-28 18:21:49,062:DEBUG:certbot._internal.cli:Var webroot_map={'webroot_path'} (set by user).
2021-07-28 18:21:49,062:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user).
2021-07-28 18:21:49,160:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2021-07-28 18:21:49,189:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2021-07-28 18:21:49,190:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/npm-38/cert1.pem is signed by the certificate's issuer.
2021-07-28 18:21:49,193:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/npm-38/cert1.pem is: OCSPCertStatus.GOOD
2021-07-28 18:21:49,196:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2021-08-02 00:37:50 UTC.
2021-07-28 18:21:49,196:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2021-07-28 18:21:49,196:INFO:certbot._internal.renewal:Non-interactive renewal: random delay of 72.01332313559588 seconds

@apainter2

Renewing a wildcard certificate also fails here; issued via the Cloudflare API DNS Challenge, it fails with a mixture of errors:

Internal Error or timeout.

The docker logs are:

[7/29/2021] [10:31:15 AM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates via Cloudflare for Cert #5: *.sanjiyan.co.uk, sanjiyan.co.uk
[7/29/2021] [10:31:15 AM] [SSL      ] › ℹ  info      Command: certbot renew --non-interactive --cert-name "npm-5" --disable-hook-validation

The letsencrypt logs are:

[root@docker-db38fb7fc84e:/app]# cat /var/log/letsencrypt/letsencrypt.log
2021-07-29 10:31:16,335:DEBUG:certbot._internal.main:certbot version: 1.17.0
2021-07-29 10:31:16,335:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2021-07-29 10:31:16,335:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--cert-name', 'npm-5', '--disable-hook-validation']
2021-07-29 10:31:16,335:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-07-29 10:31:16,347:DEBUG:certbot._internal.log:Root logging level set at 30
2021-07-29 10:31:16,347:DEBUG:certbot.display.util:Notifying user: Processing /etc/letsencrypt/renewal/npm-5.conf
2021-07-29 10:31:16,362:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f4f55d37748> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f4f55d37748>
2021-07-29 10:31:16,379:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2021-07-29 10:31:16,396:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2021-07-29 10:31:16,398:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/npm-5/cert1.pem is signed by the certificate's issuer.
2021-07-29 10:31:16,400:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/npm-5/cert1.pem is: OCSPCertStatus.GOOD
2021-07-29 10:31:16,402:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2021-08-13 19:55:46 UTC.
2021-07-29 10:31:16,402:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2021-07-29 10:31:16,403:INFO:certbot._internal.renewal:Non-interactive renewal: random delay of 432.36879853767095 seconds

I have also tried using a normal LE certificate, but when issuing it errors out with the same types of errors, but now includes DNS Challenge errors (error logs below).

[7/29/2021] [10:29:26 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[7/29/2021] [10:29:26 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #7: npm.sanjiyan.com
[7/29/2021] [10:29:26 AM] [SSL      ] › ℹ  info      Command: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-7" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "npm.sanjiyan.com" 
[7/29/2021] [10:29:29 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[7/29/2021] [10:29:29 AM] [Express  ] › ⚠  warning   Command failed: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-7" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "npm.sanjiyan.com" 

Saving debug log to /var/log/letsencrypt/letsencrypt.log

I also have to log into the container and kill the certbot process after each attempt to renew, as it never terminates itself.

I am running NPM version 2.9.6

Never had these problems previously, only with 2.9.x

@chaptergy
Collaborator

Hm, both of your logs seem to not really show anything unusual, so I'm really not sure what the problem could be. Are there more logs which actually show some error? Maybe the file /var/log/letsencrypt/letsencrypt.log.1 or higher numbers?

@JakeAi

JakeAi commented Jul 29, 2021

I went to add a new proxy to my NPM earlier today and found that both of my NPM instances haven't renewed certs in over a month.

@chaptergy
Collaborator

chaptergy commented Jul 29, 2021

Certbot only renews the certificate if it expires within 30 days. LetsEncrypt certificates are valid for 90 days, so a certificate should only be renewed every two months. So a certificate having been renewed over a month ago is totally normal.
Additionally the email you entered when issuing the certificate will receive an email if your certificate expires in 2 weeks (I think) and hasn't been renewed yet.

There is also a bug where the displayed renewal date is not updated in the admin panel when one of the certificate renewals failed, while all other certificates are actually renewed correctly. But as v3 is currently the priority and it switches to acme.sh, this will most likely not be fixed in v2.

@bbrendon

For me, when I click on "renew" on a certificate, it says "Please wait..." and after a few minutes the GUI says "timeout".

The app log says

app_1  | [8/22/2021] [9:09:37 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #9: x.x.net
app_1  | [8/22/2021] [9:09:37 PM] [SSL      ] › ℹ  info      Command: certbot renew --force-renewal --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-9" --preferred-challenges "dns,http" --disable-hook-validation

Also, the GUI was broken except for being able to log in but I fixed that by clearing the browser cache.

@centralhardware

centralhardware commented Nov 26, 2021

Any updates? From the docker image I would expect the main functionality to work.

@chaptergy
Collaborator

No, no updates since there is not enough information on what the problem could be.

@bbrendon

The problem magically vanished from my installation. It seems the error provided is too vague to effectively troubleshoot.

@centralhardware

centralhardware commented Dec 5, 2021

As it turned out, my problems were related to the closed port 80, but I noticed that the certificate update process does not exit after the update failed. I think this is due to the fact that the users above received an error "certbot instance already running".
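
Added example, not part of the original thread or of Nginx Proxy Manager: a small triage script that separates the two failure modes reported above, failed challenges and a renewal refused because certbot was already running. The sample log is constructed from the line formats quoted in this issue, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage certbot renewal output from an NPM container log.
# In practice the input would come from `docker logs <container-name>`;
# here a constructed sample is embedded so the script runs offline.

# Constructed sample, modelled on the log lines quoted in this thread.
sample_log() {
cat <<'EOF'
app_1  | Another instance of Certbot is already running.
app_1  | Failed to renew certificate npm-11 with error: Some challenges have failed.
app_1  | Failed to renew certificate npm-38 with error: Some challenges have failed.
app_1  | 2 renew failure(s), 0 parse failure(s)
app_1  | Failed to renew certificate npm-38 with error: Some challenges have failed.
app_1  | 1 renew failure(s), 0 parse failure(s)
EOF
}

# Print each certificate name whose renewal failed, once, sorted.
failed_certs() {
  LC_ALL=C sed -n 's/.*Failed to renew certificate \([^ ]*\) with error:.*/\1/p' |
    LC_ALL=C sort -u
}

# Print how many renewal attempts were refused by certbot's lock.
# grep -c prints 0 and exits 1 when nothing matches, hence the "|| true".
lock_conflicts() {
  LC_ALL=C grep -c 'Another instance of Certbot is already running' || true
}

# Read a log on stdin and print one line per failure mode found.
triage() {
  log=$(cat)
  locks=$(printf '%s\n' "$log" | lock_conflicts)
  certs=$(printf '%s\n' "$log" | failed_certs | tr '\n' ' ')
  certs=${certs% }

  if [ "$locks" -gt 0 ]; then
    # A renewal was started while another certbot process still held the lock.
    echo "lock: $locks attempt(s) refused, a certbot process was still running"
  fi
  if [ -n "$certs" ]; then
    # Challenge failures: check that port 80 reaches the proxy from outside.
    echo "challenge: $certs failed validation"
  fi
  if [ "$locks" -eq 0 ] && [ -z "$certs" ]; then
    echo "ok: no renewal failures found"
  fi
  return 0
}

sample_log | triage
```

A lock line means the attempt never reached validation, so it says nothing about whether the challenge itself would pass; clear the stuck process and retry before investigating port 80.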


github-actions bot commented Mar 7, 2024

Issue is now considered stale. If you want to keep it open, please comment 👍

@github-actions github-actions bot added the stale label Mar 7, 2024