Internal error on SSL certificates when force SSL is active #1625
Comments
Please provide us with the full letsencrypt logs. See #1271 (comment) |
It's not the full log, but it contains the proof that it failed to access the file needed to do the verification.
|
Are you using Cloudflare? Does the same error occur if you disable Cloudflare? |
No, there is no Cloudflare. |
Hello, I get this if I try to make a new certificate for my nginx proxy manager proxy host: Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-14" --agree-tos --authenticator webroot --email "" --preferred-challenges "dns,http" --domains ""
Can someone help me? |
Hi, Same here, but not just when force SSL is active but all the time. Can't generate nor renew SSL certificates. Any help will be gratefully thanked.
|
I don't believe that force SSL is pushing /well-known/acme-challenge to SSL. I'm able to get the configured 404 error when hitting that path on HTTP as is done by the letsencrypt-acme-challenge.conf, any path outside that does redirect to SSL. It may look like it's forcing that URL to SSL if HSTS is turned on and your browser caches that first. This would not be the case for letsencrypt hitting your website for the challenge since it's not designed for SSL communications but just plain HTTP so would ignore the HSTS header leaving it on the HTTP connection. |
Same for me (at first)...! |
I have the same problem. When turning on
If I connect to the container and try to curl https://XY/well-known/acme-challenge/lqC8CqFhvzDci89waVFP_4-GgUWqqh273mA6Plv5naI I receive a 404 error so there is no firewall issue there. Requesting http will respond with a redirect 301. If I turn off force SSL for the specific domain and try to renew the certificate everything works. So I can definitely agree that forcing SSL prevents certbot from cert renewal... Really annoying -.- |
I have the same issue here, exactly as described above. As soon as I disable "Force SSL", renewing my certificates works without issues. The renew mechanism should disable "Force SSL" temporarily or add the /well-known/acme-challenge/... path as a default rule where SSL is not forced. |
I did notice one difference in config over time. The include of force-ssl.conf is in the server section for newly created hosts, but in the location / section for older hosts. I can break currently working proxy hosts by moving the force-ssl.conf include into the server section, outside the location / section. So we would have:
Guessing here, but we don't see this issue at first creation since the default_host is hit until the cert is obtained and the proxy_host config is written and nginx HUP'd. |
Same here, if "Force SSL" is enabled, I'm not able to renew the letsencrypt-certificate. |
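An added example, not part of the comment above or the project's own code: a small checker that reports which nginx block encloses the `force-ssl.conf` include, to tell the two layouts the comment describes apart. The sample configs, the bare include paths and the function names are constructed for illustration; quoted arguments containing spaces are not handled.

```python
import re

# Constructed sample configs (assumptions, not taken from the thread).
NEWER_HOST = """
server {
  listen 80;
  server_name example.test;
  include letsencrypt-acme-challenge.conf;
  include force-ssl.conf;          # server-level: applies to every location
  location / {
    proxy_pass http://127.0.0.1:8080;
  }
}
"""

OLDER_HOST = """
server {
  listen 80;
  server_name example.test;
  include letsencrypt-acme-challenge.conf;
  location / {
    include force-ssl.conf;        # scoped to "location /" only
    proxy_pass http://127.0.0.1:8080;
  }
}
"""

# Comments, structural characters, or bare words.
TOKEN = re.compile(r"#[^\n]*|[{};]|[^\s{};#]+")

def include_contexts(conf, wanted="force-ssl.conf"):
    """Return the enclosing block header ('server', 'location /', ...) of
    every include directive whose path ends with `wanted`."""
    stack, words, found = [], [], []
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue
        if tok == "{":                      # words so far are the block header
            stack.append(" ".join(words))
            words = []
        elif tok == "}":
            if stack:
                stack.pop()
            words = []
        elif tok == ";":                    # end of a simple directive
            if len(words) == 2 and words[0] == "include" and words[1].endswith(wanted):
                found.append(stack[-1] if stack else "main")
            words = []
        else:
            words.append(tok)
    return found

def forces_ssl_server_wide(conf):
    """True when force-ssl.conf is included directly in a server block."""
    return any(ctx == "server" for ctx in include_contexts(conf))
```
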
+1 |
+1 |
Disabling |
Hi
I can't find the logfile /data/logs/letsencrypt/letsencrypt.log |
Annoying that this central functionality is still broken :/ |
Any thoughts on this @jc21 or others? All my subdomain certs are now up for renewal including the one to access npm itself and all are failing...
EDIT: eventually managed to get back into the npm website (blocked by Chrome due to invalid cert, but Firefox let me bypass the warning) and switching off Force SSL let me renew OK, but with 12 sites it's quite a pain to toggle off, renew, then toggle back on! |
I am also experiencing this issue, but even disabling Force SSL changes nothing. I'll try to get a log tomorrow. |
So interestingly using :latest I'm still having issues renewing certs but have tried deleting some that wouldn't renew and re-requesting them - they now seem to be renewing OK. Will take a while to re-do them all though! |
Still having this issue, cannot renew my certificates |
I'm now having this issue on another site too. If I delete and recreate they seem to work but renewal has been failing.
@jc21 would really appreciate any help here - I keep on having to delete and recreate certs from scratch which with lots of subdomains can take quite a while! Weirdly the other site where I recreated them still seems to be renewing OK? |
There also seems to be an issue when deleting certificates too (from within the interface!) as I end up with these sorts of errors:
I've found copying existing good directories across to the missing ones then allows re-creation but it seems like the nginx config isn't updated when a cert is deleted? Workaround seems to be to create a new certificate and then delete the old one. |
Any update on this @jc21 ? I'm running two servers and one of them seems to be OK...
The other still has errors...
Yet it was the other way round previously. It's like they get stuck renewing at some point and then that's it! |
Issue is now considered stale. If you want to keep it open, please comment 👍 |
Did this ever get addressed?
|
any news? |
Issue is now considered stale. If you want to keep it open, please comment 👍 |
Not fixed, awaiting #3121 to be merged in to fix. |
When disabling the Force SSL option the renewal went flawlessly.
So to me it looks like NPM is also trying to forward the http request for cert renewal to SSL and thus it fails to complete the request.