Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Renew now on SSL Certificates page gives internal error #1816

Open
gent99 opened this issue Jan 27, 2022 · 21 comments
Open

Renew now on SSL Certificates page gives internal error #1816

gent99 opened this issue Jan 27, 2022 · 21 comments
Labels

Comments

@gent99
Copy link

gent99 commented Jan 27, 2022

I'm on v2.9.15 and have a problem with "renew now" on SSL Certificates tab. I get internal error. Tried with different certs for different proxy hosts. Need more info, then please tell me where to find the needed logs.

@gent99 gent99 added the bug label Jan 27, 2022
@H4nSolo
Copy link

H4nSolo commented Jan 28, 2022

Here ist my Log about the Error:

......
2022-01-28T14:22:01.024729628Z [1/28/2022] [2:22:01 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
2022-01-28T14:22:01.029569645Z [1/28/2022] [2:22:01 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
2022-01-28T14:22:01.031130541Z [1/28/2022] [2:22:01 PM] [Global ] › ℹ info Backend PID 248 listening on port 3000 ...
2022-01-28T14:22:17.143438076Z QueryBuilder#allowEager method is deprecated. You should use allowGraph instead. allowEager method will be removed in 3.0
2022-01-28T14:22:17.144582592Z QueryBuilder#eager method is deprecated. You should use the withGraphFetched method instead. eager method will be removed in 3.0
2022-01-28T14:22:17.150001473Z QueryBuilder#omit is deprecated. This method will be removed in version 3.0
2022-01-28T14:22:17.151648151Z Model#$omit is deprected and will be removed in 3.0.
2022-01-28T14:22:57.515936923Z [1/28/2022] [2:22:57 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #10: domain.xx.xy
2022-01-28T14:22:57.515962942Z [1/28/2022] [2:22:57 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-10" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
2022-01-28T14:22:57.967649739Z [1/28/2022] [2:22:57 PM] [Express ] › ⚠ warning Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-10" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
2022-01-28T14:22:57.967672762Z Another instance of Certbot is already running.
2022-01-28T14:22:57.967676078Z Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmp48pefxkd/log or re-run Certbot with -v for more details.
2022-01-28T14:22:57.967678303Z
2022-01-28T14:26:14.243601235Z [1/28/2022] [2:26:14 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
2022-01-28T14:26:14.243627765Z Failed to renew certificate npm-11 with error: Some challenges have failed.
2022-01-28T14:26:14.243631812Z All renewals failed. The following certificates could not be renewed:
2022-01-28T14:26:14.243634167Z /etc/letsencrypt/live/npm-11/fullchain.pem (failure)
2022-01-28T14:26:14.243636241Z 1 renew failure(s), 0 parse failure(s)
2022-01-28T14:26:14.243638555Z
2022-01-28T14:26:14.243640709Z at ChildProcess.exithandler (node:child_process:397:12)
2022-01-28T14:26:14.243642783Z at ChildProcess.emit (node:events:390:28)
2022-01-28T14:26:14.243644787Z at maybeClose (node:internal/child_process:1064:16)
2022-01-28T14:26:14.243646760Z at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)

@PavelkaDavid
Copy link

Hi, I have been solving this too. I don't know why, but some of my certificates cannot be renewed as it outputs "Connection refused" for acme-challenge as shown on the picture.

image

If this happens, than after each restart of NPM there is stuck processes as shown on the next image, that results in "Another instance of Certbot is already running."

image

If you kill these processes, than you can create new certificate for these domains and it will work as it should (renew will not work). Then go to your host and assign the new certificate to it. Than you can delete the old one.

After these changes is done, you can try to restart your NPM and see if there is still that processes. If not, than you are OK and you can ensure yourself by issuing renew.

Hope this helps and I am looking forward for this to be fixed. I don't know what cause this, but it happends on all of my 4 NPM installs for only some domains.

@gent99
Copy link
Author

gent99 commented Jan 31, 2022

where can i find those logs?

in npm/data/logs i find
letsencrypt-requests_access.log
letsencrypt-requests_error.log
letsencrypt-requests.log

but they don't show me any errors like in your posts

@PavelkaDavid
Copy link

where can i find those logs?

in npm/data/logs i find letsencrypt-requests_access.log letsencrypt-requests_error.log letsencrypt-requests.log

but they don't show me any errors like in your posts

I have found this log here: /var/log/letsencrypt/letsencrypt.log

@Gh0stRocket
Copy link

Gh0stRocket commented Feb 6, 2022

Hi,
I have created a bash script which will fix the error. It creates symbolic links for all required files and optionally deletes the old *.pem files. For me it fixed the problem:

Just go to your /etc/letsencrypt/live directory, create a script and paste the content below.

touch /etc/letsencrypt/live/fix.sh

Make it exectuable:

chmod +x /etc/letsencrypt/live/fix.sh

And run it:

cd /etc/letsencrypt/live/ && ./fix.sh

At the end of the script you will be asked if you want to delete the old files which are no longer needed.

After running the script restart your nginxproxymanager instance.

#!/usr/bin/env bash

DELETE_ME=()

for i in $(find . -name "npm-*" -type d); do
	pushd "${i}" &>/dev/null
	RELATIVE_PATH=$(echo "${i}" | sed 's/\.\///g')
	# find all regular (non symbolic link) files
	for t in $(find . -name "*.pem" -type f); do
		# remove ./ path prefix
		FILE_TO_LINK=$(echo "${t}" | sed 's/\.\///g')
		NEW_FILE_NAME=$(echo "${FILE_TO_LINK}" | sed 's/\./1\./g')
		echo "${RELATIVE_PATH}/${FILE_TO_LINK} needs to be linked"
		echo "Moving ${RELATIVE_PATH}/${FILE_TO_LINK} to ${RELATIVE_PATH}/${FILE_TO_LINK}.bak"
		mv "${FILE_TO_LINK}" "${FILE_TO_LINK}".bak
		DELETE_ME+=("${RELATIVE_PATH}/${FILE_TO_LINK}.bak")
		echo "linking ../../archive/${RELATIVE_PATH}/${NEW_FILE_NAME} to ${RELATIVE_PATH}/${FILE_TO_LINK}"
		ln -s ../../archive/"${RELATIVE_PATH}"/"${NEW_FILE_NAME}" "${FILE_TO_LINK}"
		if [[ "$?" == 0 ]]; then
			echo "success"
		else
			echo "failure"
		fi
	done
	popd &>/dev/null
done

if [[ -n ${DELETE_ME} ]]; then
	echo -e "\nOld *.pem files:\n"
	echo "${DELETE_ME[*]}"
	echo "Do you want to delete the old *.pem files? (y/n) "
	read delete

	if [[ "${delete}" == "y" || "${delete}" == "yes" ]]; then
		for y in "${DELETE_ME[@]}"; do
			rm "${y}"
		done
	fi
else
	echo "Nothing to be done."
fi

@cptskippy
Copy link

For anyone experiencing this issue, I was able to fix my setup using the following steps:

  1. Navigate to Proxy Hosts
  2. Edit a Host entry with a bad SSL Cert
  3. Navigate to the SSL Tab
  4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"
  5. Click Save
  6. Navigate to SSL Certificates
  7. Delete the old Certificate

After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.

I don't know what caused the problem or if it will come back but at least for now it appears to be working.

@Waldorf3
Copy link

For anyone experiencing this issue, I was able to fix my setup using the following steps:

  1. Navigate to Proxy Hosts
  2. Edit a Host entry with a bad SSL Cert
  3. Navigate to the SSL Tab
  4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"
  5. Click Save
  6. Navigate to SSL Certificates
  7. Delete the old Certificate

After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.

I don't know what caused the problem or if it will come back but at least for now it appears to be working.

This just create an "Internal error", no new cert.

@TheFreeman
Copy link

The same on my side.
Any new suggestions?

@abdros
Copy link

abdros commented Apr 10, 2023

I had the same issue and solved it by adding a DNS CAA record for the HOST.MYDOMAIN.TLD and setting letsencrypt.org as an authorized certificate provider (I use EasyDNS).
What made me think of this was an email that letsencrypt had sent some time ago regarding this soon-to-come requirement from DNS providers.
Nginx Proxy Manager v2.7.1
Hope this helps others.

@AlmightyJojo
Copy link

npm 2.10.1. Out of nowhere expired certs + symlink error on npm startup. Internal error in GUI. Godaddy DNS challenge cert
Gh0stRocket script did indeed fix renewal and all existing proxy hosts updated. Whew.
What's not clear is fix symlink creation is permanent fix or not. Believe it is...This renewal issue with either npm / certbot really could use some attention.

Copy link

Issue is now considered stale. If you want to keep it open, please comment 👍

@github-actions github-actions bot added the stale label Feb 25, 2024
@Palmdale95
Copy link

For me the issue is still there:
Failed to renew certificate npm-1 with error: Some challenges have failed.
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-3 with error: Some challenges have failed.
Failed to renew certificate npm-4 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-1/fullchain.pem (failure)
/etc/letsencrypt/live/npm-2/fullchain.pem (failure)
/etc/letsencrypt/live/npm-3/fullchain.pem (failure)
/etc/letsencrypt/live/npm-4/fullchain.pem (failure)
4 renew failure(s), 0 parse failure(s)

at ChildProcess.exithandler (node:child_process:422:12)
at ChildProcess.emit (node:events:517:28)
at maybeClose (node:internal/child_process:1098:16)
at ChildProcess._handle.onexit (node:internal/child_process:303:5)

@github-actions github-actions bot removed the stale label May 4, 2024
@deMathias
Copy link

I just get internal error in NPM gui when trying to renew wildcard cert (*.domain.ltd)

@Reetryyy
Copy link

I encountered the same issue when trying to renew certificates using the NPM GUI. Removing the certificate that failed to renew and requesting new ones resolved the problem for me.

@timguy99
Copy link

For anyone experiencing this issue, I was able to fix my setup using the following steps:

  1. Navigate to Proxy Hosts
  2. Edit a Host entry with a bad SSL Cert
  3. Navigate to the SSL Tab
  4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"
  5. Click Save
  6. Navigate to SSL Certificates
  7. Delete the old Certificate

After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.
I don't know what caused the problem or if it will come back but at least for now it appears to be working.

This just create an "Internal error", no new cert.

Same issue for me but following these steps seemed to work. Be nice to see this fixed though so we don't have to do things manually.

@justanotherdude48
Copy link

justanotherdude48 commented Nov 19, 2024

For anyone experiencing this issue, I was able to fix my setup using the following steps:

1. Navigate to Proxy Hosts

2. Edit a Host entry with a bad SSL Cert

3. Navigate to the SSL Tab

4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"

5. Click Save

6. Navigate to SSL Certificates

7. Delete the old Certificate

After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.

I don't know what caused the problem or if it will come back but at least for now it appears to be working.

I'm seeing this issue still. I need to pull the logs... which I will do shortly. The suggested fix still produced an 'internal error'. In fact, trying to renew the cert and following these instructions above has made it where I'm not longer able to connect to the site due to 'SSL_ERROR_UNRECOGNIZED_NAME_ALERT'

I had to go back and manually assign the old cert to get it up again.

I deleted the working cert and attempted to manually create a new one. Received the following error in the gui.

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-6" --agree-tos --authenticator webroot --email "xxxxxxxxxxx" --preferred-challenges "dns,http" --domains "xxxxxxxxx"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

@Palmdale95
Copy link

Every 2-3 month the same procedure for all hosts. It just does not work automatically. I'am really evaluating to give zoraxy a try because this is really annoying.

@justanotherdude48
Copy link

For anyone experiencing this issue, I was able to fix my setup using the following steps:

1. Navigate to Proxy Hosts

2. Edit a Host entry with a bad SSL Cert

3. Navigate to the SSL Tab

4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"

5. Click Save

6. Navigate to SSL Certificates

7. Delete the old Certificate

After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.
I don't know what caused the problem or if it will come back but at least for now it appears to be working.

I'm seeing this issue still. I need to pull the logs... which I will do shortly. The suggested fix still produced an 'internal error'. In fact, trying to renew the cert and following these instructions above has made it where I'm not longer able to connect to the site due to 'SSL_ERROR_UNRECOGNIZED_NAME_ALERT'

I had to go back and manually assign the old cert to get it up again.

I deleted the working cert and attempted to manually create a new one. Received the following error in the gui.

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-6" --agree-tos --authenticator webroot --email "xxxxxxxxxxx" --preferred-challenges "dns,http" --domains "xxxxxxxxx" Saving debug log to /tmp/letsencrypt-log/letsencrypt.log Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

Interestingly enough this started working, but I can't tell you why.

I was running certbot -v renew commands in CLI from the docker container and it was throwing errors like....:

"Certbot failed to authenticate some domains "

"Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet."

So i verified the DNS records again, my port forwarding, etc. Everything seemed good. I basically kept fiddling with nginx until suddenly the renew button from the site settings itself just worked all of a sudden. A previous reboot hadn't helped either. Its a mystery

@joanjgm
Copy link

joanjgm commented Dec 1, 2024

Hi, I have created a bash script which will fix the error. It creates symbolic links for all required files and optionally deletes the old *.pem files. For me it fixed the problem:

Just go to your /etc/letsencrypt/live directory, create a script and paste the content below.

touch /etc/letsencrypt/live/fix.sh

Make it exectuable:

chmod +x /etc/letsencrypt/live/fix.sh

And run it:

cd /etc/letsencrypt/live/ && ./fix.sh

At the end of the script you will be asked if you want to delete the old files which are no longer needed.

After running the script restart your nginxproxymanager instance.

#!/usr/bin/env bash

DELETE_ME=()

for i in $(find . -name "npm-*" -type d); do
	pushd "${i}" &>/dev/null
	RELATIVE_PATH=$(echo "${i}" | sed 's/\.\///g')
	# find all regular (non symbolic link) files
	for t in $(find . -name "*.pem" -type f); do
		# remove ./ path prefix
		FILE_TO_LINK=$(echo "${t}" | sed 's/\.\///g')
		NEW_FILE_NAME=$(echo "${FILE_TO_LINK}" | sed 's/\./1\./g')
		echo "${RELATIVE_PATH}/${FILE_TO_LINK} needs to be linked"
		echo "Moving ${RELATIVE_PATH}/${FILE_TO_LINK} to ${RELATIVE_PATH}/${FILE_TO_LINK}.bak"
		mv "${FILE_TO_LINK}" "${FILE_TO_LINK}".bak
		DELETE_ME+=("${RELATIVE_PATH}/${FILE_TO_LINK}.bak")
		echo "linking ../../archive/${RELATIVE_PATH}/${NEW_FILE_NAME} to ${RELATIVE_PATH}/${FILE_TO_LINK}"
		ln -s ../../archive/"${RELATIVE_PATH}"/"${NEW_FILE_NAME}" "${FILE_TO_LINK}"
		if [[ "$?" == 0 ]]; then
			echo "success"
		else
			echo "failure"
		fi
	done
	popd &>/dev/null
done

if [[ -n ${DELETE_ME} ]]; then
	echo -e "\nOld *.pem files:\n"
	echo "${DELETE_ME[*]}"
	echo "Do you want to delete the old *.pem files? (y/n) "
	read delete

	if [[ "${delete}" == "y" || "${delete}" == "yes" ]]; then
		for y in "${DELETE_ME[@]}"; do
			rm "${y}"
		done
	fi
else
	echo "Nothing to be done."
fi

This Fixed it! Thanks!

@FloStar3000
Copy link

Hi, I have created a bash script which will fix the error. It creates symbolic links for all required files and optionally deletes the old *.pem files. For me it fixed the problem:

Just go to your /etc/letsencrypt/live directory, create a script and paste the content below.

touch /etc/letsencrypt/live/fix.sh

Make it exectuable:

chmod +x /etc/letsencrypt/live/fix.sh

And run it:

cd /etc/letsencrypt/live/ && ./fix.sh

At the end of the script you will be asked if you want to delete the old files which are no longer needed.

After running the script restart your nginxproxymanager instance.

#!/usr/bin/env bash

DELETE_ME=()

for i in $(find . -name "npm-*" -type d); do
	pushd "${i}" &>/dev/null
	RELATIVE_PATH=$(echo "${i}" | sed 's/\.\///g')
	# find all regular (non symbolic link) files
	for t in $(find . -name "*.pem" -type f); do
		# remove ./ path prefix
		FILE_TO_LINK=$(echo "${t}" | sed 's/\.\///g')
		NEW_FILE_NAME=$(echo "${FILE_TO_LINK}" | sed 's/\./1\./g')
		echo "${RELATIVE_PATH}/${FILE_TO_LINK} needs to be linked"
		echo "Moving ${RELATIVE_PATH}/${FILE_TO_LINK} to ${RELATIVE_PATH}/${FILE_TO_LINK}.bak"
		mv "${FILE_TO_LINK}" "${FILE_TO_LINK}".bak
		DELETE_ME+=("${RELATIVE_PATH}/${FILE_TO_LINK}.bak")
		echo "linking ../../archive/${RELATIVE_PATH}/${NEW_FILE_NAME} to ${RELATIVE_PATH}/${FILE_TO_LINK}"
		ln -s ../../archive/"${RELATIVE_PATH}"/"${NEW_FILE_NAME}" "${FILE_TO_LINK}"
		if [[ "$?" == 0 ]]; then
			echo "success"
		else
			echo "failure"
		fi
	done
	popd &>/dev/null
done

if [[ -n ${DELETE_ME} ]]; then
	echo -e "\nOld *.pem files:\n"
	echo "${DELETE_ME[*]}"
	echo "Do you want to delete the old *.pem files? (y/n) "
	read delete

	if [[ "${delete}" == "y" || "${delete}" == "yes" ]]; then
		for y in "${DELETE_ME[@]}"; do
			rm "${y}"
		done
	fi
else
	echo "Nothing to be done."
fi

Be careful when running this script! It made my NGINX proxy manager container crash upon restart!
Please read the script and understand what it does before running it.

It did not work for me in the first place and because most of my archive/npm-xx folders did not have chain1.pem, privkey1.pem etc. but for some reason, it started with chain2.pem etc. in most of the folders. You need to update the script so it does not point to the chain1.pem etc. but to one that exists or create the links manually, as i did for one folder. If there are symlinks in the live folder that point to a non existing file, proxy manager refuses to start.
After dealing with that, it fixed my issue, thanks!

@KiddRedd
Copy link

KiddRedd commented Dec 24, 2024

Experienced this last year and just yesterday. I was able to renew OTHER certificates, and request for new certificates (without challenge). But three particular ones kept giving "Internal Error". I figure to look inside the docker container and didn't see anything out of the ordinary...

The problem is resolved by deleting the old certificate and requesting a new one. No changes were made to the docker instance, the DNS of the domain or changes to my network configuration. Just happens out of nowhere, lol.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests