SSL Internal Error on request a new SSL certificate #3324
Comments
you can solve this issue by deactivating "Force SSL" OR by adding the following custom location which will catch the letsencrypt requests (basically redirect back to the nginx proxy): @jc21 this is a common issue with letsencrypt. Could you automatically add the custom location if "Force SSL" is enabled? It seems that a lot of people are bothered by this issue. See for example: #396. |
Hello! Thanks for the answer. The error happens with or without Force SSL; I still get the same error. Hello, |
Same error on my site. Last time I registered a certificate was on the 11. Nov. - now it's not working for a new one anymore. |
In my case, I wanted to keep ports 80 and 443 open for my private network only, so then I got the same error, "Internal Error." |
Hello! Thanks for the reply, but sadly I also tried to even open all available ports and sadly it didn't work. |
Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate. |
That's so weird. What can we do though? |
I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird! |
The weird thing is that I even tried to reinstall the whole OS, Portainer, an older version; nothing worked at all, which is really weird. |
Same issue and none of the workarounds worked for me. Any suggestions? |
Could you check, what reply you get, if you open your public IPv4 with the port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured. |
Weird, but you are right. I checked my router settings - port 80 open. Used https://portchecker.co/check-it to verify - closed. Removed settings, set up port forwarding once again and verified -> port open. NPM worked and renewed all my certificates. |
Yeah, I got the hello page. Ports 80, 81, 443 are open with a few more, but no luck according to the error. I think it's something with the certbot command. |
Adding |
Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a portainer instance, which already wants to listen on a secure ssl connection for example. |
Hi! I tried for multiple domains such as portainer, jelly, nginx, some HTTPS, some not, or even the main domain; nothing worked. And for my public domain, yeah, I'm using DNS only without proxy. It's taking me to the correct pages as well as loading the webpages for the correct configuration, so it's working, but only the SSL is not, for any domain / subdomain. |
Very strange... after reading your comments I reset the ports on my firewall with 80, 443 and 81... Afterwards I was able to create two of four certificates. For the rest the same error appears 😁 I'm very confused now.... But I think it belongs to my specific proxy host configurations. I will test, but then the solution was: port 81 must be open on your router/firewall... |
Glad that a reset helped. However, port 81 does not need to be accessible from outside, as this is only used for the dashboard. The certificate should be validated via port 80. |
Are you also sure that the DynDNS updates are working correctly? That would be the only explanation I can think of for it not being accessible after all the configurations. |
Thanks, this also fixed it for me, but when I try, maybe I also need to ensure ports 80, 81, and 443 belong to NPM. |
Then it is stranger than strange 🤣 Because this was the only change (open port 81). After that it works. Before only ports 80 and 443 were opened and I was able to create the certificates x months before. |
I really don't understand, but I can confirm that exposing port 81 indeed solved the issue.... |
I have tried everything listed above and still having the issue. |
A little bit out of context, but the reason it failed for me was the new software firewall, which had rules based on countries (everything worked from my devices). I didn't notice since renewal is only every 60 days (I guess). Maybe check access from different hosts and packet captures, this is how I got further. |
I have been struggling with this for weeks now and this fixed it for me. In Portainer go to Containers -> on the Container -> click Exec Console (looks like this >_ ) -> Connect -> paste `curl -vvvv -I -L -k --tlsv1.2 https://google.com/` and press Enter in the console. If you get a failure your DNS is not resolving and this is your problem; add `network_mode: host` to your compose file. See a copy of my compose below. A little side note, my certs now auto renew for the first time ;-) `version: "3.8" db:`
|
Still got this issue. Kind of annoying, you're just... stuck... SSL so easy! (no)
|
I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently. |
Your issue: you have requested too many certs for the domain already. You must read the Let's Encrypt terms; there is a limit of certs you can request per month/day I guess. Your issue has nothing to do with SSL renewals. |
Well I tried that and now I cannot login anymore!!!! |
Just wanted to add that my fix was to allow port 80 to NPM on my router. I must have blocked it at some point. |
I found a fix for my issue: allocating more storage space. Running NPM in a Proxmox CT (no docker at all), and happened to catch that it was at 96% of its storage. I gave it some extra, and boom. Worked! |
I have the same issue. Then I traced the cause, and I found my provider blocks incoming connections from another country to my server; connections are allowed only from my country (that is because my server IP comes from my Government). So when I opened a ticket to allow incoming connections for all, the "Internal Error" was fixed. |
Same issue here. I realized that this works with DuckDNS domains, but not with the one configured in my router. I grew tired of DuckDNS not working often, so I bought an official Strato domain, which I configured with DynDNS in my Fritz.Box. I could successfully create a proxy and request a certificate for the main domain, but not for the subdomains. |
Same issue. Stupid me. I disabled the NAT rule for port 80 forwarding to my nginx, for whatever reason .... |
this resource helped me solve the problem: |
i opened the port 80 to my NPM temporarily to request the new certificate, it worked and then I closed the port again. |
This is not an option. Using network_mode set to host will expose all ports to the open world. It also forces you to do the same with any other related containers or they can no longer communicate. |
I have the same problem. Is there any progress on this issue? |
I have come to realise that 99% of certificate renewal issues are firewall blocking ports. I would check and recheck that ports are open. I did have my ports being blocked. My working docker compose file, good luck!
I can renew my certs at any point now, though they auto renew 30 days before expiring. |
NPM is not particularly helpful in telling you what the specific issue is other than "Internal Error", which could mean a magnitude of things, so everyone should start by inspecting their container logs. First of all, if you're using Namecheap, make sure your IP is whitelisted. My issue probably stemmed from a manual move of my container from one host to another (I think) as it related to some broken symlinks. I use Portainer so used that to inspect my logs, but obviously there are other ways to inspect logs. The logs showed a parse failure.
I SSH'd into the container
Double checked Certbot logs
Double checked letsencrypt config.
Manually ran the renewal inside the container
Terminal showed this error:
So I went in and repaired the sym links as config files were not pointing to any symlinks as it should've been. Here's what I ran to repair:
Then either run renewal on NPM GUI or directly on terminal:
Stuck? Use ChatGPT. That's how I fixed my problem because I'm not in IT. |
It seems that certbot mostly uses IPv6 to verify domains, therefore maybe recheck your DNS settings. I had the same problem and found the error in my DNS settings. |
In my case using Cloudflare, updating the package in the server fixed it: pip install --upgrade cloudflare==2.19.* |
It worked for me. Thanks. |
Here are my issues
|
I think it is a web address issue. |
I bet everyone has this same issue. |
OK, what IP does NPM use? |
How can this possibly work for anyone? It causes |
Some of my domains are working but some are broken due to a bug. |
In case someone else stumbles on this issue later (as I did), my problem and cure was similar. In my case, I was migrating NPM from one computer to another, and while I had edited and saved the entries in my router's port forwarding settings, I had to then "apply settings" at the top of the page. Then I could request the certificate, and it all worked happily ever after! |
Checklist
jc21/nginx-proxy-manager:latest docker image?
Describe the bug
When trying to request a new SSL certificate I get an internal error.
Nginx Proxy Manager Version
v2.10.4
To Reproduce
Steps to reproduce the behavior:
Screenshots
Operating System
Ubuntu 20.04 - 64bit, running Portainer v2.19.2
Additional context
Cloudflare (NO PROXY):
A => dayroxy.online => ip
CNAME => * => dayroxy.online
```text
2023-11-15 05:51:29,337:DEBUG:acme.client:Storing nonce: GEqhmX18EBYehAoQEeHOv-lemRWL1u8IRLnVc7o6fKR1jTTNhtU
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:Challenge failed for domain portainer.dayroxy.online
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:http-01 challenge for portainer.dayroxy.online
2023-11-15 05:51:29,338:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: portainer.dayroxy.online
  Type:   connection
  Detail: 87.237.52.121: Fetching http://portainer.dayroxy.online/.well-known/acme-challenge/MS4A57_vkBnqeWLmBgQXIt0bxXNSIi88aYDifAQO7dk: Connection reset by peer

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-11-15 05:51:29,339:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-11-15 05:51:29,339:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-11-15 05:51:29,339:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-11-15 05:51:29,339:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/MS4A57_vkBnqeWLmBgQXIt0bxXNSIi88aYDifAQO7dk
2023-11-15 05:51:29,339:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-11-15 05:51:29,340:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-11-15 05:51:29,341:ERROR:certbot._internal.log:Some challenges have failed.
```
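The checks scattered through this thread (does the name resolve, is port 80 reachable from outside, does the challenge path actually land on NPM's webroot, and what the certbot log in the container says) collected into one pre-flight script. This is an added example, not code from the NPM project or from any commenter. It writes a probe file under the webroot path that appears in the certbot log above (`/data/letsencrypt-acme-challenge`, assumed to be the same on your install), fetches it over plain HTTP the way the CA does, and separately parses certbot's `Domain:`/`Type:`/`Detail:` failure report. The resolver and fetcher are injectable so the logic can be exercised with constructed fakes; the stage names (`dns`, `http`, `content`, `ok`) are this example's own. Run it from a host outside your network, because NAT hairpinning on the router can hide a closed port from inside.

```python
"""ACME http-01 pre-flight: do what Let's Encrypt does before asking NPM/certbot.
Added example, not part of nginx-proxy-manager. WEBROOT is taken from the certbot
log in this issue; probe tokens and any fakes passed in are constructed."""
import os
import secrets
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

WEBROOT = "/data/letsencrypt-acme-challenge"      # from the certbot log above (assumed)
CHALLENGE_DIR = ".well-known/acme-challenge"       # fixed by the ACME http-01 spec


@dataclass
class Verdict:
    ok: bool
    stage: str      # "dns" | "http" | "content" | "ok" (this example's own labels)
    detail: str


def default_resolve(domain):
    """Return all A/AAAA addresses; the CA may validate over IPv6 if an AAAA exists."""
    return sorted({info[4][0] for info in socket.getaddrinfo(domain, 80)})


def default_fetch(url, timeout=10):
    """Plain-HTTP GET, no redirects followed into TLS: the CA fetches port 80 first."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def write_probe_token(webroot, token, body):
    """Drop a probe file where certbot's webroot plugin would put the real token."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(body)
    return path


def preflight(domain, webroot=WEBROOT, resolve=default_resolve, fetch=default_fetch):
    """Classify why an http-01 validation for `domain` would fail, or confirm it would pass."""
    token = secrets.token_urlsafe(32)
    body = f"preflight-{token}"
    try:
        addrs = resolve(domain)
    except OSError as exc:                       # socket.gaierror is an OSError
        return Verdict(False, "dns", f"{domain} does not resolve: {exc}")
    if not addrs:
        return Verdict(False, "dns", f"{domain} has no A/AAAA records")
    path = write_probe_token(webroot, token, body)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    try:
        status, got = fetch(url)
    except urllib.error.HTTPError as exc:        # reached a server, but not our webroot
        return Verdict(False, "http", f"{url} -> HTTP {exc.code}: challenge path not routed to the webroot")
    except (OSError, urllib.error.URLError) as exc:   # reset/refused/timeout: port 80 not reaching NPM
        return Verdict(False, "http", f"{url} unreachable ({exc}); check port-80 forwarding/firewall for {addrs}")
    finally:
        try:
            os.remove(path)                      # never leave probe files behind
        except OSError:
            pass
    if status != 200 or got.strip() != body:
        return Verdict(False, "content", f"{url} answered {status} with the wrong body; another host/vhost serves {domain}")
    return Verdict(True, "ok", f"{domain} -> {addrs}: challenge file served correctly")


def parse_certbot_problems(log_text):
    """Pull the Domain/Type/Detail triples out of certbot's 'reported these problems' block."""
    problems, current = [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        for key in ("Domain", "Type", "Detail"):
            if line.startswith(key + ":"):
                if key == "Domain" and current:  # a new domain starts a new record
                    problems.append(current)
                    current = {}
                current[key.lower()] = line[len(key) + 1:].strip()
    if current:
        problems.append(current)
    return problems


if __name__ == "__main__":
    import sys
    print(preflight(sys.argv[1], *sys.argv[2:3]))   # usage: preflight.py host.example [webroot]
```

A `dns` verdict points at the DynDNS/IPv6 records several commenters mention, an `http` verdict at the router NAT rule, firewall or provider geo-block, and a `content` verdict at a different service answering on port 80 for that name; only `ok` means certbot's webroot plugin would have succeeded for this domain at this moment.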