Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSL Internal Error on request a new SSL certificate #3324

Open
DaYroXy opened this issue Nov 15, 2023 · 56 comments
Open

SSL Internal Error on request a new SSL certificate #3324

DaYroXy opened this issue Nov 15, 2023 · 56 comments
Labels

Comments

@DaYroXy
Copy link

DaYroXy commented Nov 15, 2023

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
When trying to request a a new SSL Certifcate i get internal error
image

Nginx Proxy Manager Version
v2.10.4

To Reproduce
Steps to reproduce the behavior:

  1. Go to Hosts
  2. Click on Add Proxy Host
  3. Click on SSL
  4. SSL Certificate > Request a new SSL Certificate
  5. Save > Internal Error

Screenshots

Operating System
Ubuntu 20.04 - 64bit, running Portainer v2.19.2

Additional context
Cloudflare (NO PROXY):
A => dayroxy.online => ip
CNAMe => * => dayroxy.online

`
2023-11-15 05:51:29,337:DEBUG:acme.client:Storing nonce: GEqhmX18EBYehAoQEeHOv-lemRWL1u8IRLnVc7o6fKR1jTTNhtU
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:Challenge failed for domain portainer.dayroxy.online
2023-11-15 05:51:29,338:INFO:certbot._internal.auth_handler:http-01 challenge for portainer.dayroxy.online
2023-11-15 05:51:29,338:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: portainer.dayroxy.online
Type: connection
Detail: 87.237.52.121: Fetching http://portainer.dayroxy.online/.well-known/acme-challenge/MS4A57_vkBnqeWLmBgQXIt0bxXNSIi88aYDifAQO7dk: Connection reset by peer

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-11-15 05:51:29,339:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-11-15 05:51:29,339:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-11-15 05:51:29,339:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-11-15 05:51:29,339:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/MS4A57_vkBnqeWLmBgQXIt0bxXNSIi88aYDifAQO7dk
2023-11-15 05:51:29,339:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-11-15 05:51:29,340:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 8, in
sys.exit(main())
File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1864, in main
return config.func(config, plugins)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1597, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-11-15 05:51:29,341:ERROR:certbot._internal.log:Some challenges have failed.
`

@DaYroXy DaYroXy added the bug label Nov 15, 2023
@jucajuca
Copy link

you can solve this issue by deactivating "Force SSL" OR by adding the following custom location which will catch the letsencrypt requests (basically redirect back to the nginx proxy):

@jc21 this is a common issue with letsencrypt. Could you automatically add the custom location if "Force SSL" is enabled? It seems that a lot of people are bothered by this issue. See for example: #396

image

.

@DaYroXy
Copy link
Author

DaYroXy commented Nov 15, 2023

you can solve this issue by deactivating "Force SSL" OR by adding the following custom location which will catch the letsencrypt requests (basically redirect back to the nginx proxy):

@jc21 this is a common issue with letsencrypt. Could you automatically add the custom location if "Force SSL" is enabled? It seems that a lot of people are bothered by this issue. See for example: #396

image

.

Hello! thanks for the answer the error happens with or without force SSL i still get the same error,
also tried what you told me
image

Helo,

@Gh0stExp10it
Copy link

Same error on my site. Last time I registered a certificate was on the 11. Nov. - now it's not working for a new one anymore..

@PaulNdrei
Copy link

In my case, I wanted to keep ports 80 and 443 open for my private network only, so then I got the same error, "Internal Error."
Then I opened the ports to be available on 0.0.0.0/0, and I tried again to generate the SSL certificate with a successful result.

@DaYroXy
Copy link
Author

DaYroXy commented Nov 18, 2023

In my case, I wanted to keep ports 80 and 443 open for my private network only, so then I got the same error, "Internal Error."

Then I opened the ports to be available on 0.0.0.0/0, and I tried again to generate the SSL certificate with a successful result.

Hello! Thanks for the replay but sadly i also tried to eve open all available ports but sadly it didnt work

@wkobiela
Copy link

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

@DaYroXy
Copy link
Author

DaYroXy commented Nov 19, 2023

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

thats so weird what can we do tho?

@Gh0stExp10it
Copy link

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

thats so weird what can we do tho?

I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

@DaYroXy
Copy link
Author

DaYroXy commented Nov 19, 2023

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

thats so weird what can we do tho?

I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that i even tried to reinstall the whole os, portainer, older version nothing worked at all which is really weird

@kpleines
Copy link

Same issue and no of the workarounds worked for me.

any suggestions?

@Gh0stExp10it
Copy link

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

thats so weird what can we do tho?

I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that i even tried to reinstall the whole os, portainer, older version nothing worked at all which is really weird

Could you check, what reply you get, if you open your public IPv4 with the port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

@wkobiela
Copy link

Weird, but you are right. I checked my router settings - port 80 open. Used https://portchecker.co/check-it to verity - closed. Removed settings, setup port forwarding once again and verified -> port open.

NPM worked and renewed all my certificates.

@DaYroXy
Copy link
Author

DaYroXy commented Nov 20, 2023

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

thats so weird what can we do tho?

I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that i even tried to reinstall the whole os, portainer, older version nothing worked at all which is really weird

Could you check, what reply you get, if you open your public IPv4 with the port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah i got the hello page, port 80, 81, 443 are open with a few more but no luck according to the error:
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

i think its something with certbot command

@jsbrain
Copy link

jsbrain commented Nov 20, 2023

Adding network_mode: host in the docker-compose.yml fixed it for me.

@Gh0stExp10it
Copy link

Gh0stExp10it commented Nov 22, 2023

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

thats so weird what can we do tho?

I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that i even tried to reinstall the whole os, portainer, older version nothing worked at all which is really weird

Could you check, what reply you get, if you open your public IPv4 with the port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah i got the hello page, port 80, 81, 443 are open with a few more but no luck according to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

i think its something with certbot command

Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a portainer instance, which already wants to listen on a secure ssl connection for example.
And another idea: Did you also checked your public domain (or dynDNS address), if also the landing page showed up (regarding the ip updates)?

@DaYroXy
Copy link
Author

DaYroXy commented Nov 23, 2023

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

thats so weird what can we do tho?

I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that i even tried to reinstall the whole os, portainer, older version nothing worked at all which is really weird

Could you check, what reply you get, if you open your public IPv4 with the port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah i got the hello page, port 80, 81, 443 are open with a few more but no luck according to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
i think its something with certbot command

Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a portainer instance, which already wants to listen on a secure ssl connection for example. And another idea: Did you also checked your public domain (or dynDNS address), if also the landing page showed up (regarding the ip updates)?

Hi! i tried for multiple domains such as portainer. jelly. nginx. some https some no or even the main domain nothing worked and for my public domain yeah im using DNS only without proxy its taking me to the correct pages as well as loading the webpages for the correct configuration so its working but only the SSL is not for any domain / subdomain

@simowNgithub
Copy link

simowNgithub commented Nov 25, 2023

Very strange... after reading your comments i reset the ports on my firewall with 80, 443 and 81... Afterwards i was able to create two of four certificates. For the rest then the same error appears 😁 I'm very confused now....

But i think it belongs to my specific proxy host configurations.

I will test, but then the solution was: port 81 must be open on your router/firewall...

@Gh0stExp10it
Copy link

Very strange... after reading your comments i reset the ports on my firewall with 80, 443 and 81... Afterwards i was able to create two of four certificates. For the rest then the same error appears 😁 I'm very confused now....

But i think it belongs to my specific proxy host configurations.

I will test, but then the solution was: port 81 must be open on your router/firewall...

Glad that a reset helped. However, port 81 does not need to be accessible from outside, as this is only used for the dashboard. The certificate should be validated via port 80.

@Gh0stExp10it
Copy link

Same issue - worked some time ago, didn't change anything in any configuration since then, and now getting Internal Error. Cannot renew or create any new certificate.

thats so weird what can we do tho?

I don't know what causes the problems after all, but a complete cleanup of the npm setup and port forwarding it works again... further investigations are still open from my side. Pretty weird!

The weird thing is that i even tried to reinstall the whole os, portainer, older version nothing worked at all which is really weird

Could you check, what reply you get, if you open your public IPv4 with the port 80 (or whatever port you forward to NPM)? At least you should get the "welcome page" or whatever you configured.

Yeah i got the hello page, port 80, 81, 443 are open with a few more but no luck according to the error: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
i think its something with certbot command

Did you always try to create a certificate for the exact same service/container? Maybe just try another one, like a portainer instance, which already wants to listen on a secure ssl connection for example. And another idea: Did you also checked your public domain (or dynDNS address), if also the landing page showed up (regarding the ip updates)?

Hi! i tried for multiple domains such as portainer. jelly. nginx. some https some no or even the main domain nothing worked and for my public domain yeah im using DNS only without proxy its taking me to the correct pages as well as loading the webpages for the correct configuration so its working but only the SSL is not for any domain / subdomain

Are you also sure that the DynDNS updates are working correctly? That would be the only explanation I can think of for it not being accessible after all the configurations.

@zemise
Copy link

zemise commented Nov 27, 2023

network_mode: host

Adding network_mode: host in the docker-compose.yml fixed it for me.

thx, this also fixed for me, but when I try, maybe also need ensure port 80, 81, and 443 are belong to NPM

@simowNgithub
Copy link

Very strange... after reading your comments i reset the ports on my firewall with 80, 443 and 81... Afterwards i was able to create two of four certificates. For the rest then the same error appears 😁 I'm very confused now....
But i think it belongs to my specific proxy host configurations.
I will test, but then the solution was: port 81 must be open on your router/firewall...

Glad that a reset helped. However, port 81 does not need to be accessible from outside, as this is only used for the dashboard. The certificate should be validated via port 80.

Then it is stranger than strange 🤣 Because this was the only change (open port 81). After that it works. Before only port 80 and 443 where opened and i was able to create the certificates x months before.

@EinToni
Copy link

EinToni commented Dec 4, 2023

Very strange... after reading your comments i reset the ports on my firewall with 80, 443 and 81... Afterwards i was able to create two of four certificates. For the rest then the same error appears 😁 I'm very confused now....

But i think it belongs to my specific proxy host configurations.

I will test, but then the solution was: port 81 must be open on your router/firewall...

I really don't undestand, but I can confirm that exposing port 81 indeed solved the issue....
I normally only have 443 exposed, now I also exposed 80 but that didn't help. After also exposing 81 I was able to renew all certs and create one new cert 😄 All without issues.
Afterwards I quickly closed 80 and 81 again and everything is good 👍🏻 Although I really don't understand why exposing 81 fixed that.

@danny3n1tech
Copy link

I have tried everything listed above and still having the issue.

@Beat2er
Copy link

Beat2er commented Jan 27, 2024

A little bit out of context, but the reason it failed for me was the new software firewall, which had rules based on countries (everything worked from my devices). I didn't notice since renewal is only every 60 days (I guess). Maybe check access from different hosts and packet captures, this is how I got further.

@Silversurfer79
Copy link

Silversurfer79 commented Feb 20, 2024

Adding network_mode: host in the docker-compose.yml fixed it for me.

I have been struggleing with this for weeks now and this fixed it for me.

In Portainer go to Containers -> on the Container -> click Exec Console (looks like this >_ ) -> Connect -> Paste "curl -vvvv -I -L -k --tlsv1.2 https://google.com/" and Enter in the console. If you get a failure your DNS is not resolving and this is your problem, add "network_mode: host`" to your compose file. See a copy of my compose below.

A little side note, my certs now auto renew for the first time ;-)
Screen_Capture_-_20_Feb__10_33_am

`version: "3.8"
services:
app:
image: jc21/nginx-proxy-manager:latest
container_name: Nginx_PMA
restart: always
ports:
- '81:80'
- '8443:443'
- '82:81'
volumes:
- /home/pi/nginx/data:/data
- /home/pi/nginx/letsencrypt:/etc/letsencrypt
depends_on:
- db

db:
image: jc21/mariadb-aria:latest
container_name: Nginx_PMDB
restart: always
environment:
MYSQL_ROOT_PASSWORD: 'Password_Here'
MYSQL_DATABASE: 'Nginx_DB'
MYSQL_USER: 'Nginx_Admin_Here'
MYSQL_PASSWORD: 'Admin_Password_Here'
volumes:
- /home/pi/nginx/data/mysql:/var/lib/mysql

network_mode: host`

@tr1p0p
Copy link

tr1p0p commented Mar 11, 2024

Still got this issue. Kind of annoying you're just... Stuck... SSL so easy ! (no)


CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
An unexpected error occurred:
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: alchimia.ink, retry after 2024-03-12T17:30:31Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:518:28)
    at maybeClose (node:internal/child_process:1105:16)
    at Socket. (node:internal/child_process:457:11)
    at Socket.emit (node:events:518:28)
    at Pipe. (node:net:337:12)

@firefox7518
Copy link

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

@Silversurfer79
Copy link

Silversurfer79 commented Mar 22, 2024

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host`" to the bottom of the stack, allows auto renew of the certs in the last 30 days.

image

@Silversurfer79
Copy link

Still got this issue. Kind of annoying you're just... Stuck... SSL so easy ! (no)


CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
An unexpected error occurred:
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: alchimia.ink, retry after 2024-03-12T17:30:31Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:518:28)
    at maybeClose (node:internal/child_process:1105:16)
    at Socket. (node:internal/child_process:457:11)
    at Socket.emit (node:events:518:28)
    at Pipe. (node:net:337:12)

Your issue you have request to many certs for the domain already, you must read the Letrs Encrypt terms, there is a limit of certs you can request per month/day I guess.

Your issue has nothing to do with ssl renewals.

@firefox7518
Copy link

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host`" to the bottom of the stack, allows auto renew of the certs in the last 30 days.

image

Well I tried that and now I cannot login anymore!!!!
Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking up it seems that dozends of other also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....

@Gh0stExp10it
Copy link

Gh0stExp10it commented Mar 22, 2024

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host`" to the bottom of the stack, allows auto renew of the certs in the last 30 days.
image

Well I tried that and now I cannot login anymore!!!! Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking up it seems that dozends of other also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....

I've got some problems like this back in the days. Try to backup your proxy_host configs (your-local-npm-data/nginx/proxy_host/), for example 1.conf 2.conf. After backup/copying your files, delete them and restart your npm container. It will rebuild these configs. Hope that helps.

@Silversurfer79
Copy link

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host`" to the bottom of the stack, allows auto renew of the certs in the last 30 days.
image

Well I tried that and now I cannot login anymore!!!! Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking up it seems that dozends of other also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....

What do your logs show?

@firefox7518
Copy link

I also have this issue and all my certs are running out in some days. Will this be fixed by the devs or is this NPM project dead? Need to know this urgently.

If you read my reply, simply adding "network_mode: host`" to the bottom of the stack, allows auto renew of the certs in the last 30 days.
image

Well I tried that and now I cannot login anymore!!!! Bad Gateway error message. What in the world.... Does no one test this stuff before releasing? Looking up it seems that dozends of other also have the same issue with "bad gateway" when trying to login. So, now I'm stuck and can revert back everything. This is so annoying.....

I've got some problems like this back in the days. Try to backup your proxy_host configs (your-local-npm-data/nginx/proxy_host/), for example 1.conf 2.conf. After backup/copying your files, delete them and restart your npm container. It will rebuild these configs. Hope that helps.

I tried your way. Deleted the conf files, restarted the container. It did NOT recreate the files. I had to go into each config and click save and it created a new file. However, this did not solve anything. Still not able to renew certificate. I reverted also back to my last running version so that I can login.
I've added so far "network_mode:host" to the container, did not resolve it. I also do not have any issues pinging outside world like google.com or dns servers. 31 Websites with multiple domains and subdomains are running fine and certs were renewing flawlessly for more than a year without an issue. And now suddenly it stopped and shows constantly "internal error". I tried to find anything in the log files but to be honest in all lets encrypt related log files they are 0bytes, emtpy. Where can I activate a more verbose log?

So many people have issues with that, not good, really not good

@istoppedcaringat30
Copy link

Just wanted to add that my fix was to allow port 80 to NPM on my router. I must have blocked it at some point.

@smibrandon
Copy link

I found a fix for my issue: allocating more storage space.

Running NPM in a Proxmox CT (no docker at all), and happened to catch that it was at 96% of its storage. I gave it some extra, and boom. Worked!

@kautsaridris
Copy link

i have sam issue, than i trace the couse, so i found my provider block my IP for incoming connection from another country to my server, connections allowed only from my country (that because my server IP coming from my Goverment) so when i opening the ticket to allowed incoming connection for All, and the "Internal Error" is fixed,
so mybe this is the one from another thing to fix your problem

@jclsn
Copy link

jclsn commented Apr 10, 2024

Same issue here. I realized that this works with DuckDNS domains, but not with the one configured in my router. I grew tired of DuckDNS not working often, so I bought an official Strato domain, which I configured with DynDNS in my Fritz.Box. I could successfully create a proxy and request a certificate for the main domain, but not for the subdomains.

@TasteOfChaoZ
Copy link

Same issue. Stupid me. I disabled NAT-Rule for Port 80 farwarding to my nginx, for what evert reason ....

@ryuzaki09
Copy link

i opened the port 80 to my NPM temporarily to request the new certificate, it worked and then I closed the port again.

@TailoredITRob
Copy link

Adding network_mode: host in the docker-compose.yml fixed it for me.

This is not an option. Using network_mode set to host will expose all ports to the open world. It also forces you to do the same with any other related containers or they can no longer communicate.

@JoeZUM
Copy link

JoeZUM commented Jul 6, 2024

I have the same problem. Is there any progress on this issue?

@Silversurfer79
Copy link

I have the same problem. Is there any progress on this issue?

I have come to realise that 99% of certificate renewal issues are firewall blocking ports. I would check and recheck that ports are open. I did have my ports being blocked.

My working docker compose file, good luck!

version: "3"
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    container_name: Nginx_Proxy_Manager
    restart: always
    ports:
      - '82:80'           # Public HTTP Port:
      - '4433:443'        # Public HTTPS Port:
      - '81:81'           # Admin Web Port:
    networks:
      default:
        ipv4_address: 10.10.10.3
    volumes:
      - /URPATH/docker/nginxmanager/config.json:/app/config/production.json
      - /URPATH/docker/nginxmanager/data:/data
      - /URPATH/docker/nginxmanager/letsencrypt:/etc/letsencrypt
    depends_on:
      - db
  db:
    image: jc21/mariadb-aria:latest
    container_name: Nginx_Proxy_Manager_DB
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: 'xxxxxxxxxxxxxxxxx'
      MYSQL_DATABASE: 'Nginx_DB'
      MYSQL_USER: 'xxxxxxxxxxxxxxxxxx'
      MYSQL_PASSWORD: 'xxxxxxxxxxxxxxxxx'
    networks:
      default:
        ipv4_address: 10.10.10.2
    volumes:
      - /URPATH/docker/nginxmanager/sql:/var/lib/mysql

networks:
  default:
    external:
      name: dockernet default

I can renew my certs at any point now, though they auto renew 30 days before expiring.

@Wav3y
Copy link

Wav3y commented Jul 15, 2024

NPM is not particularly helpful in telling you what the specific issue is other than "Internal Error" which could mean a magnitude of things so everyone should start by inspecting their container logs.

First of all, if you're using Namecheap, make sure your IP is whitelisted.

My issue probably stemmed from a manual move of my container from one host to another (I think) as it related to some broken symlinks.

I use Portainer so used that to inspect my logs but obviously there are other ways to inspect logs.

The logs showed a parse failure 0 renew failure(s), 1 parse failure(s)

I SSH'd into the container docker exec -it <container_id_or_name> /bin/bash

Double checked Certbot logs

cd /tmp/letsencrypt-log
cat letsencrypt.log

Double checked letsencrypt config.

cat /etc/letsencrypt.ini

Manually ran the renewal inside the container

certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-2" --disable-hook-validation --no-random-sleep-on-renew -v

Terminal showed this error:

Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
Skipping.

So I went in and repaired the sym links as config files were not pointing to any symlinks as it should've been. Here's what I ran to repair:

cd /etc/letsencrypt/live/npm-2
rm cert.pem chain.pem fullchain.pem privkey.pem
ln -s /etc/letsencrypt/archive/npm-2/cert1.pem cert.pem
ln -s /etc/letsencrypt/archive/npm-2/chain1.pem chain.pem
ln -s /etc/letsencrypt/archive/npm-2/fullchain1.pem fullchain.pem
ln -s /etc/letsencrypt/archive/npm-2/privkey1.pem privkey.pem

Then either run renewal on NPM GUI or directly on terminal:

certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-2" --disable-hook-validation --no-random-sleep-on-renew -v

Stuck? Use ChatGPT. That's how I fixed my problem because I'm not in IT.

@flow96
Copy link

flow96 commented Jul 27, 2024

It seems that certbot mostly uses IPv6 to verify domains, therefore maybe recheck your DNS settings.

I had the same problem and found the error in my DNS settings.
I originally updated the DNS entries to point to my server on IPv4 but forgot about IPv6.
So after replacing the AAAA entry with the IPv6 of my server it works again 🎉

@pablomujica
Copy link

pablomujica commented Aug 6, 2024

In my case using Cloudflare, updating the package in the server fixed it:

pip install --upgrade cloudflare==2.19.*

@sarequl
Copy link

sarequl commented Aug 29, 2024

In my case using Cloudflare, updating the package in the server fixed it:

pip install --upgrade cloudflare==2.19.*

It worked for me. thanks

@andsim
Copy link

andsim commented Sep 3, 2024

h ere my issues

`2024-09-03 15:21:48,841:DEBUG:certbot._internal.main:certbot version: 2.11.0
2024-09-03 15:21:48,842:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2024-09-03 15:21:48,842:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-4', '--agree-tos', '--authenticator', 'webroot', '--email', '[email protected]', '--preferred-challenges', 'dns,http', '--domains', 'anskygrid.ca,www.anskygrid.ca']
2024-09-03 15:21:48,842:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-09-03 15:21:48,856:DEBUG:certbot._internal.log:Root logging level set at 30
2024-09-03 15:21:48,857:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2024-09-03 15:21:48,857:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7165da4951d0>
Prep: True
2024-09-03 15:21:48,857:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7165da4951d0> and installer None
2024-09-03 15:21:48,857:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2024-09-03 15:21:48,908:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-09-03 15:21:48,910:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2024-09-03 15:21:48,949:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 467, in _make_request
    self._validate_conn(conn)
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 1099, in _validate_conn
    conn.connect()
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connection.py", line 653, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connection.py", line 806, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
               ^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 465, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 509, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 1075, in _create
    self.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 793, in urlopen
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 491, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/requests/adapters.py", line 667, in send
    resp = conn.urlopen(
           ^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/connectionpool.py", line 847, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/urllib3/util/retry.py", line 515, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1582, in certonly
    le_client = _init_le_client(config, auth, installer)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 833, in _init_le_client
    acc, acme = _determine_account(config)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 741, in _determine_account
    acc, acme = client.register(
                ^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 207, in register
    acme = acme_from_config_key(config, key)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 72, in acme_from_config_key
    directory = acme_client.ClientV2.get_directory(config.server, net)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/acme/client.py", line 330, in get_directory
    return messages.Directory.from_json(net.get(url).json())
                                        ^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/acme/client.py", line 705, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/acme/client.py", line 647, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)')))
2024-09-03 15:21:48,955:ERROR:certbot._internal.log:An unexpected error occurred:
2024-09-03 15:21:48,956:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:992)')))`

@andsim
Copy link

andsim commented Sep 3, 2024

i think is web address issues
acme-v02.api.letsencrypt.org
when i try in browser and get
ERR_ADDRESS_INVALID

@andsim
Copy link

andsim commented Sep 4, 2024

image
look at last line

@andsim
Copy link

andsim commented Sep 4, 2024

i bet everyone have this same issues

@andsim
Copy link

andsim commented Sep 4, 2024

ok what npm ip use?
"hostname": "andsimgaming.ca",
"port": "80",
"addressesResolved": [
"192.124.249.15"
],
"addressUsed": "192.124.249.15"
not property resolve

@rulatir
Copy link

rulatir commented Sep 11, 2024

Adding network_mode: host in the docker-compose.yml fixed it for me.

I have been struggleing with this for weeks now and this fixed it for me.

In Portainer go to Containers -> on the Container -> click Exec Console (looks like this >_ ) -> Connect -> Paste "curl -vvvv -I -L -k --tlsv1.2 https://google.com/" and Enter in the console. If you get a failure your DNS is not resolving and this is your problem, add "network_mode: host`" to your compose file. See a copy of my compose below.

A little side note, my certs now auto renew for the first time ;-) Screen_Capture_-_20_Feb__10_33_am

`version: "3.8" services: app: image: jc21/nginx-proxy-manager:latest container_name: Nginx_PMA restart: always ports: - '81:80' - '8443:443' - '82:81' volumes: - /home/pi/nginx/data:/data - /home/pi/nginx/letsencrypt:/etc/letsencrypt depends_on: - db

db: image: jc21/mariadb-aria:latest container_name: Nginx_PMDB restart: always environment: MYSQL_ROOT_PASSWORD: 'Password_Here' MYSQL_DATABASE: 'Nginx_DB' MYSQL_USER: 'Nginx_Admin_Here' MYSQL_PASSWORD: 'Admin_Password_Here' volumes: - /home/pi/nginx/data/mysql:/var/lib/mysql

network_mode: host`

How can this possibly work for anyone? It causes Published ports are discared when using host network mode, and unsurprisingly, the the nginx-proxy-manager app is no longer even reachable from the internet. Instead of fixing the issue, it makes nginx-proxy-manager stop working completely.

@andsim
Copy link

andsim commented Sep 17, 2024

all my domain is link to x.x.137.119
image

@andsim
Copy link

andsim commented Sep 17, 2024

some of my domain is working but some is broken due of bug

@jimclark
Copy link

jimclark commented Dec 1, 2024

Weird, but you are right. I checked my router settings - port 80 open. Used https://portchecker.co/check-it to verity - closed. Removed settings, setup port forwarding once again and verified -> port open.

NPM worked and renewed all my certificates.

In case someone else stumbles on this issue later (as I did), my problem and cure was similar. In my case, I was migrating NPM from one computer to another, and while I had edited and saved the entries in my router's port forwarding settings, I had to then "apply settings" at the top of the page. Then I could request the certificate, and it all worked happily ever after!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests