nginx-proxy-manager: Auto SSL certificate renewal failing using AWS Route53 DNS

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you’re not using someone else’s docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

Automatic SSL certificate renewal fails when using the AWS Route53 DNS challenge, but renewing manually through the NPM console works fine.

Based on initial review of the logs, it looks like the automated renewal command is not setting the required “AWS_CONFIG_FILE” environment variable:

[3/8/2022] [6:02:17 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-12 with error: Unable to locate credentials

Nginx Proxy Manager Version

v2.9.16

To Reproduce

Steps to reproduce the behavior:

  1. Create a Let's Encrypt certificate using the AWS Route53 DNS challenge
  2. As the certificate expiry date nears, the renewals fail

Expected behavior

SSL certificate is renewed as the expiry date approaches

Operating System

Unraid 6.10.0-rc2, Docker version 20.10.9, build c2ea9bc

Additional context

Logs:

[3/8/2022] [5:54:15 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[3/8/2022] [6:02:17 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-12 with error: Unable to locate credentials
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-12/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

   at ChildProcess.exithandler (node:child_process:399:12)
   at ChildProcess.emit (node:events:520:28)
   at maybeClose (node:internal/child_process:1092:16)
   at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

Workaround: Renewing through the console works as expected

[3/8/2022] [9:49:46 AM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates via Route 53 (Amazon) for Cert #12: *.darktower.one, darktower.one
[3/8/2022] [9:49:46 AM] [SSL      ] › ℹ  info      Command: AWS_CONFIG_FILE='/etc/letsencrypt/credentials/credentials-12' certbot renew --config "/etc/letsencrypt.ini" --cert-name "npm-12" --disable-hook-validation --no-random-sleep-on-renew 
[3/8/2022] [9:50:20 AM] [SSL      ] › ℹ  info      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-12.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for *.darktower.one and darktower.one

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded: 
  /etc/letsencrypt/live/npm-12/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 11
  • Comments: 21 (1 by maintainers)

Most upvoted comments

Still having this issue. I was able to resolve it by passing the credentials as an environment variable in docker-compose:

environment:
  - AWS_CONFIG_FILE=/etc/letsencrypt/credentials/credentials-1

You can also pass the credentials directly to certbot by setting two environment vars in your docker-compose file:

AWS_ACCESS_KEY_ID: "AAAAAAAAAAAAAAAAAAAAA"
AWS_SECRET_ACCESS_KEY: "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

It looks like the code used for auto renewal isn't using the same renewal functions as the UI, but a simple command to certbot

https://github.com/NginxProxyManager/nginx-proxy-manager/blob/14b889a85f2f8af9a13ed6122f5a0a91d64ecc36/backend/internal/certificate.js#L42-L106

It should use this function to renew the certificates https://github.com/NginxProxyManager/nginx-proxy-manager/blob/14b889a85f2f8af9a13ed6122f5a0a91d64ecc36/backend/internal/certificate.js#L999-L1028

I’ve “quick” fixed my installation by hardcoding the aws credentials:

// Auto-renewal command from backend/internal/certificate.js, with the AWS
// credentials file hard-coded (credentials-3 is this installation's own file)
const cmd = certbotCommand + ' renew --non-interactive --quiet ' +
        '--config "' + letsencryptConfig + '" ' +
        '--preferred-challenges "dns,http" ' +
        '--disable-hook-validation ' +
        (letsencryptStaging ? '--staging' : '');

// Prefix the command with AWS_CONFIG_FILE so certbot-dns-route53 can locate credentials
let mainCmd = 'AWS_CONFIG_FILE=\'/etc/letsencrypt/credentials/credentials-3\' ' + cmd;

return utils.exec(/*cmd*/mainCmd)
        .then((result) => {

@coreylane renewing via the GUI works fine. Automatic renewals don’t though. Since I have 50+ entries it’s a real pain having to renew manually.

How much effort is required to fix the auto renewals?

Thanks for your help on this.

I implemented @emkookmer’s suggestion in #3392