nginx-proxy-manager: Internal error on SSL certificates when force SSL is active
[12/2/2021] [3:03:23 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-3 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-2/fullchain.pem (failure)
/etc/letsencrypt/live/npm-3/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)
at ChildProcess.exithandler (node:child_process:397:12)
at ChildProcess.emit (node:events:390:28)
at maybeClose (node:internal/child_process:1064:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
Connection Error: Error: read ECONNRESET
Connection Error: Error: read ECONNRESET
[12/2/2021] [3:54:36 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #3: <**masked**>
[12/2/2021] [3:54:36 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-3" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
[12/2/2021] [3:54:39 PM] [Express ] › ⚠ warning Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-3" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to renew certificate npm-3 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-3/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
When disabling the Force SSL option the renewal went flawless.
[12/2/2021] [3:56:34 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #3: <**masked**>
[12/2/2021] [3:56:34 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-3" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
[12/2/2021] [3:56:40 PM] [SSL ] › ℹ info - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-3.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for <**masked**>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
/etc/letsencrypt/live/npm-3/fullchain.pem (success)
So to me it looks like NPM is also trying to forward the http request for cert renewal to SSL and thus it fails to complete the request.
About this issue
- State: open
- Created 3 years ago
- Comments: 27 (2 by maintainers)
I did notice one difference in config over time. The include of force-ssl.conf is in the server section for newly created hosts, but in the location / section for older hosts. I can break currently working proxy hosts by moving the force-ssl.conf include into the server section, outside the location / section.

This change was in #1017, which fixes the custom locations ignoring the force-ssl.conf but appears to override the specific letsencrypt exception to force-ssl. Therefore, I think the test for redirect needs to test both $scheme = "http" and not contains /.well-known/acme-challenge/.

As you can't do multiple conditions in one if or nest them, I think this can be done with setting a variable on $scheme = http to H and concatenating a D to the same variable if outside /.well-known/acme-challenge/, so only do the return 301 if the variable = HD.
So we would have:
Guessing here, but we don't see this issue at first creation since the default_host is hit until the cert is obtained and the proxy_host config is written and nginx HUP'd.
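An nginx configuration sketch of the two-condition redirect described in the comment above (an added example, not the commenter's or nginx-proxy-manager's actual force-ssl.conf); the hostname, webroot and upstream are placeholders, and the certificate paths follow the npm-3 layout shown in the log.

```nginx
# Added example (not the project's force-ssl.conf): a server-level redirect
# that exempts the ACME HTTP-01 path, using the H/D flag trick from the comment.
server {
    listen 80;
    listen 443 ssl;
    server_name proxied.example;                          # placeholder hostname
    ssl_certificate     /etc/letsencrypt/live/npm-3/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-3/privkey.pem;

    # nginx "if" cannot AND two conditions or be nested, so accumulate a flag:
    # "H" = request arrived over plain http, "D" = path is outside the ACME dir.
    set $force_ssl "";
    if ($scheme = "http") {
        set $force_ssl "H";
    }
    if ($uri !~ ^/\.well-known/acme-challenge/) {
        set $force_ssl "${force_ssl}D";
    }
    # Redirect only when both parts are set; the ACME path falls through.
    if ($force_ssl = "HD") {
        return 301 https://$host$request_uri;
    }

    # Certbot's HTTP-01 challenge files must stay reachable over plain http,
    # otherwise "Some challenges have failed" as in the log above.
    location /.well-known/acme-challenge/ {
        root /data/letsencrypt-acme-challenge;            # placeholder webroot
    }

    # Because the flag logic sits at server level it also covers custom
    # locations, which is what moving the include in #1017 set out to fix.
    location / {
        proxy_pass http://127.0.0.1:8080;                 # placeholder upstream
    }
}
```

After `nginx -t` and a reload, an HTTP request to /.well-known/acme-challenge/anything should answer with something other than 301 while any other plain-http URL on the host redirects.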