nginx-proxy-manager: Let's Encrypt HTTP challenge renewal fails with timeout
Describe the bug
For about two months, certbot renewal of letsencrypt certificates has been failing. This has persisted through several versions of NPM now, and none of the existing issues, such as fixing DNS inside docker, have solved the issue.
Nginx Proxy Manager Version
2.9.10
To Reproduce
Steps to reproduce the behavior:
- Start docker
- Wait for renewal of soon-expiring certificates
- Check docker logs
- Errors out with:
[11/2/2021] [7:07:02 PM] [Migrate ] › ℹ info Current database version: 20210423103500
[11/2/2021] [7:07:02 PM] [Setup ] › ℹ info Logrotate Timer initialized
[11/2/2021] [7:07:02 PM] [Setup ] › ℹ info Logrotate completed.
[11/2/2021] [7:07:02 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[11/2/2021] [7:07:02 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[11/2/2021] [7:07:06 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[11/2/2021] [7:07:11 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[11/2/2021] [7:07:15 PM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[11/2/2021] [7:07:15 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[11/2/2021] [7:07:15 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[11/2/2021] [7:07:15 PM] [Global ] › ℹ info Backend PID 249 listening on port 3000 ...
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
Model#$omit is deprected and will be removed in 3.0.
[11/2/2021] [7:09:05 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-4 with error: Some challenges have failed.
Failed to renew certificate npm-5 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-4/fullchain.pem (failure)
/etc/letsencrypt/live/npm-5/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)
at ChildProcess.exithandler (node:child_process:397:12)
at ChildProcess.emit (node:events:390:28)
at maybeClose (node:internal/child_process:1064:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
Expected behavior
Certbot will automatically renew expiring certificates.
Operating System
Linux 5.13.0-arm64 #1 SMP PREEMPT Debian 5.13.15-202109101456~buster (2021-09-10) aarch64 GNU/Linux
Additional context
I use the following ports, as my NPM is installed alongside Nextcloudpi, which by default occupies the default HTTP(S) ports 80/443. Externally, ports 443 and 80 point towards 40443 and 8080, respectively. However, this was not a problem earlier (prior to ~August/September 2021).
version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: always
    ports:
      - '8080:80'
      - '8081:81'
      - '40443:443'
    ...
About this issue
- State: closed
- Created 3 years ago
- Comments: 16
Ok, I know why certificates would not be renewed: for the proxy hosts in question, I had the option “Force SSL” active. Once I deactivated this option in the SSL tab of the respective hosts, I was able to renew all certificates. ✔️
Does this leave the issue to be closed as “user error” (that could be totally on me. Sorry for spamming here…), or would that indicate a deeper problem worth keeping this issue around?
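For comparison with the “Force SSL” behaviour described in the comment above, here is an added nginx example (not NPM's generated config and not the reporter's) of an HTTP listener that serves the ACME HTTP-01 challenge path in plain HTTP and only redirects everything else to HTTPS; the host name, the webroot path and the location layout are assumptions for illustration.

```nginx
# Added example, not NPM's own template. Assumes the container listens on
# port 80 (host port 8080 in the compose file above) and that certbot writes
# challenge files below /var/www/acme (placeholder path).
server {
    listen 80;
    server_name example.com;   # placeholder host name

    # The CA fetches http://example.com/.well-known/acme-challenge/<token>
    # over port 80; a blanket HTTPS redirect here makes the challenge fail.
    # "^~" makes this prefix win over the catch-all location below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else gets the "force SSL" redirect.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

A quick check is to request the challenge path over port 80 with redirects disabled (for example `curl -I http://example.com/.well-known/acme-challenge/test`) and confirm the answer is a 404 or 200 from this listener rather than a 301 to HTTPS.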