nginx-proxy-manager: Temp workaround (that works for me!) for SSL certificate renewal bug
I know there are already lots of issues on this topic - I’ve tried to link to most of them below. I’ve just had to renew 16 sites on one server (running the latest v.2.10.2) and thought I’d go through the process that seemed to work reliably for me in case it helps others (with thanks to posters in other issues where I’ve gleaned this info from!).
Given how it works I suspect the issue is the the requests to the ACME endpoint not being allowed through when force SSL is enabled (as mentioned in some bug reports) and I’m hopeful @jc21 can merge in #2038 that seems to be an option (but is unfortunately now based off an older base).
Symptom
SSL certificates do not automatically renew and you receive a warning email from LetsEncrypt about an upcoming expiring certificate (typically I seem to get them when <20 days left to go). Attempts to manually review end up just showing an ‘Internal server error’
Workaround
Part 1 - clear any certbot.lock files
I’ve found there is sometime an error caused by a a duplicate instance of CertBot running. You can check whether there are .certbot.lock files in your system:
find / -type f -name ".certbot.lock"
If there are, you can remove them:
find / -type f -name ".certbot.lock" -exec rm {} \;
(from https://community.letsencrypt.org/t/solved-another-instance-of-certbot-is-already-running/44690/2)
Part 2 - turn off Force SSL and then renew
After clearing any certbot lock, I then went through site by site and 1) disabled Force SSL on the proxy host page then 2) requested certificate renewal on the SSL page and then 3) re-enabled SSL and all sub-options back on the proxy host page.
As I say it takes a while and is frustrating but I found it worked reliably and they’re all now renewed for the next 3 months. If you don’t switch off Force SSL then you just end up with an internal error.
Related issues on this topic (in the hope that once this issue is resolved these can all be closed) #1771 #1816 #1856 #2048 #2251 #2258 #2267 #210 #2418 #2499 #2593 #2642 #2713 #2860
About this issue
- Original URL
- State: open
- Created a year ago
- Reactions: 28
- Comments: 29
Commits related to this issue
- LetsEncrypt ACME redirect issue fixes #2881 — committed to EDIflyer/nginx-proxy-manager by EDIflyer a year ago
Thanks to the work from @the1ts in #2038 and the comments from @Whoopsadaisy re regex on that PR https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2038#issuecomment-1372833078 I’ve created a new PR #3121 that combines their comments to stop /.well-known/acme-challenge requests from being redirected to https.
The new PR has been build (you can access it in a docker compose file by commenting out your current image and using
image: 'jc21/nginx-proxy-manager:github-pr-3121'instead). The only change I made was to the oneforce-ssl-.conffile, but it is based off the current develop branch (2.10.4 as of today) so will include any other changes on there.I’ve tried it on two servers that I run - on the first I was now enable to renew OK just by clicking ‘renew now’ on the SSL page (something that previously errored out). On the other one I initially still got the internal error but when I ran the first bit of the code in my OP above I found 3 certbot instances running so once I cleared them it seemed to renew OK. Out of interest I’ve only renewed one certificate on that server to see if the rest renew OK automatically. In both cases everything still seems to redirect to https OK and the regex seems to check out OK - (https://regex101.com/r/H58N25/1)
If you’re happy to do so then please test it out - it is showing as OK to merge so if this merges hopefully it’ll be accepted by @jc21 😃
PS - I checked back 10-15 min later and it seems that all the other certs have autorenewed too so that saved me quite a bit of work switching force SSL off/on for each one!
Hmm, for me, no such files were found, hence, didn’t work for me
PR #3121 worked great for me. Finally my certs are renewed automagically again, thx 😃
Awesome!! Works without a hitch now. Thank you!!!
Neither I found any lock file but the trick disabling force SSL its the important part! Try anyway
+1’ing.
Made the manual change this PR makes in my own setup and can confirm it fixes my issue.
Thank you, @EDIflyer
Deleting the host and adding it again works…
thx for your answer @EDIflyer, but yeah i tried taht. i pulled the docker image with your PR, but i still get “Internal Error”. After recreating the container with the new image i tried looking for locked Certbots again, but i dont have any locked certbot instances. I dont know what or if am doing wrong, but i cant get new ceritificates no matter how often i try what had been suggested here in this thread.
I probably have an unrelated issue. If my certs expire in t he coming days i will retry again.
hmm for me it does not work. received a mail about expiring certs. went and try to renew. didnt work. looked up on the internet and found this workaround. but for me it does not work. there are not certbot.lock files in my docker container. and disabling ssh also does not do anything. tried rebooting the container, the vps and all steps here. its still always: “internal error”. not quite sure where to go from here.
@jhalak1984 did you try part 2? The main bit seems to be force SSL not allowing an ACME exclusion, the first bit is just to ensure no conflicting certbot instances running.
@jc21 any word on when a fix might be coming for this SSL cert renewal issue? That’s me having to manually renew another 10 sites this evening 😔
Just did this, thanks for the workaround writeup.
It really works thanks. Certs were before normally renewed, found out that it stopped working when I updated to the latest version. When it will be fixed?