nginx-proxy-manager: Unable to auto renew certificate using Cloudflare DNS validation

Are you in the right place?

  • If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit.
  • If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask.
  • If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the right place.

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image? yes.
REPOSITORY                                 TAG        IMAGE ID       CREATED         SIZE
jc21/nginx-proxy-manager                   latest     5d9d277f28f1   4 days ago      810MB
  • Are you sure you’re not using someone else’s docker image? yes.
  • If having problems with Lets Encrypt, have you made absolutely sure your site is accessible from outside of your network? yes.

Describe the bug

  • I am running NPM on 2 different Ubuntu 18.04 LTS servers. I am using Cloudflare DNS validation.

  • Both NPM dockers failed to renew the Let’s Encrypt wildcard certificate with auto renewal, but are able to renew it when run manually in the SSL Certificate tab.

  • What version of Nginx Proxy Manager is reported on the login page? 2.8.1

Expected behavior

Expect auto certificate renewal when close to expiry.

Operating System

  • Ubuntu 18.04 LTS Server.

Additional context

Auto renewal

[3/22/2021] [7:57:36 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[3/22/2021] [8:01:05 AM] [SSL      ] › ✖  error     Error: Command failed: /usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1051:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)
Connection Error: Error: read ECONNRESET
Connection Error: Error: read ECONNRESET

Renew manually

[3/22/2021] [8:48:21 AM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates via Cloudflare for Cert #1: *.example.com
[3/22/2021] [8:54:49 AM] [SSL      ] › ℹ  info      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-1.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/npm-1/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[3/22/2021] [8:57:36 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[3/22/2021] [8:57:37 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[3/22/2021] [8:57:37 AM] [SSL      ] › ℹ  info      Renew Complete

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 4
  • Comments: 16

Most upvoted comments

@fabiandev thanks for the fix.

I just used the letsencrypt.ini with

dns-cloudflare = True
non-interactive = True
authenticator = dns-cloudflare

And that was enough for it to work.

I had the exact same issue, and this is what seems to solve the problem for me, as the default letsencrypt.ini explicitly defines webroot as authenticator:

Thank you very much for sharing your solution. I can happily share that it worked for me as well.

I had the exact same issue, and this is what seems to solve the problem for me, as the default letsencrypt.ini explicitly defines webroot as authenticator:

  • Create custom letsencrypt.ini and cloudflare.ini files
  • Overwrite default letsencrypt.ini and mount cloudflare.ini
  • Add DNS_CLOUDFLARE_CREDENTIALS to environment

Note: a few configs may be redundant (like dns-cloudflare = True in letsencrypt.ini, and DNS_CLOUDFLARE_CREDENTIALS in docker-compose.yml), but I have just tested with this exact setup and have not confirmed the minimal required configuration options.

letsencrypt.ini

dns-cloudflare = True
non-interactive = True
authenticator = dns-cloudflare
dns-cloudflare-credentials = /cloudflare.ini

cloudflare.ini

dns_cloudflare_api_token = secret

docker-compose.yml

volumes:
  - ./letsencrypt.ini:/etc/letsencrypt.ini:rw
  - ./cloudflare.ini:/cloudflare.ini:ro

environment:
  - DNS_CLOUDFLARE_CREDENTIALS=/cloudflare.ini

After recreating the container, the certificates renewed automatically and the expiry date is also correct in the UI.

Before: [screenshot of the certificate expiry date in the UI, 2021-06-07]

After: [screenshot of the certificate expiry date in the UI, 2021-06-07]
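The failure above comes down to one config file overriding another: the renewal conf records that the certificate was issued with the dns-cloudflare authenticator, but the stock letsencrypt.ini passed to `certbot renew --config` sets webroot, and webroot can never answer the dns-01 challenge that is the only one Let's Encrypt offers for a wildcard name. The script below is an added example, not code from nginx-proxy-manager or certbot: it parses a CLI config and a renewal conf, applies the precedence the thread describes (the --config value wins), and reports whether the resulting authenticator can satisfy any challenge the CA will offer for each name. The stock-file contents, the renewal conf and the webroot path are constructed stand-ins; the authenticator-to-challenge table is assumed from certbot's plugin documentation.

```python
"""Pre-flight check for the renewal failure discussed in this thread.

Added example, not code from nginx-proxy-manager or certbot. It parses a certbot
CLI config (letsencrypt.ini) and a renewal conf, works out which authenticator
`certbot renew --config letsencrypt.ini --preferred-challenges dns,http` would
end up using, and reports whether that authenticator can satisfy any challenge
the CA will offer for the certificate's names. All sample configs are constructed.
"""
import configparser

# Challenge types each non-DNS certbot authenticator can answer (any dns-* plugin
# answers dns-01). Assumed from certbot's plugin documentation.
AUTHENTICATOR_CHALLENGES = {
    "webroot": {"http-01"},
    "standalone": {"http-01"},
    "nginx": {"http-01"},
    "apache": {"http-01"},
}

# --preferred-challenges accepts the short names seen in the command on this page.
CHALLENGE_ALIASES = {"dns": "dns-01", "http": "http-01", "tls-alpn": "tls-alpn-01"}


def _parse(text, default_section):
    """certbot's ini files may start without a section header; supply one."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(f"[{default_section}]\n" + text)
    return parser


def parse_cli_ini(text):
    """Key/value pairs of a certbot CLI config such as /etc/letsencrypt.ini."""
    return dict(_parse(text, "cli")["cli"])


def parse_renewal_conf(text):
    """The [renewalparams] section of /etc/letsencrypt/renewal/<name>.conf."""
    parser = _parse(text, "toplevel")
    return dict(parser["renewalparams"]) if parser.has_section("renewalparams") else {}


def supported_challenges(authenticator):
    if authenticator.startswith("dns-"):
        return {"dns-01"}
    return AUTHENTICATOR_CHALLENGES.get(authenticator, set())


def ca_offered_challenges(domain):
    # Let's Encrypt issues wildcard names only via dns-01.
    if domain.startswith("*."):
        return {"dns-01"}
    return {"http-01", "dns-01", "tls-alpn-01"}


def effective_authenticator(cli_cfg, renewal_cfg):
    # The thread's diagnosis: a value in the --config file wins over the one stored
    # in the renewal conf, so a global `authenticator = webroot` silently replaces
    # the dns-cloudflare authenticator the certificate was issued with.
    return cli_cfg.get("authenticator") or renewal_cfg.get("authenticator")


def check_renewal(letsencrypt_ini, renewal_conf, domains, preferred="dns,http"):
    """Return a list of problems; an empty list means renewal can proceed."""
    cli_cfg = parse_cli_ini(letsencrypt_ini)
    renewal_cfg = parse_renewal_conf(renewal_conf)
    auth = effective_authenticator(cli_cfg, renewal_cfg)
    if auth is None:
        return ["no authenticator configured in either file"]
    wanted = {CHALLENGE_ALIASES.get(p.strip(), p.strip()) for p in preferred.split(",") if p.strip()}

    problems = []
    stored = renewal_cfg.get("authenticator")
    if stored and stored != auth:
        problems.append(f"CLI config authenticator {auth!r} overrides renewal conf authenticator {stored!r}")
    for domain in domains:
        usable = supported_challenges(auth) & wanted & ca_offered_challenges(domain)
        if not usable:
            problems.append(f"{domain}: authenticator {auth!r} cannot satisfy any challenge the CA offers")
    return problems


# Constructed stand-in for the stock file, which this thread says forces webroot
# (the webroot path is a placeholder, not the project's real path).
DEFAULT_INI = """\
authenticator = webroot
webroot-path = /path/to/acme-challenge
"""

# The replacement posted in the thread.
FIXED_INI = """\
dns-cloudflare = True
non-interactive = True
authenticator = dns-cloudflare
dns-cloudflare-credentials = /cloudflare.ini
"""

# Constructed renewal conf for the wildcard certificate from the first post.
RENEWAL_CONF = """\
archive_dir = /etc/letsencrypt/archive/npm-1
fullchain = /etc/letsencrypt/live/npm-1/fullchain.pem
[renewalparams]
authenticator = dns-cloudflare
"""

if __name__ == "__main__":
    for label, ini in (("default", DEFAULT_INI), ("fixed", FIXED_INI)):
        print(label, check_renewal(ini, RENEWAL_CONF, ["*.example.com"]) or "OK")
```

Running it with the stock-style file reports both the override and the unsatisfiable wildcard name; with the posted letsencrypt.ini it reports nothing. The check also distinguishes the second reporter's situation: for a non-wildcard name webroot is still able to attempt http-01, so only the override is flagged and the run fails later with "Challenge failed" rather than being rejected up front.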

I’m experiencing the same issue. I use Cloudflare DNS challenge for several LE certificates. Auto renewing fails. Manual renewing via the web GUI is very slow, but works.

Auto Renewing

[4/8/2021] [8:37:37 AM] [SSL ] › ✖ error Error: Command failed: /usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Challenge failed for domain REDACTED
Attempting to renew cert (npm-10) from /etc/letsencrypt/renewal/npm-10.conf produced an unexpected error: Some challenges have failed.. Skipping.
Challenge failed for domain REDACTED
Attempting to renew cert (npm-11) from /etc/letsencrypt/renewal/npm-11.conf produced an unexpected error: Some challenges have failed.. Skipping.
Challenge failed for domain REDACTED
Attempting to renew cert (npm-12) from /etc/letsencrypt/renewal/npm-12.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/npm-10/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-11/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-12/fullchain.pem (failure)
3 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1051:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)

Manual Renewing via web GUI

[4/8/2021] [9:42:21 AM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates via Cloudflare for Cert #10: REDACTED
[4/8/2021] [9:47:43 AM] [SSL ] › ℹ info - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/npm-10.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/npm-10/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/npm-10/fullchain.pem (success)