NPM not renewing certs automatically. Running certbot renew manually inside container however works. #1389
Description
Hi I'm using current docker image: jc21/nginx-proxy-manager:latest
Version v2.7.2 is reported on the npm login page (after I worked around the problem)
I initially obtained my LE certs in Jan 2021, however they never automatically renewed. I couldn't reach the npm web interface b/c of the hsts error when trying to reach the npm website b/c the certs had expired.
The npm docker container kept running however I kept receiving errors in the docker logs like the following:
[9/9/2021] [1:08:06 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[9/9/2021] [1:11:54 PM] [SSL ] › ✖ error Error: Command failed: /usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Challenge failed for domain npm.domain.com
Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: Some challenges have failed.. Skipping.
Basically the logs were littered with these types of errors.
For background I'm using dns challenge authentication through cloudflare with API (not Global) key.
I've worked with certbot before and manually logged into the container and simply ran:
certbot renew
and just typing this alone -- all the certificates were renewed -- which is super strange since it proves at least my authentication credentials were valid.
So investigating further the command:
usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
/etc/letsencrypt.ini contains the following:
text = True
non-interactive = True
authenticator = webroot
webroot-path = /data/letsencrypt-acme-challenge
I'm not using a webroot challenge so I'm not sure why this is included in the ini file.
Further more the /data partition is an external mounted volume specified in my docker-compose.yml file:
volumes:
- /data/npm/npm:/data
- /etc/ssl/letsencrypt/npm:/etc/letsencrypt
- /data/npm/ssl-ciphers.conf:/etc/nginx/conf.d/include/ssl-ciphers.conf:ro
Further more --preferred-challenges "dns,http"
Why is http listed as preferred-challenge?
Lastly addressing the other error: Attempting to renew cert (npm-1) from /etc/letsencrypt/renewal/npm-1.conf produced an unexpected error: Some challenges have failed.. Skipping.
The contents of npm-1.conf are the following:
# renew_before_expiry = 30 days
version = 1.4.0
archive_dir = /etc/letsencrypt/archive/npm-1
cert = /etc/letsencrypt/live/npm-1/cert.pem
privkey = /etc/letsencrypt/live/npm-1/privkey.pem
chain = /etc/letsencrypt/live/npm-1/chain.pem
fullchain = /etc/letsencrypt/live/npm-1/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = <REDACTED>
authenticator = dns-cloudflare
dns_cloudflare_credentials = /etc/letsencrypt/credentials/credentials-1
server = https://acme-v02.api.letsencrypt.org/directory
npm run as docker container within a Virtualized Ubuntu 20.04 host within FreeNAS bhyve hypervisor.
Ideally I'd like certs to be renewed automatically without any manual intervention.