Renew now on SSL Certificates page gives internal error

[gent99]

I'm on v2.9.15 and have a problem with "renew now" on SSL Certificates tab. I get internal error. Tried with different certs for different proxy hosts. Need more info, then please tell me where to find the needed logs.

[H4nSolo]

Here ist my Log about the Error:

......
2022-01-28T14:22:01.024729628Z [1/28/2022] [2:22:01 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
2022-01-28T14:22:01.029569645Z [1/28/2022] [2:22:01 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
2022-01-28T14:22:01.031130541Z [1/28/2022] [2:22:01 PM] [Global ] › ℹ info Backend PID 248 listening on port 3000 ...
2022-01-28T14:22:17.143438076Z QueryBuilder#allowEager method is deprecated. You should use allowGraph instead. allowEager method will be removed in 3.0
2022-01-28T14:22:17.144582592Z QueryBuilder#eager method is deprecated. You should use the withGraphFetched method instead. eager method will be removed in 3.0
2022-01-28T14:22:17.150001473Z QueryBuilder#omit is deprecated. This method will be removed in version 3.0
2022-01-28T14:22:17.151648151Z Model#$omit is deprected and will be removed in 3.0.
2022-01-28T14:22:57.515936923Z [1/28/2022] [2:22:57 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #10: domain.xx.xy
2022-01-28T14:22:57.515962942Z [1/28/2022] [2:22:57 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-10" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
2022-01-28T14:22:57.967649739Z [1/28/2022] [2:22:57 PM] [Express ] › ⚠ warning Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-10" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
2022-01-28T14:22:57.967672762Z Another instance of Certbot is already running.
2022-01-28T14:22:57.967676078Z Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmp48pefxkd/log or re-run Certbot with -v for more details.
2022-01-28T14:22:57.967678303Z
2022-01-28T14:26:14.243601235Z [1/28/2022] [2:26:14 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
2022-01-28T14:26:14.243627765Z Failed to renew certificate npm-11 with error: Some challenges have failed.
2022-01-28T14:26:14.243631812Z All renewals failed. The following certificates could not be renewed:
2022-01-28T14:26:14.243634167Z /etc/letsencrypt/live/npm-11/fullchain.pem (failure)
2022-01-28T14:26:14.243636241Z 1 renew failure(s), 0 parse failure(s)
2022-01-28T14:26:14.243638555Z
2022-01-28T14:26:14.243640709Z at ChildProcess.exithandler (node:child_process:397:12)
2022-01-28T14:26:14.243642783Z at ChildProcess.emit (node:events:390:28)
2022-01-28T14:26:14.243644787Z at maybeClose (node:internal/child_process:1064:16)
2022-01-28T14:26:14.243646760Z at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)

[PavelkaDavid]

Hi, I have been solving this too. I don't know why, but some of my certificates cannot be renewed as it outputs "Connection refused" for acme-challenge as shown on the picture.

If this happens, than after each restart of NPM there is stuck processes as shown on the next image, that results in "Another instance of Certbot is already running."

If you kill these processes, than you can create new certificate for these domains and it will work as it should (renew will not work). Then go to your host and assign the new certificate to it. Than you can delete the old one.

After these changes is done, you can try to restart your NPM and see if there is still that processes. If not, than you are OK and you can ensure yourself by issuing renew.

Hope this helps and I am looking forward for this to be fixed. I don't know what cause this, but it happends on all of my 4 NPM installs for only some domains.

[gent99]

where can i find those logs?

in npm/data/logs i find
letsencrypt-requests_access.log
letsencrypt-requests_error.log
letsencrypt-requests.log

but they don't show me any errors like in your posts

[PavelkaDavid]

where can i find those logs?

in npm/data/logs i find letsencrypt-requests_access.log letsencrypt-requests_error.log letsencrypt-requests.log

but they don't show me any errors like in your posts

I have found this log here: /var/log/letsencrypt/letsencrypt.log

[Gh0stRocket]

Hi,
I have created a bash script which will fix the error. It creates symbolic links for all required files and optionally deletes the old *.pem files. For me it fixed the problem:

Just go to your /etc/letsencrypt/live directory, create a script and paste the content below.

touch /etc/letsencrypt/live/fix.sh

Make it exectuable:

chmod +x /etc/letsencrypt/live/fix.sh

And run it:

cd /etc/letsencrypt/live/ && ./fix.sh

At the end of the script you will be asked if you want to delete the old files which are no longer needed.

After running the script restart your nginxproxymanager instance.

#!/usr/bin/env bash

DELETE_ME=()

for i in $(find . -name "npm-*" -type d); do
	pushd "${i}" &>/dev/null
	RELATIVE_PATH=$(echo "${i}" | sed 's/\.\///g')
	# find all regular (non symbolic link) files
	for t in $(find . -name "*.pem" -type f); do
		# remove ./ path prefix
		FILE_TO_LINK=$(echo "${t}" | sed 's/\.\///g')
		NEW_FILE_NAME=$(echo "${FILE_TO_LINK}" | sed 's/\./1\./g')
		echo "${RELATIVE_PATH}/${FILE_TO_LINK} needs to be linked"
		echo "Moving ${RELATIVE_PATH}/${FILE_TO_LINK} to ${RELATIVE_PATH}/${FILE_TO_LINK}.bak"
		mv "${FILE_TO_LINK}" "${FILE_TO_LINK}".bak
		DELETE_ME+=("${RELATIVE_PATH}/${FILE_TO_LINK}.bak")
		echo "linking ../../archive/${RELATIVE_PATH}/${NEW_FILE_NAME} to ${RELATIVE_PATH}/${FILE_TO_LINK}"
		ln -s ../../archive/"${RELATIVE_PATH}"/"${NEW_FILE_NAME}" "${FILE_TO_LINK}"
		if [[ "$?" == 0 ]]; then
			echo "success"
		else
			echo "failure"
		fi
	done
	popd &>/dev/null
done

if [[ -n ${DELETE_ME} ]]; then
	echo -e "\nOld *.pem files:\n"
	echo "${DELETE_ME[*]}"
	echo "Do you want to delete the old *.pem files? (y/n) "
	read delete

	if [[ "${delete}" == "y" || "${delete}" == "yes" ]]; then
		for y in "${DELETE_ME[@]}"; do
			rm "${y}"
		done
	fi
else
	echo "Nothing to be done."
fi

[cptskippy]

For anyone experiencing this issue, I was able to fix my setup using the following steps:

1. Navigate to Proxy Hosts
2. Edit a Host entry with a bad SSL Cert
3. Navigate to the SSL Tab
4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"
5. Click Save
6. Navigate to SSL Certificates
7. Delete the old Certificate

After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.

I don't know what caused the problem or if it will come back but at least for now it appears to be working.

[Waldorf3]

For anyone experiencing this issue, I was able to fix my setup using the following steps:

1. Navigate to Proxy Hosts
2. Edit a Host entry with a bad SSL Cert
3. Navigate to the SSL Tab
4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"
5. Click Save
6. Navigate to SSL Certificates
7. Delete the old Certificate

After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.

I don't know what caused the problem or if it will come back but at least for now it appears to be working.

This just create an "Internal error", no new cert.

[TheFreeman]

The same on my side.
Any new suggestions?

[abdros]

I had the same issue and solved it by adding a DNS CAA record for the HOST.MYDOMAIN.TLD and setting letsencrypt.org as an authorized certificate provider (I use EasyDNS).
What made me think of this was an email that letsencrypt had sent some time ago regarding this soon-to-come requirement from DNS providers.
Nginx Proxy Manager v2.7.1
Hope this helps others.

[AlmightyJojo]

npm 2.10.1. Out of nowhere expired certs + symlink error on npm startup. Internal error in GUI. Godaddy DNS challenge cert
Gh0stRocket script did indeed fix renewal and all existing proxy hosts updated. Whew.
What's not clear is fix symlink creation is permanent fix or not. Believe it is...This renewal issue with either npm / certbot really could use some attention.

[github-actions]

Issue is now considered stale. If you want to keep it open, please comment 👍

[Palmdale95]

For me the issue is still there:
Failed to renew certificate npm-1 with error: Some challenges have failed.
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-3 with error: Some challenges have failed.
Failed to renew certificate npm-4 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-1/fullchain.pem (failure)
/etc/letsencrypt/live/npm-2/fullchain.pem (failure)
/etc/letsencrypt/live/npm-3/fullchain.pem (failure)
/etc/letsencrypt/live/npm-4/fullchain.pem (failure)
4 renew failure(s), 0 parse failure(s)

at ChildProcess.exithandler (node:child_process:422:12)
at ChildProcess.emit (node:events:517:28)
at maybeClose (node:internal/child_process:1098:16)
at ChildProcess._handle.onexit (node:internal/child_process:303:5)

[deMathias]

I just get internal error in NPM gui when trying to renew wildcard cert (*.domain.ltd)

[Reetryyy]

I encountered the same issue when trying to renew certificates using the NPM GUI. Removing the certificate that failed to renew and requesting new ones resolved the problem for me.

[timguy99]

For anyone experiencing this issue, I was able to fix my setup using the following steps:

1. Navigate to Proxy Hosts
2. Edit a Host entry with a bad SSL Cert
3. Navigate to the SSL Tab
4. Click on the SSL Certificate field and in the drop down select "Request a new SSL Certificate"
5. Click Save
6. Navigate to SSL Certificates
7. Delete the old Certificate

After doing the above steps for each of my Proxy Hosts, they can be renewed from the GUI. I'm not sure if Auto-renew will work but I guess I'll find out in a couple months.
I don't know what caused the problem or if it will come back but at least for now it appears to be working.

This just create an "Internal error", no new cert.

Same issue for me but following these steps seemed to work. Be nice to see this fixed though so we don't have to do things manually.