
SSL certificate error #2011

Open
ahmedelemamn opened this issue Apr 19, 2022 · 133 comments
@ahmedelemamn

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
I have a fresh NPM image running and tried to generate an SSL certificate for my domain.
I tried both the HTTP and DNS challenges.
For the HTTP challenge I get this error:

Communication with the API failed, is NPM running correctly?

or this one:

example.example.com: There is no server available at this domain. Please make sure your domain exists and points to the IP where your NPM instance is running and if necessary port 80 is forwarded in your router.

For the second error I made sure my DNS record is configured as DNS only and not proxied on Cloudflare, and I have both port 80 and 443 forwarded on my WAN router.

If I opt for the DNS challenge I get this error:

```
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-3" --agree-tos --email "xxxx@gmail.com" --domains "example.com" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-3" --dns-cloudflare-propagation-seconds 240
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Encountered CloudFlareAPIError adding TXT record: 10000 Authentication error
Error communicating with the Cloudflare API: Authentication error
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
```

although the API token is working fine:

```
curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
     -H "Authorization: Bearer xxxx" \
     -H "Content-Type:application/json"
{"result":{"id":"96ec8dc212843213fb16d363732e6b34","status":"active"},"success":true,"errors":[],"messages":[{"code":10000,"message":"This API Token is valid and active","type":null}]}
```

Nginx Proxy Manager Version
v2.9.14
I tried the latest as well but had the same issue. I saw a post here recommending that downgrading helped, but unfortunately it didn't help me (ref. #1862).

To Reproduce
Steps to reproduce the behavior:

  • Go to the tab "SSL Certificates"
  • Click on "Add SSL Certificate"
  • Enter the domains "*.example.com, example.com"
  • Select "Use DNS Challenge", Cloudflare, and set API Key
  • Set Propagation Seconds (450 Seconds) (Optional)

Expected behavior
wildcard SSL certificate to be created

Operating System
ubuntu server 21.10

@Lzyct

Lzyct commented Aug 16, 2022

Any update about this issue?

@evlo

evlo commented Aug 17, 2022

Can you do *.example.com or just example.com?

Anyway, I have the same error with just example.com after clicking on test, but not when the domain is unavailable; maybe this happens if the domain points to a different location. I'm using Cloudflare DNS without proxy, do I need to use the DNS challenge?

With a token I get

```
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.9.12)
```

(yes I'm sure, I'm using the same one in traefik, but I wanted to switch to something with web UI management)

Without the DNS challenge I get

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

UPDATE: weirdly, after 3 attempts (no change in token) it did succeed, even with wildcard; I don't know what that says about trying the same thing and expecting a different result.

@vm75

vm75 commented Nov 28, 2022

I am facing the same issue. Have enabled port forwarding for both 80 & 443. keep getting the same errors outlined in the original post

@Evilernie2001

Same problem here. Can't renew or create SSL via Let's Encrypt.

@BL3CKM00N

Guessing I'm not the only one here today xD

@Yannic-reust

same here

@g4xx

g4xx commented Nov 29, 2022

Same here

@CameronMacG

+1

@msawyer91

I'm seeing the same "Communication with the API failed, is NPM running correctly?" on NPM 2.9.19 on a Raspberry Pi using Docker. The error occurs when I test connectivity, but ultimately succeeded in requesting the certificate from Let's Encrypt.

@HostLabs-LLC

I'm also getting "Communication with the API failed, is NPM running correctly?" after pulling :latest this morning. I'm glad it's not just me; hopefully we get this fixed. Thanks!!!

@BL3CKM00N

Well... you can request a certificate; only the check currently does not work. Requesting and renewing work just fine ;)

@Barzoo7

Barzoo7 commented Dec 1, 2022

+1, hope it gets solved

@rohankm

rohankm commented Dec 2, 2022

same here

@DomBrownInOz

Yep, same here.

@xnrbdev

xnrbdev commented Dec 3, 2022

Anyone had any luck with an older version?

@OfficialMuffin

Same issue here

@Srcodesalittle

Same here, please advise

@MarkoS046

Same here :/

@AzSaSiN

AzSaSiN commented Dec 5, 2022

```
Uncaught SyntaxError: Unexpected end of JSON input
```

FROM

```
./run: line 19:  1287 Trace/breakpoint trap   (core dumped) node --abort_on_uncaught_exception --max_old_space_size=250 index.js
```

Whenever you try to see if the server is reachable, docker logs will display this error.

I've tried to pinpoint the script that triggers it but have had no luck so far.

@lazyzyf

lazyzyf commented Dec 5, 2022

```
npm       | `QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
npm       | `QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
npm       | QueryBuilder#omit is deprecated. This method will be removed in version 3.0
npm       | Model#$omit is deprected and will be removed in 3.0.
```

@DelScipio

Same problem on all my servers. Nothing changed; it worked fine until it didn't.

@CristianEduardMihai

Same here. PM works fine on my Oracle Cloud hosts, but I'm facing this issue on my home server.

@kiennt048

Same here, even after installing the latest version on the hardware.

@gylove1994

same here.

@Radiofreqq

same. no joy. I'm new to all this and I've been beating my head thinking I messed up somewhere.

@bigbeka

bigbeka commented Dec 9, 2022

I'm having the same issue.

@tarkh

tarkh commented Dec 9, 2022

Yep, same issue.

@bigbeka

bigbeka commented Dec 9, 2022

The only way I was able to get SSL is to Add host and request the SSL through the Host setup process.

[Screenshot 2022-12-09 at 10:38:01]

@Sebekerga

Sebekerga commented Dec 9, 2022

The wall of "same here" messages doesn't speed up the process of resolving this issue and it creates an unnecessary spam for those who follow issues via email.

If you want to help, please provide additional information such as logs, your settings, info about your setup or anything else that you think might be helpful.

If you want to show that you also are interested in solving this issue, consider just up-voting initial issue message, so that the counter will go up.

But please, stop spamming "same here"

EDIT: Want to make it clear, that I do not think bad of people who posted "same here" and just wanted to point out that it is not the most helpful approach for participating in issues, with peace and love

@awad0

awad0 commented Aug 8, 2023

Fixed it for me, too. Could it be that the wrong (http) challenge is being checked to start a DNS challenge?

I have found when SSL renewal fails or a challenge fails, restart the container and try again. Been the simplest workaround for me so far.

Unfortunately not. I tried this before. I'm in a LXD container, where I can ssh into. It's not a port or connection issue. Manual "dry run" also worked.

@etymotic

etymotic commented Sep 4, 2023

If anyone wants to give this a try:

My setup is NPM docker running on the same virtual machine as all of my other docker stuff. I use AdGuard Home, with a DNS rewrite of *.mydomain.com -> local IP of NPM. I figured there was probably some sort of problem of NPM trying to reach stuff but just getting redirected and never leaving my LAN...

So I set up wireguard in the virtual machine that runs all of my docker stuff. I have a subscription to AirVPN and used their config generator. With the VPN connected, I'm able to add/renew certificates.

My guess is that the VPN forces traffic to leave my LAN, which helps things renew properly. Either that, or it just randomly started working while I was messing around with it.

@prom00

prom00 commented Sep 4, 2023

> My guess is that the VPN forces traffic to leave my LAN, which helps things renew properly. Either that, or it just randomly started working while I was messing around with it.

I've had this before too, where it suddenly started to work again...

@BartAgterbosch

BartAgterbosch commented Sep 4, 2023

I would like to weigh in here and suggest making sure that "Block common exploits" is disabled in the proxyhost settings for the particular domain you're trying to renew (re-enable it afterwards), also wait a while before doing it if you've been spamming the renew button before trying that, it might be rate limited

@EDIflyer

EDIflyer commented Sep 4, 2023

Just to flag this PR I submitted seems to do the trick - #3121 - I've done renewals on a few servers since and they seem to go through OK. You can test it via the auto-built Docker image in the PR.

@Tschakko1993

I had exactly the same problem as described above.
I checked my router settings and it seems that ports 80/443 were not forwarded.
I opened the ports and that fixed the issue.

@baxenko

baxenko commented Oct 28, 2023

I am using ubuntu+portainer+npm+uptime kuma. I want to get a certificate for uptime kuma. When I click "Test Server Reachability" I get an error: "Communication with the API failed, is NPM running correctly?". Any help?

80 and 443 ports are available

@EDIflyer

@baxenko where are you clicking 'Test Server Reachability'? I've got the Portainer/NPM/Uptime Kuma setup too and all are working fine (using my PR above for NPM to ensure SSL certs issued/renewed OK)

@etymotic

@baxenko I'm pretty certain, at least for me, that it's network related. Probably NAT Loopback. I think NPM sends out a DNS request for your domain, gets pointed at your home network, and your router never lets anything leave. The solution for me was connecting the machine that runs NPM to a VPN. That forced stuff to leave my home network so the certificate stuff could succeed.
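The NAT-loopback hypothesis above, together with the other causes reported in this thread (record proxied through Cloudflare, A record pointing at an old WAN address, record never created), can be checked from the NPM host before pressing "Test Server Reachability". The script below is an added example and not NPM's code: it resolves the domain with the host's own resolver, compares the answer with the router's current WAN address, and maps the combination to the failure modes seen here. The Cloudflare edge ranges are a snapshot assumed for this example; `resolve_a` is the only part that touches the network.

```python
"""Preflight for NPM's HTTP-01 / reachability-test path (added example, not NPM code)."""
import ipaddress
import socket
import sys

# Ranges a public resolver should never return for an Internet-facing host. A hit
# means a local DNS rewrite (e.g. AdGuard Home) is answering instead of public DNS.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Carrier-grade NAT (RFC 6598). If the router's WAN address sits here, the ISP holds
# the real public address and forwarding 80/443 on the router cannot expose NPM.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# Cloudflare IPv4 edge ranges, a snapshot assumed for this example; check
# https://www.cloudflare.com/ips/ for the current list. An answer in these ranges
# means the record is proxied (orange cloud), so the challenge reaches Cloudflare, not NPM.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def resolve_a(hostname):
    """IPv4 answers from the host's own resolver (live network call; not used in the test)."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify(resolved, wan_ip):
    """
    Map the resolver's answers for the domain plus the router's current WAN address
    to the failure modes seen in this thread. Returns (code, explanation).
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan in CGNAT:
        return ("cgnat", f"WAN address {wan_ip} is carrier-grade NAT; router port "
                         "forwarding cannot expose NPM, use the DNS challenge instead")
    if not resolved:
        return ("nxdomain", "no A record for the domain; create the record at the DNS "
                            "provider before requesting a certificate")
    addrs = [ipaddress.ip_address(ip) for ip in resolved]
    if any(_in_any(a, LAN_RANGES) for a in addrs):
        return ("lan-answer", f"resolver returned {resolved}: a local DNS rewrite is "
                              "answering, so NPM's own test hits the LAN address and "
                              "never leaves the network (hairpin NAT must work for that)")
    if any(_in_any(a, CLOUDFLARE_RANGES) for a in addrs):
        return ("proxied", f"{resolved} are Cloudflare edge addresses: the record is "
                           "proxied; set it to DNS only or use the DNS challenge")
    if wan_ip not in resolved:
        return ("stale-record", f"DNS points at {resolved} but the WAN address is "
                                f"{wan_ip}: update the record or set up dynamic DNS")
    return ("ok", "DNS points at this WAN address; remaining suspects are port 80 "
                  "forwarding, the ISP blocking port 80, a WAF/geo rule, or "
                  "'Block Common Exploits' on the proxy host")


if __name__ == "__main__":
    # usage: python preflight.py example.example.com <router WAN IP>
    domain, wan = sys.argv[1], sys.argv[2]
    code, why = classify(resolve_a(domain), wan)
    print(f"{domain}: {code}: {why}")
```

Run it on the NPM host itself (inside the container is best, since that is the resolver NPM uses) and pass the WAN address shown in the router's status page. A `lan-answer` verdict does not by itself stop Let's Encrypt, which uses public DNS; it only explains why the reachability test from NPM fails.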

@irhiggs

irhiggs commented Nov 3, 2023

I found this that seems to help a lot: https://www.reddit.com/r/nginxproxymanager/comments/166fbka/certbot_renew_internal_error/

Looks like we need a different certbot version packaged into this docker container

@misaka00251

https://old.reddit.com/r/nginxproxymanager/comments/166fbka/certbot_renew_internal_error/k1b9fra/
Yeah, this works.

@baxenko

baxenko commented Nov 11, 2023

> I am using ubuntu+portainer+npm+uptime kuma. I want to get a certificate for uptime kuma. When I click "Test Server Reachability" I get an error: "Communication with the API failed, is NPM running correctly?". Any help?
>
> 80 and 443 ports are available

@EDIflyer , @etymotic
My problem was due to an installed Portainer that would not allow npm to "see" uptime kuma. My friend wrote instructions on how to properly install it and configure Portainer to detect the container. I got everything working. Thanks to all of you for your help.

Instructions: https://gist.github.com/Vladkarok/12ed9c11282d1659ecf369028c3202e6

@yasarza

yasarza commented Nov 12, 2023

Hello everyone

I had the same issue, and it turns out it has something to do with my firewall setting.
I have a pfsense firewall, and when I checked my settings, I found that I allowed only TCP/UDP connection to the web, which I think wasn't enough for nginx to verify the API token.

@liveinaus

liveinaus commented Nov 17, 2023

> https://old.reddit.com/r/nginxproxymanager/comments/166fbka/certbot_renew_internal_error/k1b9fra/ Yeah, this works.

Thanks, it has fixed my issue. Thanks for sharing the fix.

The following commands, run in the container, fixed the issue:

```
cd /opt/certbot
/opt/certbot/bin/pip install certbot==2.6.0
/opt/certbot/bin/pip install -U certbot-dns-godaddy
. /opt/certbot/bin/activate && pip install --upgrade pyopenssl
```

@RobustMarker

> I had the same issue, and it turns out it has something to do with my firewall setting. I have a pfsense firewall, and when I checked my settings, I found that I allowed only TCP/UDP connection to the web, which I think wasn't enough for nginx to verify the API token.

What did you change? Did you allow a different port or something?

@julianjuan77

julianjuan77 commented Dec 9, 2023

In my case, creating a new certificate did not work for me. The problem was not having created the subdomain in Cloudflare and pointed it to my server. Once the subdomain was created in Cloudflare I was able to create my new certificate without problems.

@JtMotoX

JtMotoX commented Dec 10, 2023

> The only way I was able to get SSL is to Add host and request the SSL through the Host setup process.

Thank you so much @bigbeka! Your comment worked for me. 👍

@AlaskaJedi

AlaskaJedi commented Dec 17, 2023

Okay, after a few hours of frustration, re-installs, and changing router configs, I kept getting the internal error or the "Communication with the API failed, is NPM running correctly?" error.

I have another subdomain outside of NPM with its own certificate, so I decided to do a force renewal and it worked right away. I was about to add a wildcard to that certificate and import it to NPM, but I decided to try it one more time. I created a new certificate from scratch with a fresh API key from Cloudflare.

That's when I noticed something. When using the DNS Challenge option, the credentials file content had the example below
(not my actual token btw):

```
Cloudflare API token
dns_cloudflare_api_token = 0123456789ABCDEF0123456789ABCDEF01234567
```

I replaced the token with my Cloudflare token, and it failed. I then tried it again, this time using single quotes around my token, like this:

```
dns_cloudflare_api_token = '0123456789ABCDEF0123456789ABCDEF01234567'
```

IT WORKED! I checked the credentials file to verify, and it had:

```
dns_cloudflare_api_token = \0123456789ABCDEF0123456789ABCDEF01234567\
```

The weird thing was that my credentials file for my previous certificates that I could not renew did not have any quotes or slashes around the token, but they had worked up until now. Anyway, I thought I would share in case anyone else was having the same problem.
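What certbot actually reads is the credentials file NPM writes to /etc/letsencrypt/credentials/credentials-N, so that file is worth checking before concluding the token is bad; the original report's `10000 Authentication error` with a token that verifies fine via curl is the same situation. The script below is an added example, not NPM's or certbot's code. It parses the `key = value` lines in that file, flags quote or backslash characters wrapped around the token (the `\...\` the comment above found), and checks that the remaining token has the 40-character `[A-Za-z0-9_-]` shape of a Cloudflare API token, which is an assumption about the current token format.

```python
"""Sanity-check a certbot dns-cloudflare credentials file (added example, not NPM code)."""
import re
import sys

# Assumption for this example: Cloudflare API tokens are 40 characters drawn from
# [A-Za-z0-9_-]. Adjust TOKEN_RE if the format changes.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{40}$")
# Characters that must never wrap the token in the file. The comment above shows NPM
# turning single quotes into backslashes; neither belongs in the value certbot sends.
WRAPPER_CHARS = "'\"\\`"


def parse_credentials(text):
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a key = value line: {raw!r}")
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def check_token(value):
    """Problems with a token value; an empty list means it looks sane."""
    if not value:
        return ["dns_cloudflare_api_token is empty"]
    problems = []
    wrappers = sorted({c for c in value if c in WRAPPER_CHARS})
    if wrappers:
        problems.append(f"token contains quote/backslash characters {wrappers}; "
                        "these are sent to the API as part of the token")
    core = value.strip(WRAPPER_CHARS)
    if not TOKEN_RE.match(core):
        problems.append(f"token body is {len(core)} characters and/or contains "
                        "characters outside [A-Za-z0-9_-]")
    return problems


def check_credentials_file(text):
    """Problems found in the whole file; an empty list means nothing obvious is wrong."""
    values = parse_credentials(text)
    if "dns_cloudflare_api_token" in values:
        return check_token(values["dns_cloudflare_api_token"])
    if "dns_cloudflare_email" in values and "dns_cloudflare_api_key" in values:
        return []  # legacy email + global API key pair; format not checked here
    return ["no dns_cloudflare_api_token (or dns_cloudflare_email + "
            "dns_cloudflare_api_key) found"]


if __name__ == "__main__":
    # usage inside the container: python check_creds.py /etc/letsencrypt/credentials/credentials-3
    path = sys.argv[1]
    with open(path) as fh:
        found = check_credentials_file(fh.read())
    print("\n".join(found) if found else f"no obvious problems in {path}")
```

Two caveats a clean result does not cover: `/user/tokens/verify` only confirms the token is active, not that it carries `Zone:DNS:Edit` on the zone certbot needs to write `_acme-challenge` into, and `6003 Invalid request headers` from certbot is what a token mangled in transit looks like, so re-paste rather than re-issue first.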

@yesid-bocanegra

I had this issue after doing a backup of my data and letsencrypt folders. The problem was that I was not aware of the symlinks in the live folder, so after copying my backup folders back I was not able to renew the certificates. To fix this problem I had to update the symlinks for every certificate.

I decided to create a script to fix it. This script can be executed inside the docker container (haven't tested it from the host); it will search for the most recent certificate in the archive folder and create a symlink in the live folder pointing to it.

Afterwards you should be able to execute certbot renew.

https://gist.github.com/yesid-bocanegra/dfa0cbf0f99a6834340613f43b6610e0
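A self-contained version of that repair, as an added example that is neither the gist linked above nor certbot's own code. It assumes certbot's directory layout, where live/NAME/BASE.pem is a relative symlink to ../../archive/NAME/BASEN.pem, picks the highest N for which all four files (cert, chain, fullchain, privkey) exist so a half-written newer set is ignored, and refuses to touch live/ when archive/ has no complete set, since in that case the files in live/ may be the only copy left.

```python
"""Rebuild live/<name>/*.pem symlinks from archive/<name>/ (added example, not certbot code)."""
import os
import re
import sys
from pathlib import Path

PEM_BASES = ("cert", "chain", "fullchain", "privkey")
_ARCHIVE_RE = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")


def latest_version(archive_dir):
    """Highest N for which certN, chainN, fullchainN and privkeyN all exist, else None."""
    seen = {}
    for entry in Path(archive_dir).iterdir():
        match = _ARCHIVE_RE.match(entry.name)
        if match:
            seen.setdefault(int(match.group(2)), set()).add(match.group(1))
    complete = [n for n, bases in seen.items() if bases == set(PEM_BASES)]
    return max(complete) if complete else None


def relink(letsencrypt_root, cert_name, dry_run=False):
    """Point live/<cert_name>/*.pem at the newest complete archive set.

    Returns (version, [link names that were created or corrected]).
    """
    root = Path(letsencrypt_root)
    archive = root / "archive" / cert_name
    live = root / "live" / cert_name
    version = latest_version(archive)
    if version is None:
        # Do not delete anything in live/: it may be the only copy of the key material.
        raise FileNotFoundError(f"no complete certN/chainN/fullchainN/privkeyN set in {archive}")
    live.mkdir(parents=True, exist_ok=True)
    changed = []
    for base in PEM_BASES:
        link = live / f"{base}.pem"
        # Relative target, as certbot itself writes it, so a moved/restored tree still resolves.
        target = Path("..") / ".." / "archive" / cert_name / f"{base}{version}.pem"
        if link.is_symlink() and os.readlink(link) == str(target):
            continue  # already correct
        if not dry_run:
            if link.exists() or link.is_symlink():
                link.unlink()  # stale link, or a regular file left by a naive copy
            link.symlink_to(target)
        changed.append(link.name)
    return version, changed


def relink_all(letsencrypt_root, dry_run=False):
    """Repair every certificate under archive/; returns {name: (version, changed)}."""
    root = Path(letsencrypt_root)
    results = {}
    for archive in sorted((root / "archive").iterdir()):
        if archive.is_dir():
            results[archive.name] = relink(root, archive.name, dry_run)
    return results


if __name__ == "__main__":
    # usage inside the container: python relink.py [/etc/letsencrypt] [--dry-run]
    le_root = next((a for a in sys.argv[1:] if not a.startswith("--")), "/etc/letsencrypt")
    for name, (ver, links) in relink_all(le_root, dry_run="--dry-run" in sys.argv).items():
        print(f"{name}: version {ver}, {'fixed ' + ', '.join(links) if links else 'already correct'}")
```

Run with `--dry-run` first to see which links would change, then without it, and follow up with `certbot renew --dry-run` to confirm certbot accepts the restored layout before the real renewal. NPM's `npm-N` certificate names are just the `cert_name` values under archive/, so nothing NPM-specific is needed.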

@nsaccente

nsaccente commented Dec 30, 2023

First time caller, long time listener.

I noticed that jc21/nginx-full has been deprecated in favor of nginxproxymanager/nginx-full, although I'm not sure when it was marked deprecated. Even more damning is the fact that the develop and master branches of this repo's READMEs both use example docker-compose files that still use the jc21/nginx-proxy-manager:latest image.

Strangely enough, it looks like @jc21's account pushed a new image just 12 hours ago, despite this repo not having seen a commit since last month. Even stranger, the new image, nginxproxymanager/nginx-full, hasn't seen an update in 9 months!

I have a faint suspicion that most of the issues folks have had in this thread are due to using the deprecated image, IF it truly is deprecated.

I did try spinning up a container with the following docker-compose, but the container exits with code 0 immediately, so I think the ENTRYPOINT may be wrong somewhere.

docker-compose.yaml

```yaml
version: '3.8'

# The file as posted declared `networks:` twice (a duplicate top-level key);
# the two declarations are merged here.
networks:
  default:
    external: true
    name: outbound

services:
  app:
    image: 'nginxproxymanager/nginx-full:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80'   # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81'   # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP
    volumes:
      - ./data/data:/data
      - ./data/letsencrypt:/etc/letsencrypt
```

@etymotic

@nsaccente interesting. I haven't had a chance to play with it, but try nginxproxymanager/nginx-proxy-manager:latest

@nsaccente

@etymotic , I attached my docker-compose contents as a <details> element; already using nginxproxymanager/nginx-proxy-manager:latest but no cigar.

@nsaccente

nsaccente commented Dec 31, 2023

Update, it appears that my ISP has changed my IP, which has been the cause of all my troubles. Updating my domain provider's dns with my new IP did just the trick. I guess I can't put off setting up dyndns any longer 🤷

The error message provided by NPM is... vague at best... misguiding at worst.

Despite this small victory, the following are still true:

  1. nginxproxymanager/nginx-proxy-manager:latest still exits immediately.
  2. jc21/nginx-proxy-manager:latest is the image I got working (however, I'll be pinning to 2.9.18, and manually updating image versions)
  3. The DEPRECATED sentiment on the jc21 image is ... wrong? It's supposed successor crashes on startup and isn't being regularly built

For those having trouble with NPM's SSL certification feature, please make certain that the IP of your server is still valid!

@moviemakr1620

> The only way I was able to get SSL is to Add host and request the SSL through the Host setup process.
>
> [Screenshot 2022-12-09 at 10:38:01]

Same here, but I want to get a wildcard SSL. Doing it this way won't let me.

@smibrandon

I found a fix for my issue: allocating more storage space.

Running NPM in a Proxmox CT (no docker at all), and happened to catch that it was at 96% of its storage. I gave it some extra, and boom. Worked!

@Deses

Deses commented Apr 20, 2024

Look. This might seem silly, but I was also having this problem.

Turns out my problem is that I enabled basic WAF protection in my Cloudflare to block anything not coming from Spain and to block Bots.

Well, obviously that blocked the Let's Encrypt bot, which does not reside in Spain. Duh. I disabled the filters and it's now working nicely.

I thought I'd leave my 5 cents here if anyone else has been having problems with this.

@RobustMarker

RobustMarker commented Apr 25, 2024

> Well, obviously that blocked the Let's Encrypt bot, which does not reside in Spain. Duh. I disabled the filters and it's now working nicely.

I had a very similar issue, along with my ISP blocking port 80 and not telling me. No wonder I couldn't renew my cert. (I'm also in Spain; maybe ISPs are renewing security configs?)

Thought I'd also leave my 5 cents.

@abduroshyd

> https://old.reddit.com/r/nginxproxymanager/comments/166fbka/certbot_renew_internal_error/k1b9fra/ Yeah, this works.
>
> Thanks, it has fixed my issue. Thanks for sharing the fix.
>
> The following commands, run in the container, fixed the issue:
>
> ```
> cd /opt/certbot
> /opt/certbot/bin/pip install certbot==2.6.0
> /opt/certbot/bin/pip install -U certbot-dns-godaddy
> . /opt/certbot/bin/activate && pip install --upgrade pyopenssl
> ```

It didn't work for me 🥲

@BartAgterbosch

BartAgterbosch commented May 15, 2024

> > https://old.reddit.com/r/nginxproxymanager/comments/166fbka/certbot_renew_internal_error/k1b9fra/ Yeah, this works.
> >
> > Thanks, it has fixed my issue. Thanks for sharing the fix.
> > The following commands, run in the container, fixed the issue:
> >
> > ```
> > cd /opt/certbot
> > /opt/certbot/bin/pip install certbot==2.6.0
> > /opt/certbot/bin/pip install -U certbot-dns-godaddy
> > . /opt/certbot/bin/activate && pip install --upgrade pyopenssl
> > ```
>
> It didn't work for me 🥲

Did you by any chance disable "Block Common Exploits" before renewing the cert? If not, then try that (also wait an hour or so first if you've been spamming the renew button a lot).
