
Cannot generate SSL certificate #881


Closed
stefanorossiti opened this issue Feb 9, 2021 · 14 comments

Comments

@stefanorossiti

stefanorossiti commented Feb 9, 2021

I managed to configure NPM as a reverse proxy for 2 internal services, but I don't know why I can't generate the certificate. It gives no real error I could work with...

image

I'm using the DNS from Namecheap that is not in the list, is it necessary to get a certificate?

@henkisdabro

henkisdabro commented Feb 11, 2021

I've also started getting the Internal Error messages when creating new Proxy Hosts. I'm using Cloudflare and follow the same procedure as always when issuing. It might be related to the new 2.8.0 version as I did not have the issues before that.

I tried reverting to 2.7.3 but now experience the same error on this version too. I also tried removing the XX.conf files associated with old entries, but it seems something old is trailing too (database seems empty when checking with adminer?)

@Ducatel

Ducatel commented Feb 11, 2021

Same issue for me with the 2.8.0 or 2.7.3 version in SQLite mode running in a Docker container.
I get an error when creating a new cert or on renewal.

I get this kind of log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxx.eu
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain xxxx.eu
http-01 challenge for xxxx.eu
Cleaning up challenges
Some challenges have failed.

@henkisdabro

Update from my end – it seems to be automatically resolved. I went back to using the :latest image (2.8.0) and booted up NPM and now it seems all is working again. Issuing certs and attaching existing SSL certs to new hosts all seem to work. The issues I had removing proxy hosts are also gone. Phew. Hope it works for you guys too.

@Ducatel

Ducatel commented Feb 13, 2021

Same for me, yesterday I tried to renew all my certificates and all was done with success...

@talondnb

talondnb commented Feb 15, 2021

I'm not having much luck:

Error: Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-5" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "xxxx.org" 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
An unexpected error occurred:
OSError: [Errno 95] Not supported: '../../archive/npm-5/cert1.pem' -> '/etc/letsencrypt/live/npm-5/cert.pem'
Please see the logfiles in /var/log/letsencrypt for more details.

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1051:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)

and log shows:

2021-02-15 09:13:34,388:DEBUG:acme.client:Storing nonce: 0104_bjSxVzICRApFzrqN44NJ8AeBZA8zCYedY177UJn5bs
2021-02-15 09:13:34,415:DEBUG:certbot._internal.storage:Archive directory /etc/letsencrypt/archive/npm-5 and live directory /etc/letsencrypt/live/npm-5 created.
2021-02-15 09:13:34,419:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 423, in obtain_and_enroll_certificate
    return storage.RenewableCert.new_lineage(
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 1027, in new_lineage
    os.symlink(_relpath_from_file(archive_target[kind], target[kind]), target[kind])
OSError: [Errno 95] Not supported: '../../archive/npm-5/cert1.pem' -> '/etc/letsencrypt/live/npm-5/cert.pem'
2021-02-15 09:13:34,424:ERROR:certbot._internal.log:An unexpected error occurred:
[root@docker-1fb5b1cfcddd:/app]# 

Any ideas?

edit: more logs at startup of container:

[2/15/2021] [9:44:45 AM] [SSL      ] › ✖  error     Error: Command failed: /usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 466, in __init__
    self._check_symlinks()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 532, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken. Skipping.

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 466, in __init__
    self._check_symlinks()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 532, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken. Skipping.

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 445, in __init__
    raise errors.CertStorageError(
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/npm-3-0001.conf is broken. Skipping.

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 466, in __init__
    self._check_symlinks()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 532, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-3/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/npm-3.conf is broken. Skipping.

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 445, in __init__
    raise errors.CertStorageError(
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/npm-4.conf is broken. Skipping.

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 466, in __init__
    self._check_symlinks()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 532, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/npm-5/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/npm-5.conf is broken. Skipping.
0 renew failure(s), 6 parse failure(s)

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1051:16)
    at Socket.<anonymous> (internal/child_process.js:442:11)
    at Socket.emit (events.js:314:20)
    at Pipe.<anonymous> (net.js:673:12)
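
The two certbot failures in this comment are storage problems, not challenge problems. os.symlink raising OSError Errno 95 ("Not supported") means the filesystem under /etc/letsencrypt refuses to create symlinks (a CIFS/SMB-backed or similarly restricted Docker volume behaves this way), and the later "expected ... to be a symlink" and "missing a required file reference" messages are certbot's own storage.py checks tripping over lineages that were left half-written by earlier failed attempts. The preflight below reproduces those checks before certbot is invoked, so the problem shows up as a readable list instead of an "Internal Error" in the UI. It is an added example, not code from this thread or from Nginx Proxy Manager; it assumes certbot's standard layout (renewal/<name>.conf referencing live/<name>/*.pem symlinks into archive/<name>/), and the tree that build_fake_lineage() and self_check() create is constructed purely for offline demonstration.

```python
import os
import tempfile

# The four file references certbot requires in every renewal config.
REQUIRED_KEYS = ("cert", "privkey", "chain", "fullchain")


def supports_symlinks(directory):
    """True if the filesystem under `directory` accepts symlinks. certbot's
    layout needs them (live/<name>/cert.pem -> ../../archive/<name>/cert1.pem);
    a volume where os.symlink raises OSError (the Errno 95 above) cannot host it."""
    if not os.path.isdir(directory):
        return False
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        open(os.path.join(tmp, "target"), "w").close()
        try:
            os.symlink("target", os.path.join(tmp, "link"))
        except OSError:
            return False
        return os.path.islink(os.path.join(tmp, "link"))

def parse_renewal_conf(path):
    """Top-level `key = value` lines of a renewal config, i.e. everything before
    the [renewalparams] section; that is where the file references live."""
    values = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("["):
                break
            key, sep, val = line.partition("=")
            if sep and not line.startswith("#"):
                values[key.strip()] = val.strip()
    return values

def check_lineage(conf_path):
    """Problems certbot would raise for one lineage: a missing file reference,
    a live/ entry that is a plain file rather than a symlink, or a symlink whose
    archive target is gone. An empty list means the lineage parses cleanly."""
    problems, conf = [], parse_renewal_conf(conf_path)
    for key in REQUIRED_KEYS:
        if key not in conf:
            problems.append(f"{conf_path}: missing required file reference '{key}'")
        elif not os.path.islink(conf[key]):
            problems.append(f"{conf[key]}: expected a symlink")
        elif not os.path.exists(conf[key]):
            problems.append(f"{conf[key]}: dangling symlink -> {os.readlink(conf[key])}")
    return problems

def check_letsencrypt_dir(base="/etc/letsencrypt"):
    """Whole-directory preflight: symlink support plus every renewal/*.conf."""
    if not os.path.isdir(base):
        return [f"{base}: not a directory"]
    problems = [] if supports_symlinks(base) else [f"{base}: no symlink support"]
    renewal = os.path.join(base, "renewal")
    confs = sorted(os.listdir(renewal)) if os.path.isdir(renewal) else []
    for name in confs:
        if name.endswith(".conf"):
            problems.extend(check_lineage(os.path.join(renewal, name)))
    return problems

def build_fake_lineage(base, name, broken=False):
    """Constructed tree for offline demonstration, not a real certbot tree:
    archive/<name>/<kind>1.pem, live/<name>/<kind>.pem symlinks (plain copies
    when broken=True, the state behind the 'expected ... to be a symlink'
    errors above) and a matching renewal/<name>.conf."""
    archive = os.path.join(base, "archive", name)
    live = os.path.join(base, "live", name)
    renewal = os.path.join(base, "renewal")
    for d in (archive, live, renewal):
        os.makedirs(d, exist_ok=True)
    lines = [f"archive_dir = {archive}"]
    for key in REQUIRED_KEYS:
        dst = os.path.join(live, f"{key}.pem")
        with open(os.path.join(archive, f"{key}1.pem"), "w") as fh:
            fh.write("constructed placeholder\n")
        if broken:
            with open(dst, "w") as fh:
                fh.write("constructed placeholder\n")
        else:
            os.symlink(os.path.join("..", "..", "archive", name, f"{key}1.pem"), dst)
        lines.append(f"{key} = {dst}")
    conf = os.path.join(renewal, f"{name}.conf")
    with open(conf, "w") as fh:
        fh.write("\n".join(lines + ["[renewalparams]"]) + "\n")
    return conf

def self_check():
    """Preflight over a constructed tree with one good and one broken lineage;
    returns (good_problems, broken_problems, whole_directory_problems)."""
    with tempfile.TemporaryDirectory() as base:
        good = build_fake_lineage(base, "npm-1")
        bad = build_fake_lineage(base, "npm-2", broken=True)
        return check_lineage(good), check_lineage(bad), check_letsencrypt_dir(base)
```

Inside the container, check_letsencrypt_dir() with its default argument walks the real /etc/letsencrypt; a non-empty result explains the "N parse failure(s)" summary line by line. A lineage reported as broken can be deleted (its renewal/*.conf, live/<name>/ and archive/<name>/ together) and re-issued, whereas "no symlink support" means the volume itself has to change. self_check() only exercises the logic on a throwaway tree.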

@ragaimeena

I am having the same issue. I can't even get to the HTTP request at all. I uninstalled and reinstalled many times:
addon on HASSIO
DuckDNS for the DNS service and subdomain
I get the same internal error, please help.

@talondnb

Bump? I've temporarily moved to the addon in home assistant which seems to be working fine for me (but now I'm at my limit for renews, so i have to wait a week).

@koshia

koshia commented Feb 27, 2021

I'm having the same issue, kept thinking it's me and how I'm registering via Cloudflare but I'm thinking something's up with Cloudflare.

I'm on Unraid with docker version:
v1.13.0 (2021-02-09)

  • Updated Nginx Proxy Manager to version 2.8.0.
  • Updated OpenResty to version 1.19.3.1.
  • Replaced the deprecated GeoIP module by GeoIP2.

Namecheap is where i have my DNS hosted and use Cloudflare to proxy. CF uses the zone edit API now instead of global api to do the acme-challenge. The last time I did this, it was with the global api and worked fine. Made sure this time around after I figured it out to use the Zone API.

We can see the acme-challenge with the TXT records being temporarily created and then removed but for some reason, it still failed.


2021-02-26 21:23:30,029:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/11175401054 HTTP/1.1" 200 381
2021-02-26 21:23:30,030:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 27 Feb 2021 03:23:30 GMT
Content-Type: application/json
Content-Length: 381
Connection: keep-alive
Boulder-Requester: 114015465
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0103QOg-_3hneOVhuDybUkd2UJJY_HofwLC1s4feWy6zioA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "domain.tld"
  },
  "status": "pending",
  "expires": "2021-03-06T03:23:29Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11175401054/6XREOw",
      "token": "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZz"
    }
  ],
  "wildcard": true
}
2021-02-26 21:23:30,030:DEBUG:acme.client:Storing nonce: 0103QOg-_3hneOVhuDybUkd2UJJY_HofwLC1s4feWy6zioA
2021-02-26 21:23:30,031:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-02-26 21:23:30,031:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.tld
2021-02-26 21:23:30,040:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2021-02-26 21:23:30,349:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=domain.tld&per_page=1 HTTP/1.1" 200 None
2021-02-26 21:23:30,351:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Found zone_id of a80070038ab3786d13f8e7b7d40bf9bd for domain.tld using name domain.tld
2021-02-26 21:23:30,352:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Attempting to add record to zone a80070038ab3786d13f8e7b7d40bf9bd: {'type': 'TXT', 'name': '_acme-challenge.domain.tld', 'content': '0PGS80GcKuU434KryKNpTSOiKycHdmnJRACiqJ_oRaw', 'ttl': 120}
2021-02-26 21:23:30,498:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "POST /client/v4/zones/a80070038ab3786d13f8e7b7d40bf9bd/dns_records HTTP/1.1" 200 None
2021-02-26 21:23:30,647:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones/a80070038ab3786d13f8e7b7d40bf9bd/dns_records?type=TXT&name=_acme-challenge.domain.tld&content=0PGS80GcKuU434KryKNpTSOiKycHdmnJRACiqJ_oRaw&per_page=1 HTTP/1.1" 200 None
2021-02-26 21:23:30,648:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Successfully added TXT record with record_id: ffe03bc2d9bfcab1df23e6c1a53e53c5
2021-02-26 21:23:30,654:INFO:certbot.plugins.dns_common:Waiting 10 seconds for DNS changes to propagate
2021-02-26 21:23:40,664:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-02-26 21:23:40,665:DEBUG:acme.client:JWS payload:
b'{}'
2021-02-26 21:23:40,670:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/11175401054/6XREOw:
{
  "protected": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "signature": "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY",
  "payload": "e30"
}
2021-02-26 21:23:40,758:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/11175401054/6XREOw HTTP/1.1" 200 185
2021-02-26 21:23:40,759:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 27 Feb 2021 03:23:40 GMT
Content-Type: application/json
Content-Length: 185
Connection: keep-alive
Boulder-Requester: 114015465
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/11175401054>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/11175401054/6XREOw
Replay-Nonce: 0103xnKvAWqIss_twR_hJmW9cJbjhbs_8uyBKdM9gPeOvB8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11175401054/6XREOw",
  "token": "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZz"
}
2021-02-26 21:23:40,759:DEBUG:acme.client:Storing nonce: 0103xnKvAWqIss_twR_hJmW9cJbjhbs_8uyBKdM9gPeOvB8
2021-02-26 21:23:41,760:DEBUG:acme.client:JWS payload:
b''
2021-02-26 21:23:41,764:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/11175401054:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE0MDE1NDY1IiwgIm5vbmNlIjogIjAxMDN4bkt2QVdxSXNzX3R3Ul9oSm1XOWNKYmpoYnNfOHV5QktkTTlnUGVPdkI4IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMTE3NTQwMTA1NCJ9",
  "signature": "QsIm-fkrbOceVUuPUyW6uHj9-Dv6LHHFbcoeeTX1G-QNwHwHfGOxnXkG1iNKpEAN5iTs9Gv_Kwpz3S3z9rxWU9KCwqysY1v6MnEY_Z3r1ITjeNszGvI7IuyhssF_nO5i3i958j0NyTihOzJSz1WJyKPxxREgtQK3b7EC_iEj42yZvXeTEBNVcSEMK2Vn6TrR861oRxFA-9aCRRXEdwMfxlRj7ZCTrgE2kVlGKrpavaKfPkbP_A6cwB2YDNfS1jVkF2MQjKL7SjP5TuF4GgO8WP-6VbCex-HF7_Vuq_CHQudMVcr08VBvZ7OYLBefbl4vPqhmmZt9gD87a09nao2OmQ",
  "payload": ""
}
2021-02-26 21:23:41,836:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/11175401054 HTTP/1.1" 200 612
2021-02-26 21:23:41,837:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 27 Feb 2021 03:23:41 GMT
Content-Type: application/json
Content-Length: 612
Connection: keep-alive
Boulder-Requester: 114015465
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0103F7VcPXfmBVWcUVDro1iPn833A1gklzgK-zXDENhTXfc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "domain.tld"
  },
  "status": "invalid",
  "expires": "2021-03-06T03:23:29Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"gLcdm1_Fu2KVg89N_7tixugRhhTThq6ymzp8k99J-jk\" found at _acme-challenge.domain.tld",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11175401054/6XREOw",
      "token": "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
    }
  ],
  "wildcard": true
}
2021-02-26 21:23:41,837:DEBUG:acme.client:Storing nonce: 0103F7VcPXfmBVWcUVDro1iPn833A1gklzgK-zXDENhTXfc
2021-02-26 21:23:41,838:WARNING:certbot._internal.auth_handler:Challenge failed for domain domain.tld
2021-02-26 21:23:41,838:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.tld
2021-02-26 21:23:41,838:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: domain.tld
Type:   unauthorized
Detail: Incorrect TXT record "gLcdm1_Fu2KVg89N_7tixugRhhTThq6ymzp8k99J-jk" found at _acme-challenge.domain.tld

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2021-02-26 21:23:41,839:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-02-26 21:23:41,839:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-02-26 21:23:41,839:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-02-26 21:23:41,849:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2021-02-26 21:23:42,080:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=domain.tld&per_page=1 HTTP/1.1" 200 None
2021-02-26 21:23:42,083:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Found zone_id of a80070038ab3786d13f8e7b7d40bf9bd for domain.tld using name domain.tld
2021-02-26 21:23:42,227:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones/a80070038ab3786d13f8e7b7d40bf9bd/dns_records?type=TXT&name=_acme-challenge.domain.tld&content=0PGS80GcKuU434KryKNpTSOiKycHdmnJRACiqJ_oRaw&per_page=1 HTTP/1.1" 200 None
2021-02-26 21:23:42,377:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "DELETE /client/v4/zones/a80070038ab3786d13f8e7b7d40bf9bd/dns_records/ffe03bc2d9bfcab1df23e6c1a53e53c5 HTTP/1.1" 200 None
2021-02-26 21:23:42,378:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Successfully deleted TXT record.
2021-02-26 21:23:42,381:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 409, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 390, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
/config/log/letsencrypt # 
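
What this log actually records is a disagreement about what is in DNS: certbot added the TXT value 0PGS80GcKuU434KryKNpTSOiKycHdmnJRACiqJ_oRaw through the Cloudflare API, waited the plugin's default 10 seconds, and the CA's validator then found gLcdm1_Fu2KVg89N_7tixugRhhTThq6ymzp8k99J-jk at _acme-challenge.domain.tld and nothing that matched. The useful check before (or after) a failed dns-01 attempt is to ask the zone's authoritative nameserver directly, the way the validator does, rather than the local resolver or the Cloudflare API, and compare the answer with the value certbot logged. If the record simply has not propagated yet, certbot's --dns-cloudflare-propagation-seconds option lengthens that 10-second wait; a different value being served points at a stale or leftover record instead. The minimal DNS client below is an added example, not code from this thread or from Nginx Proxy Manager: it speaks raw DNS over UDP using only the standard library, and build_txt_response() is a constructed reply that stands in for a real nameserver so the parser and the diagnosis can be exercised offline. The domain and TXT values are the ones from the log above.

```python
import random
import socket
import struct

TXT, IN = 16, 1


def _encode_name(name):
    """DNS wire format for a name: length-prefixed labels, terminated by 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_txt_query(name, txid):
    """A TXT/IN query with RD set (authoritative servers ignore RD)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", TXT, IN)

def _skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_txt_answers(msg):
    """Every TXT rdata in the answer section, each record's character-strings
    joined back together (a value longer than 255 bytes arrives split)."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:             # RCODE != NOERROR (3 = NXDOMAIN): no data
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip qtype + qclass
    values = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT:
            parts, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
                i += 1 + n
            values.append("".join(parts))
    return values

def query_txt(name, nameserver_ip, timeout=3.0):
    """Ask one nameserver directly (UDP/53) for the TXT records at `name`.
    Point it at the zone's authoritative servers, not the local resolver,
    because that is where the CA's validator looks."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (nameserver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    if struct.unpack("!H", reply[:2])[0] != txid:
        raise ValueError("DNS reply transaction id does not match the query")
    return parse_txt_answers(reply)

def diagnose(expected, observed):
    """Classify what the nameserver serves against the value certbot wrote.
    The CA accepts the authorization when any one TXT record matches."""
    if expected in observed:
        return "ok"
    return "not-propagated" if not observed else "stale-or-wrong-record"

def build_txt_response(name, txid, values, ttl=120):
    """Constructed reply for offline testing (a stand-in for a real nameserver):
    one TXT record per value, each owner name a pointer (0xC00C) back to the
    question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(values), 0, 0)
    answers = b""
    for v in values:
        rdata = bytes([len(v)]) + v.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, ttl, len(rdata)) + rdata
    return header + _encode_name(name) + struct.pack("!HH", TXT, IN) + answers
```

Against a live zone the call is diagnose(value_from_certbot_log, query_txt("_acme-challenge.domain.tld", ns_ip)) for each authoritative nameserver address (the NS records of the zone; Cloudflare-proxied zones are served by Cloudflare's own nameservers). Responses larger than one UDP datagram set the TC bit and would need a TCP retry, which is omitted here since two 43-character ACME values fit comfortably.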

@JesseRedfield

This feels like it is some kind of race condition. So I was messing with this in a rather slow staging VM running in 1 CPU core on a 2014 macbook air, and was unable to generate any SSL certificates UNLESS after every internal server error I just immediately spammed a retry.

I think what is happening is that the web server that hosts the challenge file that letsencrypt is looking for is not coming up fast enough for the challenge. So what the NGINX Proxy Manager is doing in the background is it is taking down whatever it is that you have occupying port 80 at that domain name, replacing the config with a new server that will host the challenge file at port https://domain.com/.well-known/acme-challenge/

Before this host is actually up, running, and reachable, it is telling the certbot to go ahead and continue the challenge request, and then of course since it can't reach that destination the cert process fails.

You can see the residual effect of this when it is done, it takes about a minute after a cert request for the Congratulations! default landing page for nginx proxy to come back online on my test setup. Basically certbot is beating the webservice coming up with the challenge file and winning the race condition to your failure.

Hammering on renew before the webservice comes back to the congratulations page did it for me, it also fills up the letsencrypt folder with tons of garbage certs =/ This happens both with this image and the newest image from here: https://github.com/jlesage/docker-nginx-proxy-manager/compare.

I don't know if this setup is using the nginx instance to host the challenge file, or using the auto host built into certbot, but either port 80 isn't unbinding fast enough or the switch to the certbot challenge file host isn't happening quick enough.

@JesseRedfield

This is an issue in certbot nginx, see: certbot/certbot#8163

they implemented a feature to wait for nginx to start back up after changing its configuration, it's a hard timer.

certbot now has a command line parameter --nginx-sleep-seconds for doing its job on slower machines where nginx may not start up fast enough.

I found this as I was trying to use letsencrypt with a plain nginx system after I could not get a certificate using nginxproxymanager.

@focher

focher commented Jun 29, 2021

Any idea when this fix will be implemented in Proxy Manager?

@jc21
Member

jc21 commented Jun 29, 2021

From the documentation, --nginx-sleep-seconds seems only to apply for the certbot nginx plugin. We don't use that as we control nginx reloads manually.

From the code path I can't see how the reloading of nginx wouldn't be completed prior to requesting a cert via certbot, however an additional check for nginx being up could be added rather easily.
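
The race JesseRedfield describes above and the "check for nginx being up" jc21 mentions come down to the same test: before certbot is told to proceed with http-01, something should confirm that nginx is actually answering on port 80 and serving /.well-known/acme-challenge/ from the webroot again, since the CA will fetch exactly such a URL. A reload that has returned is not the same as a worker that accepts connections. The check below does this end to end: it writes a random token into the webroot, fetches it back over plain HTTP the way the validator would, and only reports success when the body matches. It is an added example, not code from this thread or from Nginx Proxy Manager; the webroot /data/letsencrypt-acme-challenge is the one from the logs earlier in the thread, while the hostname and the local http.server that self_check() starts in place of nginx are assumptions for demonstration.

```python
import functools
import http.server
import os
import secrets
import tempfile
import threading
import time
import urllib.error
import urllib.request

# Direct connections only: an HTTP_PROXY in the environment must not get in the way.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def wait_for_challenge_path(webroot, base_url, timeout=30.0, interval=0.5):
    """Write a random token under <webroot>/.well-known/acme-challenge/ and poll
    it over plain HTTP until the server returns it (True) or `timeout` seconds
    pass (False). Run it between the nginx reload and the certbot call so the
    CA never races a server that is still starting. The token file is removed
    afterwards. The fetch follows redirects like the CA does, so an HTTP->HTTPS
    redirect onto a host with no valid certificate yet also ends in False."""
    token = secrets.token_urlsafe(24)
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    deadline = time.monotonic() + timeout
    try:
        while time.monotonic() < deadline:
            try:
                with _OPENER.open(url, timeout=2) as resp:
                    if resp.status == 200 and resp.read().decode().strip() == token:
                        return True
            except (urllib.error.URLError, OSError):
                pass  # connection refused or 404 while the server is coming up
            time.sleep(interval)
        return False
    finally:
        os.remove(path)

def self_check():
    """Offline demonstration: Python's http.server on a random localhost port
    stands in for nginx serving the webroot. Returns (reachable, unreachable):
    the check against the running server, then against the same port once closed."""
    with tempfile.TemporaryDirectory() as webroot:
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        port = server.server_address[1]
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            reachable = wait_for_challenge_path(webroot, f"http://127.0.0.1:{port}", timeout=5)
        finally:
            server.shutdown()
            server.server_close()
        unreachable = wait_for_challenge_path(webroot, f"http://127.0.0.1:{port}", timeout=1.5)
    return reachable, unreachable

if __name__ == "__main__":
    # Real use inside the NPM container (hostname is an assumption) would be:
    #   wait_for_challenge_path("/data/letsencrypt-acme-challenge", "http://example.org")
    # immediately before the certbot certonly command, aborting if it returns False.
    print(self_check())
```

The second call in self_check() shows the failure mode the thread is about: a port nothing is listening on yields a stream of connection refusals until the deadline, which is precisely what the CA sees when it is asked to validate before nginx is back. Use a generous timeout in production; the cost of waiting a few extra seconds is far lower than a failed order counting against the CA's rate limits.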

@TWART016

Hi,

I have the same error:
"Incorrect TXT record \"MYDOMAIN\" found at _acme-challenge.MYDOMAIN"

is there a solution in the meantime?

@chaptergy
Collaborator

As failing to create a certificate and the "internal error" is a very generic error, this issue has ended up containing a huge mix of entirely different issues, which are not connected. Hence I will go ahead and close this issue, to prevent it from becoming a graveyard for different problems. You can go ahead and open a new issue with specifics to your issue. #1271 will help you get started.

@NginxProxyManager NginxProxyManager locked and limited conversation to collaborators Dec 30, 2021