Can not generate certificates in NGINX Proxy Manager

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dsu-home.com

I ran this command:

It produced this output: "Internal Error", that's it......
While following a YouTube video I got the following while trying to set up a Cloudflare DDNS cert.

```
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:410:5)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```


My web server is (include version): ??? NGINX Proxy Manager v2.12.1

The operating system my web server runs on is (include version): ??? Proxmox 8.2.2

My hosting provider, if applicable, is: Tried DuckDNS, now trying to set up Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): ??? I don't know what you're referring to: the Proxmox, the NGINX container, something else?

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ???

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot): No Idea.

Details:
I've had a docker of NGINX Proxy Manager set up on my unraid for several months, and when I set it up I was able to generate the certs and get them and most links working, all using DuckDNS as the DynDNS provider. My unraid crashed last week, so I tried re-making everything on a Proxmox container (using ttech's helper script to install the container), but I am unable to create ANY certificates; all entries say "HTTP only". I am now following (or trying to follow) a video on YouTube (https://www.youtube.com/79e6KBYcVmQ) of a guy doing all kinds of NGINX, Cloudflare DDNS, and such, and I get to where I'm supposed to create the cert, but I get the above error with the same "Internal Error" title that I've been getting when trying to do them through DuckDNS. Both Cloudflare and DuckDNS are getting my external IP. I really don't know any of this stuff, so the best I can do is try to follow video tutorials to get stuff working. When I get issues like this I'm lost, so please be patient with me.

I just tried the same procedure but with DuckDNS (dsu-home.duckdns.org) and got the following error (also "Internal Error"):

```
Internal Error

CommandError: usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --dns-duckdns-credentials /etc/letsencrypt/credentials/credentials-21 --dns-duckdns-no-txt-restore

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:410:5)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```

I went to "add certificate" in NGINX Proxy Manager, then added my "domains", clicked on DNS Challenge, added my token, then clicked accept terms and submit, and got the error in return.

Looks like you need to install the duckdns certbot plugin. Reddit - Dive into anything

1 Like

For some reason it just started working maybe 10 minutes after posting above for the DuckDNS version; the Cloudflare version still gave me an error though.

By "Duckdns Plugin" do you mean the program that tells them my IP (I have this on my unraid and in Portainer on my Proxmox)? Or is that something else entirely?

I went to that Reddit page and put the line in the NGINX terminal screen on my Proxmox (just in case) and got this. No idea if the "warning" really means anything or not, since it says it was successful.

```
root@nginxproxymanager:~# pip install certbot_dns_duckdns
Collecting certbot_dns_duckdns
  Downloading certbot_dns_duckdns-1.3-py3-none-any.whl (12 kB)
Requirement already satisfied: certbot<3.0,>=1.18.0 in /usr/lib/python3/dist-packages (from certbot_dns_duckdns) (2.1.0)
Requirement already satisfied: requests<3.0,>=2.20.0 in /usr/lib/python3/dist-packages (from certbot_dns_duckdns) (2.28.1)
Collecting dnspython<3.0,>=2.0.0
  Downloading dnspython-2.7.0-py3-none-any.whl (313 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 313.6/313.6 kB 4.0 MB/s eta 0:00:00
Installing collected packages: dnspython, certbot_dns_duckdns
Successfully installed certbot_dns_duckdns-1.3 dnspython-2.7.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
root@nginxproxymanager:~# 
```

No it's a plugin for certbot (the tool which requests your certificate from Let's Encrypt) and it's used to populate a TXT record in your domain's DNS as a challenge response to prove you control that domain (an alternative to DNS domain validation is HTTP domain validation).

2 Likes

Hello @Ace_boy,

I am not finding that the domain name even exists.

https://unboundtest.com/m/CAA/dsu-home.com/J2SJSJMF

Query results for CAA dsu-home.com

Response:
;; opcode: QUERY, status: NXDOMAIN, id: 30555
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;dsu-home.com.	IN	 CAA

;; AUTHORITY SECTION:
com.	0	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1731036103 1800 900 604800 900
com.	0	IN	RRSIG	SOA 13 1 900 20241115032143 20241108021143 29942 com. Dc9Sz0BYWSpff4HyBRvCiudscGxT46GGUbuWP4CxxGdTovVmpD6QWFsQsSIdUXJS5KBw20rAC9r519ccyAcimw==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com.	0	IN	NSEC3	1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com.	0	IN	RRSIG	NSEC3 13 2 900 20241112002616 20241104231616 29942 com. kXIHv8XDrcMtulUGN5L16QaeYWXyeUSud+TZKzSugT1aNCYD4JQlB2B7N37qcdLMG/2awuNyPkU94lBkwPeQlg==
MCTCL62UKUOCLEOSMFPSCJMKMSQVHN79.com.	0	IN	NSEC3	1 1 0 - MCTD9KB7G5HAMSFOGI113OCPNEV3UDR2 NS DS RRSIG
MCTCL62UKUOCLEOSMFPSCJMKMSQVHN79.com.	0	IN	RRSIG	NSEC3 13 2 900 20241113010605 20241105235605 29942 com. 87blSZv4JOJROAdfde5ZBPShBc+es6wroiVLqM3LT1UZpTJk67wD1YS8K/CClgA5N76nEx2r2+HwAUG6GTZczw==
3RL2Q58205687C8I9KC9MV46DGHCNS45.com.	0	IN	NSEC3	1 1 0 - 3RL2SHVUMC300IUC2TDL4VML2HNF0O7I NS DS RRSIG
3RL2Q58205687C8I9KC9MV46DGHCNS45.com.	0	IN	RRSIG	NSEC3 13 2 900 20241115003657 20241107232657 29942 com. BH8rZ5x2oRdL7kyaIc8dnrHTr6jyq8zNKKFr6QcPT8rz0Psa4ioCIlQ0fy0NslHN+K3xhT+h2tw01Nb6MmkHqA==

----- Unbound logs -----

https://dnsviz.net/d/dsu-home.com/dnssec/

1 Like
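
An added example, not part of any post in this thread and not NPM's or certbot's own code: a small triage helper that reads the two kinds of output quoted above (certbot's stderr and a dig-style DNS response) and names the likely cause. The function names are hypothetical, and the sample inputs are excerpts of the outputs posted in this thread.

```python
import re
from typing import List, Optional

# Excerpts of the outputs quoted in this thread, embedded so the example runs offline.
CERTBOT_STDERR = (
    "certbot: error: unrecognized arguments: --dns-duckdns-credentials "
    "/etc/letsencrypt/credentials/credentials-21 --dns-duckdns-no-txt-restore\n"
)
DIG_OUTPUT = (
    ";; opcode: QUERY, status: NXDOMAIN, id: 30555\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1\n"
)

def missing_dns_plugin(stderr: str) -> Optional[str]:
    """Return the DNS plugin whose flags certbot rejected, e.g. 'dns-duckdns'."""
    for line in stderr.splitlines():
        if "unrecognized arguments:" in line:
            # Plugin flags are prefixed with the plugin name: --dns-<name>-<option>
            m = re.search(r"--(dns-[a-z0-9]+)-", line)
            if m:
                return m.group(1)
    return None

def dns_status(dig_output: str) -> Optional[str]:
    """Return the response code from a dig-style header (NOERROR, NXDOMAIN, ...)."""
    m = re.search(r"status:\s*([A-Z]+)", dig_output)
    return m.group(1) if m else None

def triage(stderr: str, dig_output: str) -> List[str]:
    """Map the raw outputs to plain-language findings, most specific first."""
    findings = []
    plugin = missing_dns_plugin(stderr)
    if plugin:
        findings.append(f"certbot plugin '{plugin}' is not installed where certbot runs")
    if "Some challenges have failed" in stderr:
        findings.append("challenge failed: read the logfile named in the output or re-run with -v")
    status = dns_status(dig_output)
    if status == "NXDOMAIN":
        findings.append("domain does not exist in public DNS, so it cannot be validated")
    elif status and status != "NOERROR":
        findings.append(f"DNS lookup returned {status}")
    return findings

if __name__ == "__main__":
    for finding in triage(CERTBOT_STDERR, DIG_OUTPUT):
        print("-", finding)
```

Inside the NPM container, `certbot plugins` lists the plugins that certbot can actually load, which confirms or rules out the first finding.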

Well, I don't know if it has anything to do with NPM or not, but I'm getting "403 Openresty" errors when I try to go to my sites that I was able to make certs for. I think it may just be the ones I have behind a password; the public ones (I only have 2 of them) seem to work external to my home network. Did I do something wrong setting them up?

What I did:
Create New
Name ([Service].dsu-home.duckdns.org)
Select Cache, Websocket, and/or Block known threats
Go to SSL tab
select "Get New Cert"
Toggle accept terms button
Click submit

.... wait....
Get Internal error, May or may not create the proxy but it would be "http only"

Note, I wish there was an edit button on this forum....


I tried to make that dsu-home.com name on Cloudflare, but it's saying something about redirecting name servers to them or something. I have no idea where or how to do that, since Cloudflare is the only place I put it, and they just show it as "dsu-home.com is not active on Cloudflare yet. Update the nameservers at your registrar to activate Cloudflare services for this domain.". I have not gone to any "domain for sale" sites to purchase any, so I don't think that is gonna be working any time soon. But my dsu-home.duckdns.org ones kinda work.

Do you see a "pencil" icon on the bottom of your posts? There were some restrictions added for new users recently due to spammers abusing that but I think you should be able to use that.

Yes, an openresty server replies to HTTP requests (port 80) but fails HTTPS (port 443) requests from the public internet. That is an NPM config problem best directed to their support forum.

If you have not purchased that name from somewhere you won't be able to use it on the public internet. The public DNS system (and public certs) require a public domain name.

2 Likes
