Cannot create new SSL Certificates

I am using Nginx Proxy Manager in a Docker Container, which worked perfectly fine up until this point.

Whenever I try to create a new SSL for a new Host, I get this error:

CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NameResolutionError(": Failed to resolve 'acme-v02.api.letsencrypt.org' ([Errno -3] Temporary failure in name resolution)"))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:519:28)
    at maybeClose (node:internal/child_process:1105:16)
    at ChildProcess._handle.onexit (node:internal/child_process:305:5)

And I don't really know what to do. Not sure what other info to state here, but creating hosts and getting SSL certificates has always worked.
I even recreated the Nginx Docker container with their docker compose, and now I unfortunately have no hosts running anymore, which is not ideal haha.

Please fix the DNS resolving capabilities of the container that's running your NPM. Or somewhere else within the NPM environment or perhaps your server.

This is not a Let's Encrypt or ACME specific issue, but a generic "I can't resolve hostnames using DNS" problem.

3 Likes

They were never broken, and I never changed anything. It worked fine until recently. None of my DNS settings changed, and the server that runs the Docker containers is able to do a DNS lookup on the Let's Encrypt server.

x@portainer-proxmox-vm:~$ nslookup acme-v02.api.letsencrypt.org
Server:         ::1
Address:        ::1#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org    canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org        canonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name:   ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248
Name:   ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 2606:4700:60:0:f53d:5624:85c7:3a2c

Well, but NPM can't. So you'd need to fix that. Maybe ask a NPM support channel for that :slight_smile:

5 Likes

If the host has internet connectivity, it doesn't mean the container does too. You need to check inside the container itself to see if it has internet access or if DNS is working.

Based on my experience with Docker, most likely your container is in bridge mode, and that mode needs specific NAT firewall rules to allow internet access. So it might happen that those NAT rules are gone on the host — the host still has internet, but not your container.

So, bottom line: check inside the container that it can resolve acme-v02.api.letsencrypt.org

2 Likes

You can tell the container which resolver to use, in docker-compose.yml or on the command line.

The docker daemon does occasionally forget to automatically configure that; restarting it or setting up the resolver manually might fix it.
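A self-check to run inside the NPM container (for example with `docker exec -i <container> python3 - < dnscheck.py`) so you see what the certbot run sees, as an added example that is not from this thread or the NPM project; it assumes the container has python3 (certbot itself is Python) and that you substitute your own container name.

```python
#!/usr/bin/env python3
"""Report the container's configured resolvers and whether it can resolve
the ACME host named in the certbot error. Added example, not NPM code."""
import socket
from typing import Dict, List

ACME_HOST = "acme-v02.api.letsencrypt.org"  # host from the certbot error
DOCKER_EMBEDDED_DNS = "127.0.0.11"  # Docker's own resolver on user-defined networks


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def loopback_resolvers(servers: List[str]) -> List[str]:
    """Loopback resolvers copied from the host (e.g. ::1 or 127.0.0.53) point at
    nothing inside the container; Docker's embedded DNS is the exception."""
    return [s for s in servers
            if s != DOCKER_EMBEDDED_DNS and (s == "::1" or s.startswith("127."))]


def check_resolution(host: str) -> Dict[str, object]:
    """Resolve host the way certbot's HTTPS client would; never raises."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:  # e.g. [Errno -3] Temporary failure in name resolution
        return {"host": host, "ok": False, "addresses": [], "errno": exc.errno, "error": str(exc)}
    addrs = sorted({info[4][0] for info in infos})
    return {"host": host, "ok": True, "addresses": addrs, "errno": 0, "error": ""}


def main() -> None:
    try:
        with open("/etc/resolv.conf") as fh:
            servers = parse_resolv_conf(fh.read())
    except OSError as exc:
        servers = []
        print(f"could not read /etc/resolv.conf: {exc}")
    print("configured resolvers:", servers or "(none)")
    for s in loopback_resolvers(servers):
        print(f"  warning: {s} is a loopback address; nothing in this container answers there")
    result = check_resolution(ACME_HOST)
    if result["ok"]:
        print(f"{ACME_HOST} -> {', '.join(result['addresses'])}")
    else:
        print(f"{ACME_HOST} failed: {result['error']} (errno {result['errno']})")


if __name__ == "__main__":
    main()
```

If the host resolves on the server but fails here, the fix belongs to the container's network or resolver settings (the `dns:` entry in docker-compose.yml mentioned above), not to certbot.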

Doesn't NPM config and manage the containers? Do you need to work through it for that?

I don't know all the operational elements of NPM. Curious for more background. Thanks

1 Like

Never used NPM, it's an issue I saw with other containers. The docker daemon can be fragile. (when interacting with resolvers)

1 Like

FWIW, there are 2 NPM repos of note:

Most people interact with the following repo, which is what their docs point to:

That's just the integration file that end-users implement though.

The actual repo/docker unit is here:

2 Likes

Oh, sorry, not general info; I know where that is.

Often with configurators like NPM you also need to work through them to control the parts they configured (containers and such in this case).

Otherwise manual changes get lost next time you touch the configurator.

9peppe was suggesting manual actions, so I was asking if he knew that would be friendly inside NPM. Perhaps I should have asked it that way instead :slight_smile:

2 Likes

I assumed you probably did, but I also like to assume the simplest and dumbest interpretation possible for everything. A lot of people never realize there are 2 repos, and all the relevant docs and configs are in that second "hidden" repo. Just wanted to make sure you knew about it.

2 Likes
