Cannot renew certificates under NGINX Proxy Manager

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: frigate12.themasons.net

Thanks for helping - I am a complete novice at this and eager to learn.

I ran this command: I am running NGINX Proxy Manager under unraid. I noticed that one of my sites was not working today so I checked into it. Apparently it expires today so it should have been auto-renewed by now. So I went into NGINX Proxy Manager and selected renew now.

It produced this output:

[app ] [3/2/2025] [2:20:57 PM] [SSL ] › :information_source: info Renewing Let'sEncrypt certificates for Cert #11: emby.themasons.net
[app ] [3/2/2025] [2:20:57 PM] [SSL ] › :information_source: info Command: certbot renew --force-renewal --config '/etc/letsencrypt.ini' --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name 'npm-11' --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
[app ] [3/2/2025] [2:20:57 PM] [Global ] › ⬤ debug CMD: certbot renew --force-renewal --config '/etc/letsencrypt.ini' --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name 'npm-11' --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
[app ] [3/2/2025] [2:20:59 PM] [SSL ] › :heavy_multiplication_x: error Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
[app ] Failed to renew certificate npm-11 with error: Some challenges have failed.
[app ] All renewals failed. The following certificates could not be renewed:
[app ] /etc/letsencrypt/live/npm-11/fullchain.pem (failure)
[app ] 1 renew failure(s), 0 parse failure(s)
[app ] Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
[app ] [3/2/2025] [2:20:59 PM] [SSL ] › :information_source: info Completed SSL cert renew process
[app ] [3/2/2025] [2:29:01 PM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -t
[app ] [3/2/2025] [2:29:02 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/proxy_host/1.conf
[app ] [3/2/2025] [2:29:02 PM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -t
[app ] [3/2/2025] [2:29:02 PM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -t
[app ] [3/2/2025] [2:29:02 PM] [Nginx ] › :information_source: info Reloading Nginx
[app ] [3/2/2025] [2:29:02 PM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -s reload
[app ] [3/2/2025] [2:30:22 PM] [SSL ] › :information_source: info Testing http challenge for frigate12.themasons.net
[app ] [3/2/2025] [2:30:33 PM] [SSL ] › :information_source: info Renewing Let'sEncrypt certificates for Cert #6: frigate12.themasons.net
[app ] [3/2/2025] [2:30:33 PM] [SSL ] › :information_source: info Command: certbot renew --force-renewal --config '/etc/letsencrypt.ini' --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name 'npm-6' --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
[app ] [3/2/2025] [2:30:33 PM] [Global ] › ⬤ debug CMD: certbot renew --force-renewal --config '/etc/letsencrypt.ini' --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name 'npm-6' --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
[app ] [3/2/2025] [2:30:36 PM] [Express ] › :warning: warning Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
[app ] Failed to renew certificate npm-6 with error: Some challenges have failed.
[app ] All renewals failed. The following certificates could not be renewed:
[app ] /etc/letsencrypt/live/npm-6/fullchain.pem (failure)
[app ] 1 renew failure(s), 0 parse failure(s)
[app ] Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

and when I checked the log file it references I see: (note there appears to be one file for each of my domains in that folder and I couldn't tell them apart so I posted the first one.)

2025-03-02 14:30:34,308:DEBUG:certbot._internal.main:certbot version: 3.1.0
2025-03-02 14:30:34,309:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2025-03-02 14:30:34,309:DEBUG:certbot._internal.main:Arguments: ['--force-renewal', '--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-6', '--preferred-challenges', 'dns,http', '--no-random-sleep-on-renew', '--disable-hook-validation']
2025-03-02 14:30:34,309:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-03-02 14:30:34,344:DEBUG:certbot._internal.log:Root logging level set at 30
2025-03-02 14:30:34,348:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-6.conf
2025-03-02 14:30:34,360:DEBUG:certbot.configuration:Var pref_challs=['dns-01', 'http-01'] (set by user).
2025-03-02 14:30:34,360:DEBUG:certbot.configuration:Var config_dir=/etc/letsencrypt (set by user).
2025-03-02 14:30:34,361:DEBUG:certbot.configuration:Var logs_dir=/tmp/letsencrypt-log (set by user).
2025-03-02 14:30:34,361:DEBUG:certbot.configuration:Var work_dir=/tmp/letsencrypt-lib (set by user).
2025-03-02 14:30:34,361:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-03-02 14:30:34,362:DEBUG:certbot.configuration:Var preferred_chain=ISRG Root X1 (set by user).
2025-03-02 14:30:34,362:DEBUG:certbot.configuration:Var key_type=ecdsa (set by user).
2025-03-02 14:30:34,362:DEBUG:certbot.configuration:Var elliptic_curve=secp384r1 (set by user).
2025-03-02 14:30:34,362:DEBUG:certbot.configuration:Var webroot_path=['/data/letsencrypt-acme-challenge'] (set by user).
2025-03-02 14:30:34,362:DEBUG:certbot.configuration:Var webroot_map={'webroot_path'} (set by user).
2025-03-02 14:30:34,362:DEBUG:certbot.configuration:Var webroot_path=['/data/letsencrypt-acme-challenge'] (set by user).
2025-03-02 14:30:34,393:DEBUG:certbot._internal.renewal:Auto-renewal forced with --force-renewal...
2025-03-02 14:30:34,393:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2025-03-02 14:30:34,393:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A separate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x154424b36da0>
Prep: True
2025-03-02 14:30:34,394:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x154424b36da0> and installer None
2025-03-02 14:30:34,394:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2025-03-02 14:30:34,467:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/2089955277', new_authzr_uri=None, terms_of_service=None), 9fdff809fd74c0d75b72d2d684cbabd0, Meta(creation_dt=datetime.datetime(2024, 12, 2, 14, 16, 33, tzinfo=datetime.timezone.utc), creation_host='d8c38cf8bc4b', register_to_eff=None))>
2025-03-02 14:30:34,468:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2025-03-02 14:30:34,471:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2025-03-02 14:30:34,677:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 1042
2025-03-02 14:30:34,678:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 02 Mar 2025 19:30:34 GMT
Content-Type: application/json
Content-Length: 1042
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"81GhXI4H4OQ": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"profiles": {
"classic": "Profiles - Let's Encrypt",
"shortlived": "Profiles - Let's Encrypt (not yet generally available)",
"tlsserver": "Profiles - Let's Encrypt (not yet generally available)"
},
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2025-03-02 14:30:34,681:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for frigate12.themasons.net
2025-03-02 14:30:34,687:DEBUG:acme.client:Requesting fresh nonce
2025-03-02 14:30:34,688:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2025-03-02 14:30:34,753:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2025-03-02 14:30:34,753:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 02 Mar 2025 19:30:34 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: -q2Vbyef4al4_v4mPd5gYpiaY3P7h4Iw_mNVIoqfs-vsSA-BhFQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2025-03-02 14:30:34,754:DEBUG:acme.client:Storing nonce: -q2Vbyef4al4_v4mPd5gYpiaY3P7h4Iw_mNVIoqfs-vsSA-BhFQ
2025-03-02 14:30:34,754:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "frigate12.themasons.net"\n }\n ]\n}'
2025-03-02 14:30:34,757:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjA4OTk1NTI3NyIsICJub25jZSI6ICItcTJWYnllZjRhbDRfdjRtUGQ1Z1lwaWFZM1A3aDRJd19tTlZJb3Fmcy12c1NBLUJoRlEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
"signature": "GYxegOLWBQwXnyzTZG4nzCvJziBeoShi9hs0GAzGARBIVJCpshFQWogZNBkIJcB10k3H0zfYOoloVvVOTuq6NncaNo2su4pNSrye6YRxqzsRa5rY5YR1roWZpYdutdYFtppyTAksFutB1oNRjoCcsex_taRJskXOMFbg-xVpJOiESFlA1mEfMsbawd6a3aC2eiP4ffH3sBDWarGfwlXRwsiOEwGsv4j0pJ4b1HoR_Y0JjLRjGoIdABrJl4fg-_mAxm7_iImPgzldofOSQHZ4T11PYB00jN6cDxrEcQFxMn-yvL0DEeJUBHv_TLl_Rpc3wXzBQFoY2t7GHeZSx8Arfg",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImZyaWdhdGUxMi50aGVtYXNvbnMubmV0IgogICAgfQogIF0KfQ"
}
2025-03-02 14:30:34,840:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 357
2025-03-02 14:30:34,841:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sun, 02 Mar 2025 19:30:34 GMT
Content-Type: application/json
Content-Length: 357
Connection: keep-alive
Boulder-Requester: 2089955277
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/2089955277/359574620535
Replay-Nonce: -q2VbyefSmgwUiGVY1uFE3OrqS_ii8Zp1GBRcPIxexLxqUZa9XQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2025-03-09T19:30:34Z",
"identifiers": [
{
"type": "dns",
"value": "frigate12.themasons.net"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz/2089955277/483844368985"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/2089955277/359574620535"
}
2025-03-02 14:30:34,841:DEBUG:acme.client:Storing nonce: -q2VbyefSmgwUiGVY1uFE3OrqS_ii8Zp1GBRcPIxexLxqUZa9XQ
2025-03-02 14:30:34,842:DEBUG:acme.client:JWS payload:
b''
2025-03-02 14:30:34,843:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/2089955277/483844368985:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjA4OTk1NTI3NyIsICJub25jZSI6ICItcTJWYnllZlNtZ3dVaUdWWTF1RkUzT3JxU19paThacDFHQlJjUEl4ZXhMeHFVWmE5WFEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzIwODk5NTUyNzcvNDgzODQ0MzY4OTg1In0",
"signature": "dNldkF42UNqmtP95fUrx80Tvyx_QHt_W2iXPe6RqF701CllpXHPBIGdm5T-ZOYpqxeVbXU2MfduwymrU0i5CtDemZUYKjazqiOKsEB22KmAB0mvgAThgKQr-EpKAciH2U5LsfSG7pKIy986piUwEXnJASs4Ebkjd2heW0dFNsONN6GotG64NEXYbjOcebBVVZ8QEpNCA91FkAdQI3929oQHL-BG6zfKgOjgGP2FnaQxlQ6hwBztfL9FqQLMksMauNo_gVh-OaaOjvcHwN3TRMRp0sSNvYwdzyDj7DWYlLMkwXWFnoriI2bEFb16tjeDXamxrpUmiGTqyZj-PcmWPsg",
"payload": ""
}
2025-03-02 14:30:34,909:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2089955277/483844368985 HTTP/1.1" 200 831
2025-03-02 14:30:34,910:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 02 Mar 2025 19:30:34 GMT
Content-Type: application/json
Content-Length: 831
Connection: keep-alive
Boulder-Requester: 2089955277
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: -q2VbyefcwGrJ9pYbUXubWVO8-DeMr1Q_DpHjWkhjMV3erqzXiY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "frigate12.themasons.net"
},
"status": "pending",
"expires": "2025-03-09T19:30:34Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2089955277/483844368985/XGbFTw",
"status": "pending",
"token": "U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk"
},
{
"type": "tls-alpn-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2089955277/483844368985/8OcJOw",
"status": "pending",
"token": "U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk"
},
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2089955277/483844368985/t1_lUw",
"status": "pending",
"token": "U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk"
}
]
}
2025-03-02 14:30:34,910:DEBUG:acme.client:Storing nonce: -q2VbyefcwGrJ9pYbUXubWVO8-DeMr1Q_DpHjWkhjMV3erqzXiY
2025-03-02 14:30:34,912:INFO:certbot._internal.auth_handler:Performing the following challenges:
2025-03-02 14:30:34,912:INFO:certbot._internal.auth_handler:http-01 challenge for frigate12.themasons.net
2025-03-02 14:30:34,912:INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
2025-03-02 14:30:34,913:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /data/letsencrypt-acme-challenge/.well-known/acme-challenge
2025-03-02 14:30:34,915:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk
2025-03-02 14:30:34,916:DEBUG:acme.client:JWS payload:
b'{}'
2025-03-02 14:30:34,918:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall/2089955277/483844368985/XGbFTw:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjA4OTk1NTI3NyIsICJub25jZSI6ICItcTJWYnllZmN3R3JKOXBZYlVYdWJXVk84LURlTXIxUV9EcEhqV2toak1WM2VycXpYaVkiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzIwODk5NTUyNzcvNDgzODQ0MzY4OTg1L1hHYkZUdyJ9",
"signature": "gx7SScbpz_r7TOEljGUGGxGOPTTBM-o9owCgPToDcS8skEntVSsUcKiCjE14tU-IpgRZS57-tETAWRDNVoINn-SdtCmcNqj-FPYVWzcxmtQ-uSmLcv9L5wH03TkRl2F6zINfPGNZT1jG5kBkTbUHgqlmbNGlT6i07JIgUw_En5_ZpW1TtoOhSWBrGJTmpM_egMQzfUv3pfQKi8CBm61UUntMknjlugGHeiabeUrVNLzDHKQBvqVxtNt-iKXi2gV9JsTam8c1JWOIw1uSTMualxSAu1kpM_owUWEO70ljsvhGqTM7qKeANLwLQ19uf9Ave4edNITYJN5KCd7NjtuWOQ",
"payload": "e30"
}
2025-03-02 14:30:34,983:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall/2089955277/483844368985/XGbFTw HTTP/1.1" 200 195
2025-03-02 14:30:34,984:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 02 Mar 2025 19:30:34 GMT
Content-Type: application/json
Content-Length: 195
Connection: keep-alive
Boulder-Requester: 2089955277
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://acme-v02.api.letsencrypt.org/acme/authz/2089955277/483844368985;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall/2089955277/483844368985/XGbFTw
Replay-Nonce: -q2VbyefuYiIbRpjHIdRDJIory5gnUZ2T8lWt5QGwWYUE6Wn6bQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2089955277/483844368985/XGbFTw",
"status": "pending",
"token": "U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk"
}
2025-03-02 14:30:34,985:DEBUG:acme.client:Storing nonce: -q2VbyefuYiIbRpjHIdRDJIory5gnUZ2T8lWt5QGwWYUE6Wn6bQ
2025-03-02 14:30:34,985:INFO:certbot._internal.auth_handler:Waiting for verification...
2025-03-02 14:30:35,986:DEBUG:acme.client:JWS payload:
b''
2025-03-02 14:30:35,990:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/2089955277/483844368985:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjA4OTk1NTI3NyIsICJub25jZSI6ICItcTJWYnllZnVZaUliUnBqSElkUkRKSW9yeTVnblVaMlQ4bFd0NVFHd1dZVUU2V242YlEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzIwODk5NTUyNzcvNDgzODQ0MzY4OTg1In0",
"signature": "kDYsi5dv-aF-mOJitiPMxnGFlhe4odTMiQNY_E2UqOAQu7ruHLzoSJgns6yIleBJ-ScF3hdX9roZHtxnLIRaoAFG2dRYejv_SL0c_DHAq9pd95HQQL51wVexXSOB_kTjg-f2RV3QKi0EEWwapz6UBLN-3RKAy-VitK3VlKaKWVDKbH6HDas75t9kfySD3yerKpPTENRfmWukX4UvQYiN8AhA2MpTQJgtQcHEbGBV-ZdTW7Ij-VkKX7rodMp9feSjy9yxF0Aa-Y2BcIvGp1nZO1SnRmNLcfpXlN6OY7MwfLa63a9JY-mBZMeY9FQlQkKm0BoXsF18ryupwsU5IBOm0A",
"payload": ""
}
2025-03-02 14:30:36,059:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2089955277/483844368985 HTTP/1.1" 200 1397
2025-03-02 14:30:36,060:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 02 Mar 2025 19:30:36 GMT
Content-Type: application/json
Content-Length: 1397
Connection: keep-alive
Boulder-Requester: 2089955277
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 7Mi0XlJldwrGHopSVO4jrU4nmjJYVF8CpvrHsylvAd1PLr-ilzc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "frigate12.themasons.net"
},
"status": "invalid",
"expires": "2025-03-09T19:30:34Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2089955277/483844368985/XGbFTw",
"status": "invalid",
"validated": "2025-03-02T19:30:34Z",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "100.8.123.38: Invalid response from https://frigate12.themasons.net/.well-known/acme-challenge/U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk: 404",
"status": 403
},
"token": "U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk",
"validationRecord": [
{
"url": "http://frigate12.themasons.net/.well-known/acme-challenge/U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk",
"hostname": "frigate12.themasons.net",
"port": "80",
"addressesResolved": [
"100.8.123.38"
],
"addressUsed": "100.8.123.38"
},
{
"url": "https://frigate12.themasons.net/.well-known/acme-challenge/U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk",
"hostname": "frigate12.themasons.net",
"port": "443",
"addressesResolved": [
"100.8.123.38"
],
"addressUsed": "100.8.123.38"
}
]
}
]
}
2025-03-02 14:30:36,060:DEBUG:acme.client:Storing nonce: 7Mi0XlJldwrGHopSVO4jrU4nmjJYVF8CpvrHsylvAd1PLr-ilzc
2025-03-02 14:30:36,061:INFO:certbot._internal.auth_handler:Challenge failed for domain frigate12.themasons.net
2025-03-02 14:30:36,062:INFO:certbot._internal.auth_handler:http-01 challenge for frigate12.themasons.net
2025-03-02 14:30:36,062:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: frigate12.themasons.net
Type: unauthorized
Detail: 100.8.123.38: Invalid response from https://frigate12.themasons.net/.well-known/acme-challenge/U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2025-03-02 14:30:36,062:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/lib/python3.10/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-03-02 14:30:36,063:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-03-02 14:30:36,063:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-03-02 14:30:36,063:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk
2025-03-02 14:30:36,064:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2025-03-02 14:30:36,065:ERROR:certbot._internal.renewal:Failed to renew certificate npm-6 with error: Some challenges have failed.
2025-03-02 14:30:36,081:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 1529, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 130, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3.10/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3.10/site-packages/certbot/_internal/client.py", line 429, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3.10/site-packages/certbot/_internal/client.py", line 497, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/lib/python3.10/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/lib/python3.10/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-03-02 14:30:36,085:DEBUG:certbot._internal.display.obj:Notifying user:


2025-03-02 14:30:36,086:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2025-03-02 14:30:36,086:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/npm-6/fullchain.pem (failure)
2025-03-02 14:30:36,086:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-03-02 14:30:36,086:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 8, in
sys.exit(main())
File "/usr/lib/python3.10/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 1873, in main
return config.func(config, plugins)
File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 1621, in renew
renewed_domains, failed_domains = renewal.handle_renewal_request(config)
File "/usr/lib/python3.10/site-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2025-03-02 14:30:36,087:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

My web server is (include version): Frigate unraid docker 0.15.0-cea210d

The operating system my web server runs on is (include version): Unraid 6.12.14

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I don't think so

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.1.0

I also ran the Let's Debug and that seemed to be fine. I now realize why I suddenly got renewal notices for my domains starting a couple of weeks ago. These notices indicated that they were going to stop sending email notices and I thought that this is why I was suddenly getting email notifications. I didn't pick up on the fact that the renewals were not working.

It seems that NGINX Proxy manager thinks everything is fine and the only way to tell that the renewal failed is to check the logs. I did see some posts indicating that NGINX proxy manager is not preferred. I actually switched to it from SWAG that was giving me issues. But open to suggestions moving forward.

But first, hoping to get some help on how to renew my certificates. Thanks.

Caddy.

We don't have much experience with nginx proxy manager and we don't really like it as software. A 404 is telling you something but I'm not sure what may cause it with nginx proxy manager.

3 Likes

Thanks for weighing in. It is strange that so many people are using NGINX Proxy Manager and it is universally recommended on the unraid forum. And its primary certificate approach is with LetsEncrypt and yet it seems that no one on the LetsEncrypt side wants anything to do with it.

I originally started with SWAG. It worked but has no ui on unraid. So switched to NGINX based on community recommendation. So here I am.

I looked into Caddy - I haven't found any documentation on how to set it up on unraid yet but will spend some time on it.

Meanwhile, I am hoping that someone can weigh in and help me interpret the logs to see what I have broken so I can fix it. Thanks

It is difficult for us to debug NPM problems for various reasons. One is that the summary error it shows is a completely useless part of the output. Another is that NPM invokes Certbot in a non-standard way so it is difficult to retry that manually or with different options. Even the detailed log file is sometimes hard to find. You helpfully provided that (which is rare).

Generally, problems with NPM are in its setup and config. We can't be expert in every possible system. The best place for problems using NPM is usually the NPM support forum itself. Sometimes we can spot trouble with your DNS or server but beyond that NPM support is the best place for help.

All I can see from the log output is this is the key part of the error:

"type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2089955277/483844368985/XGbFTw",
  "status": "invalid",
  "validated": "2025-03-02T19:30:34Z",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "100.8.123.38: Invalid response from https://frigate12.themasons.net/.well-known/acme-challenge/U3fO26OUWngd6HLxS2egItXsgEE1Pu4sMVQZYF5LZFk: 404",

A "404" is an HTTP Not Found. Which means your system told the Let's Encrypt server it was ready to receive its HTTP request to validate the domain. LE sent that request and your system responded saying it couldn't find the token it just set up.

That is always some sort of config / setup problem on the requesting system. Such as the path NPM tells Certbot to place this challenge token is not the same as your responding server looks for it. Things like that. With so many components in an NPM setup it needs someone with deep NPM experience to sort it out.

NPM has a lot of "moving parts" and, as explained, doesn't make it easy to find the info.

Most of the helpers here are unpaid volunteers. We offer our personal time and expertise to this community. I don't know of any of the volunteers who use NPM personally. I certainly have no need for it or desire so this is about all I can add.

3 Likes
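
Added example (not part of the thread, and not code from Certbot or NGINX Proxy Manager): a small Python script that pulls the failed challenge out of a Certbot debug log like the one posted above, including the `validationRecord` hops, which in the posted log show the request starting on port 80 and ending on port 443 where the 404 was returned. The sample log, the example.com names, the documentation IP address and the helper function names are constructed for illustration.

```python
import json
import re

# Constructed sample shaped like the certbot debug log in the post above.
# Domain, IP address and token are placeholders, not values from the thread.
SAMPLE_LOG = r'''2025-01-01 00:00:01,000:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json

{
  "identifier": {"type": "dns", "value": "app.example.com"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "203.0.113.10: Invalid response from https://app.example.com/.well-known/acme-challenge/TOKEN123: 404",
        "status": 403
      },
      "token": "TOKEN123",
      "validationRecord": [
        {"url": "http://app.example.com/.well-known/acme-challenge/TOKEN123",
         "port": "80", "addressUsed": "203.0.113.10"},
        {"url": "https://app.example.com/.well-known/acme-challenge/TOKEN123",
         "port": "443", "addressUsed": "203.0.113.10"}
      ]
    },
    {"type": "dns-01", "status": "pending", "token": "TOKEN123"}
  ]
}
2025-01-01 00:00:01,010:INFO:certbot._internal.auth_handler:Challenge failed for domain app.example.com
'''


def iter_json_objects(text):
    """Yield every JSON object whose opening brace starts a line."""
    decoder = json.JSONDecoder()
    consumed = 0
    for match in re.finditer(r"^\{", text, re.MULTILINE):
        if match.start() < consumed:
            continue  # brace belongs to an object that was already decoded
        try:
            obj, end = decoder.raw_decode(text, match.start())
        except json.JSONDecodeError:
            continue  # a line that merely starts with "{"
        consumed = end
        yield obj


def failed_challenges(log_text):
    """Return one summary dict per challenge the CA marked invalid."""
    failures = []
    for obj in iter_json_objects(log_text):
        if "challenges" not in obj:
            continue  # e.g. the signed request bodies or the directory listing
        domain = obj.get("identifier", {}).get("value")
        for chall in obj["challenges"]:
            if chall.get("status") != "invalid":
                continue
            error = chall.get("error", {})
            detail = error.get("detail", "")
            # For http-01 the detail ends with the HTTP status the CA received.
            status = re.search(r":\s*(\d{3})\s*$", detail)
            failures.append({
                "domain": domain,
                "type": chall.get("type"),
                "acme_error": error.get("type"),
                "detail": detail,
                "http_status": int(status.group(1)) if status else None,
                "hops": [{"url": h.get("url"), "port": h.get("port"),
                          "address": h.get("addressUsed")}
                         for h in chall.get("validationRecord", [])],
            })
    return failures


def diagnose(failure):
    """Turn one failure summary into plain-language checks."""
    notes = []
    hops = failure["hops"]
    if len(hops) > 1:
        notes.append(f"CA was redirected from port {hops[0]['port']} to port "
                     f"{hops[-1]['port']}; the answer came from {hops[-1]['url']}")
    if failure["http_status"] == 404:
        notes.append("server was reachable but returned 404: compare the webroot "
                     "certbot wrote to with the directory the responding server "
                     "maps to /.well-known/acme-challenge/")
    if not notes:
        notes.append(f"CA reported: {failure['detail']}")
    return notes


if __name__ == "__main__":
    for failure in failed_challenges(SAMPLE_LOG):
        print(failure["domain"], failure["type"], failure["acme_error"])
        for note in diagnose(failure):
            print("  -", note)
```

To use it on a real log, pass the contents of the `letsencrypt.log` file named in the Certbot output to `failed_challenges()` instead of `SAMPLE_LOG`.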

Thanks. I appreciate you taking the time. NGINX Proxy Manager doesn't have dedicated support, just a long winding thread on the Unraid forums. I posted there as well but haven't gotten anything yet.

As I mentioned before I went down this path due to the recommendations on the Unraid forums. But I am not at all wedded to it. I did look into Caddy as mentioned above. I didn't see any instructions on how to install and configure on Unraid but there is a docker template there so assuming this is a better option then I will do some research on that.

1 Like

Yeah, like any DIY project finding the right tools and learning to use them is a big part of it. For example, I won't use a table saw so some home reno projects become difficult 🙂

As to NPM, there is their website: https://nginxproxymanager.com/

Follow the GitHub link on their page for a place to post questions / problems (Issues section). I see plenty of Unraid users posting there.

1 Like

Thanks - I should have caught the web site. Dockers in Unraid have a support link which is supposed to take you to the best place - and in this case it takes me to a thread in the Unraid forums. I will keep looking - my goal would be to fix the current situation and then look into alternatives. Hopefully I don't need to use a table saw on my server!

1 Like

P.S. I found it in 5 minutes of looking through the posts. Posting a link to it here just in case someone runs into this thread here. Thanks again.

1 Like