Error with Nginx Proxy Manager

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: privateimmich.lcsa.ru

I ran this command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-22" --agree-tos --authenticator webroot --email "snippetsx@lcsa.ru" --preferred-challenges "dns,http" --domains "privateimmich.lcsa.ru"

It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: privateimmich.lcsa.ru
Type: unauthorized
Detail: 91.77.164.211: Invalid response from http://privateimmich.lcsa.ru/.well-known/acme-challenge/L-yP9MhPHEAFrYNFcPJHLMAQueIhs_KzueTzq_0NsI0: "<!doctype html>\n<html>\n <head>\n <!-- (used for SSR) -->\n <!-- metadata:tags -->\n\n <meta charset=\"utf-8\" />\n <meta n"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version): nginx proxy manager

The operating system my web server runs on is (include version): Debian 12

My hosting provider, if applicable, is: selfhost

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.11.0

Are you sure your DNS is set to the public IP of your self-hosted server?

Because HTTP requests to your domain are replied to by an openresty / express system. Or, maybe you have some kind of firewall software or device seeing the requests first?

Usually with NPM we see it used with an nginx server.

In any case, your system is not replying correctly to the HTTP challenge. This is most likely a configuration problem best handled on the NPM support forum.

curl -i http://privateimmich.lcsa.ru/.well-known/acme-challenge/Test404
HTTP/1.1 200 OK
Server: openresty
X-Powered-By: Express
X-Served-By: privateimmich.lcsa.ru

Normally the above request should get an HTTP 404 Not Found error. Yours sends a page that begins like the one below, which is the same as shown in the above error message. The Let's Encrypt server probably got a similar wrong page returned to it.

<!doctype html>
<html>
  <head>
    <!-- (used for SSR) -->
    <!-- metadata:tags -->

    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32.png" />
3 Likes

I'm sure I'm using a public IP.
But I use pinhole to block ads and some sites that do not contain a LetsEncrypt server.

Just adding to what @MikeMcQ wrote:

The two above snippets tell me that Certbot is configured to serve the content via the webroot plugin, but nginx is not properly configured to serve the webroot path for that location. Instead, it seems to be serving the content from the upstream proxy (based on this likely being nginx proxy manager).

Two likely causes:

1- A proper location block is being overwritten by other blocks
2- There is no location block for the acme challenge

3 Likes
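An added check, not from this thread and not part of Nginx Proxy Manager, that scripts the curl test from the reply above: it requests a random, nonexistent token under /.well-known/acme-challenge/ with redirects disabled and labels the reply. It goes slightly beyond the thread by also flagging a redirect, the other way the token gets lost. The domain is assumed to be given on the command line; the sample reply is constructed to match the curl output in the thread.

```python
import secrets
import sys
import urllib.error
import urllib.request

# Constructed sample, shaped like the curl output quoted in the thread.
SAMPLE_STATUS = 200
SAMPLE_HEADERS = {"Server": "openresty", "X-Powered-By": "Express",
                  "Content-Type": "text/html"}
SAMPLE_BODY = b"<!doctype html>\n<html>\n  <head>\n"

EXPLANATION = {
    "ok": "404 for an unknown token: nginx serves the webroot for that location",
    "proxied": "HTML page for an unknown token: request went to the upstream app, "
               "no acme-challenge location is matched before the proxy",
    "redirect": "3xx for the token path: the challenge token is lost in the redirect",
    "unexpected": "reply does not match any known pattern, inspect it by hand",
}


def classify(status, headers, body):
    """Label the reply to a request for a token that cannot exist."""
    if 300 <= status < 400:
        return "redirect"
    if status == 404:
        return "ok"
    if status == 200 and body.lstrip().lower().startswith(b"<!doctype html"):
        return "proxied"
    return "unexpected"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib surface the 3xx as an HTTPError instead of following it.
    def redirect_request(self, *args, **kwargs):
        return None


def probe(domain, timeout=10):
    """Fetch a random, nonexistent token over plain HTTP, as the CA would."""
    url = f"http://{domain}/.well-known/acme-challenge/{secrets.token_urlsafe(32)}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), resp.read(200))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers), err.read(200))


if __name__ == "__main__":
    label = probe(sys.argv[1])  # e.g. python3 probe.py privateimmich.lcsa.ru
    print(label, "-", EXPLANATION[label])
```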

Then why did npm work correctly before and did not give errors?

Surprisingly, the problem seems to be specific to this domain. Everything else is generating without any issues.

I don't know what your entire system and setup looks like today, or three months ago.

Something changed. Perhaps on your machine, or perhaps a DNS record.

3 Likes

That suggests you have an issue with the configuration file for that domain, or the DNS.

Compare that domain's DNS configuration and Nginx configuration to the domains that don't have issues. You will probably find the mistake there.

4 Likes

If I try to access your domain with a browser I get redirected to the page below. I guess the HTTP Challenge requests are also getting sent the redirect page. But the challenge token gets lost when redirected like this, so it fails.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.