Errors in NPM log files

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
1.redswitch.co.uk
budi.redswitch.co.uk

I ran this command:
Restarted the Nginx Proxy Manager (NPM) container

It produced this output:

[1/17/2026] [1:51:00 PM] [SSL      ] › ℹ  info      Revoking LetsEncrypt certificates for Cert #9: 1.redswitch.co.uk
[1/17/2026] [1:51:00 PM] [SSL      ] › ℹ  info      Command: certbot revoke --config /etc/letsencrypt.ini --work-dir /tmp/letsencrypt-lib --logs-dir /data/logs --cert-path /etc/letsencrypt/live/npm-9/fullchain.pem --delete-after-revoke
[1/17/2026] [1:51:03 PM] [SSL      ] › ✖  error     Saving debug log to /data/logs/letsencrypt.log
An unexpected error occurred:
Unable to revoke :: Certificate is expired
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt.log or re-run Certbot with -v for more details.

[1/17/2026] [1:51:08 PM] [SSL      ] › ℹ  info      Revoking LetsEncrypt certificates for Cert #8: budi.redswitch.co.uk
[1/17/2026] [1:51:08 PM] [SSL      ] › ℹ  info      Command: certbot revoke --config /etc/letsencrypt.ini --work-dir /tmp/letsencrypt-lib --logs-dir /data/logs --cert-path /etc/letsencrypt/live/npm-8/fullchain.pem --delete-after-revoke
[1/17/2026] [1:51:10 PM] [SSL      ] › ✖  error     Saving debug log to /data/logs/letsencrypt.log
An unexpected error occurred:
Unable to revoke :: Certificate is expired
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
NPM is configured to route traffic to numerous containers running different applications. The 2 containers running behind the NPM are no longer running. Maybe this is likely the cause of the problem?

The operating system my web server runs on is (include version):
Docker

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NPM container (jc21)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
5.2.2

No, that command is trying to revoke a certificate that is expired. Just like the error message explains. Once a cert is expired it is not valid for use and cannot be revoked.

You should ask the NPM support people how to stop making that request.

I know the error message refers you here. NPM uses a program called Certbot for its cert requests. Certbot always refers people here for any kind of problem.

But, this is some kind of NPM configuration / setup issue. Best to ask them what to do.

4 Likes

It appears NPM is trying to revoke the previous certificate before it attempts to renew one, and fails, because the certificates are expired. When the certificates are already expired, it should simply discard them and request new ones, not attempt to have them revoked. This is not an error on LE's side, as it is expected behaviour to reject the revocation of certificates that are expired. You should talk with NPM about why it is doing this, as it is erroneous behaviour. It may just be a misconfiguration.

In general, revoking a certificate is only needed in rare cases, like if its key was compromised or the subscriber doesn't control the domain anymore. I can't imagine why any client would be trying to revoke a certificate unless a user explicitly instructed it to.

4 Likes

It definitely seems excessive. I suspect some sort of misconfiguration.

No, I don't think so. Notice the --delete-after-revoke option on the Certbot command. This will delete the cert if revocation succeeds.

That would be a risky action for a routine renewal. Why? Because it is not guaranteed you will get a new cert instantly. Let's Encrypt may be down, there may be network problems, or any other of a variety of causes. Some (most?) web servers will fail to start if an expected cert file is missing. This could leave your system in a bad state or even completely down. To risk that during a routine renewal is extremely bad practice. And, I'm pretty sure NPM doesn't revoke for these reasons.

It is more likely coming from a cleanup attempt that is poorly implemented. As I noted in my post ... that's for NPM support / forum experts to sort out.

3 Likes
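A log-triage sketch for the situation discussed in this thread, added here as an example and not taken from NPM, Certbot or any poster: it scans NPM log text in the format quoted in the question and lists which certificate entries keep triggering a revoke that the CA rejects as expired. The sample log is constructed (a.example.com, b.example.com) and the function names are hypothetical.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

REVOKE = re.compile(r"Revoking LetsEncrypt certificates for Cert #(\d+): (\S+)")
CERT_PATH = re.compile(r"certbot revoke .*--cert-path (\S+)")
EXPIRED = "Unable to revoke :: Certificate is expired"

def expired_revocations(log_text):
    """Yield (cert_id, domain, lineage) per revoke attempt rejected as expired."""
    current = None
    for line in log_text.splitlines():
        if m := REVOKE.search(line):
            current = [int(m.group(1)), m.group(2), None]  # a new attempt starts
        elif current and (m := CERT_PATH.search(line)):
            # .../live/<lineage>/fullchain.pem -> lineage directory name, e.g. npm-9
            current[2] = PurePosixPath(m.group(1)).parent.name
        elif current and EXPIRED in line:
            yield tuple(current)
            current = None  # count each attempt once

def summarize(log_text):
    """Return sorted (cert_id, domain, lineage, failed_attempts) rows."""
    counts = Counter(expired_revocations(log_text))
    return sorted(key + (n,) for key, n in counts.items())

# Constructed sample lines in the format of the log quoted in the question.
def _attempt(cert_id, domain, expired):
    pre = "[1/17/2026] [1:51:00 PM] [SSL      ] › "
    lines = [
        f"{pre}ℹ  info      Revoking LetsEncrypt certificates for Cert #{cert_id}: {domain}",
        f"{pre}ℹ  info      Command: certbot revoke --config /etc/letsencrypt.ini "
        f"--cert-path /etc/letsencrypt/live/npm-{cert_id}/fullchain.pem --delete-after-revoke",
    ]
    if expired:
        lines += [f"{pre}✖  error     Saving debug log to /data/logs/letsencrypt.log",
                  "An unexpected error occurred:",
                  "Unable to revoke :: Certificate is expired"]
    return "\n".join(lines) + "\n"

# Cert 9 fails on two restarts; cert 7 has a revoke attempt with no logged error.
SAMPLE_LOG = (_attempt(9, "a.example.com", True) + _attempt(7, "b.example.com", False)
              + _attempt(9, "a.example.com", True))

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The lineage column is the directory under /etc/letsencrypt/live/ taken from the logged --cert-path, which identifies the stale entry to raise with NPM support.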
