Let's Encrypt Certificates on Nginx Proxy Manager unreachable

Overview: I am trying to run certificates for sites within my homelab following this tutorial: video tutorial

When I am within Proxy Manager I get the following error

CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
An unexpected error occurred:
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at /app/lib/utils.js:16:13
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:518:28)
    at maybeClose (node:internal/child_process:1104:16)
    at ChildProcess._handle.onexit (node:internal/child_process:304:5)

The part I am most concerned with is this: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable

But if I do this on the server I get a 200 OK response.

root@NginxProxyManager:~# curl -I https://acme-v02.api.letsencrypt.org/directory
HTTP/2 200 
server: nginx
date: Fri, 14 Mar 2025 02:07:53 GMT
content-type: application/json
content-length: 1042
cache-control: public, max-age=0, no-cache
replay-nonce: 3BLlaDHkeEnM6eK7I8F96rAq6zY-l3-3ODe6Ld1GzPcg9XUmV2c
x-frame-options: DENY
strict-transport-security: max-age=604800

My domain is: lthlabs.duckdns.org

I ran this command: mentioned above

It produced this output: shown above

My web server is (include version): no web server

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes I can login as root on my machine

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): The control panel is Nginx Proxy Manager

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello @LearnToHomeLab, welcome to the Let's Encrypt community. :slightly_smiling_face:

The online tool Let's Debug yields these results https://letsdebug.net/lthlabs.duckdns.org/2391156

That is your local IP Address, you likely want your public facing Internet IP Address.

You can check what the Internet visible IP Address are with:

curl -4 ifconfig.me
curl -6 ifconfig.me

and/or

curl -4 ifconfig.co
curl -6 ifconfig.co

and/or

curl -4 ifconfig.io
curl -6 ifconfig.io

And then adjust your DNS A Records and AAAA Records (if any) to match.

1 Like

I appreciate the fast response; if you follow his video, he also uses private IP addresses, and the point of this tutorial with using DuckDNS is exactly for that.

I finally got it to log, so I think I am good here, and on to a new issue within Nginx where the proxy host settings aren't taking me to the local IP redirect.

1 Like

Thus using the DNS-01 challenge, correct?

If that is the case, here are the results https://letsdebug.net/lthlabs.duckdns.org/2391167

I have not checked in 2 or 3 months; but duckdns.org was having some issues,
kind of looks like they still might. :slightly_frowning_face:

Edit:

Here is a link to DuckDNS having failures

And still some issues here Hardenize Report: duckdns.org

1 Like

Interesting, the video is a year old, so it may be an issue. I do have public domains to use; that may be an option, IDK? They are at Namecheap.

This is starting to age, but here is a list of DNS providers that easily integrate with Let's Encrypt DNS validation

You want one with an API that can add/edit/delete DNS records.

Your Registrar doesn’t have to be your Authoritative Name Services provider.

1 Like

Interesting, I got the Namecheap SSL cert on the first try with my API key. Going to Proxy Hosts for those and clicking the domain, I once again get the "This site can't be reached" error.

Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.
As I know nothing about Nginx Proxy Manager.

1 Like

That is a problem with your server making an outbound connection to the Let's Encrypt API server

You say "once again". But, that message is different than earlier. Looks like a problem connecting from somewhere (like the public internet) inbound to your server.

Can you be clearer about what you did to get this most recent error?

As Bruce noted, you need a public IP in the public DNS for people to reach you across the public internet.

Connecting on your private network is something to take up with the people at NPM. That's just local network configuration. A bit outside our scope. Especially with NPM which has so many "moving parts"

1 Like

All right, for anyone wondering, I fixed my issue.

Since I am using DuckDNS with Nginx Proxy Manager, all the private IPs were the same. The issue was that my OPNsense firewall wanted the following; then all Proxy Host redirects worked fine.

Option 1: Use Wildcard DNS Overrides
You can create a wildcard DNS override in OPNsense to redirect all subdomains of a specific domain (e.g., *.duckdns.org) to the IP address of your Nginx Proxy Manager server.

Steps:
Enable Unbound DNS:

Navigate to Services > Unbound DNS > General Settings.

Ensure that Unbound DNS is enabled.

Add a Wildcard DNS Override:

Go to Services > Unbound DNS > Overrides.

Click the orange + Add button under Host Overrides.

Fill out the form:

Host: * (wildcard for all subdomains).

Domain: duckdns.org.

Type: Select A for IPv4.

IP Address: Enter the internal IP of your Nginx Proxy Manager server (e.g., 192.168.50.234).

Optionally, add a description like "Wildcard for DuckDNS domains."

Save and apply changes.

TLDR: Follow this video, and then do the Unbound wildcard override above, and you are good!

2 Likes

Thanks @LearnToHomeLab for sharing the steps you took for resolving the issue.
It really does help others.

2 Likes

Agree thanks for sharing. You might also post that on the NPM support channel. Configuring local servers, private IP, and firewalls to work within NPM framework is more their territory.

2 Likes

You are welcome! The advantage of forums is shared knowledge!

1 Like

You should probably only override your subdomains, not the whole service. I would check if you can still access their API to update the IP.

1 Like