New error creating SSL cert

I'm using unRAID and I pulled my domains from Cloudflare back to Google domains. I set up a mealie proxy (http) and it went smoothly. When I went to set up my nextcloud proxy I cannot get an SSL cert. I will post my Dozzle output. I never had this problem before so I don't know how to proceed. Thanks for looking!

07/15/2023 6:02:40 AM
[app         ] [7/15/2023] [6:02:40 AM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/proxy_host/1.conf
07/15/2023 6:02:40 AM
[app         ] [7/15/2023] [6:02:40 AM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/proxy_host/1.conf.err
07/15/2023 6:02:40 AM
[app         ] [7/15/2023] [6:02:40 AM] [Nginx    ] › ⬤  debug     Could not delete file: {
07/15/2023 6:02:40 AM
[app         ]   "errno": -2,
07/15/2023 6:02:40 AM
[app         ]   "syscall": "unlink",
07/15/2023 6:02:40 AM
[app         ]   "code": "ENOENT",
07/15/2023 6:02:40 AM
[app         ]   "path": "/data/nginx/proxy_host/1.conf.err"
07/15/2023 6:02:40 AM
[app         ] }
07/15/2023 6:02:40 AM
[app         ] [7/15/2023] [6:02:40 AM] [Nginx    ] › ℹ  info      Reloading Nginx
07/15/2023 6:02:45 AM
[app         ] [7/15/2023] [6:02:45 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #26: nextcloud.jsbserver.com
07/15/2023 6:02:45 AM
[app         ] [7/15/2023] [6:02:45 AM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-26" --agree-tos --authenticator webroot --email "xxxx@gmail.com" --preferred-challenges "dns,http" --domains "nextcloud.jsbserver.com" 
07/15/2023 6:02:46 AM
[app         ] [7/15/2023] [6:02:46 AM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/temp/letsencrypt_26.conf
07/15/2023 6:02:46 AM
[app         ] [7/15/2023] [6:02:46 AM] [Nginx    ] › ℹ  info      Reloading Nginx
07/15/2023 6:02:46 AM
[app         ] [7/15/2023] [6:02:46 AM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-26" --agree-tos --authenticator webroot --email "xxxx@gmail.com" --preferred-challenges "dns,http" --domains "nextcloud.jsbserver.com" 
07/15/2023 6:02:46 AM
[app         ] The following error was encountered:
07/15/2023 6:02:46 AM
[app         ] [Errno 13] Permission denied: '/var/log/letsencrypt/letsencrypt.log'
07/15/2023 6:02:46 AM
[app         ] Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
07/15/2023 6:02:46 AM
[app         ] Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-85nl26o5/log or re-run Certbot with -v for more details.
07/15/2023 6:06:18 AM
[app         ] [7/15/2023] [6:06:18 AM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/proxy_host/1.conf
07/15/2023 6:06:18 AM
[app         ] [7/15/2023] [6:06:18 AM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/proxy_host/1.conf.err
07/15/2023 6:06:18 AM
[app         ] [7/15/2023] [6:06:18 AM] [Nginx    ] › ⬤  debug     Could not delete file: {
07/15/2023 6:06:18 AM
[app         ]   "errno": -2,
07/15/2023 6:06:18 AM
[app         ]   "syscall": "unlink",
07/15/2023 6:06:18 AM
[app         ]   "code": "ENOENT",
07/15/2023 6:06:18 AM
[app         ]   "path": "/data/nginx/proxy_host/1.conf.err"
07/15/2023 6:06:18 AM
[app         ] }
07/15/2023 6:06:18 AM
[app         ] [7/15/2023] [6:06:18 AM] [Nginx    ] › ℹ  info      Reloading Nginx
07/15/2023 6:06:23 AM
[app         ] [7/15/2023] [6:06:23 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #27: nextcloud.jsbserver.com
07/15/2023 6:06:23 AM
[app         ] [7/15/2023] [6:06:23 AM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-27" --agree-tos --authenticator webroot --email "xxxx@gmail.com" --preferred-challenges "dns,http" --domains "nextcloud.jsbserver.com" 
07/15/2023 6:06:24 AM
[app         ] [7/15/2023] [6:06:24 AM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/temp/letsencrypt_27.conf
07/15/2023 6:06:24 AM
[app         ] [7/15/2023] [6:06:24 AM] [Nginx    ] › ℹ  info      Reloading Nginx
07/15/2023 6:06:24 AM
[app         ] [7/15/2023] [6:06:24 AM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-27" --agree-tos --authenticator webroot --email "xxxx@gmail.com" --preferred-challenges "dns,http" --domains "nextcloud.jsbserver.com" 
07/15/2023 6:06:24 AM
[app         ] The following error was encountered:
07/15/2023 6:06:24 AM
[app         ] [Errno 13] Permission denied: '/var/log/letsencrypt/letsencrypt.log'
07/15/2023 6:06:24 AM
[app         ] Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
07/15/2023 6:06:24 AM
[app         ] Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-fa6dp8rp/log or re-run Certbot with -v for more details.
07/15/2023 6:19:56 AM
[app         ] [7/15/2023] [6:19:56 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
07/15/2023 6:19:57 AM
[app         ] [7/15/2023] [6:19:57 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
07/15/2023 6:19:57 AM
[app         ] The following error was encountered:
07/15/2023 6:19:57 AM
[app         ] [Errno 13] Permission denied: '/var/log/letsencrypt/letsencrypt.log'
07/15/2023 6:19:57 AM
[app         ] Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
07/15/2023 6:19:57 AM
[app         ]     at ChildProcess.exithandler (node:child_process:402:12)
07/15/2023 6:19:57 AM
[app         ]     at ChildProcess.emit (node:events:513:28)
07/15/2023 6:19:57 AM
[app         ]     at maybeClose (node:internal/child_process:1100:16)
07/15/2023 6:19:57 AM
[app         ]     at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

1 Like

Well, it looks like you have a permissions problem. But I don't know Dozzle, and NPM is very difficult to debug.

Ignoring that, your DNS has a CNAME loop so that is your next problem to fix
https://dnsviz.net/d/nextcloud.jsbserver.com/dnssec/

6 Likes

OK thanks! I changed it to an A name and solved that problem. Dozzle is simply a logging docker for all containers.
I don't know why I'd have a permissions problem. I can move everything back to CF and just install a custom certificate if need be. I'd rather solve this and not use CF if possible. I am running NPM as admin. I don't know why I'd have any permission issues.

I don't either but you see those errors in the log right?

NPM uses Certbot to get the cert. I am not certain but it looks like Certbot doesn't have permission to write to the log file and suggests running as root. If it doesn't have those permissions other things would go wrong too.

I'm not sure what the log entry for Express app involvement is.

This looks like a system setup issue. You might have better luck at a forum with similar setups. We can't be expert at every possible software combination.

That said, maybe another volunteer here will suggest something but I have no further tips.

5 Likes

Much appreciated! I'll get there. You helped me discover a problem I didn't know I had. Thanks!

2 Likes

You mentioned docker:

Does the NPM/nginx container have access to the certbot files?

5 Likes

I believe that NPM contains everything so anything to do with certbot would be contained in the NPM log. It aggregates the logs from all in an easy-to-read format.

Have you shown this file?:
/tmp/certbot-log-fa6dp8rp/log

Also, I'm not clear on why it calls for the webroot authenticator without defining the webroot path:
[wrapped for easier legibility]

certbot certonly \
--config "/etc/letsencrypt.ini" \
--cert-name "npm-27" \
--agree-tos \
--authenticator webroot \
--email "xxxx@gmail.com" \
--preferred-challenges "dns,http" \
--domains "nextcloud.jsbserver.com"
3 Likes

I think NPM sets it in the .ini file instead. Only one of the many things that makes NPM difficult. If we see the Certbot log I think we'd see the webroot path shown in full like in this example:

DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-58', '--agree-tos', '--authenticator', 'webroot', '--email', '[redacted]', '--preferred-challenges', 'dns,http', '--domains', 'redacted.is']
DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None

2023-05-06 12:13:59,682:
INFO:certbot._internal.auth_handler:http-01 challenge for redacted.is
INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
4 Likes

@MikeMcQ @rg305
So a really nice person on Reddit saw that my appdata folder had a permissions issue. If anyone happens to come along and have the same problem, here was the solution.

chmod -R 755 /mnt/cache/appdata/NginxProxyManager

then

chmod 644 /mnt/cache/appdata/NginxProxyManager/database.sqlite

Thanks everyone!

2 Likes
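
A narrower variant of the chmod fix in the post above, added here as an example and not part of the original thread: it lists the paths the owner cannot read or write, normalizes the tree without marking every file executable, and puts private keys back to owner-only. The function names and the presence of certbot-style `privkey*.pem` files under the tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit and normalize an app-data tree.
# Assumption: certbot-style key files named privkey*.pem may live under it.

# Paths whose owner lacks read or write: one cause of "[Errno 13]"
# when the process runs as the owner.
owner_blocked() {
    find "$1" ! -perm -600 2>/dev/null
}

# Private keys that group or others can read.
exposed_keys() {
    find "$1" -type f -name 'privkey*.pem' \
        \( -perm -040 -o -perm -004 \) 2>/dev/null
}

fix_tree() {
    tree=$1
    [ -d "$tree" ] || { echo "not a directory: $tree" >&2; return 1; }
    # Capital X grants execute only to directories and to files that are
    # already executable: directories become 755, plain data files 644.
    chmod -R u=rwX,go=rX "$tree" || return 1
    # A recursive chmod also opens up private keys; restore owner-only.
    find "$tree" -type f -name 'privkey*.pem' -exec chmod 600 {} +
}

# Usage: sh fix-perms.sh /mnt/cache/appdata/NginxProxyManager
if [ "$#" -eq 1 ]; then
    echo "Owner cannot read/write:"; owner_blocked "$1"
    fix_tree "$1" || exit 1
    echo "Keys still exposed (expect none):"; exposed_keys "$1"
fi
```

File modes are only half of the picture: the user the container runs as must also own the tree, which this script does not change.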
