Nginx Proxy Manager Troubleshooting

I recently set up a media server on an Ubuntu server with the software running from Docker. Now I've been trying to get Nginx Proxy Manager (NPM)/Let's Encrypt up and running. I'm able to get into the NPM UI and I tried adding my domain and subdomains. For a bit it seemed to be working on my home network but not remotely. But I get the following error message when I try to create an SSL certificate:

"Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-19" --agree-tos --email "samlane86@pm.me" --domains "*.samflix.eu,samflix.eu" --authenticator dns-gandi --dns-gandi-credentials "/etc/letsencrypt/credentials/credentials-19"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Invalid sharing_id: SHARINGID.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)" 

I have a domain from Gandi.net, but I'm not sure if I have it set up correctly. I have an A record pointing to my local host IP and a CNAME wildcard pointing to my domain. I did forward ports 80 and 443 on my router. But I'm not sure if my docker compose file is set up correctly with NPM to forward everything correctly. Does anyone know what could be causing this error?

I know very little about your specific situation but it looks like you have not set up the Gandi credentials properly. My guess is you need to comment out the line about SHARINGID if you don't have a valid value for that.

See this section on that


That will not use HTTP for authentication.
[the A record and CNAME are not relevant]
For that to succeed, you must have set up DNS authentication properly.


btw you don't have wildcard DNS in the *.samflix.eu zone, just a CNAME on www to webredir.vip.gandi.net, and those two point to different IP addresses (217.70.184.50 for www, 217.70.184.38 for the base domain)

looks like the web redirector from Gandi


Hey Mike! Yeah I seem to be dealing with a very specific situation. Do you know where SHARINGID would be commented out? So far I've just been working in the GUIs on gandi and NPM. Thanks for sharing this link, it looks very promising!


Hi rg305! Thanks! I guess I'll have to figure out how to create a record that does work with HTTP(S) then.


Hello orangepizza! Yeah, Gandi came with a bunch of pre-configured records. I thought I had added two of my own, including one wildcard, but perhaps I didn't do it right.

Please look at the DNS-01 challenge in Challenge Types - Let's Encrypt.

Also see DNS providers who easily integrate with Let's Encrypt DNS validation


Hey Bruce! Thank you so much for sharing these links! I'll dig into them for sure!


In this file perhaps?


Ah okay, that makes sense! I'll try it out! Thanks again!


Just wanted to leave a quick update here: I finally got most of my web apps working with my domain, so I was really happy to get that worked out. There's just one that still isn't working. Every time I try to create a certificate for it I get this error:
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-88" --agree-tos --authenticator webroot --email "samlane86@pm.me" --preferred-challenges "dns,http" --domains "sonarr.samflix.eu"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

Looks like your DNS is pointing to a private IP. That won't work for the HTTP Challenge.


Thanks for sharing that debugging page! It’s weird because it’s configured within the same range of IPs as all the web apps that are working. The only thought I had is, since I was running Sonarr from my computer on the same local network, that the one on my media server is now somehow conflicting with the old one. But I tried changing both the port and the static IP and nothing changed.


If you are doing the DNS Challenge with Gandi then the IP address can be private.

Your NPM system is very bad at describing errors. Your earlier requests used a wildcard, which needs a DNS Challenge. This one did not use a wildcard, so it can be an HTTP or DNS Challenge.

Do you have more of the log file to share?


Thanks for the additional info about that error, Mike! I thought I had the same setup as all the other web apps using a wildcard. But at one point I did try using the static IP directly just to see if that would work. But when it didn't, I switched back to the wildcard. It was giving the same error earlier, so perhaps it doesn't recognize changes in the DNS immediately. That would explain why all the other apps weren't working at first either and then progressively started working. I am not using the Gandi DNS challenge because every time I've tried I get a bunch of error messages there too. Perhaps I'm not using the right API key (Gandi doesn't make it very easy to access it). I'll dig into the logs when I get home later and see what I can find.


Got it working! Early on in this process I had created a DNS record pointing to that private IP. Since it was further down on the domain list I forgot about it. But once I found it and deleted it I was able to generate a certificate and activate the domain. Thanks again for all your help!

I don't think your DNS is set up fully correctly yet. It has two IP addresses but they don't respond the same.

dig +noall +answer sonarr.samflix.eu
sonarr.samflix.eu.      300     IN      CNAME   samflix.eu.
samflix.eu.             234     IN      A       83.254.3.91
samflix.eu.             234     IN      A       217.70.184.38

One points to an OpenResty server and the other to nginx.

curl -I4 http://83.254.3.91
HTTP/1.1 200 OK
Server: openresty

curl -I4 http://217.70.184.38
HTTP/1.1 404 Not Found
Server: nginx
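As an added pre-flight check (my code, not part of this thread or of NPM), the script below covers the two failure modes discussed above: a Gandi credentials file with the SHARINGID placeholder left in, and a name whose A records make HTTP-01 impossible (a private address) or inconsistent (several addresses, as in the dig output). The credentials key names are assumed to be those of the certbot Gandi DNS plugin (dns_gandi_api_key, dns_gandi_sharing_id), and both sample inputs are constructed.

```python
import configparser
import ipaddress

# Placeholders left in the NPM credentials template; certbot reports e.g.
# "Invalid sharing_id: SHARINGID" when the second one is not replaced.
PLACEHOLDERS = {"APIKEY", "SHARINGID"}

def check_gandi_credentials(text: str) -> list[str]:
    """Return problems in a certbot Gandi credentials file (key names assumed
    to be dns_gandi_api_key (required) and dns_gandi_sharing_id (optional))."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[creds]\n" + text)  # the file itself has no section header
    creds, problems = cp["creds"], []
    if creds.get("dns_gandi_api_key", "").strip() in PLACEHOLDERS | {""}:
        problems.append("dns_gandi_api_key is missing or still a placeholder")
    sid = creds.get("dns_gandi_sharing_id")
    if sid is not None and sid.strip() in PLACEHOLDERS | {""}:
        problems.append("dns_gandi_sharing_id is a placeholder: comment the "
                        "line out or remove it if you have no sharing id")
    return problems

def check_dns_for_http01(dig_answers: str) -> list[str]:
    """Flag records in 'dig +noall +answer' output that break HTTP-01: every
    A record the name ends up at must be public and serve the challenge."""
    a_records = [f[4] for f in (ln.split() for ln in dig_answers.splitlines())
                 if len(f) >= 5 and f[3] == "A"]
    problems = []
    for ip in a_records:
        if not ipaddress.ip_address(ip).is_global:  # RFC 1918, loopback, ...
            problems.append(f"{ip} is not publicly routable; HTTP-01 will fail")
    if len(a_records) > 1:
        problems.append("multiple A records (" + ", ".join(a_records) +
                        "): all of them must answer the challenge identically")
    return problems

# Constructed samples: the credentials template with SHARINGID left in place
# (the key below is a fake, not a real Gandi key) and the dig output from the thread.
SAMPLE_CREDS = """\
# Live dns v5 api key
dns_gandi_api_key=EXAMPLE0000000000000000
# optional organization id, remove it if not used
dns_gandi_sharing_id=SHARINGID
"""
SAMPLE_DIG = """\
sonarr.samflix.eu.      300     IN      CNAME   samflix.eu.
samflix.eu.             234     IN      A       83.254.3.91
samflix.eu.             234     IN      A       217.70.184.38
"""
```

Running `check_gandi_credentials(SAMPLE_CREDS)` reports only the sharing id line, and `check_dns_for_http01(SAMPLE_DIG)` reports the two apex A records; a record such as `A 192.168.1.20` is reported as not publicly routable.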

Yeah, I noticed that too. I think what happened is Gandi came with a bunch of pre-configured domains, including the 217.70.184.38 one. I just now deleted it and it seems like all is okay now. Thanks for double checking that though!


Okay, so this was all working perfectly, and then tonight I somehow overwrote my certificates, and every time I try to create new ones I get the following error:
DBError: insert into certificate (created_on, domain_names, expires_on, meta, modified_on, nice_name, owner_user_id, provider) values (datetime('now','localtime'), '["jellyfin.samflix.eu"]', datetime('now','localtime'), '{"letsencrypt_email":"samlane86@pm.me","letsencrypt_agree":true,"dns_challenge":false}', datetime('now','localtime'), 'jellyfin.samflix.eu', 1, 'letsencrypt') - SQLITE_READONLY: attempt to write a readonly database
at wrapError (/app/node_modules/db-errors/lib/dbErrors.js:19:14)
at handleExecuteError (/app/node_modules/objection/lib/queryBuilder/QueryBuilder.js:1123:32)
at QueryBuilder.execute (/app/node_modules/objection/lib/queryBuilder/QueryBuilder.js:449:20)

Any idea of what's causing this and how to fix it?

Thanks!

Sam
