Unable to generate an SSL certificate - Nginx Proxy Manager Docker

I requested a new SSL certificate for my subdomain using Nginx Proxy Manager, but it always returns some internal error.

My domain is: adguard.xd003.site

Here are the complete logs - https://pastebin.com/raw/FYhEmJmi

Hosting provider: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

Additional info -
• The Nginx Proxy Manager Docker container is deployed on my Ubuntu Server 22.04 machine.
• My domain is added in Cloudflare, where I have created an A record with the subdomain as the name and my VPS's external IP as the IPv4 address; the proxy status is off (DNS only).

Hi @xd003, and welcome to the LE community forum :slight_smile:

The [first] problem seems to be within DNS:

nslookup -q=ns xd003.site
xd003.site      nameserver = abby.ns.cloudflare.com
xd003.site      nameserver = lamar.ns.cloudflare.com

nslookup xd003.site abby.ns.cloudflare.com
Server:  abby.ns.cloudflare.com
Address: 172.64.32.100
Name:    xd003.site
[EMPTY REPLY]

nslookup xd003.site lamar.ns.cloudflare.com
Server:  lamar.ns.cloudflare.com
Address: 172.64.35.142
Name:    xd003.site
[EMPTY REPLY]

OK, I see now [from the pastebin] that the FQDN is not "xd003.site":

      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "141.148.212.132: Invalid response from http://adguard.xd003.site/.well-known/acme-challenge/WGvtL2az0RAK6rBEE4MMWnNO0xfS7lWIX2QPNoNalHE: 403",
        "status": 403

403 is a permissions problem.
The ACME challenge path should be excluded from such restrictions.

curl -Ii http://adguard.xd003.site/.well-known/acme-challenge/Test-File-1234
HTTP/1.1 403 Forbidden <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Access-Control-Allow-Origin: http://adguard.xd003.site
Vary: Origin
Date: Thu, 17 Aug 2023 17:48:25 GMT
Content-Length: 9
Content-Type: text/plain; charset=utf-8

@rg305 thanks for the prompt reply. I don't really know much about networking or encryption; the only thing I ever use it for is to simply reverse proxy my subdomain. As I can infer from your comments, it is a permission-related problem and I should exclude the ACME challenge path from the restriction, but I haven't enforced it or changed anything myself; everything is at default to the best of my knowledge (in both Cloudflare and NPM).
How would I go about resolving this issue from my end?


I'd start with the full nginx configuration.
nginx -T
[mind you, I know near to nothing about NPM - and don't care to learn any of it]

Somewhere within that config, you should see the HTTP vhost that handles that FQDN.
Therein, you should probably add a location section to handle the challenge requests without requiring authentication.


This is a mess. Please don't use "npm" to refer to it, we think of Node if you do.

For what I've seen, your http (no S) server is not redirecting properly, and issuing 403 errors instead of 404.


hmm...
So, there are two things "NPM".
Now that overcomplicates an already usually complicated situation!


@rg305
Here's the nginx configuration - https://pastes.io/raw/cozspnh6mr

Also, if it helps, I would like to add that Let's Encrypt SSL certificate generation had failed for me with Caddy as well, so I thought of trying Nginx Proxy Manager.


Now that is a difficult task to accomplish!


The paste is borderline annoying:

  • contains 653 blank lines
  • 36 lines that wrapped
  • 192 lines that "set_real_ip_from ..." - Why? That won't scale well!

The real meat and potatoes are at the bottom of the paste:

# configuration file /data/nginx/proxy_host/1.conf:
# ------------------------------------------------------------
# adguard.xd003.site
# ------------------------------------------------------------
server {
  set $forward_scheme http;
  set $server         "adguard";
  set $port           80;
  listen 80;
  listen [::]:80;
  server_name adguard.xd003.site;
  access_log /data/logs/proxy-host-1_access.log proxy;
  error_log /data/logs/proxy-host-1_error.log warn;
  location / {
    # Proxy!
    include conf.d/include/proxy.conf;
  }
  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

The included proxy.conf file may be problematic for the ACME challenge requests.
I would create a separate location section just to handle the challenge requests [and exclude the use of the proxy.conf file therein].

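The separate location section rg305 describes, as an added example that is not from this thread or from the Nginx Proxy Manager project: the challenge path is answered straight from a local directory and never reaches proxy.conf, while everything else is still proxied. The webroot /var/www/acme is an assumption; whatever ACME client is in use must write its token files there.

```nginx
# Added example: HTTP vhost for adguard.xd003.site with a dedicated
# ACME HTTP-01 challenge location that bypasses the proxy include.
server {
  listen 80;
  listen [::]:80;
  server_name adguard.xd003.site;

  # Serve challenge tokens from disk. The "^~" prefix match takes priority
  # over regex locations, so a token request can never fall through to
  # proxy.conf (and to whatever behind it answers with 403).
  # /var/www/acme is an assumed webroot; the ACME client must place its
  # files in /var/www/acme/.well-known/acme-challenge/.
  location ^~ /.well-known/acme-challenge/ {
    root /var/www/acme;
    default_type text/plain;
    # Unknown tokens get 404, not 403, so a test such as
    # curl -Ii http://adguard.xd003.site/.well-known/acme-challenge/Test-File-1234
    # distinguishes "file not there" from "access blocked".
    try_files $uri =404;
  }

  # Everything else is reverse proxied exactly as before.
  location / {
    include conf.d/include/proxy.conf;
  }
}
```

Since the thread's 403 turned out to come from another container holding port 80, confirm first that the container carrying this config is the one actually bound to port 80 (for example with `ss -tlnp` or `docker ps` on the host); otherwise no change to the vhost will be reachable.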

Thanks for all the help. After some trial and error, I have fixed the error. The issue was that port 80 was already occupied on my server by some other container. After sorting that out, I was able to generate an SSL certificate using Nginx Proxy Manager successfully.
