When adding a new (http:80) proxy I get an SSL error in the log
Checklist
- Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
- Yes
- Are you sure you're not using someone else's docker image?
- Yes
- Have you searched for similar issues (both open and closed)?
- Yes
Describe the bug
When I add a new proxy, without SSL, I get the following error in my docker console output:
today at 08:51:44 [5/30/2022] [8:51:44 AM] [Express ] › ⚠ warning Command failed: /usr/sbin/nginx -t -g "error_log off;"
today at 08:51:44 nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-1/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-1/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
today at 08:51:44 nginx: configuration file /etc/nginx/nginx.conf test failed
The fact that NPM can't find the fullchain.pem in the given folder (and the folder) is correct since this certificate isn't available anymore. I deleted that certificate yesterday using the NPM GUI.
Nginx Proxy Manager Version v2.9.18
To Reproduce
Steps I did before:
- Create a LE-certificate (wildcard)
- Add proxies
- Create a new LE-certificate (wildcard) with a new DNS provider
- Change the existing certificates for the proxies already created
- Delete the certificate from step 1
The result is that I now have /etc/letsencrypt/live/npm-2/* and /etc/letsencrypt/live/npm-1/ isn't on disk anymore
Steps to reproduce the behavior:
- Login to NPM
- Go to Hosts
- Press Add Proxy Host
- Enter domain name
- Fill in the IP + port
- Press save
- On screen I get an Internal Error warning:
And on the docker CLI I get the error:
today at 09:04:55 [5/30/2022] [9:04:55 AM] [Express ] › ⚠ warning Command failed: /usr/sbin/nginx -t -g "error_log off;"
today at 09:04:55 nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-1/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-1/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
today at 09:04:55 nginx: configuration file /etc/nginx/nginx.conf test failed
today at 09:04:55
Expected behavior
I would expect that NPM created the proxy without any issues
Operating System
- Synology NAS with the latest Docker software
- Browser: Safari 15.5
Additional context
I'm using NPM in combination with SQLite.
A little addition... I just thought about restarting the container, when I do that I get the following in the logs:
today at 09:09:41❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
today at 09:09:41 ❯ /etc/nginx/conf.d/include/assets.conf
today at 09:09:41 ❯ /etc/nginx/conf.d/include/block-exploits.conf
today at 09:09:41 ❯ /etc/nginx/conf.d/include/force-ssl.conf
today at 09:09:41 ❯ /etc/nginx/conf.d/include/ip_ranges.conf
today at 09:09:41 ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
today at 09:09:41 ❯ /etc/nginx/conf.d/include/proxy.conf
today at 09:09:41 ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
today at 09:09:41 ❯ /etc/nginx/conf.d/include/resolvers.conf
today at 09:09:41 ❯ /etc/nginx/conf.d/default.conf
today at 09:09:41 ❯ /etc/nginx/conf.d/production.conf
today at 09:09:41❯ Enabling IPV6 in hosts: /data/nginx
today at 09:09:41 ❯ /data/nginx/default_host/site.conf
today at 09:09:41 ❯ /data/nginx/proxy_host/8.conf
today at 09:09:41 ❯ /data/nginx/proxy_host/4.conf
today at 09:09:41 ❯ /data/nginx/proxy_host/9.conf
today at 09:09:41 ❯ /data/nginx/proxy_host/6.conf
today at 09:09:41 ❯ /data/nginx/proxy_host/3.conf
today at 09:09:41 ❯ /data/nginx/proxy_host/5.conf
today at 09:09:41 ❯ /data/nginx/proxy_host/2.conf
today at 09:09:41 ❯ /data/nginx/redirection_host/1.conf
today at 09:09:41 nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-1/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-1/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
I have some more info :)
I've looked into the configuration files and discovered that /data/nginx/redirection_host/1.conf still had a link to the old certificate.
Funny thing is that I've never added a certificate to that redirect. This is a www.example.com redirect to example.com.
So I assume that after deleting the npm-1 certificate this redirect wasn't updated/changed. Or some checks didn't discover this change?
I've changed the config file by hand and restarted the container. After that the warnings on the CLI were gone for the certificate and the GUI allowed me to add a new proxy (as expected)
I know of this issue having seen it myself. I'm not sure that software can fix this without human intervention since there are a few options that could be called a fix for the SSL cert removal from a current host:
- New cert created by letsencrypt for replacement
- New cert to be uploaded for replacement
- Replace with an existing cert that covers the host
- No cert and going back to http only.
At the moment, there doesn't appear to be any logic behind the warning dialogue, I get the same warning if the Cert is unused or used. I guess a nice way to fix would be some more logic behind that dialogue.
The flow could be:
If SSL cert is used in one or more hosts:
- Dialogue with links to the hosts that would be affected by the deletion for human fixes
- A refresh button to hit after fixes are manually completed
- Refresh button turns into a delete button when all links to the cert have been removed and shows warning of permanent deletion
If SSL cert is not used in any hosts:
- Dialogue with delete button warning of permanent deletion
Any chance you can change the label to Enhancement?
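The two checks discussed above, finding the conf files that still point at a deleted certificate and asking "is this cert still used by any host?" before deletion, as an added example that is not part of the thread or of Nginx Proxy Manager's code. It assumes the generated configs use plain `ssl_certificate` / `ssl_certificate_key` directives with paths that contain no spaces; all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not NPM code). Function names are hypothetical.

# Print "conf<TAB>directive<TAB>path" for every ssl_certificate or
# ssl_certificate_key directive under directory $1.
# Commented-out directives are skipped because their first field starts with '#'.
list_cert_refs() {
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r conf; do
        awk -v f="$conf" '
            $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
                path = $2
                sub(/;.*$/, "", path)   # drop the trailing semicolon
                gsub(/"/, "", path)     # drop optional double quotes
                printf "%s\t%s\t%s\n", f, $1, path
            }' "$conf"
    done
}

# Same output, restricted to directives whose target file is missing.
# A dangling symlink counts as missing, which is what nginx -t trips over.
stale_cert_refs() {
    list_cert_refs "$1" | while IFS="$(printf '\t')" read -r conf directive path; do
        [ -e "$path" ] || printf '%s\t%s\t%s\n' "$conf" "$directive" "$path"
    done
}

# Conf files under $1 that still reference certificate directory $2 (e.g. npm-1).
# The trailing slash in the match keeps npm-1 from matching npm-10.
hosts_using_cert() {
    list_cert_refs "$1" | awk -F '\t' -v name="$2" '
        index($3, "/live/" name "/") { print $1 }' | sort -u
}

# Exit status 0 only when no host config references certificate $2.
cert_safe_to_delete() {
    [ -z "$(hosts_using_cert "$1" "$2")" ]
}

# Stand-alone use: pass the config root, e.g. /data/nginx inside the container.
if [ "$#" -gt 0 ]; then
    stale_cert_refs "$1"
fi
```

Inside the container, `stale_cert_refs /data/nginx` lists the directives to fix by hand; running `nginx -t` afterwards confirms the configuration loads again.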
@the1ts happy to "hear" that I'm not the only one experiencing this. Your proposal sounds like a nice upgrade to the logic!
I can't change the label into Enhancement, but I assume the project owner can do for us 🤞
There is definitely a serious bug here. After initial setup I created a wild-card Let's Encrypt cert with no issue. Then I deleted the wildcard as I wanted to replace it. Boom! Proxy manager errors on any operation that attempts to edit the nginx conf files.
Based on the hint from @jicho I ssh'd into the Proxy manager docker instance and deleted old references from the nginx conf files. Normal users would be totally stuck and need to reinstall proxy manager.
Can confirm having the same problem even now on the latest image tag (2.9.19)
For me, the old references were not in /data/nginx/redirection_host/1.conf but instead in /data/nginx/proxy_host/1.conf
I can confirm the Bug too. I use the latest Image 2.10.4. :(
In my case the old references were in /data/nginx/proxy_host/3.conf and in /data/nginx/proxy_host/13.conf.
Both conf files are for my proxy hosts, on which I had configured the SSL certificate I later removed. It seems that NPM deletes the global DNS-SSL but not the SSL-Certificates on the hosts...
Affecting me here, clearing out an SSL cert in the webui does not remove it from proxy hosts' actual config files. Needed to remove manually and then restart container
Me too.
Issue is now considered stale. If you want to keep it open, please comment :+1:
Bump
Issue is now considered stale. If you want to keep it open, please comment :+1: