Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken. The error was: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink

[guarnacciaa]

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Yes
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes

I have this docker container for more than a year now, it has always worked flawlessly.
Rencently, my renewal process started failing and I can't find a clear root cause for it.

Nginx Proxy Manager Version
v2.11.3

To Reproduce
Steps to reproduce the behavior:

1. Go to 'SSL Certificates'
2. Click on 'the three dots menu'
3. Click on 'Renew Now'
4. Get Internal Error popup

Expected behavior
Certificate renewal ends successfully

Operating System
Ubuntu 24.04 LTS"

Additional context
The logs report the following:
`
[8/10/2024] [4:21:52 PM] [Certbot ] › ▶ start Installing google...
[8/10/2024] [4:21:52 PM] [Global ] › ⬤ debug CMD: . /opt/certbot/bin/activate && pip install --no-cache-dir certbot-dns-google==$(certbot --version | grep -Eo '0-9+') && deactivate
[8/10/2024] [4:21:57 PM] [Certbot ] › ☒ complete Installed google
[8/10/2024] [4:21:57 PM] [Setup ] › ℹ info Added Certbot plugins google
[8/10/2024] [4:21:57 PM] [Setup ] › ℹ info Logrotate Timer initialized
[8/10/2024] [4:21:57 PM] [Global ] › ⬤ debug CMD: logrotate /etc/logrotate.d/nginx-proxy-manager
[8/10/2024] [4:21:57 PM] [Setup ] › ℹ info Logrotate completed.
[8/10/2024] [4:21:57 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[8/10/2024] [4:21:57 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[8/10/2024] [4:21:58 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[8/10/2024] [4:21:58 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[8/10/2024] [4:21:58 PM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[8/10/2024] [4:21:58 PM] [SSL ] › ℹ info Renewing SSL certs expiring within 30 days ...
[8/10/2024] [4:21:58 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[8/10/2024] [4:21:58 PM] [Global ] › ℹ info Backend PID 174 listening on port 3000 ...
[8/10/2024] [4:21:58 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates via Google for Cert #1: *.censored.domain
[8/10/2024] [4:21:58 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
[8/10/2024] [4:21:58 PM] [Global ] › ⬤ debug CMD: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
[8/10/2024] [4:21:58 PM] [SSL ] › ✖ error Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink
Skipping.
0 renew failure(s), 1 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

[8/10/2024] [4:21:58 PM] [SSL ] › ℹ info Completed SSL cert renew process
[8/10/2024] [4:23:26 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates via Google for Cert #1: *.censored.domain
[8/10/2024] [4:23:26 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
[8/10/2024] [4:23:26 PM] [Global ] › ⬤ debug CMD: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
[8/10/2024] [4:23:26 PM] [Express ] › ⚠ warning Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink
Skipping.
0 renew failure(s), 1 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
`

[guarnacciaa]

Adding the docker compose file to show how things are exposed:

services:
  app:
    image: 'jc21/nginx-proxy-manager:github-pr-3789'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    healthcheck:
      test: ["CMD", "/bin/check-health"]
      interval: 10s
      timeout: 3s

networks:
  proxy:
    external: true

[franconianmetal]

facing same problem here. renewal fails

EDIT:
see my comment here
#3920 (comment)

[boehamian]

Same issue here. Been going on for a lot of versions now with no work around.
Checklist

Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
Yes
Are you sure you're not using someone else's docker image?
Yes
Have you searched for similar issues (both open and closed)?
Yes

Nginx Proxy Manager Version
v2.11.3

To Reproduce
Steps to reproduce the behavior:

Go to 'SSL Certificates'
Click on 'the three dots menu'
Click on 'Renew Now'
Get Internal Error popup

Also tested the lets encrypt server reachability and got the following error

Expected behavior
Certificate renewal ends successfully

Serve reachability test without failure.

I have checked the public DNS and internal DNS are pointing to the right IP address.

Operating System
Ubuntu 24.04 LTS"

Additional context
The logs report the following:

root@docker-2cbb66229267:/tmp/letsencrypt-log]# cat letsencrypt.log
2024-08-17 05:04:25,534:DEBUG:certbot._internal.main:certbot version: 2.11.0
2024-08-17 05:04:25,534:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2024-08-17 05:04:25,534:DEBUG:certbot._internal.main:Arguments: ['--force-renewal', '--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-7', '--preferred-challenges', 'dns,http', '--no-random-sleep-on-renew', '--disable-hook-validation']
2024-08-17 05:04:25,534:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-08-17 05:04:25,546:DEBUG:certbot._internal.log:Root logging level set at 30
2024-08-17 05:04:25,547:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-7.conf
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var pref_challs=['dns-01', 'http-01'] (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var config_dir=/etc/letsencrypt (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var logs_dir=/tmp/letsencrypt-log (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var work_dir=/tmp/letsencrypt-lib (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var preferred_chain=ISRG Root X1 (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var key_type=ecdsa (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var elliptic_curve=secp384r1 (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var webroot_path=['/data/letsencrypt-acme-challenge'] (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var webroot_map={'webroot_path'} (set by user).
2024-08-17 05:04:25,548:DEBUG:certbot.configuration:Var webroot_path=['/data/letsencrypt-acme-challenge'] (set by user).
2024-08-17 05:04:25,559:DEBUG:certbot._internal.renewal:Auto-renewal forced with --force-renewal...
2024-08-17 05:04:25,559:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2024-08-17 05:04:25,559:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f9f68b52590>
Prep: True
2024-08-17 05:04:25,560:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f9f68b52590> and installer None
2024-08-17 05:04:25,560:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2024-08-17 05:04:25,648:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1745804132', new_authzr_uri=None, terms_of_service=None), 0402ec5fb0b9d47655f11d8a5e813c1f, Meta(creation_dt=datetime.datetime(2024, 5, 25, 10, 49, 4, tzinfo=), creation_host='e807a6f371f8', register_to_eff=None))>
2024-08-17 05:04:25,649:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-08-17 05:04:25,650:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2024-08-17 05:04:26,524:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 746
2024-08-17 05:04:26,526:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 17 Aug 2024 05:04:26 GMT
Content-Type: application/json
Content-Length: 746
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
"s41584iLwsw": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2024-08-17 05:04:26,529:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for nextcloud.outbacknerd.party
2024-08-17 05:04:26,539:DEBUG:acme.client:Requesting fresh nonce
2024-08-17 05:04:26,539:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2024-08-17 05:04:26,827:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2024-08-17 05:04:26,829:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 17 Aug 2024 05:04:26 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: u9f3N-xzQt_e5_7YwyFasfXQ0DIU6yHoHSEAiKqlKxbXn8cJSyU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2024-08-17 05:04:26,830:DEBUG:acme.client:Storing nonce: u9f3N-xzQt_e5_7YwyFasfXQ0DIU6yHoHSEAiKqlKxbXn8cJSyU
2024-08-17 05:04:26,832:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "nextcloud.outbacknerd.party"\n }\n ]\n}'
2024-08-17 05:04:26,848:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTc0NTgwNDEzMiIsICJub25jZSI6ICJ1OWYzTi14elF0X2U1XzdZd3lGYXNmWFEwRElVNnlIb0hTRUFpS3FsS3hiWG44Y0pTeVUiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
"signature": "vzMrfDKcBst1a-pKGyFmC7IlN3Lvym0g21Z7rGT-v1VkummeNuRn5gMLvHFLs3W2EsFdc9Ofrq9mOBPjdV92adnvQPbhFXBbQCnEeHaQTu4IzU-X-Uj6rC24hnUls1xILqN6LjtOSjvTVOzXPgr03ZnR851T4J5qi0hM23S080d8TIfn4NkIurQKX35NcnE5O5KmR1ppoparOVygE5KiX3L0QVqvOvCoagbeJrvjqk485lgMuhHo52jOVvjYuLkBLlb7T5cNVtZMyQVnUDYZKfRWooyU4wXJwP21xnVCtGQBjlaxduD5ulYU1YozyfxVJphjHPE9tNo9Ht1aUFY19Q",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm5leHRjbG91ZC5vdXRiYWNrbmVyZC5wYXJ0eSIKICAgIH0KICBdCn0"
}
2024-08-17 05:04:27,312:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 353
2024-08-17 05:04:27,312:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sat, 17 Aug 2024 05:04:27 GMT
Content-Type: application/json
Content-Length: 353
Connection: keep-alive
Boulder-Requester: 1745804132
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1745804132/296961663766
Replay-Nonce: u9f3N-xzJkPYZqzvHxpOyxp6h31C-XkIoDervsdrnt1TZTXVdJ8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2024-08-24T05:04:27Z",
"identifiers": [
{
"type": "dns",
"value": "nextcloud.outbacknerd.party"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/391314699636"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1745804132/296961663766"
}
2024-08-17 05:04:27,312:DEBUG:acme.client:Storing nonce: u9f3N-xzJkPYZqzvHxpOyxp6h31C-XkIoDervsdrnt1TZTXVdJ8
2024-08-17 05:04:27,313:DEBUG:acme.client:JWS payload:
b''
2024-08-17 05:04:27,314:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/391314699636:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTc0NTgwNDEzMiIsICJub25jZSI6ICJ1OWYzTi14ekprUFlacXp2SHhwT3l4cDZoMzFDLVhrSW9EZXJ2c2RybnQxVFpUWFZkSjgiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzM5MTMxNDY5OTYzNiJ9",
"signature": "tqctybVpHOZvqziSrjS1Dj2WJbljcJfpajo_X5EZ0Ag_nv_SaFifQcMkc6YrH-RPD5m7IAkGkYuxlK_l9x401rFc4s1ShmFyVuF2rPjMz6lYnc5FLVHmVAnQpJg9wjJuz2L7bnSpLK9SWbKUj5g-SKzx20X0_yLIS1r238r_xgGXBMsTFsDg6zg9FPR2VWJ6ByHzxb71kXHuD5fi4ANbhbeL9Xs9dcFVE9chfTaTggmd0e_z-DfWNbaaKqHmsXozeuAaWVwX7BjX1pYTUy8wEYB-7kG1HX-Bt5aeJLdOLei9fYB1UCVyBcZQbBjHfrmx5aDMxmYHFJ-ArB4BVfjyFQ",
"payload": ""
}
2024-08-17 05:04:27,612:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/391314699636 HTTP/1.1" 200 811
2024-08-17 05:04:27,613:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 17 Aug 2024 05:04:27 GMT
Content-Type: application/json
Content-Length: 811
Connection: keep-alive
Boulder-Requester: 1745804132
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: u9f3N-xzwgC17G2VnC87Wffg1zgOmscWBhPMjjHkJ985VMHyhDU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "nextcloud.outbacknerd.party"
},
"status": "pending",
"expires": "2024-08-24T05:04:27Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/HQjEfQ",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
},
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/8dlNhg",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
},
{
"type": "tls-alpn-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/7_z38w",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
}
]
}
2024-08-17 05:04:27,613:DEBUG:acme.client:Storing nonce: u9f3N-xzwgC17G2VnC87Wffg1zgOmscWBhPMjjHkJ985VMHyhDU
2024-08-17 05:04:27,614:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-08-17 05:04:27,614:INFO:certbot._internal.auth_handler:http-01 challenge for nextcloud.outbacknerd.party
2024-08-17 05:04:27,615:INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
2024-08-17 05:04:27,615:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /data/letsencrypt-acme-challenge/.well-known/acme-challenge
2024-08-17 05:04:27,617:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac
2024-08-17 05:04:27,618:DEBUG:acme.client:JWS payload:
b'{}'
2024-08-17 05:04:27,627:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/HQjEfQ:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTc0NTgwNDEzMiIsICJub25jZSI6ICJ1OWYzTi14endnQzE3RzJWbkM4N1dmZmcxemdPbXNjV0JoUE1qakhrSjk4NVZNSHloRFUiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzM5MTMxNDY5OTYzNi9IUWpFZlEifQ",
"signature": "yRPTY6yD7BGCOExSV7-Vt02RUup6K5lfPdPArO0pYGadjHZ6y0YCOLdLqXvAbLEJI12deF5-uJXcVbdZ_EAEEda6jP2CP1lg9Aztqw8neW1tnYgs_ysonapXSt020E7VwvONQ86LRNqvSzgQqT1eVGkl2te_r0axvOBK1q1KTeGOy0RiY2c0RDKYgIi6PNkGNSz1VOepy5Kmh2JhV5rOmqNwJ7xWUbZJ5xdLlzpVDC5t-8zE2mnmk649Y1umBrOdY6h4wxahvtciMQmZ1QsNiXUbcx75nGaMNPyNYTZoE2dJQiDKXQl4MroWBjuU82JtjaMOamnhJyeMnPgYuYJvcA",
"payload": "e30"
}
2024-08-17 05:04:27,921:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/391314699636/HQjEfQ HTTP/1.1" 200 187
2024-08-17 05:04:27,921:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 17 Aug 2024 05:04:27 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 1745804132
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://acme-v02.api.letsencrypt.org/acme/authz-v3/391314699636;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/HQjEfQ
Replay-Nonce: u9f3N-xzv6Rv4ITaymUbK7ZT-mb11YxSlHSIz42ASE7fOGuD2ks
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/HQjEfQ",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
}
2024-08-17 05:04:27,921:DEBUG:acme.client:Storing nonce: u9f3N-xzv6Rv4ITaymUbK7ZT-mb11YxSlHSIz42ASE7fOGuD2ks
2024-08-17 05:04:27,922:INFO:certbot.internal.auth_handler:Waiting for verification...
2024-08-17 05:04:28,922:DEBUG:acme.client:JWS payload:
b''
2024-08-17 05:04:28,924:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/391314699636:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTc0NTgwNDEzMiIsICJub25jZSI6ICJ1OWYzTi14enY2UnY0SVRheW1VYks3WlQtbWIxMVl4U2xIU0l6NDJBU0U3Zk9HdUQya3MiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzM5MTMxNDY5OTYzNiJ9",
"signature": "0CQv_QhiB3N9Gbww59AohtLV5nkgnsSpBAV-z0tYRS-B3ZfcAafo3VOzk-fjTRJsBxN0XaEe05xjCHEkydbren1fjNy5sod_gds3p0RTwcNf5l_aUo6XFKv77WZiYkQb0t6S61Y1iV7TAS0MZr6SroIJGhUT-SYw2urETinXKP14-gO9hKdWj0fHOg2jiT-NDVCQzkxcRdc-tiv2zHh3H8KmeIT8Uv_qp8kDdES8Yj59EWDlETbDP8bz6KDcV-sqipWxOp0j0bXhKFeIudEFMpUJ2WgdzXILm7oyxH6bkgKBSRu8HDezOpcoVkLC9-F5B5z7P_vc1e7BURdKJABcg",
"payload": ""
}
2024-08-17 05:04:29,230:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/391314699636 HTTP/1.1" 200 811
2024-08-17 05:04:29,232:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 17 Aug 2024 05:04:29 GMT
Content-Type: application/json
Content-Length: 811
Connection: keep-alive
Boulder-Requester: 1745804132
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: u9f3N-xzjFBOmMiWd-b6spfNxQnMiGvZRG4xoeQFRv-tD8MLHdg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "nextcloud.outbacknerd.party"
},
"status": "pending",
"expires": "2024-08-24T05:04:27Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/HQjEfQ",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
},
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/8dlNhg",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
},
{
"type": "tls-alpn-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/7_z38w",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
}
]
}
2024-08-17 05:04:29,232:DEBUG:acme.client:Storing nonce: u9f3N-xzjFBOmMiWd-b6spfNxQnMiGvZRG4xoeQFRv-tD8MLHdg
2024-08-17 05:04:32,234:DEBUG:acme.client:JWS payload:
b''
2024-08-17 05:04:32,248:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/391314699636:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTc0NTgwNDEzMiIsICJub25jZSI6ICJ1OWYzTi14empGQk9tTWlXZC1iNnNwZk54UW5NaUd2WlJHNHhvZVFGUnYtdEQ4TUxIZGciLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzM5MTMxNDY5OTYzNiJ9",
"signature": "Cv5wAZyJM85hcVMu1zR8KfMYTPR6yMX_1GCCPnCzsVycU-GEh0OZSGGDl5COfiLUUAXnBJk-p6azmLwq3h2lsdRca211PqQeHjY3rqJWHZs1n71eKxovuHzZ9VqeKKUHGhrRmeQ-fK6_4YhywG6kVFgr-_HvRxZlT0MW5kfzBnoPVTvqvfUjdPn-Pg53s39S2PNT4eaEtwi19I0GqAVOrkq-0FTmkNbP8fqedobnMAGU90SJAlbpXLG3unHQ_DsfjcJieYt9-Lxo7WUr3cF3SgGzpKo3d9cDVERvI679GA2latA-GxuMzh2llkSOYtpen8elMYqVTxDXRMxEmvGUVQ",
"payload": ""
}
2024-08-17 05:04:32,595:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/391314699636 HTTP/1.1" 200 811
2024-08-17 05:04:32,598:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 17 Aug 2024 05:04:32 GMT
Content-Type: application/json
Content-Length: 811
Connection: keep-alive
Boulder-Requester: 1745804132
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: u9f3N-xz5VLwwzt3ulCuByRWiP9v6lE7KMXVvAfSwzMkkRVgDCI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "nextcloud.outbacknerd.party"
},
"status": "pending",
"expires": "2024-08-24T05:04:27Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/HQjEfQ",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
},
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/8dlNhg",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
},
{
"type": "tls-alpn-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/7_z38w",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
}
]
}
2024-08-17 05:04:32,598:DEBUG:acme.client:Storing nonce: u9f3N-xz5VLwwzt3ulCuByRWiP9v6lE7KMXVvAfSwzMkkRVgDCI
2024-08-17 05:04:35,601:DEBUG:acme.client:JWS payload:
b''
2024-08-17 05:04:35,607:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/391314699636:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTc0NTgwNDEzMiIsICJub25jZSI6ICJ1OWYzTi14ejVWTHd3enQzdWxDdUJ5UldpUDl2NmxFN0tNWFZ2QWZTd3pNa2tSVmdEQ0kiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzM5MTMxNDY5OTYzNiJ9",
"signature": "dgzXSh7wKFyv2MbGy7jTbLR-k-il5BgcXteaUf35cnml0wNW44q_lrY8RzyCoQ2hgjE8fQu78UNShC9Eds48PqHzByw5x857qlAZ_uC27Aplch9as_xo9kPt__dZ1pfvcYXv6vNJVa1W2PDqt4X2ZbkfFa9_6v9ZjzPKn4TGwPogSXwMtPtPq8BdIqnfXba2kFPmLfliacQi3_qrvikQ4DYsxOB1l5_VZIBXGI1PVywoNfNjKltIvvMaZdpa6-UrK_GXR0erb_P4cFCbz06xXQanyjEiJ9sbdTnlRLpSVepd1NgNak5xm1LTL4v5x1K56MU04UQ3ooX37Lx2EXTdrQ",
"payload": ""
}
2024-08-17 05:04:35,899:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/391314699636 HTTP/1.1" 200 811
2024-08-17 05:04:35,902:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 17 Aug 2024 05:04:35 GMT
Content-Type: application/json
Content-Length: 811
Connection: keep-alive
Boulder-Requester: 1745804132
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: Hj5k7jKgqNGQF2FgaX1aHsx8_eFbABzkTA_sRu7D5rJ1ui2qt78
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "nextcloud.outbacknerd.party"
},
"status": "pending",
"expires": "2024-08-24T05:04:27Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/HQjEfQ",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
},
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/8dlNhg",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
},
{
"type": "tls-alpn-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/7_z38w",
"status": "pending",
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac"
}
]
}
2024-08-17 05:04:35,903:DEBUG:acme.client:Storing nonce: Hj5k7jKgqNGQF2FgaX1aHsx8_eFbABzkTA_sRu7D5rJ1ui2qt78
2024-08-17 05:04:38,905:DEBUG:acme.client:JWS payload:
b''
2024-08-17 05:04:38,912:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/391314699636:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTc0NTgwNDEzMiIsICJub25jZSI6ICJIajVrN2pLZ3FOR1FGMkZnYVgxYUhzeDhfZUZiQUJ6a1RBX3NSdTdENXJKMXVpMnF0NzgiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzM5MTMxNDY5OTYzNiJ9",
"signature": "g0GiqBkrXVEZGgvuanjr0Xq23btS52lS_vasEhx4i9a9UWofLx7bSLYJ6-bZQVDe5VySvvE5xk3gFKnrHF7KYPdMqdzXYjd0o2hZFwlnDYBuxFdbbcsmkh5MwCDOpHnMOoDZQ4QDsTE3Z0C719GmrR7-8AWqSvQfqwRZJQzdh4O8XtbTIkzUrj_293FDwe-Y-qZwWMRk8pf859lrYAFGZqLZv89anvKdJftrrNUs0uBH6WQGTDeShO3iFyeWWx7_GlOQpvyifDPj28-JoTklsYdbO8D82B5PixTUfdSNEUVoS-s5m5qi_IWPUvcFWmzmHwI_cK-dyD0_JHbf5zc2ZQ",
"payload": ""
}
2024-08-17 05:04:39,205:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/391314699636 HTTP/1.1" 200 1100
2024-08-17 05:04:39,208:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 17 Aug 2024 05:04:39 GMT
Content-Type: application/json
Content-Length: 1100
Connection: keep-alive
Boulder-Requester: 1745804132
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: Hj5k7jKgKC4yvghfzBCnrwHT1t80uWw9-ItjNSFSyLbf989ZFbs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "nextcloud.outbacknerd.party"
},
"status": "invalid",
"expires": "2024-08-24T05:04:27Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/391314699636/HQjEfQ",
"status": "invalid",
"validated": "2024-08-17T05:04:27Z",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "144.6.165.0: Fetching http://nextcloud.outbacknerd.party/.well-known/acme-challenge/no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac: Timeout during connect (likely firewall problem)",
"status": 400
},
"token": "no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac",
"validationRecord": [
{
"url": "http://nextcloud.outbacknerd.party/.well-known/acme-challenge/no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac",
"hostname": "nextcloud.outbacknerd.party",
"port": "80",
"addressesResolved": [
"144.6.165.0"
],
"addressUsed": "144.6.165.0"
}
]
}
]
}
2024-08-17 05:04:39,209:DEBUG:acme.client:Storing nonce: Hj5k7jKgKC4yvghfzBCnrwHT1t80uWw9-ItjNSFSyLbf989ZFbs
2024-08-17 05:04:39,212:INFO:certbot._internal.auth_handler:Challenge failed for domain nextcloud.outbacknerd.party
2024-08-17 05:04:39,212:INFO:certbot._internal.auth_handler:http-01 challenge for nextcloud.outbacknerd.party
2024-08-17 05:04:39,213:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: nextcloud.outbacknerd.party
Type: connection
Detail: 144.6.165.0: Fetching http://nextcloud.outbacknerd.party/.well-known/acme-challenge/no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2024-08-17 05:04:39,218:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-08-17 05:04:39,218:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-08-17 05:04:39,219:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-08-17 05:04:39,219:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/no-wFrs2KSJHCz0TPf_myK3AHnWV8YqmMwN4n62Xiac
2024-08-17 05:04:39,220:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2024-08-17 05:04:39,221:ERROR:certbot._internal.renewal:Failed to renew certificate npm-7 with error: Some challenges have failed.
2024-08-17 05:04:39,224:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1550, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-08-17 05:04:39,227:DEBUG:certbot._internal.display.obj:Notifying user:

---

2024-08-17 05:04:39,227:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2024-08-17 05:04:39,227:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
2024-08-17 05:04:39,227:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-08-17 05:04:39,227:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/opt/certbot/bin/certbot", line 8, in
sys.exit(main())
^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1642, in renew
renewed_domains, failed_domains = renewal.handle_renewal_request(config)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2024-08-17 05:04:39,228:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)
[root@docker-2cbb66229267:/tmp/letsencrypt-log]# ^C
[root@docker-2cbb66229267:/tmp/letsencrypt-log]#

@jc21

[souravsk]

Did anyone solved this error

[excel0n]

Well, I spent 4 days troubleshooting this, and then figured out I had restricted the region of my router to only accept traffic from the US. As soon as I opened it up, I was able to renew my certificates.

[AlfaJackal]

This is the solution and it makes sense. What doesn't make sense is that my router settings have been unchanged for ages and my last certificate renewals went through.

Second solution is a DNS challenge with a wildcard cert:
https://medium.com/@martin.hodges/adding-a-wildcard-lets-encrypt-certificate-to-your-server-without-a-web-server-2e86e4e292ab