Home Assistant Community Add-on: Nginx Proxy Manager

This is definitely something that just started happening.

I am using (and have been using for a long time) mariadb. I can see my user and credentials in the DB. When trying to log on I get ‘no relevant user found’. But it's there. I can log on with the default user which is interesting but that isn't in the DB. #wtf When logging in with that user, there's no configuration. nginx is still working with the configuration though. :slight_smile: I just can't change it or see it.

I just fixed this YESTERDAY but starting from scratch and then today after a reboot it happened again.

Probably the problem is with MariaDB, not NPM.

Are you able to set a fresh Docker install of NPM+MariaDB and move the configuration there? Home Assistant Community Add-on: Nginx Proxy Manager - #548 by Petrica

I don't think so. The database is fine; after the connection is re-established, even in the SAME nginx container by replacing the production.json in the container itself, all works. It certainly appears to be nginx. That issue above is trying to figure things out though.

Hi there!
Is anybody using it with Cloudflare certs?
I would like to setup the Cloudflare (with proxy) certs to use HTTPS on my external domain, while keeping HTTP internally (to avoid certificate issues locally and with the app).
I tried to import the Cloudflare cert into Nginx Proxy Manager, but I have a certificate issue now.
If I revert to using the HA config with CF certificates, no issues are detected.
I also tried to add the local network as trusted proxies.

Yes it works fine. I’d recheck how you imported and the config. You can also proxy with letsencrypt certs. I use letsencrypt because I prefer locally to connect locally rather than going through cloudflare. If I use letsencrypt certs, I can simply put a local dns entry on my network for the private IP and connect direct locally and remotely when I am outside the network via cloudflare with the same domain name/url.

Origin certs work too, though without the ability to connect locally. I started with that. They are supposedly more efficient because they are smaller, but like we'd notice a 1k difference. :slight_smile:

Yeah, just like in @calisro's case it works fine. I first had it work with Let's Encrypt and then switched to an origin certificate since it lasts for 30 years and is apparently better. You have to turn origin checking on under SSL in Cloudflare, then generate it and install it on NPM under the SSL tab. Then enable strict checking in Cloudflare. All that works with local domains being HTTP and HTTPS as I have both.

You can also use CloudFlared HA addon which basically automates everything for you and you don’t have to forward any ports on the router… although it doesn’t support sub-locations for domains to my knowledge like example.com/plex . Subdomain like plex.example.com is fine though.

Thanks for pointing the way to the portainer config. Do you by any chance know how to set up NPM as a sub-location? e.g. domain.com/npm

Just a note. The certs don’t expire and they are smaller (tiny bit less data but we’re talking home assistant here not a million hit per second application LOL) but if you use origin certs, you can’t access that local url directly anymore which is why I moved back to letsencrypt certs. I still retain strict checking in cloudflare with the same end-to-end encryption.

btw, if you’re going to use this methodology, be sure to disable caching in cloudflare or things are going to be very slowwwwwww. You do that under ‘page rules’.

For all local stuff I just use IP and http so no issues with SSL not being verified. I actually haven’t noticed any issues with default caching turned on.

You probably will when you have lots of images trying to load, you'll notice. It's sluggish as hell. I use a card that loads all my doorbell images from a sensor and it timed out constantly. Also try shift+refresh in a browser and see how long things can take, especially if you have lots of custom cards and JavaScripts.

Hi all.
Could anybody here explain the IPs used by NPM?
After tries and fails I have it up and running with the following http config:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 127.0.0.1
    - 172.30.32.1
  ip_ban_enabled: true
  login_attempts_threshold: 3

The last one, i.e. 172.30.32.1, seems to be the critical one.

Over SSH I ran docker inspect addon_a0d7b954_nginxproxymanager | jq -r and it displayed:

"Gateway": "172.30.32.1",
"IPAddress": "172.30.33.10",

172.30.33.0/24 in the http config is clear, but the remaining two?

Without 172.30.32.1 it was working from the internal network only, and from external randomly, usually after several refreshes of the IP or restarting the companion app, but without automatic reconnection.
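As an added illustration (not Home Assistant's or NPM's own code), a simplified model of what trusted_proxies, use_x_forwarded_for and ip_ban_enabled decide for a proxied request, using the address lists from the post above. The peer addresses and X-Forwarded-For values are constructed, and the "right-most untrusted hop" rule is this model's assumption, not a claim about Home Assistant's exact implementation.

```python
"""Model of trusted_proxies / use_x_forwarded_for / ip_ban handling.

Simplified re-implementation for illustration: X-Forwarded-For is honoured
only when the TCP peer is a trusted proxy, and the client address is the
right-most X-Forwarded-For hop that is not itself a trusted proxy.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# The http: block from the post, as parsed data (constructed, not read from YAML).
TRUSTED_WITH_GATEWAY = ["172.30.33.0/24", "127.0.0.1", "172.30.32.1"]
TRUSTED_WITHOUT_GATEWAY = ["172.30.33.0/24", "127.0.0.1"]


class UntrustedProxy(Exception):
    """Raised when X-Forwarded-For arrives from a peer that is not a trusted proxy."""


def is_trusted(peer: str, trusted: List[str]) -> bool:
    addr = ip_address(peer)
    return any(addr in ip_network(t, strict=False) for t in trusted)


def resolve_client_ip(peer: str, xff: Optional[str], trusted: List[str],
                      use_xff: bool = True) -> str:
    """Return the address that login attempts and bans are attributed to."""
    if not use_xff or not xff:
        return peer                       # no proxy info: the TCP peer is the client
    if not is_trusted(peer, trusted):
        raise UntrustedProxy(f"X-Forwarded-For from untrusted peer {peer}")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):            # walk back through the proxy chain
        if not is_trusted(hop, trusted):
            return str(ip_address(hop))   # also validates that it is a real IP
    return hops[0]                        # every hop was a trusted proxy


@dataclass
class LoginBanTracker:
    """ip_ban_enabled / login_attempts_threshold, keyed on the resolved address.

    If the resolved address is the proxy itself (peer not trusted, or no
    X-Forwarded-For), three failed logins from anyone ban the proxy and with it
    every external user, which looks like the 'works randomly' symptom above.
    """
    threshold: int = 3
    failures: Dict[str, int] = field(default_factory=dict)
    banned: Set[str] = field(default_factory=set)

    def failed_login(self, client_ip: str) -> bool:
        self.failures[client_ip] = self.failures.get(client_ip, 0) + 1
        if self.failures[client_ip] >= self.threshold:
            self.banned.add(client_ip)
        return client_ip in self.banned
```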

I had this issue today after a server restart. I restarted MariaDB and this fixed the issue for me.

I’m getting the error “another instance of certbot is already running”. I previously had the DuckDNS add-on running alongside NPM, and I just manually pointed NPM at the certs that the DuckDNS add-on had generated. Does this error mean I can’t run the DuckDNS add-on and NPM side-by-side anymore? It doesn’t look like I can even manually add SSL certs in NPM now. Previously, I could supply the path to the certs, but I don’t see any options other than adding a new one via Let’s Encrypt. I’m also concerned that if I can’t run the DuckDNS add-on alongside NPM, then I no longer have anything syncing my external IP with DuckDNS… What’s going on here?

In the DuckDNS add-on, have you modified the line:

accept_terms: false
Using the SSL cert paths works well.

I understand I can turn that bit off with the accept_terms: false flag… but it really seems like these two add-ons are now conflicting, where they weren’t before, so it seems like a strange change… I believe the main reason I didn’t run into the conflict before, is because I let the DuckDNS add-on handle all the certs and just added them manually by their paths to NPM.

And as far as adding certs manually to NPM, that doesn’t even appear to be an option anymore… there used to be a method to manually add a cert in NPM, but now when I go to add a cert, it only gives me the option to generate a new cert… If the option is still there, it was moved somewhere else.

I have the same config and went through the same phase as you.
I disabled the DuckDNS certification handling and went to NPM to do so. The certificates generated by NPM are not located in the ssl root as those generated by DuckDNS.
They are located at /nginxproxymanager/live/npm-5/privkey.pem in the ssl directory.
Do you see them?
You also have to change some lines in the configuration.yaml in the http section.
Mine looks like this:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

I removed the NPM add-on and re-added it and the “custom” option for “add ssl certificate” is back. I’m not sure what happened, but it definitely wasn’t there in the UI until I removed and re-added it. Looks like all is working fine now. Thanks!


I’ve had a working NPM set-up for a while now, on HA supervised on RPi4 connected via ethernet. Recently, my NPM GUI proxy disappeared, so I uninstalled and reinstalled the add-on, but now I am having issues accessing my external URL. I get a ‘Deceptive site ahead’ warning, as the certificate doesn’t appear to be valid.

I can confirm nothing else changed from when it was working before, only reinstalling the addon. Ports are correctly forwarded and MariaDB is properly configured.

The log I am seeing gives me:

[9/7/2022] [10:59:24 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink
Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-26.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-26/cert.pem to be a symlink
Skipping.
0 renew failure(s), 3 parse failure(s)
    at ChildProcess.exithandler (node:child_process:398:12)
    at ChildProcess.emit (node:events:527:28)
    at maybeClose (node:internal/child_process:1092:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

I assume that my prior NPM settings are still somewhere. I tried deleting the ssl/nginxproxymanager folder, so that it gets recreated, but that didn't help. Any assistance would be really helpful!
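An added diagnostic (not part of NPM or certbot) for the "expected ... to be a symlink" failures in the log above: certbot keeps the real key and certificate files under archive/<name>/ and expects every path under live/<name>/ to be a symlink into that directory, so a renewal whose live files are plain copies is reported as broken and skipped. The function below reads each renewal .conf and lists the live paths that are not symlinks; the directory layout it is tested against is constructed.

```python
"""Find certbot renewal configs whose live/ files are not symlinks.

Added diagnostic, not certbot's own code. Point it at the letsencrypt
directory (the one holding renewal/, live/ and archive/) and it returns the
renewal names that certbot would report as broken, with the offending paths.
"""
import configparser
import os
from pathlib import Path
from typing import Dict, List

# Keys in a renewal .conf that must point at symlinks under live/<name>/.
LIVE_KEYS = ("cert", "privkey", "chain", "fullchain")


def parse_renewal_conf(conf_path: Path) -> Dict[str, str]:
    """Read the top-level key = value lines of a certbot renewal .conf file."""
    parser = configparser.ConfigParser(interpolation=None)
    # certbot writes the live paths above any [section]; give them a section
    # header so configparser accepts the file. [renewalparams] is kept separate.
    parser.read_string("[top]\n" + conf_path.read_text())
    return dict(parser["top"])


def broken_renewals(letsencrypt_dir: str) -> Dict[str, List[str]]:
    """Map renewal name -> live paths that are missing or are not symlinks."""
    result: Dict[str, List[str]] = {}
    renewal_dir = Path(letsencrypt_dir) / "renewal"
    for conf in sorted(renewal_dir.glob("*.conf")):
        values = parse_renewal_conf(conf)
        bad = [values[k] for k in LIVE_KEYS
               if k in values and not os.path.islink(values[k])]
        if bad:
            result[conf.stem] = bad
    return result
```

A renewal listed here will keep failing with "parse failure" until its live/ entries are symlinks into archive/ again; an empty result means the symlink check is not what is breaking the renew.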

I understand that this add-on is not able to create wildcard certificates for a domain, but needs to create one for every subdomain.
However, no matter if I try my own domain or e.g. one from duckdns, I can always create ONE in this overall domain range, but not a second one.

So I have a subdomain cloud.mydomain.de, successfully created a certificate and can access my internal URL service with that.
Doing it the same way for another subdomain like ha.mydomain.de does not work.

Same with duckdns. One subdomain is up and running. I created another one in my duckdns account and tried to add that in NGINX Proxy Manager, but the result for creating an LE certificate is only an error:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-34" --agree-tos --email "[email protected]" --domains "mysubdomain.duckdns.org" --authenticator dns-duckdns --dns-duckdns-credentials "/etc/letsencrypt/credentials/credentials-34"
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Trying to detect encoding from a tiny portion of (2) byte(s).
Trying to detect encoding from a tiny portion of (2) byte(s).
Trying to detect encoding from a tiny portion of (2) byte(s).
Trying to detect encoding from a tiny portion of (2) byte(s).
Encountered exception during recovery: certbot.errors.PluginError: The clearing of the TXT record for domain "mysubdomain.duckdns.org" was not successful.
Request status code: 200
Request response text: KO
The TXT update "-i81nJR08ruwf8PGYhuP0DZG98dFNAzMDyP5TBHzn2I" for domain "mysubdomain.duckdns.org" could not be set.
Request status code: 200
Request response text: KO
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:398:12)
    at ChildProcess.emit (node:events:527:28)
    at maybeClose (node:internal/child_process:1092:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

Can anyone help? In the end I am only looking for a solution to make different Home Assistant add-ons accessible from outside. But my availability of different domains is limited, and I can't get several subdomains from the same domain to work.

I have
domain.duckdns.org registered with DuckDNS on their website then configured in DuckDNS addon;
subdomain_x.domain.duckdns.org (quite a lot of subdomains) with NPM addon