Home Assistant Community Add-on: Nginx Proxy Manager

I understand I can turn that bit off with the accept_terms: false flag… but it really seems like these two add-ons are now conflicting, where they weren’t before, so it seems like a strange change… I believe the main reason I didn’t run into the conflict before, is because I let the DuckDNS add-on handle all the certs and just added them manually by their paths to NPM.

And as far as adding certs manually to NPM, that doesn’t even appear to be an option anymore… there used to be a method to manually add a cert in NPM, but now when I go to add a cert, it only gives me the option to generate a new cert… If the option is still there, it was moved somewhere else.

I have the same config and went through the same phase as you.
I disabled the DuckDNS certification handling and went to NPM to do so. The certificates generated by NPM are not located in the ssl root as those generated by DuckDNS.
They are located in this directory /nginxproxymanager/live/npm-5/privkey.pem in ssl directory.
Do you see them ?
You also have to change some lines in the configuration.yaml in the http section
Mine looks like this :

use_x_forwarded_for: true

I removed the NPM add-on and re-added it and the “custom” option for “add ssl certificate” is back. I’m not sure what happened, but it definitely wasn’t there in the UI until I removed and re-added it. Looks like all is working fine now. Thanks!

1 Like

I’ve had a working NPM set-up for a while now, on HA supervised on RPi4 connected via ethernet. Recently, my NPM GUI proxy disappeared, so I uninstalled and reinstalled the add-on, but now I am having issues accessing my external URL. I get a ‘Deceptive site ahead’ warning, as the certificate doesn’t appear to be valid.

I can confirm nothing else changed from when it was working before, only reinstalling the addon. Ports are correctly forwarded and MariaDB is properly configured.

The log I am seeing gives me:

[9/7/2022] [10:59:24 AM] [SSL      ] › ✖  error     Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/npm-26.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-26/cert.pem to be a symlink
0 renew failure(s), 3 parse failure(s)
    at ChildProcess.exithandler (node:child_process:398:12)
    at ChildProcess.emit (node:events:527:28)
    at maybeClose (node:internal/child_process:1092:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

I assume that my prior NPM settings are still somewhere. I tried deleting the ssl/nginxproxymanger folder, so that it gets recreated, but that didnt help. Any assistance would be really helpful!

I understand that this add-on is not able to create wildcard certificates for a domain, but needs to create one for every subdomain.
However, no matter if I try my own domain or e.g. one from duckdns, I can always create ONE in this overall domain range, but not a second one.

So I have a subdomain cloud.mydomain.de, successfully created a certificate can access my internal URL service with that.
Doing it the same way for another subdomain like ha.mydomain.de does not work.

Same with duckdns. One subdomain is up and running. I created another one in my duckdns account and tried to add that in NGINX Proxy Manager, but the result for creating an LE certificate is only an error:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-34" --agree-tos --email "[email protected]" --domains "mysubdomain.duckdns.org" --authenticator dns-duckdns --dns-duckdns-credentials "/etc/letsencrypt/credentials/credentials-34"
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Trying to detect encoding from a tiny portion of (2) byte(s).
Trying to detect encoding from a tiny portion of (2) byte(s).
Trying to detect encoding from a tiny portion of (2) byte(s).
Trying to detect encoding from a tiny portion of (2) byte(s).
Encountered exception during recovery: certbot.errors.PluginError: The clearing of the TXT record for domain "mysubdomain.duckdns.org" was not successful.
Request status code: 200
Request response text: KO
The TXT update "-i81nJR08ruwf8PGYhuP0DZG98dFNAzMDyP5TBHzn2I" for domain "mysubdomain.duckdns.org" could not be set.
Request status code: 200
Request response text: KO
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:398:12)
    at ChildProcess.emit (node:events:527:28)
    at maybeClose (node:internal/child_process:1092:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

Can anyone help? In the end I am only looking for a solution to make different home assistant addons accessible from outside. But my availability of different domains is limited, while I can’t get several subdomains from the same domain to work.

I have
domain.duckdns.org registered with DuckDNS on their website then configured in DuckDNS addon;
subdomain_x.domain.duckdns.org (quite a lot of subdomains) with NPM addon

I do not get that.
I have now domain1.duckdns.org and domain2.duckdns.org registered in duckdns add-on:

In NPM I had already successfully created a certificate for domain1.duckdns.org.
But neither for domain2.duckdns.org nor for subdomain.domain1.duckdns.org I can issue a certificate in NPM.
subdomain.domain1.duckdns.org also confuses me, can you create additional subdomains for your one domain in duckdns? Or do you just invent them and only put them in NPM?!

Can you check that you don’t have other services trying to update DDNS records?
Does the DuckDNS addon report ok in the log?
Did the issuance of certificates work before?
Do you have valid certificates that expired in NPM?

Other stuff to try: leave only domain1.duckdns.org in DuckDNS addon then try to create subdomain.domain1.duckdns.org in NPM

Also, might want to do a reboot as you never know…

Do you mean in DuckDNS or in NPM addons?

Only the domain.duckdns.org is defined on the DuckDNS site and referenced by the DuckDNS addon but for subdomains (sudomain1 part in subdomain1.domain.duckdns.org) you can define anything you want in NPM.

Thanks for the hookup on this, I’ve found it interesting to set up. For the life of me i can’t get lets encrypt to work, so i just made the certs through the DUCKDNS addon in HA.

2 questions please:

  1. Is there a specific directory where nginx proxy manager is storing the keys that i import? I was interested in automating the renewal process so that new keys generated by the duckdns addon would be copied into whereever NGINX is keeping them.
  2. I’m seeing ALOT of conflicting information on trusted proxies. Is it or or both???

Duck DNS log says okay and reports the same IP that I also see in DuckDNS in my account for the two domains.

Issuance of certificates works, I have multiple that also automatically extend, but they are all for different second level domains. Neither with duckdns nor with my own domains I have ever been able to create more than one certificate for different sub-domains under the same second level domain.

I also have two outdated certificates in NPM that I do not use anymore and that therefore expired, yes.

I have rebooted the complete HassOS host, does not change anything.

If I add an NPM entry for subdomain.domain1.duckdns.org with HTTP, it works.
I I choose the domain1.duckdns.org certificate for it and try HTTPS, it gives certificate error.
If I try to issue a certificate for subdomain.domain1.duckns.org in NPM, it leads to the internal error from above.


I think I got it working!

I manually selected to extend the certificate in NPM. That worked, extended until 22.12.22.
Then I did the proxy host entry first with http and no certificate and saved.
Then I went again into this entry, selected to issue a new certificate but DID NOT select to use the DNS challenge where you can then selecte duckdns in the drop-down menu.
So just like this:

This did then work without issues on first look!

And on first try the same procedure also worked for the second domain entry in duckdns, the domain2.duckdns.org.

So all in all it seems that everything was solved by manually pushing NPM to extend ther certificate that was still valid and would have been extended as usual towards end of October anyways.
Very odd, but happy with the result! :smiling_face_with_three_hearts:

On question 2:

This is my relevant configuration.yaml part:

# for nginx proxy manager
  use_x_forwarded_for: true
  ip_ban_enabled: true
  login_attempts_threshold: 5

Thanks flo.

Hi there, yet another guy having this problem.

I’m trying to proxy home.domain.no to my Home Assistant, but I get a 400: Bad Request with these settings -

Yaml file:

Nginx proxy setup:

Continued in next post…

This results in this lovely page when accessing home.domain.no:

I feel like I’ve tried everything in here. Nginx proxy manager is on a different machine than Home Assistant, as opposed to

Any clues?

You don’t need custom location for HA (or anything in the Advanced tab).

Are you sure your certificate is valid?

I removed the custom locations bit, requested a new SSL certificate, and boom it worked instantly. After all this work trying to figure out how the advanced settings work hahah, thanks a bunch!

Hit that SSL tab, request new certificate.

Missed the 2022.10 release.
Anything new about Nginx regarding the "relevant user not found " error?

Do you have MariaDB addon up and running?

Yes… Is running… no errors there…

Just saw that some removed the add-on and re-installed… At the moment I dont dare to do it. Need to login and save the config somehow.

Hi, just tried to go in and update the certificate, and got the same “relevant user not found” error… has been working great for ages…

… just found that the ‘default’ credentials worked: [email protected] / changeme

Somehow it lost the changes through one of the updates.