I understand I can turn that bit off with the accept_terms: false flag… but it really seems like these two add-ons are now conflicting, where they weren’t before, so it seems like a strange change… I believe the main reason I didn’t run into the conflict before, is because I let the DuckDNS add-on handle all the certs and just added them manually by their paths to NPM.
And as far as adding certs manually to NPM, that doesn’t even appear to be an option anymore… there used to be a method to manually add a cert in NPM, but now when I go to add a cert, it only gives me the option to generate a new cert… If the option is still there, it was moved somewhere else.
I have the same config and went through the same phase as you.
I disabled the DuckDNS certification handling and went to NPM to do so. The certificates generated by NPM are not located in the ssl root as those generated by DuckDNS.
They are located in this directory /nginxproxymanager/live/npm-5/privkey.pem in ssl directory.
Do you see them ?
You also have to change some lines in the configuration.yaml in the http section
Mine looks like this :
I removed the NPM add-on and re-added it and the “custom” option for “add ssl certificate” is back. I’m not sure what happened, but it definitely wasn’t there in the UI until I removed and re-added it. Looks like all is working fine now. Thanks!
I’ve had a working NPM set-up for a while now, on HA supervised on RPi4 connected via ethernet. Recently, my NPM GUI proxy disappeared, so I uninstalled and reinstalled the add-on, but now I am having issues accessing my external URL. I get a ‘Deceptive site ahead’ warning, as the certificate doesn’t appear to be valid.
I can confirm nothing else changed from when it was working before, only reinstalling the addon. Ports are correctly forwarded and MariaDB is properly configured.
The log I am seeing gives me:
[9/7/2022] [10:59:24 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-1/cert.pem to be a symlink
Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-2/cert.pem to be a symlink
Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-26.conf is broken.
The error was: expected /etc/letsencrypt/live/npm-26/cert.pem to be a symlink
Skipping.
0 renew failure(s), 3 parse failure(s)
at ChildProcess.exithandler (node:child_process:398:12)
at ChildProcess.emit (node:events:527:28)
at maybeClose (node:internal/child_process:1092:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)
I assume that my prior NPM settings are still somewhere. I tried deleting the ssl/nginxproxymanger folder, so that it gets recreated, but that didnt help. Any assistance would be really helpful!
I understand that this add-on is not able to create wildcard certificates for a domain, but needs to create one for every subdomain.
However, no matter if I try my own domain or e.g. one from duckdns, I can always create ONE in this overall domain range, but not a second one.
So I have a subdomain cloud.mydomain.de, successfully created a certificate can access my internal URL service with that.
Doing it the same way for another subdomain like ha.mydomain.de does not work.
Same with duckdns. One subdomain is up and running. I created another one in my duckdns account and tried to add that in NGINX Proxy Manager, but the result for creating an LE certificate is only an error:
Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-34" --agree-tos --email "[email protected]" --domains "mysubdomain.duckdns.org" --authenticator dns-duckdns --dns-duckdns-credentials "/etc/letsencrypt/credentials/credentials-34"
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Trying to detect encoding from a tiny portion of (2) byte(s).
Trying to detect encoding from a tiny portion of (2) byte(s).
Trying to detect encoding from a tiny portion of (2) byte(s).
Trying to detect encoding from a tiny portion of (2) byte(s).
Encountered exception during recovery: certbot.errors.PluginError: The clearing of the TXT record for domain "mysubdomain.duckdns.org" was not successful.
Request status code: 200
Request response text: KO
The TXT update "-i81nJR08ruwf8PGYhuP0DZG98dFNAzMDyP5TBHzn2I" for domain "mysubdomain.duckdns.org" could not be set.
Request status code: 200
Request response text: KO
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
at ChildProcess.exithandler (node:child_process:398:12)
at ChildProcess.emit (node:events:527:28)
at maybeClose (node:internal/child_process:1092:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)
Can anyone help? In the end I am only looking for a solution to make different home assistant addons accessible from outside. But my availability of different domains is limited, while I can’t get several subdomains from the same domain to work.
I have domain.duckdns.org registered with DuckDNS on their website then configured in DuckDNS addon;
subdomain_x.domain.duckdns.org (quite a lot of subdomains) with NPM addon
Can you check that you don’t have other services trying to update DDNS records?
Does the DuckDNS addon report ok in the log?
Did the issuance of certificates work before?
Do you have valid certificates that expired in NPM?
Also, might want to do a reboot as you never know…
Do you mean in DuckDNS or in NPM addons?
Only the domain.duckdns.org is defined on the DuckDNS site and referenced by the DuckDNS addon but for subdomains (sudomain1 part in subdomain1.domain.duckdns.org) you can define anything you want in NPM.
Thanks for the hookup on this, I’ve found it interesting to set up. For the life of me i can’t get lets encrypt to work, so i just made the certs through the DUCKDNS addon in HA.
2 questions please:
Is there a specific directory where nginx proxy manager is storing the keys that i import? I was interested in automating the renewal process so that new keys generated by the duckdns addon would be copied into whereever NGINX is keeping them.
I’m seeing ALOT of conflicting information on trusted proxies. Is it 172.30.33.0/24 or 127.0.0.1 or both???
Issuance of certificates works, I have multiple that also automatically extend, but they are all for different second level domains. Neither with duckdns nor with my own domains I have ever been able to create more than one certificate for different sub-domains under the same second level domain.
I manually selected to extend the certificate in NPM. That worked, extended until 22.12.22.
Then I did the proxy host entry first with http and no certificate and saved.
Then I went again into this entry, selected to issue a new certificate but DID NOT select to use the DNS challenge where you can then selecte duckdns in the drop-down menu.
So just like this:
And on first try the same procedure also worked for the second domain entry in duckdns, the domain2.duckdns.org.
So all in all it seems that everything was solved by manually pushing NPM to extend ther certificate that was still valid and would have been extended as usual towards end of October anyways.
Very odd, but happy with the result!
I removed the custom locations bit, requested a new SSL certificate, and boom it worked instantly. After all this work trying to figure out how the advanced settings work hahah, thanks a bunch!
FOR FUTURE READERS:
Hit that SSL tab, request new certificate.
