Unable to get SSL cert from Nginx Proxy Manager. Getting Internal Error

Installed DuckDNS and got a domain. Was suggested to use Nginx Proxy Manager. Followed the gif in the docs. Both ports forwarded. When trying to add SSL to the host it just throws Internal Error. I tried using homeassistant as the URL and just the IP address. No change. What else do I need to do?

Here’s the log:
https://pastebin.com/erkjX7WC

Have exactly the same issue, did you solve?

Up !

Same issue !! …

I’m wanting to use the Nginx Proxy Manager and am getting the exact same issue:
“192.168.86.207:81 says Internal Error”. Was a solution ever found for this?

Little more detail, the log reads;

[4/9/2020] [4:51:07 PM] [Express ] › :warning: warning Command failed: /usr/bin/certbot certonly --non-interactive --config “/etc/letsencrypt.ini” --cert-name “npm-14” --agree-tos --email “[email protected]” --preferred-challenges “dns,http” --webroot --domains “xxxxxx.duckdns.org
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxxxx.duckdns.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification…
Challenge failed for domain xxxxxx.duckdns.org
http-01 challenge for xxxxxx.duckdns.org
Cleaning up challenges
Some challenges have failed.

After spending quite a few hours, trying to set this up I have come down to the following things that worked for me, maybe it will help someone:

  • First create a DuckDNS account and set up the DuckDNS addon on Hass.io. If you have your own domain you can add a subdomain A record to resolve to your public IP and not use DuckDNS at all.
  • If you use DuckDNS, allow the DuckDNS addon to create the cert
  • Forward Port 80 on Router to Port 80 of Hass.io IP
  • Forward Port 443 on Router to Port 443 of Hass.io IP
  • It will even help if your Hassio instance on your network gets the same IP every time
  • For the above 2 make sure your ISP does not block those 2 ports. It is very important that when a https request is made to the domain, it needs to resolve to the Hassio machine.
  • Comment out/remove the http: line from your configuration.yaml (I had to do this to get it to work)

Next steps are what is described in this addon’s documentation

  • Now add the domain in NGinx Proxy Manager, set the scheme to http, forward hostname/ip to 192.168.x.x (this should be the IP of your Hassio) and port to 8123
  • The domain should now be accessible without https (this is why you had port 80 mapped to Hassio)
  • Now edit the Proxy entry, go to SSL tab, select "Request a new SSL certificate", select "Force SSL" and click save

That should be it, now your Hassio interface should be accessible at https://your.domain.com

3 Likes

Hello Parag,

I’m following your steps, but I’m facing some issues,
I did forward the ports on my router, I installed the NGinx Proxy Manager, and I created the proxy host to

Source: xxxx.duckdns.org
Destination: http://10.1.0.1:8123

First of all, if I try to access from outside to http://xxxx.duckdns.org it takes me to my router.

Then if I try to enable the SSL in Nginx, I follow the steps to request a new certificate and it fails. This is the log:

[6/24/2020] [8:05:44 PM] [Nginx ] › :heavy_check_mark: success Wrote config: /data/nginx/proxy_host/1.conf
# ------------------------------------------------------------
# xxxx.duckdns.org
# ------------------------------------------------------------

server {
  set $forward_scheme http;
  set $server "10.1.0.1";
  set $port 8123;
  listen 80;
  #listen [::]:80;
  server_name xxxx.duckdns.org;
  access_log /proc/1/fd/1 proxy;
  location / {
    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}
[6/24/2020] [8:05:44 PM] [Nginx ] › :information_source: info Testing Nginx configuration
[6/24/2020] [8:05:44 PM] [Nginx ] › :information_source: info Reloading Nginx
[6/24/2020] [8:05:44 PM] [Express ] › :warning: warning Command failed: /usr/bin/certbot certonly --non-interactive --config “/etc/letsencrypt.ini” --cert-name “npm-10” --agree-tos --email “[email protected]” --preferred-challenges “dns,http” --webroot --domains “xxxx.duckdns.org
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxx.duckdns.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification…
Challenge failed for domain xxxx.duckdns.org
http-01 challenge for xxxx.duckdns.org
Cleaning up challenges
Some challenges have failed.

Could that be because port 80 can’t be routed to my hassio?

Any help is welcome.

Yes, LetsEncrypt needs your Port 80 open to your Hassio. Did you forward Port 80 to your Hassio IP?
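What the `http-01 challenge` lines in the logs above are testing, as an added example that is not part of any post in this thread: the validator fetches `/.well-known/acme-challenge/<token>` over plain HTTP on port 80 and expects the exact file certbot wrote into the webroot. The local servers, token, key-authorization string and function names below are constructed stand-ins so the four outcomes can be reproduced offline.

```python
# Added example; all servers, tokens and names here are constructed for illustration.
import functools, http.server, pathlib, socket, tempfile, threading
import urllib.error, urllib.request

ACME_PREFIX = "/.well-known/acme-challenge/"
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies, like a validator

def probe_http01(base_url, token, expected, timeout=5):
    """Fetch the challenge URL the way a validator would and classify the answer."""
    url = base_url.rstrip("/") + ACME_PREFIX + token
    try:
        with DIRECT.open(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:     # a server answered, but not with the file
        return f"http-error-{exc.code}"
    except (urllib.error.URLError, OSError):  # nothing listening, forward missing or blocked
        return "unreachable"
    return "ok" if body == expected else "wrong-responder"

class RouterPage(http.server.BaseHTTPRequestHandler):  # stand-in for a router admin UI
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<html>router login</html>")

def _serve(handler):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def demo():
    token, key_auth = "constructed-token", "constructed-token.constructed-thumbprint"
    with tempfile.TemporaryDirectory() as webroot:  # plays /data/letsencrypt-acme-challenge
        chal = pathlib.Path(webroot, ".well-known", "acme-challenge")
        chal.mkdir(parents=True)
        (chal / token).write_text(key_auth)
        files = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        (good, good_url), (router, router_url) = _serve(files), _serve(RouterPage)
        with socket.socket() as s:  # reserve a port, then release it so nothing listens
            s.bind(("127.0.0.1", 0))
            closed_url = f"http://127.0.0.1:{s.getsockname()[1]}"
        results = {
            "proxy serves webroot": probe_http01(good_url, token, key_auth),
            "file not in webroot": probe_http01(good_url, "other-token", key_auth),
            "router answers on port 80": probe_http01(router_url, token, key_auth),
            "port 80 not forwarded": probe_http01(closed_url, token, key_auth),
        }
        for srv in (good, router):
            srv.shutdown()
    return results
```

Only the first outcome lets a challenge pass; the other three all surface in the add-on as the same "Challenge failed for domain" line, which is why the classification has to be done from the network side.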

Yes, I did it in my router.

I do have

Service Name: hassio_80
LAN IP: 10.1.0.1
Protocol: TCP
LAN Port: 80
Public Port: 80

But in the Nginx Proxy Manager, if I left port 80 it didn’t initialize.

If I change port 80 for another (8080) I can start it, but obviously I cannot get the certificate;
as you mentioned, it must be port 80.

Hello Parag,

I think I did it, what I did was to change my port forwarding to

Protocol: TCP
LAN Port: 8888
Public Port: 80

And started the Nginx on port 8888, and it worked.

Thank you,

I have the same issue.
I installed the addon.
On my router I forwarded both public ports 80 and 443 to the IP address where the NPM is installed on my HASS.
I am able to log in to the NPM admin page and change the password etc.
I cannot get a Letsencrypt SSL certificate; it gives me an internal error and it fails.
I set the proxy to forward my duckdns subdomain to my local IP address of the HASS install on port 8123. When I try accessing through the subdomain without SSL it also fails.
Please help if you can.

Maybe it’s too late, but are you trying from your local IP or your DDNS domain? I was doing it from my DDNS and it always failed. Use your local IP on the nginx dashboard.

Hello, I have a Unifi system … any help with this will be appreciated!!! Thank you. :sob:

Home Assistant at Hyper-V VM, MariaDb with Nginx PM. Dyndns Service

Port Forwarding from 80 to 192.168.1.240:80, 443 to 192.168.1.240:443

Setting:

  • NPM MESSAGES

INTERNAL ERROR


Error: Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-30" --agree-tos --email "j**********[email protected]" --preferred-challenges "dns,http" --domains "homeassistant.h*****s.org" 
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for homeassistant.h*****s.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain homeassistant.h*****s.org
http-01 challenge for homeassistant.h*****s.org
Cleaning up challenges
Some challenges have failed.

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1048:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:288:5)
  • HA NPM Reg


[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] permissions: applying... 
[fix-attrs.d] permissions: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 
-----------------------------------------------------------
 Add-on: Nginx Proxy Manager
 Manage Nginx proxy hosts with a simple, powerful interface
-----------------------------------------------------------
 Add-on version: 0.11.0
 You are running the latest version of this add-on.
 System: Home Assistant OS 5.13  (amd64 / qemux86-64)
 Home Assistant Core: 2021.5.5
 Home Assistant Supervisor: 2021.04.3
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] mysql.sh: executing... 
[cont-init.d] mysql.sh: exited 0.
[cont-init.d] nginx.sh: executing... 
[cont-init.d] nginx.sh: exited 0.
[cont-init.d] npm.sh: executing... 
[cont-init.d] npm.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[17:53:41] INFO: Starting NGinx...
[17:53:41] INFO: Starting the Manager...
[5/21/2021] [5:53:42 PM] [Migrate  ] › ℹ  info      Current database version: 20210210154703
[5/21/2021] [5:53:42 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[5/21/2021] [5:53:42 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[5/21/2021] [5:53:43 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[5/21/2021] [5:53:43 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[5/21/2021] [5:53:43 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[5/21/2021] [5:53:43 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[5/21/2021] [5:53:43 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[5/21/2021] [5:53:43 PM] [Global   ] › ℹ  info      Backend PID 537 listening on port 3000 ...
[5/21/2021] [5:53:44 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[5/21/2021] [5:53:44 PM] [SSL      ] › ℹ  info      Renew Complete
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
[5/21/2021] [5:54:50 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[5/21/2021] [5:54:50 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #31: homeassistant.h*****s.org
[5/21/2021] [5:54:56 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[5/21/2021] [5:54:56 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-31" --agree-tos --email "j**********[email protected]" --preferred-challenges "dns,http" --domains "homeassistant.h*****s.org" 
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for homeassistant.h*****s.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain homeassistant.h*****s.org
http-01 challenge for homeassistant.h*****s.org
Cleaning up challenges
Some challenges have failed.

Any idea ?? :pray:

This is exactly what I was looking for! Thank you!

Same problem here…

Did you find a solve?

Thanks

1 Like

Has anyone been able to find a fix for this?

I am still unable to get Nginx Proxy Manager to work properly… I’m constantly met with errors even when following the directions to the T… Can anyone help please?

ui says: Internal Error

log says:

[10/26/2021] [9:08:34 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[10/26/2021] [9:08:34 AM] [SSL      ] › ℹ  info      Renew Complete
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
[10/26/2021] [9:31:50 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[10/26/2021] [9:31:50 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #1: XXXXredacted.duckdns.org
[10/26/2021] [9:32:03 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[10/26/2021] [9:32:03 AM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-1" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "XXXXredacted.duckdns.org" 
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for XXXXredacted.duckdns.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain XXXXredacted.duckdns.org
http-01 challenge for XXXXredacted.duckdns.org
Cleaning up challenges
Some challenges have failed.

Thanks

Did you figure it out?
I’m having the same issues it seems…
Thanks

Same problem for me as well… despite verifying NAT on 443 & 80 ports
Some idea ?

same here. NGINX Proxy Manager tells me “Internal Error” when trying to use SSL.

Complete re-installation of Nginx PM and Maria DB from scratch…
And got a new SSL certificate…
Just take care not using MariaDB elsewhere.