Temp workaround (that works for me!) for SSL certificate renewal bug

[EDIflyer]

I know there are already lots of issues on this topic - I've tried to link to most of them below. I've just had to renew 16 sites on one server (running the latest v.2.10.2) and thought I'd go through the process that seemed to work reliably for me in case it helps others (with thanks to posters in other issues where I've gleaned this info from!).

Given how it works I suspect the issue is the the requests to the ACME endpoint not being allowed through when force SSL is enabled (as mentioned in some bug reports) and I'm hopeful @jc21 can merge in #2038 that seems to be an option (but is unfortunately now based off an older base).

Symptom

SSL certificates do not automatically renew and you receive a warning email from LetsEncrypt about an upcoming expiring certificate (typically I seem to get them when <20 days left to go). Attempts to manually review end up just showing an 'Internal server error'

Workaround
Part 1 - clear any certbot.lock files
I've found there is sometime an error caused by a a duplicate instance of CertBot running. You can check whether there are .certbot.lock files in your system:

find / -type f -name ".certbot.lock"

If there are, you can remove them:

find / -type f -name ".certbot.lock" -exec rm {} \;

(from https://community.letsencrypt.org/t/solved-another-instance-of-certbot-is-already-running/44690/2)

Part 2 - turn off Force SSL and then renew

After clearing any certbot lock, I then went through site by site and 1) disabled Force SSL on the proxy host page then 2) requested certificate renewal on the SSL page and then 3) re-enabled SSL and all sub-options back on the proxy host page.

As I say it takes a while and is frustrating but I found it worked reliably and they're all now renewed for the next 3 months. If you don't switch off Force SSL then you just end up with an internal error.

Related issues on this topic (in the hope that once this issue is resolved these can all be closed)
#1771 #1816 #1856 #2048 #2251 #2258 #2267 #210 #2418 #2499 #2593 #2642 #2713 #2860

[ririko5834]

It really works thanks. Certs were before normally renewed, found out that it stopped working when I updated to the latest version. When it will be fixed?

[EDIflyer]

Agree, @ririko5834 - it used to work fine for me but seemed to stop a few version ago. Hopefully the PR can be merged in to the latest codebase....

[pd5rm]

Just did this, thanks for the workaround writeup.

[jhalak1984]

Hmm, for me, no such files were found, hence, didn't work for me

[EDIflyer]

@jc21 any word on when a fix might be coming for this SSL cert renewal issue? That's me having to manually renew another 10 sites this evening 😔

[JohnnyLAmpAz]

Hmm, for me, no such files were found, hence, didn't work for me

Neither I found any lock file but the trick disabling force SSL its the important part! Try anyway

[EDIflyer]

Hmm, for me, no such files were found, hence, didn't work for me

@jhalak1984 did you try part 2? The main bit seems to be force SSL not allowing an ACME exclusion, the first bit is just to ensure no conflicting certbot instances running.

[EDIflyer]

Thanks to the work from @the1ts in #2038 and the comments from @Whoopsadaisy re regex on that PR #2038 (comment) I've created a new PR #3121 that combines their comments to stop /.well-known/acme-challenge requests from being redirected to https.

The new PR has been build (you can access it in a docker compose file by commenting out your current image and using image: 'jc21/nginx-proxy-manager:github-pr-3121' instead). The only change I made was to the one force-ssl-.conf file, but it is based off the current develop branch (2.10.4 as of today) so will include any other changes on there.

I've tried it on two servers that I run - on the first I was now enable to renew OK just by clicking 'renew now' on the SSL page (something that previously errored out). On the other one I initially still got the internal error but when I ran the first bit of the code in my OP above I found 3 certbot instances running so once I cleared them it seemed to renew OK. Out of interest I've only renewed one certificate on that server to see if the rest renew OK automatically. In both cases everything still seems to redirect to https OK and the regex seems to check out OK - (https://regex101.com/r/H58N25/1)

If you're happy to do so then please test it out - it is showing as OK to merge so if this merges hopefully it'll be accepted by @jc21 😃

PS - I checked back 10-15 min later and it seems that all the other certs have autorenewed too so that saved me quite a bit of work switching force SSL off/on for each one!

[jhalak1984]

Awesome!! Works without a hitch now. Thank you!!!