LetsEncrypt ACME redirect issue fixes #2881 #3121
I don't know why NPM isn't starting when it's trying to migrate the DBs
@jc21 any chance of merging this in? 🙂
This fixed my installation. Please merge.
Thanks for approving @etabarestx 🙂 Do you know if a new release is upcoming with this and other PRs included?
Manually applied this fix via CLI and can confirm it works! If anyone else doesn't want to wait for the merge, here is how to do it manually:
Bumping to keep this alive.
I found a fix for my issue: allocating more storage space. Running NPM in a Proxmox CT (no docker at all), and happened to catch that it was at 96% of its storage. I gave it some extra, and boom. Worked!
This has been an ongoing issue since 2022. How is this not merged yet? As it stands, NPM will block renewals. I don't want to compromise security (-> disable "Force SSL") to enable renewals.
/bump please merge this!
Applied this manually, but couldn't validate if it worked, since
This fixed my installation after manually applying this fix.
@jc21 could you please merge this when you have time? Thank you.
Until this is committed, why not just create a force-ssl.conf (in the same directory as docker-compose.yml)
docker-compose.yml
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP
    # Uncomment the next line if you uncomment anything in the section
    environment:
      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"
      # Uncomment this if IPv6 is not enabled on your host
      DISABLE_IPV6: 'true'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
      - ./force-ssl.conf:/etc/nginx/conf.d/include/force-ssl.conf # <~~~~~~~~~~~~~~~ This way if you update your container's base image, the
} | ||
if ($request_uri !~ "^\/.well-known\/acme-challenge\/(.*)") { |
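Review bot: On the `if ($request_uri !~ ...)` line, the `.` before `well-known` is unescaped, so it matches any character and paths other than `/.well-known/acme-challenge/` can skip the redirect; escape it as `\.`. The trailing `(.*)` capture is not used by anything in the visible lines and could be dropped, since the `^`-anchored prefix already covers every token.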
The dot (.) should probably be escaped in the regex:
^\/\.well-known\/acme-challenge\/(.*)
OK I've pushed that update although I see the main develop branch has changed from FORCE to TEST
set $test "";
if ($scheme = "http") {
    set $test "H";
}
if ($request_uri = /.well-known/acme-challenge/test-challenge) {
    set $test "${test}T";
}
if ($test = H) {
    return 301 https://$host$request_uri;
}
docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
It is therefore blocking this merge and won't autogenerate a container. Not sure if the underlying fix they have made resolved the issue or not?
The underlying fix has not resolved the issue. The URI can change per test, so your code works. We could refactor the existing to:
set $test "";
if ($scheme = "http") {
    set $test "H";
}
if ($request_uri ~ "^\/\.well-known\/acme-challenge\/(.*)") {
    set $test "${test}T";
}
if ($test = H) {
    return 301 https://$host$request_uri;
}
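The three matching rules discussed in this review thread, compared side by side as an added Python example (not code from the PR or the project). It emulates the `$test` flag logic using Python's `re` in place of nginx's regex matching; the sample URIs and the token value are constructed.

```python
import re

# Matching rules taken from the thread; each returns True when the request
# is treated as an ACME challenge and therefore exempt from the redirect.
RULES = {
    # develop branch at the time: exact string comparison
    "exact": lambda uri: uri == "/.well-known/acme-challenge/test-challenge",
    # first PR revision: dot before "well-known" left unescaped
    "unescaped": lambda uri: re.search(r"^\/.well-known\/acme-challenge\/(.*)", uri) is not None,
    # revised PR: dot escaped
    "escaped": lambda uri: re.search(r"^\/\.well-known\/acme-challenge\/(.*)", uri) is not None,
}

def redirects(rule, scheme, uri):
    """Emulate the $test flag logic: 'H' for http, 'T' appended for a challenge."""
    test = ""
    if scheme == "http":
        test = "H"
    if RULES[rule](uri):
        test += "T"
    return test == "H"  # only plain-HTTP, non-challenge requests get the 301

# Constructed sample requests (the token value is made up).
SAMPLES = [
    "/.well-known/acme-challenge/test-challenge",
    "/.well-known/acme-challenge/Zm9vYmFy-constructed-token",
    "/xwell-known/acme-challenge/anything",
    "/index.html",
]

def table(scheme="http"):
    """Map each rule to a list of redirect decisions, one per sample URI."""
    return {rule: [redirects(rule, scheme, u) for u in SAMPLES] for rule in RULES}

if __name__ == "__main__":
    for rule, row in table().items():
        for uri, r in zip(SAMPLES, row):
            print(f"{rule:10} {uri:55} {'301 -> https' if r else 'served over http'}")
```

With the exact comparison, a challenge request carrying a real token is redirected to HTTPS; with the unescaped dot, the look-alike path is also exempted from the redirect.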
Thanks @willyouvba - have updated the commit accordingly.
Sorry @EDIflyer, what I meant was: the contents of force-ssl.conf as it currently exists can be updated to the above (or modified completely to your version). Amalgamating the two won't work. It also looks like I lost a parenthesis at the end of the regex - I've updated my previous comment - sorry 😥.
Ahh, that explains why things went down for me overnight when Watchtower pulled the new image then 😂. Will try to change it to your revised version.
@willyouvba OK, can confirm sites back up and running using this new system!
Revised as per PR discussion.
Can confirm that this is still an ongoing issue. I was really surprised that there is such an easy way to misconfigure NPM from the GUI such that SSL renewals just stop working. Please merge!
Re-do PR NginxProxyManager#3121 on latest development branch.
@EDIflyer I'm assuming that fixing merge conflicts in the current PR would've generated a docker image, or at least that's what I'd hope. Have you tried doing that before creating a duplicate PR?
@Guiorgy no I hadn't tried that as wasn't quite sure how to do so within Github. The new one built fine - will see if I can do anything to edit this current branch and whether it re-triggers anything.
Hmm OK I've now clicked on my patch and updated the fork - seems to have triggered a build so if that works I'll close the other PR. Thanks for the suggestion - as it was 'stuck' I just didn't know how to get a new one built! Also I see it is now under a different location (
@Guiorgy OK new docker container built OK so have closed the other PR - thanks for the suggestion :)
@jc21 I see some other PRs have recently been merged in, any chance of accepting this one? I think it would close off quite a few issues.
I had the same issue with renewing while "force ssl" is enabled. I switched to docker image
@jc21 Adding my voice to request that this PR is merged in.
Updated PR to latest version of dev branch. Please remember to backup any databases before updating! |
Docker Image for build 8 is available on Note: ensure you backup your NPM instance before testing this image! Especially if there are database changes |
Have updated from 2.12.2 to 2.12.3 - updated OK and able to renew cert OK with SSL still active. |
Can confirm it's working as intended again. 👍
I've updated from 2.12.3 to
Evolution of #2038 to escape regex sequence (as per #2038 (comment)) and rebased against latest develop branch.