Hi all, I've been trying to install Nginx Proxy Manager and having major difficulties getting NPM set up with Lets Encrypt. I have provided pictures of my error messages for you but I have also copied and pasted the text for your ease of reference near the bottom of this email.
My current set-up is below…this is BEFORE introducing Nginx Proxy Manager into the equation. So this is the baseline.
- I have Synology's internal Reverse Proxy already working beautifully with the following applications: Jellyfin, Bitwarden
- I am using a Synology DDNS domain name. Assume the domain name is [apple.synology.me]. Assume the subdomains for these 2 applications are: [bit.apple.synology.me] and [jel.apple.synology.me]
- Using Synology's "Certificates" manager in the Control Panel, I have one Let's Encrypt (LE) certificate set up for both applications above. The LE domain name is [apple.synology.me] and for the subject alternative name (SAN) I have put down *.apple.synology.me because there is a note in Synology that wildcard is accepted.
- The LE certificate is already mapped to these two services I set up using Synology's internal reverse proxy in the "Applications Portal" section of the control panel.
- This setup has worked for me thus far. However, I know that Nginx Proxy Manager (NPM) (or Caddy, Traefik) provide additional customization. In particular, one niggling issue I have is that for Bitwarden, if I want to hide the admin panel (/admin), I cannot do that using Synology's built-in Reverse Proxy. So I wanted to use NPM to have more flexibility to do more things.
- Using Portainer, I have installed NPM and have it working (I’m using the often recommended JC21 version). I was not able to get NPM set up with the MariaDB database, so I just installed the SQLite version and it's working fine and I can log in.
- As Synology by default uses ports 80/443 for its own reverse proxy, I used different ports for NPM. Assume I used 8882/6443 for 80/443 respectively. Admin panel is 8181.
- Using my Asus Merlin Router, I port forwarded the external port 443 to internal port 6443 and likewise 80->8882. So I believe the router should be sending data directly to NPM.
- In the NPM container (I’m using Portainer’s GUI to manage it), NPM has its own network (nginx_app_1). This was made automatically when I installed NPM using a docker compose file online.
- Before I create any proxy hosts in NPM I wanted to have SSL certs added. Using the “SSL Certificates” section of NPM there are two options:
- 1) Add SSL certificate from Let’s Encrypt, OR;
- 2) Use ‘Custom’ to import my existing SSL certificate for [apple.synology.me]
In Option 1, when I try to request an SSL certificate for the [apple.synology.me] domain, it doesn’t work. I get an “Internal Error” message with the following error message in a red box. I’ve marked XXX to remove any personal info.
Error: Command failed: /opt/certbot/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-30" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "apple.synology.me"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -3] Temporary failure in name resolution')) Please see the logfiles in /var/log/letsencrypt for more details.
at ChildProcess.exithandler (node:child_process:326:12)
at ChildProcess.emit (node:events:369:20)
at maybeClose (node:internal/child_process:1067:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
Can you please tell me why this is? Is it because NPM can’t request an SSL cert for a Synology DDNS address? Is it because on my Synology I already have an SSL cert for the exact same domain [apple.synology.me] and I have to delete this first?
The NPM error log shows two kinds of errors but multiple iterations of them. They look like one of these two:
- 2021/05/15 11:54:51 [error] 265#265: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 127.0.0.1, server: nginxproxymanager, request: "GET /api/ HTTP/1.1", upstream: "http://127.0.0.1:3000/", host: "127.0.0.1:81"
- 2021/05/15 15:18:41 [error] 21252#21252: *7746 upstream timed out (110: Connection timed out) while connecting to upstream, client: 192.168.16.1, server: bit.apple.synology.me, request: "POST /identity/connect/token HTTP/2.0", upstream: "http://192.168.50.67:5005/identity/connect/token", host: "bit.apple.synology.me"
In Option 2, when I try to import SSL certs from Synology, I first export the SSL cert from Synology. Synology provides me 3 files: 1) cert.pem; 2) chain.pem; 3) privkey.pem. Then I add a “Custom” certificate and do the following: For the name it's “Bitwarden”. For the “Certificate Key” I import “privkey.pem”. For the “Certificate” I import “chain.pem”. I do not import the third file – “cert.pem” – into the “Intermediate Certificate” setting.
When I do this, the settings get saved as an SSL cert and then I would make a proxy host and use the SSL certificate I just created in this step.
So now when I create a proxy host for [bit.apple.synology.me] I have the following settings: bit.apple.synology.me is the source; destination is my NAS IP:[PortNumber]. The SSL cert I choose in the dropdown is the SSL cert I imported from Synology. I turn on the following options: “Force SSL”, “HTTP/2 Support”, “HSTS enabled” and “HSTS subdomains”. Once I do that, the status of the proxy is “Offline” with a red colour. And when I put my mouse over it the error message is as follows:
error: command failed: /usr/sbin/nginx -t -g "error_log off;" nginx: [emerg] SSL_CTX_use_PrivateKey ("/data/custom_ssl/npm-26/privkey.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) nginx: configuration file /etc/nginx/nginx.conf test failed
Can someone please help me with these errors? I’ve tried my best to read as many sources as possible but now I am stuck. I want to avoid command line work as much as possible - I have Portainer installed and can do any work in the containers with that method if that works.
I would like to get SSL certs working with NPM so I can stop using Synology Reverse Proxy. Greatly greatly appreciate your help.
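The "key values mismatch" error quoted above is nginx's X509_check_private_key refusing a certificate whose public key is not the one derived from the supplied private key, so the file uploaded as "Certificate" has to be the leaf certificate that belongs to privkey.pem. The following shell script is an added diagnostic, not code from the post or from Nginx Proxy Manager; it assumes only the openssl CLI and uses the Synology export file names from the post (cert.pem, chain.pem, privkey.pem) as examples.

```shell
#!/bin/sh
# Added diagnostic for the nginx "key values mismatch" error: the public key
# inside the certificate must equal the public key derived from the private
# key. Assumes only the openssl CLI; file names are the Synology export from
# the post, substitute your own.

# Echo "match" when the public key in CERT ($1) equals the public key derived
# from KEY ($2), "mismatch" otherwise. Returns 1 if either file cannot be parsed.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Number of certificates in a PEM file: 1 for a leaf (cert.pem), more for a
# bundle such as chain.pem or fullchain.pem.
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Classify a PEM file as "key", "leaf", "bundle" or "unknown" so the three
# exported files can be told apart before filling NPM's "Certificate Key",
# "Certificate" and "Intermediate Certificate" fields.
pem_kind() {
  if grep -q 'PRIVATE KEY' "$1"; then echo key; return; fi
  case "$(pem_cert_count "$1")" in
    0) echo unknown ;;
    1) echo leaf ;;
    *) echo bundle ;;
  esac
}

# Subject and SAN of the first certificate in a file, to confirm it is the
# apple.synology.me / *.apple.synology.me leaf and not an intermediate.
cert_identity() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null
}

# Usage: sh check_export.sh cert.pem privkey.pem
if [ "$#" -eq 2 ]; then
  for f in "$1" "$2"; do printf '%s: %s\n' "$f" "$(pem_kind "$f")"; done
  cert_identity "$1"
  cert_key_match "$1" "$2"
fi
```

Run it once per candidate pair; only the pair that prints `match` will pass `nginx -t` when uploaded as "Certificate" and "Certificate Key".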