hassio-addons/addon-nginx-proxy-manager

No cert, just an internal error.

jondor opened this issue · 10 comments

Problem/Motivation

Running NPM as an addon under Home Assistant on a X86-64 machine.

After update, all I get is "internal errors" when trying to get a let's encrypt certificate using DNS challenge for trans.ip
This, using the same settings, certificate etc. as when using the prev. version.

Expected behavior

Receiving a cert.

Actual behavior

"Internal Error"
[1/14/2024] [2:30:26 PM] [Express ] › ⚠ warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-6" --agree-tos --email "gerhard@xxxx.nl" --domains "emby.xxxx.nl" --authenticator dns-transip --dns-transip-credentials "/etc/letsencrypt/credentials/credentials-6"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Encountered exception during recovery: RuntimeError: The private key doesn't exist
An unexpected error occurred:
RuntimeError: The private key doesn't exist

Besides, none of the named files can be found, which I assume is the result of using a virtual environment? But also a search over the whole disk can't find the letsencrypt.log

Steps to reproduce

The usual: create redirect host, go to SSL tab, select DNS challenge and TransIP, fill the fields. Wait, get "internal error", check NPM log and see the error mentioned above.

Also gave it a try with a new key pair, but to no avail.
And for good order, I got everything running just last week under the prev. version with exactly the same settings, keys etc. Nothing advanced, nothing different.


Is there a way to "cleanly" uninstall and start over?
I'm getting the same error of the private key not existing.

The steps I used were basically just to run the add-on upgrade from within Home Assistant and log in to the local IP on port 81 to re-connect to the GUI. There I created a new account and password. The next step was redoing the steps I did a couple of months ago, by going to the [SSL Certificates] tab and using the DNS Challenge to generate a new certificate.

Error:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-7" --agree-tos --email "xxxxxx@gmail.com" --domains "*.xxxxxx.nl" --authenticator dns-transip --dns-transip-credentials "/etc/letsencrypt/credentials/credentials-7" --dns-transip-propagation-seconds 30
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Encountered exception during recovery: RuntimeError: The private key doesn't exist
An unexpected error occurred:
RuntimeError: The private key doesn't exist
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:422:12)
    at ChildProcess.emit (node:events:517:28)
    at maybeClose (node:internal/child_process:1098:16)
    at ChildProcess._handle.onexit (node:internal/child_process:303:5)

  • My e-mail and domain name are masked, but the domain I'm trying is a wildcard.
    • Also tried a specific subdomain instead of a wildcard, also resulting in an error.
  • When I try the [Test server reachability] I also get an error "Communication with the API failed, is NPM running correctly?". Never tried that one before so I don't know if that is new or always has been because I never had this problem before.

The directory /tmp/letsencrypt-log/ (and thus: logfile) does not exist so there is no log file to check.

I've generated a new API key on TransIP and replaced the "old" one in the file I use during the Challenge DNS config:

dns_transip_username = xxxxxx
dns_transip_key_file = /ssl/transip/transip.key

I've also tried copying that file over to /etc/letsencrypt/transip-rsa.key which is in the default example config when selecting TransIP from the Use DNS Challenge option. Same result (error: "The private key doesn't exist").
I had to create the /etc/letsencrypt/ directory myself, which is odd because it is all over the error logs.


I also checked ~/addon_configs/a0d7b954_nginxproxymanager/keys.json which does actually show a different private key than I would expect (different from the TransIP generated) which is located in /ssl/transip/transip.key (and a copy of it in /etc/letsencrypt/transip-rsa.key).


I have exactly the same. Did you get it working again? I restored my backups, but still want to update if I can get my TransIP wildcard domain working properly.

Temporarily fixed it by not using a wildcard but requesting a certificate per (sub)domain via the non-DNS challenge way, opening port 80 temporarily on my router.

Still awaiting a fix for this but at least got it to work for now.

I copied my key to ~/addon_configs/a0d7b954_nginxproxymanager/letsencrypt/transip-rsa.key and with /etc/letsencrypt/transip-rsa.key in the configuration that worked out... just my 2 cents

I copied my key to ~/addon_configs/a0d7b954_nginxproxymanager/letsencrypt/transip-rsa.key and with /etc/letsencrypt/transip-rsa.key in the configuration that worked out... just my 2 cents

How? Does not work for me. Here's my config:

dns_transip_username = myusernamehere
dns_transip_key_file = /etc/letsencrypt/transip-rsa.key

Copied my transip-rsa.key to these locations (and did a combination of path switching here):

/etc/letsencrypt/transip-rsa.key
/ssl/letsencrypt/transip.rsa.key
~/addon_configs/a0d7b954_nginxproxymanager/letsencrypt/transip-rsa.key

All with the same error:

RuntimeError: The private key doesn't exist

Has anyone found a fix to this?

I had it work once, but I went to add a second subdomain, & now it's not working. Same "Internal Error" message & everything.

I'm going to try re-installing the addon, to see if that fixes the issue, otherwise I will try rolling back to my backup from before 1.0.0/1.0.1 & re-upgrade again

Well, now it crashes on log in, so that is significantly worse...

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues.
Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍
This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

Hmm.. bot seems to think that if nobody says anything, the issue has magically disappeared.. But no. Sorry..
The usual unhelpful "internal error".

Trying to renew the let's encrypt key on my generic-x86-64 HA system.
-->8--
[4/1/2024] [7:31:42 PM] [Nginx ] › ⬤ debug Deleting file: /config/nginx/proxy_host/1.conf
[4/1/2024] [7:31:42 PM] [Nginx ] › ⬤ debug Deleting file: /config/nginx/proxy_host/1.conf.err
[4/1/2024] [7:31:42 PM] [Nginx ] › ⬤ debug Could not delete file: {
"errno": -2,
"syscall": "unlink",
"code": "ENOENT",
"path": "/config/nginx/proxy_host/1.conf.err"
}
[4/1/2024] [7:31:42 PM] [Nginx ] › ℹ info Reloading Nginx
[4/1/2024] [7:31:42 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates via TransIP for Cert #13: emby.frappe4all.nl
[4/1/2024] [7:31:42 PM] [SSL ] › ℹ info Command: mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo 'dns_transip_username = jondor
dns_transip_key_file = /ssl/transip-rsa.key' > '/etc/letsencrypt/credentials/credentials-13' && chmod 600 '/etc/letsencrypt/credentials/credentials-13' && pip install certbot-dns-transip~=0.4.3 && certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-13" --agree-tos --email "gerhard@xxx.nl" --domains "emby.xxx.nl" --authenticator dns-transip --dns-transip-credentials "/etc/letsencrypt/credentials/credentials-13"
[4/1/2024] [7:31:45 PM] [Nginx ] › ℹ info Reloading Nginx
[4/1/2024] [7:31:45 PM] [Express ] › ⚠ warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-13" --agree-tos --email "gerhard@xxx.nl" --domains "emby.xxx.nl" --authenticator dns-transip --dns-transip-credentials "/etc/letsencrypt/credentials/credentials-13"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Encountered exception during recovery: RuntimeError: The private key doesn't exist
An unexpected error occurred:
RuntimeError: The private key doesn't exist
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
-->8--

The folders mentioned are not there, neither is the logfile in /tmp (or anywhere else on the system for that matter). The private key is where the system, according to the log file, expects it and the name is correct. None of the folders and files which are made and copied to in the /etc folder are there, which also makes rerunning certbot -v difficult.

If there's anything else I could check I'm more than willing to give it a go, but lacking useful info I'm stuck for now.
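
The commenters tie the error to the file named in dns_transip_key_file, and that path is resolved in the filesystem of whichever process runs certbot. The following check, meant to be run from a shell in that same environment, reports which condition fails for a given credentials file. It is an added example, not part of the thread or the add-on's code; the function name and the mode-600 expectation for the key file are assumptions (the chmod 600 on the credentials file appears in the logged command above).

```shell
#!/bin/sh
# Added example (not from the add-on): verify that the key file named in a
# certbot-dns-transip credentials file is usable from *this* filesystem view.
# Usage after sourcing: check_transip_credentials /etc/letsencrypt/credentials/credentials-N
check_transip_credentials() {
    creds=$1
    [ -r "$creds" ] || { echo "FAIL credentials file not readable: $creds"; return 1; }

    # Value after '=' on the dns_transip_key_file line, whitespace trimmed.
    key=$(sed -n 's/^[[:space:]]*dns_transip_key_file[[:space:]]*=[[:space:]]*//p' "$creds" \
          | sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$key" ] || { echo "FAIL no dns_transip_key_file entry in $creds"; return 1; }

    # A relative or ~ path depends on the cwd/HOME of whoever runs certbot.
    case $key in
        /*) ;;
        *) echo "FAIL key path is not absolute: $key"; return 1 ;;
    esac

    # Existence is judged from here: a host path that is not mapped into the
    # environment running certbot fails this test even if it exists elsewhere.
    [ -f "$key" ] || { echo "FAIL key path does not exist here: $key"; return 1; }
    [ -r "$key" ] || { echo "FAIL key exists but is not readable: $key"; return 1; }

    # The first line should be a PEM private-key header.
    head -n 1 "$key" | grep -q -- '-----BEGIN .*PRIVATE KEY-----' \
        || { echo "FAIL not a PEM private key: $key"; return 1; }

    rc=0
    for f in "$creds" "$key"; do
        # Characters 5-10 of the ls mode string are the group/other bits.
        bits=$(ls -ldL "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "FAIL group/other can access $f (assumed expectation: mode 600)"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK $key"; fi
    return $rc
}
```

A "does not exist here" result for a path that is present on the host points at directory mapping rather than at the key itself.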