Debugging/Diagnosing SSL Certificate Internal Error

[copperleaf91]

All,

I've just installed NPM as an LXC in Proxmox. I'm trying to debug getting "internal error" when trying to configure easydns for generating a certificate. I've been able to successfully run certbot in a VM, but have not been able to successfully generate one from the NPM gui.

The first issue was (of course), that the easydns plugin wasn't installed. I tried using the install-certbot-plugin script, but get an error about setup. I ended up using 'pip install --ignore-installed certbot-dns-easydns' successfully which was confirmed with 'certbot plugins'.

However, I still get the "internal error" message. I'm simply looking for any error output to indicate what the problem may be. I've looked in /var/log and in /data/ logs and nothing is appearing there.

Is there a different path that the details of the internal error are captured or something I can turn on? Kind of spinning my wheels now.

UPDATE:

I found I can see the errors by running 'journalctl -u npm.service --no-pager'

It appears that even though the easydns plugin is already installed, NPM wants to try and install it anyway (I assume with 'install-certbot-plugin'). The error I get is

pip._vendor.pyproject_hooks._impl.BackendUnavailable: Cannot import 'setuptools.build_meta'

Any suggestions on how to resolve?

Regards,
Bill

FWIW, if I run certbot manually inside the LXC, it works just fine.

[ismaildasci]

the internal error is frustrating because npm doesnt show detailed logs in the gui. you found the right command with journalctl.

for the setuptools error, the issue is that npm is trying to install the certbot plugin but your pip environment is broken. try this:

1. first fix pip/setuptools inside the container:

docker exec -it nginx-proxy-manager bash
pip install --upgrade pip setuptools wheel

2. then try installing the plugin manually:

pip install certbot-dns-easydns

3. if that still fails, check python version compatibility:

python3 --version
pip show certbot

4. alternative approach - use http challenge instead of dns if possible. http challenge doesnt need any extra plugins.

5. if you must use dns challenge and the plugin install keeps failing, try running certbot directly:

certbot certonly --dns-easydns \
  --dns-easydns-credentials /path/to/credentials.ini \
  -d yourdomain.com

then manually import the generated certs into npm.

6. another option is to use a different docker image that has the dns plugins pre-installed, or build custom image:

FROM jc21/nginx-proxy-manager:latest
RUN pip install --upgrade pip setuptools && pip install certbot-dns-easydns

the setuptools error usually means python packaging tools are outdated in the container.

[edenallen7]

NPM’s “internal error” comes from its own certbot environment trying (and failing) to install certbot-dns-easydns because setuptools.build_meta isn’t available. NPM doesn’t really support arbitrary DNS plugins. Either: issue/renew the cert with standalone certbot and import it into NPM, or build a custom NPM image including setuptools and the plugin.