NPM remediation component can't reach LAPI due to certificate error
proxy-host-6_error.log:2025/09/06 04:41:52 [error] 241#241: *1782 [lua] live.lua:39: live_query(): failed to query LAPI https://crowdsec.local.rxample.net/v1/decisions?ip=192.168.1.52: 20: unable to get local issuer certificate, client: 192.168.1.52, server: homeassistant.example.net, request: "POST /api/webhook/wow HTTP/1.1", host: "homeassistant.example.net"
The crowdsec log processor, curl etc. on the same machine can reach the LAPI just fine.
My LAPI runs in a separate machine reachable through https://crowdsec.local.example.net inside the local network.
Other log processors running in Home Assistant and its bouncer can also connect with the LAPI without issues.
I also changed to lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; inside the container's non-persistent file, but that didn't help either.
So, 1. NPM container should give the option to change certificate path in persistent storage, and 2. Even after that, it seems to be unable to connect.
I have since exposed 8080 and am connecting in a non-secure manner.
Looks similar to this
https://discourse.crowdsec.net/t/unable-to-get-local-issuer-certificate/1687/2
API calls from inside the nginxproxymanager container also work fine:
OK folks I found the issue and submitted a pull request - https://github.com/LePresidente/docker-nginx-proxy-manager/pull/20
Would appreciate a quick review/feedback please. Thanks!
Point to correct certificate for NPM by priyankub · Pull Request #...
Current build fails to reach out to LAPI at a remote location if LAPI is accessible through a URL eg. https://crowdsec.local.example.com. It works only if LAPI is reached through its IP with 8080 p...
btw LePresidente announced a couple of months back that he will be deprecating that NPM image, which is why we don't promote it anymore. If you want to stay updated and want to use NPM, the only alternative with CrowdSec is NPMPlus.
OK. I created another patch - https://github.com/LePresidente/docker-nginx-full/pull/1
Do you know if NPMPlus also has this same issue?
NPMPlus is quite good! Just got it up. Handles cert correctly as well.
awesome to hear, yeah we're sad to see LePresidente's image go, but they have moved on to using Pangolin, so all the power to them, as we are talking to the founders and they are pretty great guys 😄
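The `20: unable to get local issuer certificate` in the log above is OpenSSL's verification error for a certificate whose issuer cannot be found in the trusted CA file in use. The script below is an added example, not from the thread or from either pull request: it builds a throwaway CA and server certificate (all names and files are constructed) and verifies the same certificate against a bundle that lacks the issuing CA and against one that contains it.

```shell
#!/usr/bin/env bash
# Constructed demo: one server certificate, two candidate CA bundles.
# All subjects, hostnames and file names here are made up for this example.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Create a self-signed CA certificate: new_ca <file stem> <subject CN>
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
}

# Issue a leaf for the (constructed) LAPI hostname, signed by the private CA.
new_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=crowdsec.local.example.net" \
    -keyout "$workdir/leaf.key" -out "$workdir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$workdir/leaf.csr" -days 1 \
    -CA "$workdir/private-ca.pem" -CAkey "$workdir/private-ca.key" \
    -CAcreateserial -out "$workdir/leaf.pem" 2>/dev/null
}

# Print "ok" if the leaf chains to a CA in the given bundle,
# otherwise print the numeric OpenSSL verify error code.
verify_with() {
  verify_out=$(openssl verify -CAfile "$1" "$workdir/leaf.pem" 2>&1) && { echo ok; return 0; }
  printf '%s\n' "$verify_out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
}

new_ca private-ca "Demo Private CA"     # the CA that issued the LAPI certificate
new_ca other-ca   "Demo Unrelated CA"   # stands in for a bundle lacking that CA
new_leaf

echo "bundle without the issuing CA: $(verify_with "$workdir/other-ca.pem")"
echo "bundle with the issuing CA:    $(verify_with "$workdir/private-ca.pem")"
```

For a real deployment, the same `openssl verify -CAfile <file> <server certificate>` check can be run inside the container against the file named in `lua_ssl_trusted_certificate`.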