400 Bad Request on Let's Encrypt Certificate Creation In NPM 2.13+ #240

@compmodder26

NPM Version: 2.13+
Terraform Provider Version: 1.2.2

When I try to create a Let's Encrypt cert, I'm met with a 400 Bad Request error. Here is the debug output from the operation:

2025-11-06T16:21:19.248-0500 [INFO]  provider.terraform-provider-nginxproxymanager_v1.2.2: Successfully authenticated with the Nginx Proxy Manager API: @module=nginxproxymanager tf_provider_addr=registry.terraform.io/Sander0542/nginxproxymanager tf_req_id=acdf0234-8fdb-e1fd-e42d-f781c1efb173 tf_rpc=ConfigureProvider @caller=github.com/sander0542/terraform-provider-nginxproxymanager/internal/provider/provider.go:166 timestamp=2025-11-06T16:21:19.248-0500
2025-11-06T16:21:19.248-0500 [INFO]  provider.terraform-provider-nginxproxymanager_v1.2.2: Successfully initialized the Nginx Proxy Manager API client: tf_rpc=ConfigureProvider @caller=github.com/sander0542/terraform-provider-nginxproxymanager/internal/provider/provider.go:179 @module=nginxproxymanager tf_provider_addr=registry.terraform.io/Sander0542/nginxproxymanager tf_req_id=acdf0234-8fdb-e1fd-e42d-f781c1efb173 timestamp=2025-11-06T16:21:19.248-0500
nginxproxymanager_certificate_letsencrypt.wildcard_cert: Creating...
2025-11-06T16:21:19.257-0500 [INFO]  Starting apply for nginxproxymanager_certificate_letsencrypt.wildcard_cert
2025-11-06T16:21:19.260-0500 [ERROR] provider.terraform-provider-nginxproxymanager_v1.2.2: Response contains error diagnostic: @caller=github.com/hashicorp/[email protected]/tfprotov6/internal/diag/diagnostics.go:58 tf_proto_version=6.9 tf_req_id=028f56dd-0b3e-6d44-d538-81c7e0a6be66 tf_rpc=ApplyResourceChange @module=sdk.proto diagnostic_detail="Unable to create certificate, got error: 400 Bad Request" diagnostic_severity=ERROR diagnostic_summary="Client Error" tf_provider_addr=registry.terraform.io/Sander0542/nginxproxymanager tf_resource_type=nginxproxymanager_certificate_letsencrypt timestamp=2025-11-06T16:21:19.260-0500
2025-11-06T16:21:19.270-0500 [ERROR] vertex "nginxproxymanager_certificate_letsencrypt.wildcard_cert" error: Client Error
╷
│ Error: Client Error
│ 
│   with nginxproxymanager_certificate_letsencrypt.wildcard_cert,
│   on nginx_proxy_manager.tf line 9, in resource "nginxproxymanager_certificate_letsencrypt" "wildcard_cert":
│    9: resource "nginxproxymanager_certificate_letsencrypt" "wildcard_cert" {
│ 
│ Unable to create certificate, got error: 400 Bad Request
╵
2025-11-06T16:21:19.285-0500 [INFO]  provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/sander0542/nginxproxymanager/1.2.2/linux_amd64/terraform-provider-nginxproxymanager_v1.2.2 id=1937806

This does not occur on NPM versions less than 2.13. I've checked the NPM logs and nothing shows in them related to this problem. I'm wondering if something changed in the NPM API in 2.13+.

This is the Terraform configuration I'm using:

# Configure the Nginx Proxy Manager provider.
provider "nginxproxymanager" {
  url      = var.npm_url
  username = var.npm_username
  password = var.npm_password
}

# Set up wildcard cert in Let's Encrypt
resource "nginxproxymanager_certificate_letsencrypt" "wildcard_cert" {
  domain_names = [var.base_domain, "*.${var.base_domain}"]

  letsencrypt_email = var.letsencrypt_email
  letsencrypt_agree = true

  dns_challenge            = true
  dns_provider             = "cloudflare"
  propagation_seconds      = 60
  dns_provider_credentials = "dns_cloudflare_api_token=${var.cloudflare_api_token}"
}

# Set up Nginx Proxy Manager proxy host definitions
resource "nginxproxymanager_proxy_host" "proxy_hosts" {
  for_each     = var.subdomain_definitions
  domain_names = ["${each.key}.${var.base_domain}"]

  forward_scheme          = each.value.scheme
  forward_host            = each.value.local_ip
  forward_port            = each.value.port
  block_exploits          = true
  allow_websocket_upgrade = true
  ssl_forced              = true
  hsts_enabled            = true
  hsts_subdomains         = true
  advanced_config         = "proxy_ssl_verify off;"
  certificate_id          = nginxproxymanager_certificate_letsencrypt.wildcard_cert.id

  # Ensures the ssl certificate is created before the proxy hosts.
  depends_on = [nginxproxymanager_certificate_letsencrypt.wildcard_cert]
}
