# Request the 7 Missing NPMplus Certs via UI (DNS Cloudflare) **Last Updated:** 2026-01-31 **Document Version:** 1.0 **Status:** Active Documentation --- **Why**: The NPM API only accepts `domain_names` + `provider: "letsencrypt"`. It does **not** accept `letsencrypt_email`, `credential_id`, or `method: "dns"` in this version, so API-requested certs use HTTP challenge and often fail (same-day expiry, Inactive). The 19 working certs were issued **in the NPM UI** with **DNS Challenge** and **Cloudflare**. **Do this**: Request a certificate **in the NPM UI** for each of the 7 hosts below, using **DNS Challenge** and your Cloudflare credential. --- ## 7 Hosts Without a Certificate | Host ID | Domain | |--------|--------| | 22 | cross-all.defi-oracle.io | | 26 | rpc.d-bis.org | | 24 | rpc.defi-oracle.io | | 27 | rpc2.d-bis.org | | 28 | ws.rpc.d-bis.org | | 29 | ws.rpc2.d-bis.org | | 25 | wss.defi-oracle.io | --- ## Steps (for each host) 1. Open **NPMplus** (e.g. https://192.168.11.167:81). 2. Go to **Hosts** → click the host (e.g. **cross-all.defi-oracle.io**). 3. Open the **SSL** tab. 4. Click **Request a new SSL Certificate** (or **Get a new certificate**). 5. Choose **Use a DNS Challenge** (or **DNS Challenge**). 6. **DNS Provider**: **Cloudflare**. 7. **Credentials**: Select the Cloudflare credential you added (the one with your “Credentials File Content”). 8. **Email**: your Let’s Encrypt contact email (e.g. from `.env` or the one you use in NPM). 9. Agree to the Let’s Encrypt ToS and submit. 10. Wait for issuance (usually under a minute). Confirm **Expires** is ~90 days out and **Status** is **Active**. 11. Repeat for the other 6 hosts. **Quick links**: Run `./scripts/print-npmplus-7-cert-edit-urls.sh` to print direct edit URLs (e.g. `.../81/#/proxy-hosts/edit/22`). Open each → SSL tab → Request certificate → DNS Challenge → Cloudflare. --- ## After All 7 Are Done - Run `./scripts/list-npmplus-proxy-hosts-cert-status.sh` → you should see **With cert: 26**, **No cert: 0**. - Run `./scripts/list-npmplus-certificates-status.sh` → all 26 proxy hosts should have a cert with **KEEP** (in use, not expiring soon). --- **See also**: `docs/04-configuration/NPM_SSL_DNS_CLOUDFLARE_TROUBLESHOOTING.md`, `scripts/certbot/print-cloudflare-credentials-from-env.sh`.