Access forbidden; access was possible till 0 am and then an SSL problem occurred


Nextcloud version (eg, 20.0.5): 23.x
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): Apache2
PHP version (eg, 7.4): 7.4

The issue you are facing: I can't access my Nextcloud anymore: "Forbidden. You don't have permission to access this resource."

Is this the first time you’ve seen this error? (Y/N): Yes

Steps to replicate it:

The problem started at 0 AM. I did the setup of my Nextcloud yesterday. It's hosted at onyxhosting.de and worked fine the whole day. I think it's about the error in the apache2 log with SSL (server certificate does NOT include an ID which matches the server name). And there is another problem about the environment variable for apache2, produced by the command /usr/sbin/apache2:

```
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot
```

I tried to find the problem, but I'm not able to fix this on my own...

The output of your Nextcloud log in **Admin > Logging**:
I can't access the interface right now...

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

```php
<?php
$CONFIG = array (
  'passwordsalt' => 'AAAAAAAAAA',
  'secret' => 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    7 => 'nextcloudpi',
    5 => '111.111.111.111',
    8 => 'https://111.111.111.111',
    3 => 'nextcloudpi.lan',
    11 => '2a03:111:...',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '23.0.2.1',
  'overwrite.cli.url' => 'https://nextcloudpi/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'ncadmin',
  'dbpassword' => '44444444444444444',
  'installed' => true,
  'instanceid' => 'ocqeyqcnpc53',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 0.0,
    'password' => 'zuiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii',
  ),
  'tempdirectory' => '/var/www/nextcloud/data/tmp',
  'mail_smtpmode' => 'sendmail',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_from_address' => 'admin',
  'mail_domain' => 'ownyourbits.com',
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'overwriteprotocol' => 'https',
);
```

The output of your Apache/nginx/system log in /var/log/error.log:

```
[Sat Mar 12 00:00:02.706378 2022] [ssl:warn] [pid 23596:tid 139964684574016] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Sat Mar 12 00:00:02.706539 2022] [ssl:error] [pid 23596:tid 139964684574016] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=localhost.localdomain / issuer: CN=localhost.localdomain / serial: 6A07A08EBC5445CCBFXXXXXXXXXX78C579A14 / notbefore: Oct  6 11:38:38 2021 GMT / notafter: Oct  4 11:38:38 2031 GMT]
[Sat Mar 12 00:00:02.706554 2022] [ssl:error] [pid 23596:tid 139964684574016] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Sat Mar 12 00:00:02.708859 2022] [mpm_event:notice] [pid 23596:tid 139964684574016] AH00489: Apache/2.4.52 (Debian) OpenSSL/1.1.1k configured -- resuming normal operations
[Sat Mar 12 00:00:02.708877 2022] [core:notice] [pid 23596:tid 139964684574016] AH00094: Command line: '/usr/sbin/apache2'
[Sat Mar 12 00:05:10.426530 2022] [authz_host:error] [pid 63514:tid 139964318738176] [client 185.142.236.41:60016] AH01753: access check of 'localhost' to /favicon.ico failed, reason: unable to get the remote host name
[Sat Mar 12 00:05:10.426588 2022] [authz_core:error] [pid 63514:tid 139964318738176] [client 185.142.236.41:60016] AH01630: client denied by server configuration: /var/www/ncp-web/favicon.ico
[Sat Mar 12 00:23:31.419382 2022] [authz_core:error] [pid 63514:tid 139964176127744] [client 222.2222.22.22:39612] AH01630: client denied by server configuration: /var/www/ncp-web/index.php
[Sat Mar 12 00:23:31.540756 2022] [authz_core:error] [pid 63514:tid 139964483520256] [client 222.2222.22.22:53138] AH01630: client denied by server configuration: /var/www/ncp-web/ocs
[Sat Mar 12 00:23:31.777885 2022] [authz_core:error] [pid 63514:tid 139964050302720] [client 222.2222.22.22:39612] AH01630: client denied by server configuration: /var/www/ncp-web/status.php
[Sat Mar 12 00:23:31.789440 2022] [authz_core:error] [pid 63514:tid 139964483520256] [client 222.2222.22.22:37975] AH01630: client denied by server configuration: /var/www/ncp-web/index.php
[Sat Mar 12 00:23:31.927998 2022] [authz_core:error] [pid 63514:tid 139964407871232] [client 222.2222.22.22:39612] AH01630: client denied by server configuration: /var/www/ncp-web/status.php
```
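An added helper, not from the thread, that parses Apache 2.4 error_log lines of the shape quoted above and groups them by AH code with a short hint for each code that occurs in this thread (the AH00111 hint relies on the Debian convention that apachectl sources /etc/apache2/envvars). The sample lines are constructed to mirror the ones above, with a documentation IP in place of the real clients.

```python
import re

# Apache 2.4 error_log line shape, as in the log quoted above:
# [timestamp] [module:level] [pid N(:tid N)] ([client ip:port]) AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\](?: \[client (?P<client>[^\]]+)\])? "
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)
# Codes that occur in this thread and what each usually points at.
HINTS = {
    "AH01909": "cert CN/SAN does not match ServerName: wrong certificate on this vhost",
    "AH02217": "OCSP stapling cannot find the issuer: expected for a self-signed cert",
    "AH02604": "stapling disabled for that cert (follows from AH02217)",
    "AH01630": "Require/authz rule denied the request: check the <Directory> block for that path",
    "AH00111": "${VAR} undefined: apache2 started without /etc/apache2/envvars (use apachectl)",
    "AH00543": "User/Group expands to an undefined variable (same root cause as AH00111)",
}
# Constructed sample mirroring the thread's lines (203.0.113.5 is a documentation address).
SAMPLE_LOG = [
    "[Sat Mar 12 00:00:02.706378 2022] [ssl:warn] [pid 23596:tid 139964684574016] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name",
    "[Sat Mar 12 00:00:02.706554 2022] [ssl:error] [pid 23596:tid 139964684574016] AH02604: Unable to configure certificate localhost:443:0 for stapling",
    "[Sat Mar 12 00:05:10.426588 2022] [authz_core:error] [pid 63514:tid 139964318738176] [client 203.0.113.5:60016] AH01630: client denied by server configuration: /var/www/ncp-web/favicon.ico",
    "[Sat Mar 12 00:23:31.419382 2022] [authz_core:error] [pid 63514:tid 139964176127744] [client 203.0.113.5:39612] AH01630: client denied by server configuration: /var/www/ncp-web/index.php",
    "[Sat Mar 12 05:35:40.597853 2022] [core:warn] [pid 52279] AH00111: Config variable ${APACHE_RUN_DIR} is not defined",
]

def parse_line(line):
    """Return the fields of one error_log line as a dict, or None if it is not in that format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def triage(lines):
    """Group lines by AH code: occurrence count, log level, hint, and the paths behind AH01630."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary.setdefault(rec["code"], {"count": 0, "level": rec["level"],
                                                 "hint": HINTS.get(rec["code"], "unknown code"),
                                                 "denied_paths": set()})
        entry["count"] += 1
        if rec["code"] == "AH01630":
            # message ends with the filesystem path the authz rule refused
            entry["denied_paths"].add(rec["msg"].rsplit(": ", 1)[-1])
    return summary

if __name__ == "__main__":
    for code, e in triage(SAMPLE_LOG).items():
        print(f"{code} x{e['count']} [{e['level']}] {e['hint']}", sorted(e["denied_paths"]) or "")
```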

Seems to me your Let's Encrypt certificate doesn't match your servername…

Revoke them, check your host config…

This might come from a mistyping in some conf files, an apt upgrade, a file chmod error…

Thanks for your answer.
Honestly I used the automated script of ownyourbits (curl -sSL https://raw.githubusercontent.com/nextcloud/nextcloudpi/master/install.sh | bash), so I didn't change a lot.

I checked:

  • /etc/host.conf
    multi on

  • /etc/hostname
    There was an old DDNS address noted. I deleted it.

  • /etc/hosts

```
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

127.0.1.1 nextcloudpi
```

That was not the reason.

I tried to make a new certificate, but this error occurred. I don't know how to handle this...

```
root@Rootserver:~# certbot --authenticator webroot --installer apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): Rootserver.ddns.net
Requesting a certificate for Rootserver.ddns.net
Performing the following challenges:
http-01 challenge for Rootserver.ddns.net
Input the webroot for Rootserver.ddns.net: (Enter 'c' to cancel): /var/www/
Waiting for verification...
Challenge failed for domain Rootserver.ddns.net
http-01 challenge for Rootserver.ddns.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.ddns.net
   Type:   unauthorized
   Detail: Invalid response from
   https://domain.ddns.net/.well-known/acme-challenge/3oKvbt-zZ-mqO0TQO9F_ZvOxZgybXZQrNQJiU2qpyuk
   [111.11.111.111]: 403

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

Check your DNS zone, the Let's Encrypt challenge is bad…

This is the error saying some challenges have failed…

Three major possibilities, by order:

1 Could be a wrong A record on your DNS zone, check the IP (IPv4 uses an A record, IPv6 uses AAAA)

OR

2 Your zone should have something like this:
```
sub.domain.ext CAA 128 issue "letsencrypt.org"
```

OR

3 Bad firewall configuration. Ports 80 and 443 should be open.
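The record in item 2 is a DNS CAA record, so it lives in the zone for the name at whoever serves its DNS (for a DDNS hostname, the DDNS provider), not in a file on the server; it tells CAs which issuers the owner permits, and the absence of any CAA record permits every CA. An added example, not from the thread, with a constructed zone: it evaluates CAA the way a CA does under RFC 8659, including the climb to parent names and the wildcard rule, so you can check whether a record you publish would block Let's Encrypt.

```python
# Constructed zone: owner name -> CAA records as (flags, tag, value). Not the poster's real DNS.
# Flags are carried but not evaluated: 128 marks a record critical, which only matters for tags
# a CA does not understand, and every CA understands issue/issuewild.
ZONE = {
    "ddns.example.":   [(128, "issue", "letsencrypt.org")],            # the shape suggested above
    "strict.example.": [(0, "issue", ";")],                             # empty issuer: nobody may issue
    "wild.example.":   [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
}

def relevant_caa(name, zone):
    """RFC 8659 lookup: walk from the name toward the root; the first RRset found applies."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []

def issuer_of(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> '' (no issuer)."""
    return value.split(";", 1)[0].strip().lower()

def issuance_allowed(name, ca, zone):
    """Would a CA identifying itself as `ca` be permitted to issue a certificate for `name`?"""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name, zone)
    if not rrset:
        return True                                    # no CAA anywhere on the path: unrestricted
    issue = [issuer_of(v) for _, tag, v in rrset if tag == "issue"]
    issuewild = [issuer_of(v) for _, tag, v in rrset if tag == "issuewild"]
    # issuewild overrides issue for wildcard names only; it is ignored for ordinary names
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                                    # only non-restricting tags (e.g. iodef)
    return ca.lower() in applicable                    # '' from ';' never matches a real CA

if __name__ == "__main__":
    for n in ("nc.ddns.example.", "strict.example.", "www.wild.example.", "*.wild.example."):
        print(n, "->", issuance_allowed(n, "letsencrypt.org", ZONE))
```

A CAA refusal shows up in certbot as a CAA error, not as the 403 "unauthorized" response quoted above, which is the web server's own answer at the challenge URL.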

1: I'm not sure what that means, but my dyn-DNS address is fine. I get forwarded to the correct IP / webpage. So it shouldn't be this one, right?

2 I tried to find out on Google where I have to put this, but can't find out. Can you please tell me where I need to change this (config file or with a command)?

3 I added the rules with these commands:
```
sudo ufw allow 80
sudo ufw allow 443
```

I get the 403 Forbidden message, so I have a connection to my webserver. And the crazy thing is that it worked fine until 0:00:02 AM. Then this error came up:

```
[Sat Mar 12 00:00:02.706539 2022] [ssl:error] [pid 23596:tid 139964684574016] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=localhost.localdomain / issuer: CN=localhost.localdomain / serial: 6A07A08EBC5445CCBFXXXXXXXXXX78C579A14 / notbefore: Oct  6 11:38:38 2021 GMT / notafter: Oct  4 11:38:38 2031 GMT]
[Sat Mar 12 00:00:02.706554 2022] [ssl:error] [pid 23596:tid 139964684574016] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Sat Mar 12 00:00:02.708859 2022] [mpm_event:notice] [pid 23596:tid 139964684574016] AH00489: Apache/2.4.52 (Debian) OpenSSL/1.1.1k configured -- resuming normal operations
[Sat Mar 12 00:00:02.708877 2022] [core:notice] [pid 23596:tid 139964684574016] AH00094: Command line: '/usr/sbin/apache2'
```

When I typed:
```
root@rootserver:~# /usr/sbin/apache2
[Sat Mar 12 05:35:40.597853 2022] [core:warn] [pid 52279] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot
```

Line 80:
```
DefaultRuntimeDir ${APACHE_RUN_DIR}
```

I changed it to:
```
DefaultRuntimeDir /var/www/
```
and restarted apache2 and the whole system. Afterwards I get this:

```
[Sat Mar 12 05:41:06.117572 2022] [core:warn] [pid 1923] AH00111: Config variable ${APACHE_PID_FILE} is not defined
[Sat Mar 12 05:41:06.117841 2022] [core:warn] [pid 1923] AH00111: Config variable ${APACHE_RUN_USER} is not defined
[Sat Mar 12 05:41:06.117993 2022] [core:warn] [pid 1923] AH00111: Config variable ${APACHE_RUN_GROUP} is not defined
[Sat Mar 12 05:41:06.118150 2022] [core:warn] [pid 1923] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Sat Mar 12 05:41:06.136446 2022] [core:warn] [pid 1923:tid 139809433242944] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
[Sat Mar 12 05:41:06.137728 2022] [core:warn] [pid 1923:tid 139809433242944] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
AH00543: apache2: bad user name ${APACHE_RUN_USER}
```
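On Debian and Ubuntu, `${APACHE_RUN_DIR}`, `${APACHE_RUN_USER}` and the other names in those warnings are shell variables exported by /etc/apache2/envvars; apachectl (and the apache2 systemd unit, which runs apachectl) sources that file before starting apache2, whereas calling /usr/sbin/apache2 directly does not, which produces exactly the AH00111 and AH00543 output above. The following is an added example, not from the thread, with constructed file contents: it reports which ${VAR} references in a config are undefined for a given environment and expands the defined ones the way Apache does.

```python
import re

# Constructed stand-in for /etc/apache2/envvars (not the poster's real file).
ENVVARS = """\
# apachectl sources this file before exec'ing apache2
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
export APACHE_PID_FILE=/var/run/apache2/apache2.pid
export APACHE_RUN_DIR=/var/run/apache2
export APACHE_LOCK_DIR=/var/lock/apache2
export APACHE_LOG_DIR=/var/log/apache2
"""
# Constructed excerpt of the directives in apache2.conf that reference those variables.
APACHE_CONF = """\
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
ErrorLog ${APACHE_LOG_DIR}/error.log
"""
VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def load_envvars(text):
    """Collect NAME=value pairs from 'export NAME=value' lines; quotes around values are stripped."""
    env = {}
    for line in text.splitlines():
        m = re.match(r"\s*export\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip("\"'")
    return env

def undefined_references(conf_text, env):
    """List (line_no, directive, variable) for every ${VAR} in the config that env does not define."""
    missing = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        directive = line.split(None, 1)[0] if line.strip() else ""
        missing += [(no, directive, v) for v in VAR_RE.findall(line) if v not in env]
    return missing

def expand(conf_text, env):
    """Substitute defined ${VAR}s as Apache does at startup; undefined ones stay literal (AH00111)."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), conf_text)

if __name__ == "__main__":
    print("bare /usr/sbin/apache2 (no envvars):", undefined_references(APACHE_CONF, {}))
    print("via apachectl (envvars sourced):", undefined_references(APACHE_CONF, load_envvars(ENVVARS)))
```

Checking the config with `apache2ctl configtest` (which sources envvars) and restarting through `systemctl restart apache2`, rather than editing line 80, keeps DefaultRuntimeDir pointing at /var/run/apache2.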

Ok, got it…

In fact, your SSL cert should be updated every time your DynDNS A record changes (every time your IP changes). Which is difficult, and a non-standard behavior for Let's Encrypt…

Furthermore, the certbot renew is limited to 10 times per day, even less…

See if a fixed IP is possible…


But my IP isn't changing at all, it's a static IP: the Nextcloud is hosted on a vServer. Actually, I added the DynDNS service on the second day (after the problems occurred). Before this I was accessing my Nextcloud directly by the IP address.

What do you mean by that, "see if a fixed IP is possible"? Are you talking about a specific command?

Thanks for helping me!!

Dido

Thanks for your help. I generated my own SSL certificate.

```bash
sudo openssl genrsa -out "/etc/ssl/certs/domain.net.key" 2048
sudo openssl req -new -key "/etc/ssl/certs/domain.net.key" -out "/etc/apache2/ssl/domain.net.csr"
# note: the paths in this step differ from the key and CSR written above
sudo openssl x509 -req -days 365 -in "/root/ca2/beispiel.csr" -signkey "/root/ca2/beispiel.key" -out "/root/ca2/beispiel.crt"
```

and added it to /etc/apache2/sites-available/default-ssl.conf:

```
SSLCertificateKeyFile /etc/ssl/certs/jandeuchert.ddns.net.key
```

```bash
a2enmod ssl            # activate ssl
a2ensite default-ssl   # activate the config file
```

now it works :slight_smile: