Automatically Renew Let's Encrypt Certificate

I am currently running Nextcloud 14.0.5 which was installed on Ubuntu 18.04 using the snap package. I have successfully set up SSL with Let’s Encrypt using nextcloud.enable-https lets-encrypt.

What is the best way to automatically renew the certificate? Do I need to set up a cron job? If so, what command allows me to do this automatically, as using the nextcloud.enable-https lets-encrypt command seems to require user intervention? I didn’t see any options when running nextcloud.enable-https lets-encrypt -h.

Thanks in advance.

Certbot works for me.

Did you use certbot to provision the original certificate as well?

I was wondering if there is a native nextcloud command I could use as I didn’t install certbot.

Certbot is more about the web server than Nextcloud.

Agreed. I guess the issue I am running into is that because I did not use certbot to acquire the initial certificate, I am running into errors when trying to renew the certificate when running sudo certbot renew:

2019-01-21 04:28:08,458:DEBUG:certbot.main:certbot version: 0.28.0
2019-01-21 04:28:08,459:DEBUG:certbot.main:Arguments: []
2019-01-21 04:28:08,460:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-01-21 04:28:08,467:DEBUG:certbot.log:Root logging level set at 20
2019-01-21 04:28:08,468:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-01-21 04:28:08,468:DEBUG:certbot.renewal:no renewal failures

NOTE: I don’t know if that last line means that renewal is not due yet (in reality it is not) or if it couldn’t even process a renewal attempt. Usually, if a renewal is not due, the message clearly says so.

When running sudo certbot certonly --apache -n -d nctest.tk, I get:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.

I’m wondering if I would have been better off not using nextcloud.enable-https lets-encrypt initially and just obtained the certificate using certbot right out of the gate?

Thanks again for your quick replies.

Not sure if this is related, but be aware that letsencrypt needs both port 443 and port 80 to be reachable. At least this is the case with nextcloudpi and its letsencrypt command, which most likely is certbot in the background.


nextcloud.enable-https:

  • Enable HTTPS via self-signed certificates, Let’s Encrypt, or custom certificates. HTTP will redirect to HTTPS. Non-custom certificates will automatically be kept up-to-date. See nextcloud.enable-https -h for more information. Note that it requires sudo.

Did you let it autorenew the certificate?
I think it should autorenew, like the text says. I have never used that, so I don’t know.

@FadeFx Hi, thanks. Yes, ports 80 (HTTP) and 443 (HTTPS) are open on the server.

Hi @MeiRos:

I think it should autorenew, like the text says.

Yes, that is the question I am trying to answer. Does anyone know if nextcloud.enable-https is what needs to be in the cron job? Every time I run it, it seems to require user intervention, which seems problematic if you are trying to automate it.

At this point, I may just wait until the certificate requires renewal and then see what to do.

If you have time to wait, just wait. The easiest way to find the answer. I think it will renew automatically like certbot and acme.sh do. (I would put a small bet on autorenew.)

Here’s to hoping it automatically updates. I’m gonna end up being confused in a few months otherwise. If it does work, this is a totally awesome feature.

Late to the party, but here are the commands to solve this for anyone else who’s wondering. You need to switch to the standard ports, re-enable HTTPS which invokes the certificate update, then switch back (I’m using the snap version):

sudo snap set nextcloud ports.http=80 ports.https=443
sudo nextcloud.enable-https lets-encrypt
sudo snap set nextcloud ports.http=81 ports.https=443

IIRC this will cause issues, as letsencrypt requires nextcloud to be reachable via port 80 for autorenew.

Yes, I know, that was the point of my post. If the http port has been changed, autorenew fails, but there may be good reasons why people can’t normally use port 80 (for example, I’m running my http server on port 80), in which case the commands I posted will renew the certificate & switch the http port back to 81.
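The three commands above can be wrapped in a cron-safe script that only renews when the certificate is close to expiry and that always puts the HTTP port back, even if the renewal step fails. This is an added example, not code from the thread or from the Nextcloud snap; it assumes GNU date and openssl are installed, that NC_HOST is the hostname on the certificate (the thread's test domain is used as a placeholder default), that the snap settings are the ports.http/ports.https keys used above, and that nextcloud.enable-https lets-encrypt can complete without prompting on this machine.

```shell
#!/bin/bash
# Added example: check-before-renew wrapper around the port-swap procedure.
set -eu

NC_HOST="${NC_HOST:-nctest.tk}"    # hostname on the certificate (placeholder default)
RENEW_DAYS="${RENEW_DAYS:-30}"     # renew when this many days or fewer remain

# Print the notAfter date of the certificate actually served on port 443.
cert_not_after() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2
}

# Whole days from $2 (default: now) until the openssl-style date in $1.
days_until() {
    end=$(date -d "$1" +%s)
    now=$(date -d "${2:-now}" +%s)
    echo $(( (end - now) / 86400 ))
}

# Succeeds when the certificate expiring at $1 has $3 days or fewer left at $2.
renewal_due() {
    [ "$(days_until "$1" "${2:-now}")" -le "${3:-$RENEW_DAYS}" ]
}

# Move the snap to ports 80/443 for the challenge, renew, then restore the
# previous ports on exit whether or not nextcloud.enable-https succeeded.
renew_with_port_swap() {
    orig_http=$(sudo snap get nextcloud ports.http)
    orig_https=$(sudo snap get nextcloud ports.https)
    trap 'sudo snap set nextcloud ports.http="$orig_http" ports.https="$orig_https"' EXIT
    sudo snap set nextcloud ports.http=80 ports.https=443
    sudo nextcloud.enable-https lets-encrypt
}

# Cron entry point, e.g.  0 3 * * * /usr/local/sbin/nc-renew.sh run
main() {
    not_after=$(cert_not_after "$NC_HOST")
    if renewal_due "$not_after"; then
        echo "certificate for $NC_HOST expires $not_after; renewing"
        renew_with_port_swap
    else
        echo "certificate for $NC_HOST valid until $not_after; nothing to do"
    fi
}

case "${1:-}" in run) main ;; esac
```

Because the snap commands run only when the script is invoked with the `run` argument, the date helpers can be exercised on their own before the script is installed in cron.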

Is there a way to make this work without changing ports so that my reverse proxy would still work?