Cannot connect to NC AIO. SSL_ERROR after expiration and domain change

Hi,
I have an issue very similar to this one.

I have had a working AIO installation on a server behind a pfSense firewall:

  • DynDNS is in use (joker.com), no AAAA records
  • Forwarded 443,80 and 8443 successfully

After cert expiration I changed (sub)domain name:

  1. created DynDNS entry for new sub-domain
  2. changed the domain name.
    (I am referring my.domain.tld as the new domain name)

nextcloud-aio-apache log:

{"level":"error","ts":1705738316.5807402,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"my.domain.tld","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"[IPv4 address]: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1705738316.5808988,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"my.domain.tld","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"[IPv4 address]: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1369079766/238048687246","attempt":1,"max_attempts":3}
{"level":"error","ts":1705738316.581015,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"my.domain.tld","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - [IPv4 address]: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1705738316.5811446,"logger":"tls.obtain","msg":"will retry","error":"[my.domain.tld] Obtain: [my.domain.tld] solving challenge: my.domain.tld: [my.domain.tld] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - [IPv4 address]: Timeout during connect (likely firewall problem) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":12.649496268,"max_duration":2592000}

Connecting to https://my.domain.tld gives the following error:
SSL_ERROR_INTERNAL_ERROR_ALERT

Connecting to the AIO interface via my.domain.tld:8443 is possible and I get a valid certificate for that connection.

Verified that configuration.json has only my.domain.tld and no mentions of the old domain name are found.

The errors indicate firewall problems, but I am confused as to which connection is timing out (the SSL cert on port 8443/80 is working).

Any debugging advice and ideas are welcome.

Solved. Issue was outside NC/AIO.

I have a whitelist of IP ranges that I allow to connect to port 433 and access my NC. Let's Encrypt servers were not whitelisted, so naturally the negotiation was not possible.

Let's Encrypt does not announce their server IPs, so permanent whitelisting is not possible and I need to manually enable all connections when a new cert is being obtained.

Greets
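The root cause above (a source-IP allowlist on the challenge port blocking the CA's validators) is visible in the Caddy JSON log lines from the first post. As an added example, not part of the thread or of Nextcloud AIO, the following script parses log lines in that format and maps each failed ACME challenge to the inbound port it needs and a diagnosis hint; the log lines are constructed samples modelled on the ones quoted above, with placeholder hostnames.

```python
import json

# Constructed sample log, modelled on the nextcloud-aio-apache (Caddy) lines quoted in
# the thread. Hostnames and timestamps are placeholders, not real systems.
SAMPLE_LOG = """\
{"level":"error","ts":1705738316.58,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"my.domain.tld","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"[IPv4 address]: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"info","ts":1705738317.00,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"other.example.test"}
{"level":"error","ts":1705738400.00,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"www.example.test","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Invalid response from http://www.example.test/.well-known/acme-challenge/x: 404","instance":"","subproblems":[]}}
"""

# Inbound TCP port the CA's validators must reach for each challenge type.
# dns-01 is absent on purpose: it needs no inbound connection at all.
CHALLENGE_PORT = {"tls-alpn-01": 443, "http-01": 80}


def classify_acme_failures(log_text):
    """Return one dict per failed ACME challenge found in Caddy JSON log text."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise
        if rec.get("logger") != "tls.issuance.acme.acme_client" or rec.get("msg") != "challenge failed":
            continue
        problem = rec.get("problem", {})
        err_type = problem.get("type", "")
        challenge = rec.get("challenge_type", "unknown")
        port = CHALLENGE_PORT.get(challenge)
        if err_type.endswith(":connection"):
            # Validators never completed a TCP/TLS connection: port-forward or a
            # source-IP allowlist on that port (Let's Encrypt does not publish validator IPs).
            hint = f"CA validators could not reach TCP/{port}; check port-forward and any source-IP allowlist on that port"
        elif err_type.endswith(":unauthorized"):
            # Port was reachable but the wrong service answered the challenge.
            hint = f"TCP/{port} reachable but wrong content served; check which service answers on it"
        else:
            hint = "see problem detail"
        findings.append({"identifier": rec.get("identifier"), "challenge": challenge, "port": port,
                         "error": err_type.rsplit(":", 1)[-1], "hint": hint,
                         "detail": problem.get("detail", "")})
    return findings


if __name__ == "__main__":
    for f in classify_acme_failures(SAMPLE_LOG):
        print(f"{f['identifier']} {f['challenge']} (tcp/{f['port']}): {f['error']} -> {f['hint']}")
```

Run it against the container's log output (for example `docker logs nextcloud-aio-apache`) to separate reachability failures, which point at the firewall, from content failures, which point at the web server.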
