Can't renew Let's Encrypt certificate

Nextcloud version (eg, 18.0.2): 20.0.4
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-58-generic x86_64)
Apache or nginx version (eg, Apache 2.4.25):
PHP version (eg, 7.1): 7.4.13

The issue you are facing:

Hi,

Cannot renew Let’s Encrypt certificates.

The Nextcloud server is working fine, but when trying to renew Let’s Encrypt certs it fails with:

```
Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for remotecloud.duckdns.org
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all unmatched domains.
Waiting for verification…
Challenge failed for domain remotecloud.duckdns.org
http-01 challenge for remotecloud.duckdns.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: remotecloud.duckdns.org
    Type: connection
    Detail: Fetching
    http://remotecloud.duckdns.org/.well-known/acme-challenge/RFZsFeoiGzb1qAXhOo2d0Yurmrb2UQI:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
```

Checks from check-your-website.server-daten.de are ok:
https://check-your-website.server-daten.de/?q=remotecloud.duckdns.org

Redirection from the outside is ok as well;

It is a Nextcloud in a Docker virtual station in a Qnap NAS, so not really sure how to nginx versions.

NOTE: Random character strings have been edited; let me know if I should share them.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

The output of your Nextcloud log in Admin > Logging:

None, just some antivirus-related entries ("RuntimeException: The antivirus executable could not be found at /usr/bin/clamscan")

The output of the Let's Encrypt log in /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log:

```
root@nextlouds1:/var/log# less /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log

          "addressUsed": "87.222.229.172"
        }
      ]
    }
  ]
}
2020-12-29 14:43:41,126:DEBUG:acme.client:Storing nonce: 0004VOT-i153dekMF2GamH08kOY
2020-12-29 14:43:41,128:WARNING:certbot.auth_handler:Challenge failed for domain remotecloud.duckdns.org
2020-12-29 14:43:41,128:INFO:certbot.auth_handler:http-01 challenge for remotecloud.duckdns.org
2020-12-29 14:43:41,129:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: remotecloud.duckdns.org
Type:   connection
Detail: Fetching http://remotecloud.duckdns.org/.well-known/acme-challenge/OO88sKm0Zmi9AIBoTYtZ2mwI: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2020-12-29 14:43:41,131:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/nextcloud/25276/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/nextcloud/25276/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2020-12-29 14:43:41,131:DEBUG:certbot.error_handler:Calling registered functions
2020-12-29 14:43:41,132:INFO:certbot.auth_handler:Cleaning up challenges
2020-12-29 14:43:41,132:DEBUG:certbot.plugins.webroot:Removing /var/snap/nextcloud/current/certs/certbot/.well-known/acme-challenge/OO88sKm0Zmi9AIBoTYtZ2mwI
2020-12-29 14:43:41,134:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2020-12-29 14:43:41,135:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/nextcloud/25276/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/nextcloud/25276/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/snap/nextcloud/25276/lib/python2.7/site-packages/certbot/main.py", line 1249, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/snap/nextcloud/25276/lib/python2.7/site-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/snap/nextcloud/25276/lib/python2.7/site-packages/certbot/renewal.py", line 308, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/snap/nextcloud/25276/lib/python2.7/site-packages/certbot/client.py", line 349, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/nextcloud/25276/lib/python2.7/site-packages/certbot/client.py", line 385, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/snap/nextcloud/25276/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/nextcloud/25276/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
```

Most common problem is that certbot needs port 80 and 443 forwarded to the server, is this the case?

Do you think that could be the case?

You can access the server just fine by going to https://remotecloud.duckdns.org:443

Ok, so I just did snap set nextcloud ports.http=80 ports.https=443 and now nextcloud is down :frowning:

Can you try again with sudo in front:

$ sudo snap set nextcloud ports.http=80 ports.https=443

I did that as root. After restarting the services, Nextcloud is not working on either port 80 or 443.

I tried restarting the server and also undoing the changes: it was previously listening on unprivileged higher ports, with ports 80 and 443 forwarded from the router, but Nextcloud has entered some failed state and now it is not working.

Renewing the cert has become secondary, so I will take a look at the snap installation logs to see what’s going on…

I’m still kind of lost in this type of installation without system to and some other tools I’m more used to.

Sorry for changing the topic of the post, any help in bringing back to service the Nextcloud server is very welcome.

Check your router for what ports you used before and set them for your snap, that should enable contact to nextcloud again imo

I’ll try and let you know; guess it is something else, since Nextcloud is now inaccessible (i.e. page not responding) while trying to access locally, where the router is not involved.
Thanks anyway, and merry Christmas! :christmas_tree:

How do you connect locally? Via IP address and port number? Still, if you change the ports on the host (snap) you have to change something in the way you connect. By specifying the IP without a port it should now work, as then it would use port 80, which is now forwarded from the OS to the snap.

This is a reason why I don't like snap, it adds a layer of complexity…
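For triaging the Domain/Type/Detail report that certbot prints, as quoted in the first post, the following added example (not code from the thread or from certbot) extracts each failed challenge and the port the validator tried to reach. The sample log uses placeholder names, and the hint texts and the `parse_failures` helper are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample shaped like the certbot report quoted in the thread;
# example.duckdns.org and TOKEN are placeholders, not values from the post.
SAMPLE_LOG = """\
2020-12-29 14:43:41,129:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: example.duckdns.org
Type:   connection
Detail: Fetching http://example.duckdns.org/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly.
"""

# One Domain/Type/Detail report; Detail may wrap over indented lines and
# ends at the first blank line.
REPORT = re.compile(
    r"^[ \t]*Domain:[ \t]*(?P<domain>\S+)[ \t]*\n"
    r"[ \t]*Type:[ \t]*(?P<type>\S+)[ \t]*\n"
    r"[ \t]*Detail:[ \t]*(?P<detail>.+?)(?=\n[ \t]*\n|\Z)",
    re.MULTILINE | re.DOTALL,
)

# Triage hints keyed on the ACME error type that certbot prints after "Type:".
HINTS = {
    "connection": "validator could not connect: check that inbound port {port} "
                  "reaches this web server (router forward, firewall, listener)",
    "unauthorized": "server answered but the challenge file was wrong or missing: "
                    "check the webroot path being served",
    "dns": "validator could not resolve the name: check the A/AAAA records",
}

def parse_failures(log_text):
    """Return one dict per failed challenge reported in certbot output."""
    failures = []
    for m in REPORT.finditer(log_text):
        detail = " ".join(m.group("detail").split())  # undo line wrapping
        url = re.search(r"https?://\S+", detail)
        port = None
        if url:
            parts = urlsplit(url.group(0).rstrip(":"))
            port = parts.port or (443 if parts.scheme == "https" else 80)
        hint = HINTS.get(m.group("type"), "see the Detail text").format(port=port)
        failures.append({"domain": m.group("domain"), "type": m.group("type"),
                         "port": port, "detail": detail, "hint": hint})
    return failures

if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f"{f['domain']}: {f['type']} on port {f['port']} -> {f['hint']}")
```

A `connection` failure on port 80 while the site still loads over HTTPS points at the port 80 path specifically, which matches the port-forwarding question raised in the replies.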