Can't renew letsencrypt (firewall problem it says)

Hi there,

The letsencrypt certificate has expired and trying to renew it gives this error:

https://pastebin.com/X3xk2hkP

And here is the ncp-report:

<!-- Paste this in GitHub report -->

NextCloudPi diagnostics

NextCloudPi version  v0.58.1
NextCloudPi image    NextCloudPlus_04-21-18
distribution         Raspbian GNU/Linux 9 \n \l
automount            yes
USB devices          none
datadir              /var/www/nextcloud/data
data in SD           yes
data filesystem      ext2/ext3
data disk usage      83G/118G
rootfs usage         83G/118G
swapfile             /var/swap
dbdir                /var/lib/mysql
Nextcloud check      ok
Nextcloud version    13.0.5.2
HTTPD service        up
PHP service          up
MariaDB service      up
Redis service        up
Postfix service      up
internet check       ok
port check 80        closed
port check 443       open
IP                   192.168.1.34
gateway              192.168.1.1
interface            eth0
certificates         MyDomain.org
NAT loopback         yes
uptime               13min

Nextcloud configuration

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "5": "nextcloudplus.local",
            "1": "192.168.1.34",
            "4": "MyDomain.org",
            "2": "MyDomain.org"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/MyDomain.org",
        "dbtype": "mysql",
        "version": "13.0.5.2",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "mail_smtpmode": "php",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "loglevel": "2",
        "log_type": "file",
        "maintenance": false,
        "theme": ""
    }
}

HTTPd logs

[Sun Aug 12 18:32:11.498097 2018] [proxy_fcgi:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01071: Got error 'PHP message: PHP Warning:  fclose(): supplied resource is not a valid stream resource in /var/www/ncp-web/L10N.php on line 166\n'
[Sun Aug 12 18:32:23.672402 2018] [authz_host:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01753: access check of 'localhost' to /ncp-launcher.php failed, reason: unable to get the remote host name
[Sun Aug 12 18:32:23.677838 2018] [proxy_fcgi:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01071: Got error 'PHP message: PHP Warning:  fclose(): supplied resource is not a valid stream resource in /var/www/ncp-web/L10N.php on line 166\n'
[Sun Aug 12 18:32:26.610426 2018] [authz_host:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01753: access check of 'localhost' to /ncp-launcher.php failed, reason: unable to get the remote host name
[Sun Aug 12 18:32:44.155692 2018] [proxy_fcgi:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01071: Got error 'PHP message: PHP Warning:  fclose(): supplied resource is not a valid stream resource in /var/www/ncp-web/L10N.php on line 166\n'
[Sun Aug 12 18:32:44.180147 2018] [authz_host:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01753: access check of 'localhost' to /ncp-launcher.php failed, reason: unable to get the remote host name
[Sun Aug 12 18:32:45.751947 2018] [proxy_fcgi:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01071: Got error 'PHP message: PHP Warning:  fclose(): supplied resource is not a valid stream resource in /var/www/ncp-web/L10N.php on line 166\n'
[Sun Aug 12 18:32:48.099104 2018] [authz_host:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01753: access check of 'localhost' to /ncp-launcher.php failed, reason: unable to get the remote host name
[Sun Aug 12 18:32:48.104369 2018] [proxy_fcgi:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01071: Got error 'PHP message: PHP Warning:  fclose(): supplied resource is not a valid stream resource in /var/www/ncp-web/L10N.php on line 166\n'
[Sun Aug 12 18:32:51.235840 2018] [authz_host:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01753: access check of 'localhost' to /ncp-launcher.php failed, reason: unable to get the remote host name
[Sun Aug 12 18:33:00.299519 2018] [proxy_fcgi:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01071: Got error 'PHP message: PHP Warning:  fclose(): supplied resource is not a valid stream resource in /var/www/ncp-web/L10N.php on line 166\n'
[Sun Aug 12 18:33:00.311358 2018] [authz_host:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01753: access check of 'localhost' to /ncp-launcher.php failed, reason: unable to get the remote host name
[Sun Aug 12 18:33:02.167358 2018] [proxy_fcgi:error] [pid 949:tid 1717253168] [client 192.168.1.8:63824] AH01071: Got error 'PHP message: PHP Warning:  fclose(): supplied resource is not a valid stream resource in /var/www/ncp-web/L10N.php on line 166\n'
[Sun Aug 12 18:37:06.148676 2018] [authz_host:error] [pid 949:tid 1717253168] [client 192.168.1.26:64410] AH01753: access check of 'localhost' to /ncp-output.php failed, reason: unable to get the remote host name
[Sun Aug 12 18:37:06.485193 2018] [authz_host:error] [pid 949:tid 1683665968] [client 192.168.1.26:64410] AH01753: access check of 'localhost' to /ncp-output.php failed, reason: unable to get the remote host name
[Sun Aug 12 18:37:09.057975 2018] [proxy_fcgi:error] [pid 949:tid 1717253168] [client 192.168.1.26:64410] AH01071: Got error 'PHP message: PHP Warning:  touch(): Utime failed: Permission denied in /var/www/ncp-web/ncp-output.php on line 81\n'
[Sun Aug 12 18:40:20.212073 2018] [authz_host:error] [pid 949:tid 1708856368] [client 192.168.1.8:65406] AH01753: access check of 'localhost' to /ncp-output.php failed, reason: unable to get the remote host name
[Sun Aug 12 18:40:21.543709 2018] [authz_host:error] [pid 949:tid 1734046768] [client 192.168.1.8:65406] AH01753: access check of 'localhost' to /ncp-output.php failed, reason: unable to get the remote host name
[Sun Aug 12 18:40:47.666895 2018] [proxy_fcgi:error] [pid 949:tid 1708856368] [client 192.168.1.8:65406] AH01071: Got error 'PHP message: PHP Warning:  touch(): Utime failed: Permission denied in /var/www/ncp-web/ncp-output.php on line 81\n'
[Sun Aug 12 18:40:47.671723 2018] [proxy_fcgi:error] [pid 949:tid 1734046768] [client 192.168.1.8:65406] AH01071: Got error 'PHP message: PHP Warning:  touch(): Utime failed: Permission denied in /var/www/ncp-web/ncp-output.php on line 81\n'

Database logs

2018-08-12 18:28:50 1977811776 [Note] /usr/sbin/mysqld: Shutdown complete

2018-08-12 18:29:21 1989095424 [Note] InnoDB: Using mutexes to ref count buffer pool pages
2018-08-12 18:29:21 1989095424 [Note] InnoDB: The InnoDB memory heap is disabled
2018-08-12 18:29:21 1989095424 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2018-08-12 18:29:21 1989095424 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
2018-08-12 18:29:21 1989095424 [Note] InnoDB: Compressed tables use zlib 1.2.8
2018-08-12 18:29:21 1989095424 [Note] InnoDB: Using Linux native AIO
2018-08-12 18:29:21 1989095424 [Note] InnoDB: Using generic crc32 instructions
2018-08-12 18:29:21 1989095424 [Note] InnoDB: Initializing buffer pool, size = 128.0M
2018-08-12 18:29:21 1989095424 [Note] InnoDB: Completed initialization of buffer pool
2018-08-12 18:29:21 1989095424 [Note] InnoDB: Highest supported file format is Barracuda.
2018-08-12 18:29:22 1989095424 [Note] InnoDB: 128 rollback segment(s) are active.
2018-08-12 18:29:22 1989095424 [Note] InnoDB: Waiting for purge to start
2018-08-12 18:29:22 1989095424 [Note] InnoDB:  Percona XtraDB (http://www.percona.com) 5.6.35-80.0 started; log sequence number 854866648
2018-08-12 18:29:22 1447031616 [Note] InnoDB: Dumping buffer pool(s) not yet started
2018-08-12 18:29:22 1989095424 [Note] Plugin 'FEEDBACK' is disabled.
2018-08-12 18:29:22 1989095424 [Note] Server socket created on IP: '127.0.0.1'.
2018-08-12 18:29:23 1989095424 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.1.23-MariaDB-9+deb9u1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  Raspbian 9.0

Nextcloud logs

{"reqId":"W29AkH8AAQEAAGaAUVcAAACD","level":2,"time":"2018-08-11T20:01:20+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W29Dl38AAQEAAGaAUVgAAI0f","level":4,"time":"2018-08-11T20:14:16+00:00","remoteAddr":"90.109.235.200","user":"ncp","app":"webdav","method":"MKCOL","url":"\/remote.php\/webdav\/Photos","message":"Exception: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\MethodNotAllowed\",\"Message\":\"The resource you tried to create already exists\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/CorePlugin.php(594): Sabre\\\\DAV\\\\Server->createCollection('Photos', Object(Sabre\\\\DAV\\\\MkCol))\\n#1 [internal function]: Sabre\\\\DAV\\\\CorePlugin->httpMkcol(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#2 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#3 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(479): Sabre\\\\Event\\\\EventEmitter->emit('method:MKCOL', Array)\\n#4 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(80): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/nextcloud\\\/remote.php(164): require_once('\\\/var\\\/www\\\/nextcl...')\\n#7 {main}\",\"File\":\"\\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php\",\"Line\":1181}","userAgent":"Mozilla\/5.0 (iOS) Nextcloud-iOS\/2.21.3","version":"13.0.5.2"}
{"reqId":"W29TO38AAQEAAGZ-DuQAAABW","level":2,"time":"2018-08-11T21:20:59+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W295AX8AAQEAAGaAUV8AAACW","level":2,"time":"2018-08-12T00:02:09+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W2@LH38AAQEAAGZ-DvIAAABR","level":2,"time":"2018-08-12T01:19:27+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W2@dXX8AAQEAAGZ-DvMAAABU","level":2,"time":"2018-08-12T02:37:17+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W2@vzH8AAQEAAGaAUWAAAACG","level":2,"time":"2018-08-12T03:55:57+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W2-UmH8AAQEAABixMqsAAACG","level":2,"time":"2018-08-12T06:32:56+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W2-eDH8AAQEAABixMqwAAACA","level":2,"time":"2018-08-12T07:13:16+00:00","remoteAddr":"60.191.38.77","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"60.191.38.77\" tried to access using \"86.71.134.102:443\" as host.","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko\/20100101 Firefox\/47.0","version":"13.0.5.2"}
{"reqId":"W2-5LH8AAQEAABixMq0AAACI","level":2,"time":"2018-08-12T09:09:00+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W3AFE38AAQEAABixMq4AAACM","level":2,"time":"2018-08-12T09:59:47+00:00","remoteAddr":"60.191.38.77","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"60.191.38.77\" tried to access using \"86.71.134.102:443\" as host.","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko\/20100101 Firefox\/47.0","version":"13.0.5.2"}
{"reqId":"W3AL8H8AAQEAABixMq8AAACN","level":2,"time":"2018-08-12T10:29:04+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W3Aeen8AAQEAABixMrAAAACO","level":2,"time":"2018-08-12T11:48:10+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W3AxO38AAQEAABixMrEAAACP","level":2,"time":"2018-08-12T13:08:11+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W3BDAH8AAQEAABiwflsAAABO","level":2,"time":"2018-08-12T14:24:00+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W3BOMn8AAQEAABixMrUAAACW","level":2,"time":"2018-08-12T15:11:46+00:00","remoteAddr":"74.82.47.4","user":"--","app":"core","method":"GET","url":"\/","message":"Trusted domain error. \"74.82.47.4\" tried to access using \"86.71.134.102\" as host.","userAgent":"--","version":"13.0.5.2"}
{"reqId":"W3BWMn8AAQEAABixMrwAAACT","level":2,"time":"2018-08-12T15:45:54+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W3BaYH8AAQEAABixMsAAAJgC","level":4,"time":"2018-08-12T16:03:45+00:00","remoteAddr":"77.136.85.238","user":"ncp","app":"webdav","method":"MKCOL","url":"\/remote.php\/webdav\/Photos\/2018\/08","message":"Exception: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\MethodNotAllowed\",\"Message\":\"The resource you tried to create already exists\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/CorePlugin.php(594): Sabre\\\\DAV\\\\Server->createCollection('Photos\\\/2018\\\/08', Object(Sabre\\\\DAV\\\\MkCol))\\n#1 [internal function]: Sabre\\\\DAV\\\\CorePlugin->httpMkcol(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#2 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#3 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(479): Sabre\\\\Event\\\\EventEmitter->emit('method:MKCOL', Array)\\n#4 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(80): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/nextcloud\\\/remote.php(164): require_once('\\\/var\\\/www\\\/nextcl...')\\n#7 {main}\",\"File\":\"\\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php\",\"Line\":1181}","userAgent":"Mozilla\/5.0 (iOS) Nextcloud-iOS\/2.21.3","version":"13.0.5.2"}
{"reqId":"W3BoSH8AAQEAABixMsEAAACX","level":2,"time":"2018-08-12T17:03:04+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}
{"reqId":"W3B47X8AAQEAABiwfmwAAABR","level":2,"time":"2018-08-12T18:14:05+00:00","remoteAddr":"37.49.231.93","user":"--","app":"core","method":"GET","url":"\/\/libs\/js\/iframe.js","message":"Trusted domain error. \"37.49.231.93\" tried to access using \"86.71.134.102\" as host.","userAgent":"python-requests\/2.19.1","version":"13.0.5.2"}

First, ports 80 and 443 need to be open, of course.

Possible cause:

Otherwise, try to recreate a new cert manually using the certbot manual command:

certbot --rsa-key-size 4096 --authenticator standalone --installer apache  --must-staple --hsts --uir \
--staple-ocsp --strict-permissions --email "$email" --agree-tos --redirect \
  -d "$domainname" --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"

And don't forget a small dependency:
sources.list
deb http://ftp.debian.org/debian stretch-backports main
and
apt-get install python-certbot-apache -t stretch-backports -y

Thanks for the help. I tried my luck disabling all the port filtering (firewall and alike in the config), no luck.

Should I copy-paste your bit of code as is, or do I have to change it a bit for my own instance?

You must adapt it to your systems and needs!!!

The basic command line is like:

certbot --rsa-key-size 4096 --authenticator standalone --installer apache --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"

After that, you will have an interactive exchange to provide your domain, your mail and so on …

Your port 80 is closed. You need that port open for letsencrypt to work.
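
The check the last reply makes by eye, as an added example that is not part of the thread: a POSIX shell preflight that reads the "port check" lines of an ncp-report and skips the renewal attempt while port 80 or 443 is not reported open. The function names and the saved-report file argument are assumptions; the sample report is constructed from the diagnostics quoted in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# REPORT_SAMPLE is constructed from the ncp-report lines in the first post.
REPORT_SAMPLE='NextCloudPi version  v0.58.1
internet check       ok
port check 80        closed
port check 443       open
certificates         MyDomain.org'

# port_state REPORT PORT -> prints "open", "closed" or "unknown"
port_state() {
    state=$(printf '%s\n' "$1" |
        awk -v p="$2" '$1 == "port" && $2 == "check" && $3 == p { print $4; exit }')
    case "$state" in
        open|closed) printf '%s\n' "$state" ;;
        *)           printf 'unknown\n' ;;   # line missing or unexpected value
    esac
}

# blocked_ports REPORT -> prints the ports (of 80 and 443) not reported open
blocked_ports() {
    out=""
    for p in 80 443; do
        if [ "$(port_state "$1" "$p")" != "open" ]; then
            out="${out:+$out }$p"
        fi
    done
    printf '%s\n' "$out"
}

# renewal_preflight REPORT -> returns 0 only when both ports are reported open.
# Failing early avoids burning attempts against Let's Encrypt's
# failed-validation rate limit while the router or firewall is still wrong.
renewal_preflight() {
    blocked=$(blocked_ports "$1")
    if [ -n "$blocked" ]; then
        echo "not attempting renewal: port(s) $blocked not reported open;" \
             "fix port forwarding or the firewall first" >&2
        return 1
    fi
    return 0
}

# Usage (assumed): sh preflight.sh saved-ncp-report.txt
# Runs a dry-run renewal only when the report passes the preflight.
if [ -n "${1:-}" ]; then
    renewal_preflight "$(cat "$1")" && certbot renew --dry-run
fi
```

A port reported as anything other than "open", including a missing line, is treated as blocked, so a truncated report never lets the renewal through.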