Can't update nextcloudpi to 1.10.6 from 1.10.4 and issue with letsencrypt certificate

Hello,

I have automatic upgrades for ncp, but they appear to have failed lately. I noticed it because the letsencrypt certificate was outdated, and when I ssh'd in, I got the message: NextCloudPi v1.10.4 is outdated update to v1.10.6 through 'ncp-config' or type 'sudo ncp-update'

Thus, I’ve done:

$ sudo ncp-update
Downloading updates
Performing updates
Config value squareSizes for app previewgenerator set to 32
Config value widthSizes for app previewgenerator set to 128 256 512
Config value heightSizes for app previewgenerator set to 128 256
System config value jpeg_quality set to string 60
Running unattended-upgrades
Unattended upgrades active: yes (autoreboot true)
--2019-03-26 11:27:11--  https://packages.sury.org/php/apt.gpg
Resolving packages.sury.org (packages.sury.org)... 195.154.81.200, 2001:bc8:6006:2023:aa1e:84ff:fef1:23ff
Connecting to packages.sury.org (packages.sury.org)|195.154.81.200|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1769 (1.7K) [application/octet-stream]
Saving to: '/etc/apt/trusted.gpg.d/php.gpg'

/etc/apt/trusted.gp 100%[===================>]   1.73K  --.-KB/s    in 0s      

2019-03-26 11:27:11 (7.92 MB/s) - '/etc/apt/trusted.gpg.d/php.gpg' saved [1769/1769]

Running nc-backup-auto
automatic backups enabled
Running nc-autoupdate-ncp
automatic NextCloudPi updates enabled
Running nc-notify-updates
update web notifications enabled
./update.sh: line 223: /etc/letsencrypt/renewal-hooks/deploy/ncp: No such file or directory

and:

NextCloudPi diagnostics

NextCloudPi version  v1.10.4
NextCloudPi image    NextCloudPi_10-05-18
distribution         Raspbian GNU/Linux 9 \n \l
automount            yes
USB devices          sda 
datadir              /media/USBdrive/ncdata
data in SD           no
data filesystem      btrfs
data disk usage      730G/932G
rootfs usage         2.2G/15G
swapfile             /var/swap
dbdir                /var/lib/mysql
Nextcloud check      ok
Nextcloud version    15.0.4.0
HTTPD service        up
PHP service          up
MariaDB service      up
Redis service        up
Postfix service      up
internet check       ok
port check 80        open
port check 443       open
IP                   ***REMOVED SENSITIVE VALUE***
gateway              ***REMOVED SENSITIVE VALUE***
interface            eth0
certificates         ***REMOVED SENSITIVE VALUE***
NAT loopback         no
uptime               1day

Nextcloud configuration

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "5": "nextcloudpi.local",
            "7": "nextcloudpi",
            "8": "nextcloudpi.lan",
            "1": "192.168.0.4",
            "4": "vercingeto.freeboxos.fr"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "15.0.4.0",
        "overwrite.cli.url": "https:\/\/vercingeto.freeboxos.fr\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "mail_smtpmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "maintenance": false,
        "logfile": "\/media\/USBdrive\/ncdata\/nextcloud.log",
        "loglevel": "2",
        "log_type": "file",
        "theme": "",
        "mail_sendmailmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "jpeg_quality": "60"
    }
}

HTTPd logs

[Tue Mar 26 06:25:03.087041 2019] [ssl:warn] [pid 780:tid 1995895168] AH01909: localhost:4443:0 server certificate does NOT include an ID which matches the server name
[Tue Mar 26 06:25:04.001412 2019] [mpm_event:notice] [pid 780:tid 1995895168] AH00489: Apache/2.4.25 (Raspbian) OpenSSL/1.0.2r configured -- resuming normal operations
[Tue Mar 26 06:25:04.001584 2019] [core:notice] [pid 780:tid 1995895168] AH00094: Command line: '/usr/sbin/apache2'

Database logs


What should I do?

Any advice, @nachoparker @OliverV @JimmyKater?

This has been fixed already. Please try again.

Thanks, it has been updated to 1.10.7 now. Letsencrypt still does not work, though.

Running letsencrypt
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit:1 http://archive.raspberrypi.org/debian stretch InRelease
Get:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease [15.0 kB]
Hit:3 https://packages.sury.org/php stretch InRelease
Fetched 15.0 kB in 2s (6273 B/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
ca-certificates is already the newest version (20161130+nmu1+deb9u1).
python is already the newest version (2.7.13-2).
openssl is already the newest version (1.1.1b-1+0~20190228092419.10+stretch~1.gbp729d89).
openssl set to manually installed.
gcc is already the newest version (4:8.1.0-1).
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 python-dev : Depends: libpython-dev (= 2.7.13-2) but it is not going to be installed
              Depends: python2.7-dev (>= 2.7.13-1~) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
Done. Press any key...

I think I have the issue somewhere else. I’ll try to find it.
Edit: I found it: The following packages have unmet dependencies. Is the last comment the way to go?

Yes, do the aptitude trick.

So I’ve done the aptitude trick; I'm not sure what it did, but it reinstalled a bunch of Python libs.

But now it fails to get a certificate although ports 80 and 443 are open.

Running Letsencrypt ... error
Running letsencrypt

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for myserver.com
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. myserver.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://myserver.com/.well-known/acme-challenge/Yvz15M0XGicEFGZ-kiwIaHVU2dAzwquHnLSgPFUQIAc: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: myserver.com
   Type:   connection
   Detail: Fetching
   https://myserver.com/.well-known/acme-challenge/Yvz15M0XGicEFGZ-kiwIaHVU2dAzwquHnLSgPFUQIAc:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
Done. Press any key...

Running letsdebug helped a bit, yet I don’t really understand the gist of the error and what to do about it:

AAAANotWorking
Error
myserver.com has an AAAA (IPv6) record (xxx:xxx:xxxx:xxxx::1) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
A timeout was experienced while communicating with myserver.com/xxx:xxx:xxxx:xxxx::1: Get http://myserver.com/.well-known/acme-challenge/letsdebug-test: context deadline exceeded

Trace:
@0ms: Making a request to http://myserver.com/.well-known/acme-challenge/letsdebug-test (using initial IP 2a01:e35:8bef:89f0::1)
@0ms: Dialing 2a01:e35:8bef:89f0::1
@10000ms: Experienced error: context deadline exceeded 

and

IssueFromLetsEncrypt
Error
A test authorization for myserver.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
Fetching https://myserver.com/.well-known/acme-challenge/GBoMmRm1sZwDPlapQT7Tvpgrdd9_7HwA3Gm2zPMLsIA: Timeout during connect (likely firewall problem) 

This is while testing with the HTTP-01 validation method. However, it works with the DNS-01 method. Could we use it with ncp?

Any idea, @nachoparker?

Thanks
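
The letsdebug finding quoted above (an AAAA record whose address does not answer on port 80) can be checked per address family. The sketch below is an added example, not part of the original posts or of NextCloudPi; its function names are hypothetical and it uses only Python's standard `socket` module.

```python
import socket
import sys

FAMILIES = (("A", socket.AF_INET), ("AAAA", socket.AF_INET6))

def resolve(host, port, family):
    """Addresses published for `host` in one family (empty list if none)."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe(addr, port, family, timeout=5.0):
    """True if a TCP connection to addr:port completes within `timeout`."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:  # timeout, refused, unreachable, or no IPv6 stack
        return False

def check_http01(host, port=80, timeout=5.0):
    """Reachability of every published address, grouped by record type."""
    return {label: {a: probe(a, port, fam, timeout)
                    for a in resolve(host, port, fam)}
            for label, fam in FAMILIES}

def verdict(report):
    """One-line summary in the spirit of letsdebug's AAAANotWorking check."""
    if not any(report.values()):
        return "no A or AAAA record"
    dead = [a for addrs in report.values() for a, ok in addrs.items() if not ok]
    if dead:
        return "unreachable: " + ", ".join(dead)
    return "all published addresses reachable"

if __name__ == "__main__":
    # Hostname is taken from the command line; nothing is probed on import.
    report = check_http01(sys.argv[1])
    for label, addrs in report.items():
        for addr, ok in addrs.items():
            print(f"{label:4} {addr:40} port 80 {'open' if ok else 'NOT reachable'}")
    print(verdict(report))
```

Run it from a host outside the LAN: the diagnostics earlier in the thread report `NAT loopback no`, so a probe from the Pi toward its own public name does not show what the validation server sees.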

So I raised my problem on the letsencrypt forum:

@nachoparker How can I configure Apache so the server knows that IPv6 is used?

Should I just modify /etc/apache2/ports.conf or something else?

Thanks

I don’t really know, never had to do that before. Please let us know when you find a fix if there’s anything that we should add to the NCP config to take this case into consideration.