Hi.
I had my box all working, but I just moved and now can't access it from outside my network because the certificate is no longer valid.
I guess because my ip address changed?
how can i update my letsencrypt certificate?
Thanks
how did you install the certificate? certbot? if so try certbot renew
certificates aren't related to ip addresses.
letsencrypt certificate are valid for 90 days.
Thanks,
The certificate was renewing itself for a long time (much more than 90 days) before I moved
The error I get doesn't say "expired", just that "The owner of xxxxxxx has configured their website improperly".
I just assumed that this problem was ip related because it only happened after the move - it must be another reason.
I can't remember how I installed the certificate, I'll have to try to remember.
I tried certbot renew
but got command not found
I have forwarded ports 80 & 443 (TCP/UDP internal and external ranges 80-80 & 443-443, respectively)
I have created a subdomain on my domain and forwarded it to my home network's external IP by manually entering an "A" DNS entry with my home network's external IP
In config.php I have
'trusted_domains' =>
array (
0 => 'ubuntu-standard.local',
1 => '192.168.1.73',
2 => 'subdomain',
),
192.168.1.73 is the box's internal IP
subdomain is my subdomain
I tried sudo nextcloud.enable-https lets-encrypt
, and entered my subdomain. Although there were errors of the type
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
it did say done
at the end
The below is all on my own network:
Trying to access via https://ubuntu-standard.local/ gives a connection is not secure notice with The certificate is only valid for my.sub.domain
Trying to access via the subdomain gives a connection is not secure notice with The certificate is not trusted because it is self-signed. The certificate is only valid for .
Now highly confused and out of my depth
Sorry for the late reply. You didn't specify whether you use a hosting service or not, so I'm assuming your server is in your house (which is why moving broke your setup).
The problem is likely to be IP related, and probably has nothing to do with your certificate. Your certificate does not contain an IP address.
You'll need to adjust your DNS. For example, if your real-world (external) IP address in your old house was 123.123.123.123 and your real-world IP address in your new house is 124.124.124.124, the DNS will still be pointing to your old 123.123.123.123 address. Once you update it to point to 124.124.124.124 then it should work again.
If you're getting a certificate error, it's probably because you're now connecting to someone else's website and seeing their certificate, but via your web address. That will throw a certificate error.
You need to find out what your new real world IP address is (through something like https://whatismyipaddress.com/ or whatever), and update your DNS service to your current IP. You won't need to do anything with your certificate.
If you don't update your DNS, you won't be able to renew your certificate as Let's Encrypt will be trying to find you at your old IP address.
Your issue isn't certbot, it isn't anything about your certificate, it's about your DNS service. Fix that, and everything else should start working again.
Good luck!
An even later reply sorry!
My Nextcloud server is in my house - it's an RPi "Box"
I have already changed to the new house's new IP address via a new DNS A record on my domain provider's site (and deleted the old record)
This site confirmed that the DNS address has properly propagated
I re-did my certificates:
cd /var/snap/nextcloud/current/
sudo mv certs certs1
sudo shutdown -r now
nextcloud.enable-https lets-encrypt
rm -r certs1
Firefox still says:
x.x.x uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for . Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
where x.x.x is my nextcloud subdomain
However, when I try to access via ubuntu-standard.local in Firefox I get the below
ubuntu-standard.local uses an invalid security certificate. The certificate is only valid for x.x.x. Error code: SSL_ERROR_BAD_CERT_DOMAIN
I'm very confused
PS: I do get the following errors when renewing the certificate - is this normal?
Attempting to obtain certificates… done
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
Restarting apache… ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
done
OK, I think it's actually all working OK, but …
If I try to access my x.x.x subdomain whilst on my home wifi network (the same one as my RPi Box is on) I get the certificate error and there is no option to accept the "dodgy" certificate
However, if I access via https://ubuntu-standard.local/ whilst on my home wifi network (the same one as my RPi Box is on) then it all works (I have to accept a certificate problem but then it's OK)
If I access my x.x.x subdomain whilst NOT on my home wifi network (the same one as my RPi Box is on), for example on my phone via mobile data, it all works with no certificate errors.
No idea why or if I can remedy this, but maybe this info might help someone with similar problems?
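The symptom above (the public name works from mobile data but not from the home wifi, while the .local name works on the wifi) can be checked directly rather than guessed at. The script below is an added example and is not code from this thread or from Nextcloud; it takes the public hostname and the Pi's LAN address as arguments (my.sub.domain and 192.168.1.73 are placeholders) and shows which certificate a LAN client actually reaches for the public name versus which one the Pi itself serves. The only tools it needs are openssl, sed, awk and glibc's getent, all present on a stock Raspberry Pi OS.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. Usage:
#   sh lan-cert-check.sh my.sub.domain 192.168.1.73
# Arguments are placeholders: the public Nextcloud hostname and the Pi's LAN IP.
# It shows which certificate a LAN client actually reaches for the hostname
# (the router's, if the router does not hairpin the port forward) versus the
# certificate the Pi serves when asked for that hostname directly.
set -eu

# cert_names: read the text printed by
#   openssl x509 -noout -subject -ext subjectAltName
# on stdin and print the DNS names the certificate is valid for, one per line
# (the subject CN plus every DNS: entry of the SAN extension).
cert_names() {
    sed -n \
        -e 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' \
        -e 's/^ *DNS:/DNS:/p' |
    tr ',' '\n' |
    sed -e 's/^ *DNS://' -e 's/^ *//' -e 's/ *$//' -e '/^$/d' |
    LC_ALL=C sort -u
}

# name_matches HOST NAME...: succeed if HOST is one of the NAMEs, allowing a
# single-label wildcard (*.sub.domain covers my.sub.domain but not sub.domain).
name_matches() {
    host=$1; shift
    for n in "$@"; do
        case "$n" in
            "$host") return 0 ;;
            '*.'*)
                if [ "$host" != "${host#*.}" ] && [ "${host#*.}" = "${n#\*.}" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
}

# served_names HOST ADDR: connect to ADDR:443 sending HOST as SNI and print the
# names on the certificate that endpoint presents (empty if nothing answers).
served_names() {
    openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -ext subjectAltName 2>/dev/null |
        cert_names || true
}

main() {
    host=$1; pi=$2
    # What this network's resolver hands out for the public name.
    resolved=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
    echo "$host resolves on this network to: ${resolved:-<nothing>}"
    echo "--- names on the certificate served at ${resolved:-?} (what the browser sees)"
    [ -n "$resolved" ] && served_names "$host" "$resolved"
    echo "--- names on the certificate served by the Pi at $pi"
    pi_names=$(served_names "$host" "$pi")
    echo "${pi_names:-<no certificate returned>}"
    if name_matches "$host" $pi_names; then
        echo "The Pi's certificate covers $host."
        [ "$resolved" = "$pi" ] ||
            echo "But $host does not resolve to $pi here: LAN clients need a hosts entry or local DNS pointing at the Pi."
    else
        echo "The Pi's certificate does not cover $host: re-run nextcloud.enable-https lets-encrypt."
    fi
}

if [ $# -eq 2 ]; then
    main "$@"
fi
```

If the first certificate listed carries the router's or ISP's name (or nothing comes back at all) while the second lists your subdomain, the certificate is fine and the problem is purely where the LAN sends you for that name.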
Oh, I understand the problem now.
Real world requests for your domain get directed to your router, which then port forwards the request to your pi. All good.
But within your LAN/WiFi, the real-world DNS still points you to the router, which correctly recognises the request as local, so it doesn't redirect you to the pi.
There are a couple of ways around this.
The first is quick and dirty. Add a line to your machine's hosts file. Something like:
192.168.1.23 your.sub.domain
Any time you go to your.sub.domain while on WiFi you'll go straight to your pi. It also means that if you do this to a laptop, you won't be able to access your cloud from outside your WiFi.
The second way is MUCH better, but also WAY more complex. Run your own internal DNS and DHCP. I run my own DNS server (unbound) and it directs all internal requests correctly, and once I'm online externally, the real world DNS directs me to my router. (Running my own DNS also allows me to block ads for every machine connected to my WiFi, including guests!!)
Does that sound like it might be the problem? (It's always bloody DNS!)
Also, I have no idea what you're doing there! Why not just "certbot renew"? Are you sure your webserver is actually using Let's Encrypt certs? They're stored in:
/etc/letsencrypt/live/your.domain/
Make sure your webserver is actually pointing to the right certs
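The "run your own internal DNS" option above, as an added example rather than the replier's own configuration: an unbound override that answers the public Nextcloud name with the Pi's LAN address for clients that use this resolver, while every other name is still resolved normally. The file path, hostname and address are placeholders.

```conf
# /etc/unbound/unbound.conf.d/nextcloud-lan.conf   (added example; placeholders throughout)
server:
    # Clients on the LAN get the Pi's private address for the public name,
    # instead of the public A record that points at the router's WAN side.
    local-zone: "my.sub.domain." redirect
    local-data: "my.sub.domain. A 192.168.1.73"
```

Check it with `unbound-checkconf` and restart unbound, then hand the resolver out to the LAN by setting the DNS option in the router's DHCP settings to the unbound host. Let's Encrypt's own validation is unaffected, because it queries public DNS from outside the LAN, and a laptop or phone needs no hosts-file edits, so it keeps working when it leaves the WiFi.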
Thanks very, very much Steve!
I figured out that it was to put the following line on the machine (my laptop) that was trying to access the Nextcloud RPi on the same wifi network in the /etc/hosts file:
192.168.1.X my.sub.domain
where "X" is the RPi with the Nextcloud
Now I can sync Enpass again and can finish setting up Joplin sync
Did exactly the same on my Android phone (after finally working out / remembering how to root it).
Thanks again!
Although, as is clear, I don't really know my @rs£ from my elbow in these things, I have a Nextcloud Box and the Nextcloud is the snap version, I think this is why I use "nextcloud.enable-https" rather than "certbot renew" (the latter isn't recognised on my RPi server)
Ha! I didn't know these things when I started either. I did it the hard way, trying to configure BIND with absolutely no clue how DNS worked and using linux guides for my FreeBSD machine!
Every time you learn something new, it's like a jigsaw puzzle piece filling in the big picture. You don't need to know everything straight away, but the more you learn, the easier it is to learn more.
And now I know something I didn't know before!