Expired certificate (Nextcloud AIO)

  • Nextcloud AIO v4.9.0 (all containers are up to date)
  • Running on Raspberry Pi

Hi, the Lets Encrypt certificate has expired and it has not been automatically renewed.

From the Apache log:

{"level":"info","ts":1682675704.6833503,"msg":"[INFO][FileStorage:/mnt/data/caddy] Lock for 'issue_cert_MY_DOMAIN' is stale (created: 2023-04-28 09:36:25.268346873 +0200 CEST, last update: 2023-04-28 11:52:21.275205199 +0200 CEST); removing then retrying: /mnt/data/caddy/locks/issue_cert_MY_DOMAIN.lock"}
{"level":"error","ts":1682675716.9570122,"logger":"http.acme_client","msg":"challenge failed","identifier":"MY_DOMAIN","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"MY_SERVER_IP: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1682675716.9572487,"logger":"http.acme_client","msg":"validating authorization","identifier":"MY_DOMAIN","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"MY_SERVER_IP: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/ORDER_NUMBER","attempt":1,"max_attempts":3}
{"level":"error","ts":1682675716.9574673,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"MY_DOMAIN","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - MY_SERVER_IP: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1682675716.9582007,"logger":"tls.renew","msg":"will retry","error":"[MY_DOMAIN] Renew: [MY_DOMAIN] solving challenge: MY_DOMAIN: [MY_DOMAIN] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - MY_SERVER_IP: Timeout during connect (likely firewall problem) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":12.26669377,"max_duration":2592000}
  • Things looks like to be set up correctly :
    • ports 80, 443 forwared in router
    • domain is provided by noip.com and it points to my router IP
    • the firewall (UFW in Raspberry OS) is disabled

I don’t know what to do, perhaps could be the certificate renewed by standalone command?

Hi, see What can I do when Nextcloud is not reachable via my domain or if I get `SSL_ERROR_INTERNAL_ERROR_ALERT` when opening my Nextcloud domain? · nextcloud/all-in-one · Discussion #2105 · GitHub

Thanks I have read it, it looks like the issue is somewhere else.

  • the domain type is A (no AAAA or CNAME entry)
  • i don’t use cloudfare
  • ports 80, 443 are forwarded
  • i am not behind CGNat neither DS-Lite (I have a public IP and the domain points to it correctly)

Any other clues?

Unfortunately this site https://portchecker.co says the ports are closed, I have to investigate further (I have no idea what happened, I didnt change any settings…)

1 Like

I want just to confirm that the issue was AIO unrelated. Feel free to delete this topic so as not to clutter up search results.

ISP changed my connection from ADSL to VDSL, and I had to reflect it in port forwarding settings (“WAN Interface”).

1 Like