Expired certificate (Nextcloud AIO)

  • Nextcloud AIO v4.9.0 (all containers are up to date)
  • Running on Raspberry Pi

Hi, the Let's Encrypt certificate has expired and it has not been automatically renewed.

From the Apache log:

{"level":"info","ts":1682675704.6833503,"msg":"[INFO][FileStorage:/mnt/data/caddy] Lock for 'issue_cert_MY_DOMAIN' is stale (created: 2023-04-28 09:36:25.268346873 +0200 CEST, last update: 2023-04-28 11:52:21.275205199 +0200 CEST); removing then retrying: /mnt/data/caddy/locks/issue_cert_MY_DOMAIN.lock"}
{"level":"error","ts":1682675716.9570122,"logger":"http.acme_client","msg":"challenge failed","identifier":"MY_DOMAIN","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"MY_SERVER_IP: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1682675716.9572487,"logger":"http.acme_client","msg":"validating authorization","identifier":"MY_DOMAIN","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"MY_SERVER_IP: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/ORDER_NUMBER","attempt":1,"max_attempts":3}
{"level":"error","ts":1682675716.9574673,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"MY_DOMAIN","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - MY_SERVER_IP: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1682675716.9582007,"logger":"tls.renew","msg":"will retry","error":"[MY_DOMAIN] Renew: [MY_DOMAIN] solving challenge: MY_DOMAIN: [MY_DOMAIN] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - MY_SERVER_IP: Timeout during connect (likely firewall problem) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":12.26669377,"max_duration":2592000}
...
  • Things look like they are set up correctly:
    • ports 80, 443 forwarded in router
    • domain is provided by noip.com and it points to my router IP
    • the firewall (UFW in Raspberry OS) is disabled

I don’t know what to do; perhaps the certificate could be renewed by a standalone command?
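The log above is Caddy's JSON output, and the line that matters is the ACME problem document: its `type` URN (`urn:ietf:params:acme:error:connection`) and the `challenge_type` (`tls-alpn-01`, which means the Let's Encrypt validation server needs to reach port 443) already point at reachability rather than at Nextcloud itself. The script below is an added example, not code from this thread, from Nextcloud AIO or from Caddy: it parses such log lines, pulls the ACME error type out of both the structured `problem` object and the flattened `error` string, maps each challenge type to the port the issuer must reach, and attaches a triage hint per error class. The sample lines are constructed to match the shape of the quoted log (`MY_DOMAIN`, `MY_SERVER_IP` are the original placeholders); the final `dns` line is invented to show a second error class.

```python
"""Triage ACME renewal failures in a Caddy JSON log (added example, not the project's code)."""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample, modelled on the log lines quoted in the thread. The last line
# (an http-01 challenge failing with an acme:error:dns problem) is invented.
SAMPLE_LOG = r"""
{"level":"info","ts":1682675704.6833503,"msg":"[INFO][FileStorage:/mnt/data/caddy] Lock for 'issue_cert_MY_DOMAIN' is stale; removing then retrying"}
{"level":"error","ts":1682675716.9570122,"logger":"http.acme_client","msg":"challenge failed","identifier":"MY_DOMAIN","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"MY_SERVER_IP: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1682675716.9572487,"logger":"http.acme_client","msg":"validating authorization","identifier":"MY_DOMAIN","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"MY_SERVER_IP: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/ORDER_NUMBER","attempt":1,"max_attempts":3}
{"level":"error","ts":1682675716.9574673,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"MY_DOMAIN","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - MY_SERVER_IP: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1682675776.1,"logger":"http.acme_client","msg":"challenge failed","identifier":"MY_DOMAIN","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for MY_DOMAIN","instance":"","subproblems":[]}}
"""

# Port the issuer's validation server must reach for each challenge type (RFC 8555, RFC 8737).
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443, "dns-01": None}

# Triage hints keyed by the last component of the ACME error URN (RFC 8555 section 6.7).
ACME_HINTS = {
    "connection": "validation server could not connect: check port forwarding for the challenge port, "
                  "the host firewall, and that the router forwards from the WAN interface actually in use",
    "dns": "DNS lookup failed: check the A/AAAA records for the domain",
    "unauthorized": "challenge answered with the wrong content: another service may be bound to the port",
    "incorrectResponse": "challenge answered with the wrong content: another service may be bound to the port",
    "tls": "TLS negotiation failed during validation: something else terminates TLS in front of the ACME client",
    "rateLimited": "issuer rate limit hit: fix the cause first, then wait before retrying",
    "caa": "a CAA record forbids this issuer for the domain",
}

URN_RE = re.compile(r"urn:ietf:params:acme:error:([A-Za-z]+)")


def acme_error_type(rec):
    """Short ACME error type from a structured 'problem' document or a flattened 'error' string, else None."""
    problem = rec.get("problem")
    if isinstance(problem, dict):
        m = URN_RE.search(problem.get("type", ""))
    else:
        m = URN_RE.search(rec.get("error", ""))
    return m.group(1) if m else None


def parse_line(raw):
    """Decode one Caddy JSON log line; non-JSON lines (blank, plain text) yield None."""
    raw = raw.strip()
    if not raw.startswith("{"):
        return None
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None


def triage(log_text):
    """Return one record per error-level line that carries an ACME error, with port and hint attached."""
    failures = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec.get("level") != "error":
            continue
        etype = acme_error_type(rec)
        if etype is None:
            continue
        problem = rec.get("problem") if isinstance(rec.get("problem"), dict) else {}
        challenge = rec.get("challenge_type")
        failures.append({
            "time": datetime.fromtimestamp(rec.get("ts", 0), tz=timezone.utc).isoformat(timespec="seconds"),
            "logger": rec.get("logger"),
            "identifier": rec.get("identifier"),
            "challenge_type": challenge,
            "port": CHALLENGE_PORT.get(challenge),   # None when the line names no challenge
            "error_type": etype,
            "detail": problem.get("detail") or rec.get("error", ""),
            "hint": ACME_HINTS.get(etype, "unlisted ACME error type; read the detail"),
        })
    return failures


def summarize(failures):
    """Count failures per ACME error type, so the dominant cause is visible at a glance."""
    return Counter(f["error_type"] for f in failures)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        port = f"port {f['port']}" if f["port"] else "no specific port"
        print(f"{f['time']} {f['logger']:<16} {f['error_type']:<11} {f['challenge_type'] or '-':<11} "
              f"({port}) {f['detail']}\n    -> {f['hint']}")
    print("\nby error type:", dict(summarize(found)))
```

To run it against a real deployment, replace `SAMPLE_LOG` with the Apache container's log output (for example the output of `docker logs` for that container) and read the `by error type` line first: a run dominated by `connection` on a `tls-alpn-01` challenge is a port 443 reachability problem between the issuer and the host, which is what the rest of this thread goes on to confirm.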

Hi, see "What can I do when Nextcloud is not reachable via my domain or if I get `SSL_ERROR_INTERNAL_ERROR_ALERT` when opening my Nextcloud domain?" (nextcloud/all-in-one, Discussion #2105 on GitHub).

Thanks, I have read it; it looks like the issue is somewhere else.

  • the domain type is A (no AAAA or CNAME entry)
  • I don’t use Cloudflare
  • ports 80, 443 are forwarded
  • I am not behind CGNAT or DS-Lite (I have a public IP and the domain points to it correctly)

Any other clues?

Unfortunately the site https://portchecker.co says the ports are closed; I have to investigate further (I have no idea what happened, I didn’t change any settings…)


I just want to confirm that the issue was unrelated to AIO. Feel free to delete this topic so as not to clutter up search results.

ISP changed my connection from ADSL to VDSL, and I had to reflect it in port forwarding settings (“WAN Interface”).
