How to use http instead of dns challenge with certbot


I am running nextcloudpi on an odroid xu4, all up to date.

I am trying to get this to work to get around the need to use port 80 + 443 every month for letsencrypt.

But my domain provider (freedns) doesn't let me use a subdomain starting with a _

I tried using http instead of dns in this command:
sudo certbot -d yourNCP.domain.tld --manual --preferred-challenges dns certonly
and I got to this step in certbot

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:


And make it available on your web server at this URL:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

So now I need to find my webroot on the odroid, and put the file in the specified location? How exactly would I do that?

Thanks in advance,

When using http instead of dns for the challenge:

Your webroot should be


so create folders .well-known/ and acme-challenge/ with

sudo mkdir /var/www/nextcloud/.well-known


sudo mkdir /var/www/nextcloud/.well-known/acme-challenge

Then create the file with

sudo nano /var/www/nextcloud/.well-known/acme-challenge/name-is-name-given-by-certbot-link

And copy/paste the code generated by certbot into the content of the file, save and exit.

In terminal you can use Ctrl+Shift+C or V to copy/paste the long strings used by certbot for the challenge. Both file name and content are randomly generated strings.

I usually visit the link, to check it works, before hitting enter in terminal.

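The manual steps in the reply above (create `.well-known/acme-challenge/`, write the file named by certbot with exactly the string certbot gives you, then check it before pressing Enter) as a small script. This is an added example, not code from the thread or from NextCloudPi; the webroot `/var/www/nextcloud` is the one named in the reply, and the token and key-authorization strings are placeholders that in real use come from certbot's prompt.

```sh
#!/bin/sh
# Added example, not code from the original thread or from NextCloudPi.
# Places the HTTP-01 challenge file certbot asks for under the webroot and
# checks it before you press Enter in certbot. Assumed values: the webroot
# /var/www/nextcloud (the one named in the reply above), and the token and
# key-authorization strings, which in real use come from certbot's prompt.

# write_acme_challenge WEBROOT TOKEN KEYAUTH
# Creates WEBROOT/.well-known/acme-challenge/TOKEN containing exactly KEYAUTH.
write_acme_challenge() {
    webroot=$1; token=$2; keyauth=$3
    # Refuse a token that could escape the challenge directory; real ACME
    # tokens are base64url, so they never contain '/' or start with '.'.
    case $token in
        ""|*/*|.*) echo "refusing suspicious token: $token" >&2; return 1 ;;
    esac
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    # printf rather than echo: no trailing newline is added to the value.
    printf '%s' "$keyauth" > "$dir/$token" || return 1
    # The key authorization is not secret, but the web server process must
    # be able to read it, so 0644 is the right mode.
    chmod 0644 "$dir/$token"
}

# verify_acme_challenge WEBROOT TOKEN KEYAUTH
# Succeeds only if the file exists and matches KEYAUTH byte for byte.
verify_acme_challenge() {
    f="$1/.well-known/acme-challenge/$2"
    [ -f "$f" ] || return 1
    printf '%s' "$3" | cmp -s - "$f"
}

# check_challenge_url DOMAIN TOKEN KEYAUTH
# Fetches the file over plain HTTP on port 80, the way the ACME server does.
# Needs curl and a host reachable from outside; not exercised offline.
check_challenge_url() {
    body=$(curl -fsS "http://$1/.well-known/acme-challenge/$2") || return 1
    [ "$body" = "$3" ]
}

# Hook mode: certbot --manual --manual-auth-hook /path/to/this.sh exports
# CERTBOT_TOKEN and CERTBOT_VALIDATION for HTTP-01, so the file is written
# without any copy/paste. WEBROOT is an assumed variable for this script.
if [ -n "${CERTBOT_TOKEN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    write_acme_challenge "${WEBROOT:-/var/www/nextcloud}" \
        "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
fi
```

Run `verify_acme_challenge` (or `check_challenge_url` from another machine) before confirming in certbot; the ACME server fetches the URL once and fails the order if the content differs. If the webroot is served directly by Apache, `certbot certonly --webroot -w /var/www/nextcloud -d yourNCP.domain.tld` performs the same file placement itself and needs no manual step at all.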

I think it worked, but it returned an error:

Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
Output from ncp:
Unknown user

Hook command "/etc/letsencrypt/renewal-hooks/deploy/ncp" returned error code 1

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2019-06-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

Is it fine to proceed anyway? And when checking the link I had to use my <-- reflecting my port forwarding. Does this port have to be used in the certbot command? Or is it fine without it?

I think the


in the path, just means there already was a key and certificate for

You will have to edit NC’s webserver config file to reflect the new locations with

sudo nano /etc/apache2/sites-enabled/nextcloud.conf

and reload webserver with

sudo systemctl reload apache2.service

There is no way to tell certbot to use another port, it uses only default 80(http) and 443(https), but once your certificate and key are generated, the certificate will work regardless of port.


According to ncp documentation, the next step is

sudo nano /etc/apache2/sites-enabled/nextcloud.conf
Edit to look like this, certbot provides these locations
SSLCertificateFile /etc/letsencrypt/live/yourNCP.domain.tld/fullchain.pem     
SSLCertificateKeyFile /etc/letsencrypt/keys/0000_key-certbot.pem

So for me that would mean:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/keys/0001_key-certbot.pem

In /etc/letsencrypt/live/ there are two entries now,, and Must have happened because I tried multiple times I guess. Is it fine to leave the two of them, and just use

And second, in /etc/letsencrypt/keys/ there are six files 000X_key-certbot.pem (X = 1-6). Which one should I use for SSLCertificateKeyFile?

I would use the path indicated by letsencrypt

Normally the files in the live/ folder are symbolic links to the actual files.

You can list files with -l (long) to view where symlinks point to with

sudo ls -l /etc/letsencrypt/live/

On second thought… it might be better to first back up your letsencrypt folder, and then move all the redacted . com files and folders from redacted . com 0001 to the original location. In which case you do not need to edit nextcloud.conf, just reload the webserver. Hope @nachoparker finds a moment to say which best practice fits ncp. :wink:


Did it first with the paths indicated by letsencrypt, so my nextcloud.conf looks like this:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

Now apache doesn’t start. I checked, fullchain.pem in both and are indeed empty files.

Apr 01 14:01:55 nextcloudpi systemd[1]: Starting The Apache HTTP Server...
Apr 01 14:01:55 nextcloudpi apachectl[11635]: AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
Apr 01 14:01:55 nextcloudpi apachectl[11635]: SSLCertificateFile: file '/etc/letsencrypt/live/' does not exist or is empty
Apr 01 14:01:55 nextcloudpi apachectl[11635]: Action 'start' failed.
Apr 01 14:01:55 nextcloudpi apachectl[11635]: The Apache error log may have more information.
Apr 01 14:01:55 nextcloudpi systemd[1]: apache2.service: Control process exited, code=exited status=1
Apr 01 14:01:55 nextcloudpi systemd[1]: Failed to start The Apache HTTP Server.
Apr 01 14:01:55 nextcloudpi systemd[1]: apache2.service: Unit entered failed state.
Apr 01 14:01:55 nextcloudpi systemd[1]: apache2.service: Failed with result 'exit-code'.

What is the output of

sudo ls -lh /etc/letsencrypt/live/


sudo ls -lh /etc/letsencrypt/archive/

fritz@nextcloudpi:~$ sudo ls -lh /etc/letsencrypt/live/
total 12K
-rw-r--r-- 1 root root 692 Mär  5 16:49 README
lrwxrwxrwx 1 root root  58 Apr   1 12:50 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root  59 Apr   1 12:50 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root  63 Apr   1 12:50 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root  61 Apr   1 12:50 privkey.pem -> ../../archive/

fritz@nextcloudpi:~$ sudo ls -lh /etc/letsencrypt/archive/
total 32K
-rw-r--r-- 1 root root 2,0K Mär  5 16:49 cert1.pem
-rw-r--r-- 1 root root 2,0K Apr   1 12:50 cert2.pem
-rw-r--r-- 1 root root 1,7K Mär  5 16:49 chain1.pem
-rw-r--r-- 1 root root 1,7K Apr   1 12:50 chain2.pem
-rw-r--r-- 1 root root 3,6K Mär  5 16:49 fullchain1.pem
-rw-r--r-- 1 root root 3,6K Apr   1 12:50 fullchain2.pem
-rw------- 1 root root 1,7K Mär  5 16:49 privkey1.pem
-rw-r--r-- 1 root root 1,7K Apr   1 12:50 privkey2.pem

Don't know why, but the links seem to be broken; try using

SSLCertificateFile /etc/letsencrypt/archive/
SSLCertificateKeyFile /etc/letsencrypt/archive/

which are the ones generated today.

and should be able to re-run …

sudo systemctl reload apache2.service

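Before editing nextcloud.conf it pays to check the lineage certbot printed rather than guessing between live/ and archive/ paths. The script below is an added example, not from the thread or from NextCloudPi: it follows each live/ symlink and rejects a dangling or zero-byte target (the "does not exist or is empty" failure in the apachectl output above), warns when the private key is readable by other users (in the listing above privkey2.pem is 0644 while privkey1.pem is 0600), and confirms that the certificate and key belong together. The lineage directory is passed as an argument; `/etc/letsencrypt/live/yourNCP.domain.tld` is the form certbot prints. One caveat on the archive/ paths suggested above: `certbot renew` writes the next cert3.pem/privkey3.pem into archive/ and repoints the live/ symlinks, so a config naming archive/cert2.pem keeps serving the old certificate after renewal.

```sh
#!/bin/sh
# Added example, not code from the original thread or from NextCloudPi.
# Sanity-checks a certbot lineage directory before Apache is pointed at it.
# Usage: sh check_lineage.sh /etc/letsencrypt/live/yourNCP.domain.tld

# check_lineage LIVE_DIR
# Returns 0 only when cert.pem, chain.pem, fullchain.pem and privkey.pem all
# resolve (through their symlinks) to non-empty regular files.
check_lineage() {
    live=$1; rc=0
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        f="$live/$name"
        # -s follows symlinks: false for a dangling link or a 0-byte target,
        # which is exactly what makes Apache refuse to start.
        if [ -s "$f" ]; then
            echo "ok   $name -> $(readlink -f "$f")"
        else
            echo "BAD  $name: missing, dangling or empty" >&2
            rc=1
        fi
    done
    return $rc
}

# key_mode_ok PRIVKEY
# Fails when the private key is readable by group or others. Uses ls -lL so
# the mode of the symlink target, not the link, is inspected.
key_mode_ok() {
    perm=$(ls -lL "$1" 2>/dev/null | cut -c5-10)
    case $perm in
        ------) return 0 ;;
        *) echo "WARN $1 is group/world readable (ls shows '$perm'); chmod 600 it" >&2
           return 1 ;;
    esac
}

# cert_matches_key CERT KEY
# Compares the public key embedded in the certificate with the public key
# derived from the private key. A mismatch is what you get after pairing a
# certificate with one of the numbered 000X_key-certbot.pem files from a
# different run.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

if [ -n "${1:-}" ]; then
    check_lineage "$1" \
        && key_mode_ok "$1/privkey.pem" \
        && cert_matches_key "$1/fullchain.pem" "$1/privkey.pem" \
        && echo "lineage $1 looks usable; point SSLCertificateFile at fullchain.pem and SSLCertificateKeyFile at privkey.pem"
fi
```

Run it as root, since privkey.pem is not readable otherwise. If `check_lineage` fails, `sudo certbot certificates` lists every lineage certbot knows about and which archive/ version each live/ directory currently points to; fixing the symlinks (or re-running certbot for that domain) keeps renewals working, whereas hard-coding archive/ paths in Apache does not.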

Apache wouldn't start again; I had to change the lines in /etc/apache2/sites-enabled/ncp.conf as well.

Now apache started, nextcloud is up and running AND has a valid certificate! Thank you very much Oliver, this would have taken me forever without you!


Use the command below to use the http challenge for SSL:

sudo certbot --apache -d --preferred-challenges http