I am using the official Nextcloud on Ubuntu Core image with auto-update by default.
In September I read there was a Let’s Encrypt change about the process or something I didn’t follow much.
In September I also had the end of my (first, since it was a recent install) certificate (and it was set with sudo nextcloud.enable-https lets-encrypt) so I had to renew it. I thought it would be automatic, but it didn’t renew itself.
Before 07th of September https was working well; since this day I have SEC_ERROR_EXPIRED_CERTIFICATE in browsers.
I tried to do it manually (with sudo nextcloud.enable-https lets-encrypt) later in September, but nothing happened. I thought (in September) maybe Nextcloud needed some updates to make it work with the new process system from Let’s Encrypt (like I said, I didn’t follow the news about it, I maybe even misread the title of this news).
… months after that I (now) just ssh to my Nextcloud and check snap refresh and it says that everything is up to date.
Then I tried to renew the cert, but even if no errors are shown, my browser (Firefox) doesn’t see the cert, and I see no cert using occ:
xxxxxxxxxx@localhost:~$ sudo nextcloud.enable-https lets-encrypt
In order for Let's Encrypt to verify that you actually own the
domain(s) for which you're requesting a certificate, there are a
number of requirements of which you need to be aware:
1. In order to register with the Let's Encrypt ACME server, you must
agree to the currently-in-effect Subscriber Agreement located
By continuing to use this tool you agree to these terms. Please
cancel now if otherwise.
2. You must have the domain name(s) for which you want certificates
pointing at the external IP address of this machine.
3. Both ports 80 and 443 on the external IP address of this machine
must point to this machine (e.g. port forwarding might need to be
setup on your router).
Have you met these requirements? (y/n) y
Please enter an email address (for urgent notices or key recovery): email@example.com
Please enter your domain name(s) (space-separated): my.domain.org
Attempting to obtain certificates... done
Restarting apache... done
xxxxxxxxxx@localhost:~$ sudo nextcloud.occ security:certificates
| File Name | Common Name | Organization | Valid Until | Issued By |
I tried to reboot, but nothing.
Note: I once had a folder rights issue after an automatic snap Nextcloud update in early September (I am recycling an old Nextcloud box with Ubuntu/Nextcloud on the SD card of the Raspi, and the old user files on the HDD that I have set to automount, and I changed the path in the Nextcloud conf to be set on the HDD) and I had to update the rights/owner on the users’ file root folder.
I mention this in case the Let’s Encrypt script doesn’t return an error if it had the same rights/owner issue in the folder it is supposed to write the cert to (in this case, what folder is it, and what chmod/chown should I do on it please?)
Additional question: Do we agree sudo nextcloud.enable-https lets-encrypt is supposed to auto-renew the cert? (If not, I’ll have more questions later on how to do that ^^)
That was successful at fetching a cert. I suspect it has also been renewing just fine. Is it possible that the OS/firefox you’re using to connect simply won’t recognize Let’s Encrypt’s new root? I guess I’d expect an error other than SEC_ERROR_EXPIRED_CERTIFICATE, though. If you don’t mind PMing me your real domain, I can take a quick look at your cert myself.
On chromium it says NET::ERR_CERT_DATE_INVALID and Expires on: 7 sept. 2021 - Current date: 10 déc. 2021
I don’t see the button to PM you but my instance is : subdomain.mydomain.com.
That’s the domain I set when prompted on sudo nextcloud.enable-https lets-encrypt (I just remembered that I think before September I added the root domain name + the Nextcloud subdomain, then I added a redirection at the root domain to a Nextcloud Pico website after the cert was set, and maybe that was one of the errors on Let’s Encrypt I had, so I disabled this redirection from my registrar’s DNS for now, and I have this “no error” from Let’s Encrypt but the cert still doesn’t look well set). EDIT: yep, after checking the old cert that Firefox shows to me: root + both www + cloud subdomain were set.
Thanks in advance for your help!
I’m afraid this is a known issue. When you change the domains used, certbot ends up creating multiple directories there and the snap doesn’t know which one to use. Today it just picks one. I’m sorry, I really need to fix that.
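The condition described in the reply above (several certbot directories, one of them holding the expired certificate) can be checked from the shell. This is an added example, not code from the thread or from the snap: certbot keeps each certificate lineage in its own subdirectory of its `live/` directory with a `cert.pem` inside, and the path to that `live/` directory is passed as an argument because the thread does not give it. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a certbot live/ directory for multiple lineages.
# Usage: sh audit.sh /path/to/certbot/live   (path is an assumption; the thread does not state it)

# Print one line per lineage: "<name> <valid|expired|unreadable> [notAfter=...]"
list_lineages() {
    live_dir=$1
    for dir in "$live_dir"/*/; do
        [ -d "$dir" ] || continue            # glob matched nothing
        name=$(basename "$dir")
        cert="${dir}cert.pem"
        # The certificate must exist and parse before its dates mean anything.
        if [ -r "$cert" ] && openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
            enddate=$(openssl x509 -enddate -noout -in "$cert")
            # -checkend 0 exits non-zero when the certificate has already expired.
            if openssl x509 -checkend 0 -noout -in "$cert" >/dev/null 2>&1; then
                printf '%s valid %s\n' "$name" "$enddate"
            else
                printf '%s expired %s\n' "$name" "$enddate"
            fi
        else
            printf '%s unreadable\n' "$name"
        fi
    done
}

# Number of lineage directories found.
count_lineages() {
    list_lineages "$1" | wc -l | tr -d ' '
}

# Succeeds (exit 0) when more than one lineage exists, which is the
# situation where the server may be pointed at a stale certificate.
has_ambiguous_lineages() {
    [ "$(count_lineages "$1")" -gt 1 ]
}

if [ -n "${1:-}" ]; then
    list_lineages "$1"
    if has_ambiguous_lineages "$1"; then
        echo "WARNING: multiple lineages; confirm which one the web server serves" >&2
    fi
fi
```

Comparing the `notAfter` value of each lineage with the expiry date the browser reports shows which directory is actually being served.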