Let's Encrypt doesn't recreate a certificate but no error shown

Hi,

I am using the official Nextcloud on Ubuntu Core image with auto-update by default.

In September I read there was a Let’s Encrypt change about the process or something; I didn’t follow it much.
In September I also had the end of my (first, since it was a recent install) certificate (and it was set with sudo nextcloud.enable-https lets-encrypt), so I had to renew it. I thought it would be automatic, but it didn’t renew itself.
Before the 7th of September HTTPS was working well; since that day I have had SEC_ERROR_EXPIRED_CERTIFICATE in browsers.

I tried to do it manually (with sudo nextcloud.enable-https lets-encrypt), later in September, but nothing happened. I thought (in September) maybe Nextcloud needed some updates to make it work with the new process from Let’s Encrypt (like I said, I didn’t follow the news about it; I may even have misread the title of that news).

… months after that, I (now) just SSH to my Nextcloud and check snap refresh, and it says that everything is up to date.

Then I tried to renew the cert, but even though no errors are shown, my browser (Firefox) doesn’t see the cert, and I see no cert using occ:

xxxxxxxxxx@localhost:~$ sudo nextcloud.enable-https lets-encrypt 
In order for Let's Encrypt to verify that you actually own the
domain(s) for which you're requesting a certificate, there are a
number of requirements of which you need to be aware:

1. In order to register with the Let's Encrypt ACME server, you must
   agree to the currently-in-effect Subscriber Agreement located
   here:

       https://letsencrypt.org/repository/

   By continuing to use this tool you agree to these terms. Please
   cancel now if otherwise.

2. You must have the domain name(s) for which you want certificates
   pointing at the external IP address of this machine.

3. Both ports 80 and 443 on the external IP address of this machine
   must point to this machine (e.g. port forwarding might need to be
   setup on your router).

Have you met these requirements? (y/n) y
Please enter an email address (for urgent notices or key recovery): my@email.com
Please enter your domain name(s) (space-separated): my.domain.org          
Attempting to obtain certificates... done
Restarting apache... done
 
xxxxxxxxxx@localhost:~$ sudo nextcloud.occ security:certificates
+-----------+-------------+--------------+-------------+-----------+
| File Name | Common Name | Organization | Valid Until | Issued By |
+-----------+-------------+--------------+-------------+-----------+
xxxxxxxxxx@localhost:~$ 

I tried to reboot, but nothing.

Note: I once had a folder rights issue after an automatic Nextcloud snap update in early September (I am recycling an old Nextcloud box with Ubuntu/Nextcloud on the SD card of the Raspberry Pi, and the old user files on the HDD, which I have set to automount, and I changed the path in the Nextcloud config to point at the HDD), and I had to update the rights/owner on the users’ file root folder.
I mention this in case the Let’s Encrypt script doesn’t return an error if it had the same rights/owner issue in the folder it is supposed to write the cert to (in this case, which folder is it, and what chmod/chown should I do on it, please?)

Additional question: Do we agree sudo nextcloud.enable-https lets-encrypt is supposed to auto-renew the cert? (If not, I’ll have more questions later on how to do that ^^)

Absolutely.

That was successful at fetching a cert. I suspect it has also been renewing just fine. Is it possible that the OS/Firefox you’re using to connect simply won’t recognize Let’s Encrypt’s new root? I guess I’d expect an error other than SEC_ERROR_EXPIRED_CERTIFICATE, though. If you don’t mind PMing me your real domain, I can take a quick look at your cert myself.

Thanks, that’s great news!

On chromium it says NET::ERR_CERT_DATE_INVALID and
Expires on: 7 sept. 2021 - Current date: 10 déc. 2021

I don’t see the button to PM you :confused: but my instance is: subdomain.mydomain.com.
That’s the domain I set when prompted by sudo nextcloud.enable-https lets-encrypt (I just remembered that I think before September I added the root domain name + the Nextcloud subdomain, then I added a redirection at the root domain to a Nextcloud Pico website after the cert was set, and maybe that was one of the errors I had on Let’s Encrypt, so for now I disabled this redirection in my registrar’s DNS, and I get this “no error” from Let’s Encrypt, but the cert still doesn’t look well set). EDIT: yep, after checking the old cert that Firefox shows me: root + both www + cloud subdomain were set.
Thanks in advance for your help!

Alright, remove it, I’ll get back to you.

Okay I have a suspicion. Let me see the output of these two commands, please, masking as you see fit. First command:

$ sudo ls -l /var/snap/nextcloud/current/certs/

Second:

$ sudo ls /var/snap/nextcloud/current/certs/certbot/config/live

Based on what you just said, I bet you’ll have multiple results from the second command, and the first will show the live symlink pointing to the wrong one.

********@localhost:~$ sudo ls -l /var/snap/nextcloud/current/certs/
total 8
drwx------ 5 root root 4096 Dec 10 17:17 certbot
lrwxrwxrwx 1 root root   68 Dec 10 17:31 live -> /var/snap/nextcloud/current/certs/certbot/config/live/subdomain.mydomain.com
********@localhost:~$ sudo ls /var/snap/nextcloud/current/certs/certbot/config/live
README	subdomain.mydomain.com	subdomain.mydomain.com-0001
********@localhost:~$

(note: replaced occurrences of the real value with subdomain.mydomain.com)

It looks like you are right!! (But I’m not sure what I should do; manually remove all files except the README?)

I’m afraid this is a known issue. When you change the domains used, certbot ends up creating multiple directories there and the snap doesn’t know which one to use. Today it just picks one. I’m sorry, I really need to fix that.

I suggest clearing out the certs entirely:

$ sudo rm -rf /var/snap/nextcloud/current/certs/

Then run nextcloud.enable-https again.

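As an added example (not code from this thread or from the nextcloud snap), the following POSIX shell script performs the two checks asked for above and reports the condition described in this post: more than one certbot lineage under config/live, with the live symlink pointing at one of them. It assumes the certs root /var/snap/nextcloud/current/certs shown in the thread, and the fixture it can build is constructed to mirror the directory listing posted above; it is not real data.

```shell
#!/bin/sh
# Added example, not part of the thread or the snap. Assumed default root
# is the path shown in the thread.
CERTS_ROOT_DEFAULT=/var/snap/nextcloud/current/certs

# List certbot lineage directories under config/live (everything except
# the README certbot leaves there), one name per line.
list_lineages() {
    root="$1"
    for d in "$root"/certbot/config/live/*; do
        [ -d "$d" ] || continue
        basename "$d"
    done
}

# Exit status: 0 when exactly one lineage exists and live -> that lineage;
# 1 when several lineages exist (the situation in this thread), so the
# served certificate may be a stale one; 2 when there is no lineage or the
# live symlink is missing, dangling, or points outside config/live.
check_live_symlink() {
    root="$1"
    n=$(list_lineages "$root" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "no lineage under $root/certbot/config/live"; return 2; }
    [ -L "$root/live" ] || { echo "$root/live is not a symlink"; return 2; }
    target=$(readlink "$root/live")
    case "$target" in
        "$root"/certbot/config/live/*) ;;
        *) echo "live symlink points outside config/live: $target"; return 2 ;;
    esac
    [ -d "$root/live/" ] || { echo "live symlink is dangling: $target"; return 2; }
    if [ "$n" -gt 1 ]; then
        echo "$n lineages found; live -> $(basename "$target")"
        echo "lineages:"
        list_lineages "$root" | sed 's/^/  /'
        return 1
    fi
    echo "single lineage, live -> $(basename "$target")"
    return 0
}

# Informational: print the expiry of the certificate Apache would serve,
# when the file exists and openssl is installed.
show_expiry() {
    pem="$1/live/fullchain.pem"
    if [ -f "$pem" ] && command -v openssl >/dev/null 2>&1; then
        openssl x509 -noout -enddate -in "$pem"
    fi
}

# Constructed fixture mirroring the listing in the thread: two lineages plus
# README, with live pointing at the older one. Prints the temp root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/certbot/config/live/subdomain.mydomain.com" \
             "$root/certbot/config/live/subdomain.mydomain.com-0001"
    : > "$root/certbot/config/live/README"
    ln -s "$root/certbot/config/live/subdomain.mydomain.com" "$root/live"
    echo "$root"
}

# Usage: sh check_certs.sh [certs-root]   (run as root on the snap host)
#        sh check_certs.sh --demo          (runs against the constructed fixture)
if [ $# -gt 0 ]; then
    if [ "$1" = "--demo" ]; then
        root=$(make_fixture)
        check_live_symlink "$root" || true
        rm -rf "$root"
    else
        root="${1:-$CERTS_ROOT_DEFAULT}"
        check_live_symlink "$root"; rc=$?
        show_expiry "$root"
        exit $rc
    fi
fi
```

A non-zero status from the check is the cue to inspect the lineages before clearing them out as suggested above; the -0001 suffix is what certbot appends when a new lineage is created for a different domain set under the same name, which is why changing the domains produced two directories here.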

I tried, with an error:

sudo rm -rf /var/snap/nextcloud/current/certs/
sudo nextcloud.enable-https lets-encrypt 

(…)

Attempting to obtain certificates... error running certbot:
/var/snap/nextcloud/current/certs/certbot does not exist or is not a directory

What I did to make it work:

sudo rm -rf /var/snap/nextcloud/current/certs/
sudo mkdir /var/snap/nextcloud/current/certs/
sudo mkdir /var/snap/nextcloud/current/certs/certbot
sudo nextcloud.enable-https lets-encrypt 

Now opening my Nextcloud in Firefox just works!
Thank you @kyrofa for the help, and for all your work on the project.
Do you need me to open an issue, or have you got it?

We have one already, thank you! Glad you’re sorted.
