Let's Encrypt Renew Failing - Connection Refused


Nextcloud version (eg, 12.0.2): 16.0.5
Operating system and version (eg, Ubuntu 17.04): Ubuntu 19.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.38/nginx 1.15.9
PHP version (eg, 7.1): 7.2.24

The issue you are facing: My SSL cert through LE is failing to be renewed. It worked when I first set up Nextcloud, however now I’m unable to renew the cert. I keep running into a connection refused error.

```
root@localhost:~# nextcloud.enable-https lets-encrypt
In order for Let's Encrypt to verify that you actually own the
domain(s) for which you're requesting a certificate, there are a
number of requirements of which you need to be aware:

1. In order to register with the Let's Encrypt ACME server, you must
   agree to the currently-in-effect Subscriber Agreement located
   here:

       https://letsencrypt.org/repository/

   By continuing to use this tool you agree to these terms. Please
   cancel now if otherwise.

2. You must have the domain name(s) for which you want certificates
   pointing at the external IP address of this machine.

3. Both ports 80 and 443 on the external IP address of this machine
   must point to this machine (e.g. port forwarding might need to be
   setup on your router).

Have you met these requirements? (y/n) y
Please enter an email address (for urgent notices or key recovery): [redacted]
Please enter your domain name(s) (space-separated): [redacted].net
Attempting to obtain certificates... error running certbot:

Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [redacted].net
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain [redacted].net
http-01 challenge for [redacted].net
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: [redacted].net
   Type:   connection
   Detail: Fetching
   http://[redacted].net/.well-known/acme-challenge/fKfzMgFrXiXs_AQzTI4oSezxFsTIf13ISi-5qbKt194:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
```

The full log is here: https://pastebin.com/ud69Ysb3

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Set up SSL cert with Let’s Encrypt as listed in the docs.
  2. Wait three months.
  3. Try to renew.

The output of your Nextcloud log in Admin > Logging:

n/a

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

```php
<?php
$CONFIG = array (
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/snap/nextcloud/current/htdocs/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/snap/nextcloud/current/nextcloud/extra-apps',
      'url' => '/extra-apps',
      'writable' => true,
    ),
  ),
  'supportedDatabases' => 
  array (
    0 => 'mysql',
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/tmp/sockets/redis.sock',
    'port' => 0,
  ),
  'instanceid' => 'oc4rlz5glym1',
  'passwordsalt' => '[redacted]',
  'secret' => '[redacted]',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => '[redacted].net',
  ),
  'datadirectory' => '/var/snap/nextcloud/common/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '16.0.5.1',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/sockets/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '[redacted]',
  'installed' => true,
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' => 
  array (
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
  'maintenance' => false,
  'loglevel' => 2,
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
);
```

The output of your Apache/nginx/system log in /var/log/____:
(not sure if this is relevant)

```
[Tue Oct 29 01:39:18.053575 2019] [mpm_event:notice] [pid 18562:tid 140060526131072] AH00491: caught SIGTERM, shutting down
[Tue Oct 29 01:39:20.967597 2019] [ssl:warn] [pid 20460:tid 139807152490368] AH01909: ::1:443:0 server certificate does NOT include an ID which matches the server name
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
[Tue Oct 29 01:39:20.974642 2019] [ssl:warn] [pid 20460:tid 139807152490368] AH01909: ::1:443:0 server certificate does NOT include an ID which matches the server name
[Tue Oct 29 01:39:20.975751 2019] [mpm_event:notice] [pid 20460:tid 139807152490368] AH00489: Apache/2.4.41 (Unix) OpenSSL/1.0.2g configured -- resuming normal operations
[Tue Oct 29 01:39:20.975777 2019] [core:notice] [pid 20460:tid 139807152490368] AH00094: Command line: 'httpd -d /snap/nextcloud/16739 -D EnableHTTPS -D EnableHSTS -D FOREGROUND'
[Tue Oct 29 01:39:20.976656 2019] [unixd:alert] [pid 20463:tid 139807152490368] AH02155: getpwuid: couldn't determine user name from uid 4294967295, you probably need to modify the User directive
[Tue Oct 29 01:39:20.977545 2019] [unixd:alert] [pid 20462:tid 139807152490368] AH02155: getpwuid: couldn't determine user name from uid 4294967295, you probably need to modify the User directive
[Tue Oct 29 01:39:20.978464 2019] [unixd:alert] [pid 20461:tid 139807152490368] AH02155: getpwuid: couldn't determine user name from uid 4294967295, you probably need to modify the User directive
[Tue Oct 29 01:43:44.222383 2019] [unixd:alert] [pid 20834:tid 139807152490368] AH02155: getpwuid: couldn't determine user name from uid 4294967295, you probably need to modify the User directive
```

Moved to NextcloudPi section. Not sure about the implementation in NextcloudPi; normally you have a renew command, so it should be set up so that it renews the certificate automatically (https://github.com/nextcloud/nextcloudpi/blob/5924131f6f3e75e10f6b8ff38f65f26b6419a649/bin/ncp/NETWORKING/letsencrypt.sh). If that does not work, you could try to run the command manually for more information:

```
letsencrypt renew
```

Note that this is the snap, not nextcloudpi.

Anyway, 99% of the time this is either a firewall or a proxy issue. Are you using either? Port forwarding setup, perhaps? Note that Let’s Encrypt in the snap requires port 80 to be open and forwarded to the snap.

Yes, this is a snap package on a Linode VM.

I don’t believe there’s a firewall/port issue; I was able to get the SSL cert to begin with, after all. There isn’t any port forwarding that I know of. Port 80 also appears to be open:

```
root@localhost:/var/snap/nextcloud/current/certs/certbot# netstat -tulnp | grep "LISTEN"
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      2621/sendmail: MTA: 
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      691/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      807/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2621/sendmail: MTA: 
tcp6       0      0 :::80                   :::*                    LISTEN      20460/httpd         
tcp6       0      0 :::443                  :::*                    LISTEN      20460/httpd         
root@localhost:/var/snap/nextcloud/current/certs/certbot# lsof -i tcp:80
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
httpd   20460 root    4u  IPv6 1657087      0t0  TCP *:http (LISTEN)
httpd   20461 root    4u  IPv6 1657087      0t0  TCP *:http (LISTEN)
httpd   20462 root    4u  IPv6 1657087      0t0  TCP *:http (LISTEN)
httpd   20463 root    4u  IPv6 1657087      0t0  TCP *:http (LISTEN)
httpd   20834 root    4u  IPv6 1657087      0t0  TCP *:http (LISTEN)
```

You’re sure you don’t have a firewall enabled? (e.g. does sudo ufw status show anything?). Barring that, mind PMing me with your domain name so I can poke about a little?

UFW was disabled. I tried enabling it and running the renew again, but no dice.

Would you mind exchanging a few more ideas before I hand off the VM to you?

Did you also check the router’s firewall?

The VM is on Linode, which is similar to AWS/Azure/GCP. There isn’t a firewall for me to check there, only in the VM itself.

Figured it out. It was the firewall, after all. Specifically, iptables. Allowing everything and running the renew finally worked.

Thanks for the help, everyone.
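As an added illustration (not code from this thread, from Nextcloud or from certbot), the Python below walks a constructed `iptables -S INPUT` dump the way the kernel evaluates the chain for a new inbound connection and reports which target a Let's Encrypt http-01 request to port 80 would hit. It shows why httpd can be LISTENing in netstat while the validator still sees "Connection refused" (a REJECT rule answers with ICMP port-unreachable or a TCP reset) rather than a timeout (a DROP rule). The ruleset and the interface name eth0 are assumptions, not the poster's real configuration.

```python
import re

# Constructed sample of `iptables -S INPUT` output (hypothetical, not the
# poster's real ruleset): SSH and HTTPS were opened, port 80 never was.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""

# Option/value pairs inside a rule, e.g. "--dport 80" or "-j ACCEPT".
OPT = re.compile(r"(--?[A-Za-z-]+)\s+(\S+)")


def port_verdict(rules_text, port, proto="tcp", iface="eth0"):
    """Walk the INPUT chain top to bottom for a NEW inbound connection to
    `port` arriving on `iface`; return the first terminating target
    (ACCEPT/DROP/REJECT) or the chain policy when no rule matches."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        parts = line.split()
        if parts[:2] == ["-P", "INPUT"]:
            policy = parts[2]
            continue
        if parts[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(OPT.findall(line))
        if "-p" in opts and opts["-p"] != proto:
            continue
        if "-i" in opts and opts["-i"] != iface:
            continue
        if "--dport" in opts and int(opts["--dport"]) != port:
            continue
        # A fresh SYN is state NEW; a RELATED,ESTABLISHED rule skips it.
        if "--ctstate" in opts and "NEW" not in opts["--ctstate"].split(","):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"]
    return policy


def symptom(verdict):
    """Map the chain verdict to what certbot's http-01 fetch reports."""
    return {"ACCEPT": "reachable: the challenge file can be fetched",
            "REJECT": "Connection refused: REJECT answers with ICMP/RST",
            "DROP": "Timeout: DROP silently discards the SYN"}[verdict]
```

Run it against the real output of `iptables -S INPUT` (and `ip6tables -S INPUT`, since the httpd in the netstat above listens on IPv6) to see which rule the validator's request hits before relaxing anything.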