Nextcloud version (eg, 20.0.5): 22.2.3
Operating system and version (eg, Ubuntu 20.04): Debian 10
Apache or nginx version (eg, Apache 2.4.25): nginx 1.14.2
PHP version (eg, 7.4): 7.3
The issue you are facing:
not possible to renew the Let's Encrypt certificate
Is this the first time you’ve seen this error? (Y/N): Y
Steps to replicate it:
- certbot renew
I know it is not a specific problem with nextcloud
My server worked well for many years. I have had to update my Debian version to update the PHP version for the last Nextcloud version. All works fine with Nextcloud!
But the process to update the let’s encrypt certificate is now broken (worked with a crontab before, renew all the 3 months without problem for years).
certbot renew --dry
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/XXX.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for XXXX
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (XX) from /etc/letsencrypt/renewal/XXXX.conf produced an unexpected error: Failed authorization procedure. XXXX (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://XXX/login [5.135.166.107]: "\n<html class="ng-csp" data-placeholder-focus="false" lang="en" data-locale="en" >\n\t<head\n data-requesttoken="OlJA". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/XXXX/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/XXXX/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: XXXXX
Type: unauthorized
Detail: Invalid response from
https://XXXXXX/login [5.135.166.107]: "\n<html class="ng-csp" data-placeholder-focus="false"
lang="en" data-locale="en" >\n\t<head\n
data-requesttoken="OlJA"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I see that the server redirects port 80 to 443 without respecting the rule for the ACME directory. I don't understand why.
Help welcome: my certificate will be down tomorrow.
Thanks
The output of your Nextcloud log in Admin > Logging:
The output of your config.php file in /path/to/nextcloud
(make sure you remove any identifiable information!):
```nginx
upstream php-handler {
    server unix:/var/run/nextcloud.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name XX;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name XX;

    # Path to the root of your installation
    root /var/www/nextcloud/;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/XXXX/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/XXX/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_cache shared:SSL:60m;
    ssl_session_timeout 24h;
    ssl_buffer_size 16k;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Add headers to serve security related headers
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
    add_header Referrer-Policy no-referrer always;

    location ~ ^/.well-known/acme-challenge {
        allow all;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 32 64K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    #gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ^~ /.well-known {
        # The following 6 rules are borrowed from .htaccess
        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav { return 301 /remote.php/dav/; }
        # Anything else is dynamically handled by Nextcloud
        location ^~ /.well-known { return 301 /index.php$uri; }
        try_files $uri $uri/ =404;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+).php(?:$|/) {
        fastcgi_split_path_info ^(.+.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_param HTTPS ON;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
        fastcgi_read_timeout 3600;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+).php(?:$|/) {
        fastcgi_split_path_info ^(.+.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_param HTTPS ON;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
        fastcgi_read_timeout 3600;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* .(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* .(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
```
The output of your Apache/nginx/system log in /var/log/____:
18.196.102.134 - - [15/Feb/2022:10:18:45 +0100] "GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.196.102.134 - - [15/Feb/2022:10:18:45 +0100] "GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1" 301 178 "http://XXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.236.228.243 - - [15/Feb/2022:10:18:45 +0100] "GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [15/Feb/2022:10:18:46 +0100] "GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.196.102.134 - - [15/Feb/2022:10:18:46 +0100] "GET /index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1" 302 5 "https://XXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [15/Feb/2022:10:18:47 +0100] "GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1" 301 178 "http://XXXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.236.228.243 - - [15/Feb/2022:10:18:47 +0100] "GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1" 301 178 "http://XXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.196.102.134 - - [15/Feb/2022:10:18:47 +0100] "GET /login HTTP/1.1" 200 4217 "https://XXXX/index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [15/Feb/2022:10:18:48 +0100] "GET /index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1" 302 5 "https://XXXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.236.228.243 - - [15/Feb/2022:10:18:49 +0100] "GET /index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1" 302 5 "https://XXXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [15/Feb/2022:10:18:50 +0100] "GET /login HTTP/1.1" 200 4222 "https://XXXX/index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.236.228.243 - - [15/Feb/2022:10:18:50 +0100] "GET /login HTTP/1.1" 499 0 "https://XXX/index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
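The access log above already tells the whole story, and the posted configuration explains it. Each validation request travels the same chain: 301 from the port-80 server (the `return 301` sits at server level, so it runs before any `location` is consulted and the `acme-challenge` location can never win there), then on port 443 the prefix block `location ^~ /.well-known` takes priority over the regex block `location ~ ^/.well-known/acme-challenge` (a `^~` prefix match stops regex evaluation), its nested `location ^~ /.well-known { return 301 /index.php$uri; }` hands the token URL to `index.php`, Nextcloud answers 302 to `/login`, and the validation server ends up reading the login page HTML, which is exactly the "Invalid response from https://XXX/login" in the certbot output. The following server blocks are an added example of a corrected layout, not the poster's configuration and not taken from the Nextcloud project; the webroot `/var/www/nextcloud` is assumed to be the directory certbot writes tokens into (the `webroot_path` in `/etc/letsencrypt/renewal/<domain>.conf`), and `XX` stands in for the real host name as in the post.

```nginx
# Added example (not the poster's config). Port 80: answer ACME HTTP-01
# challenges from disk first, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name XX;

    # Assumed certbot webroot; must equal webroot_path in the renewal conf
    # (or the -w value passed to "certbot certonly --webroot").
    root /var/www/nextcloud;

    # ^~ is a prefix match that beats regex locations and, unlike a bare
    # server-level "return 301", is only taken for challenge URLs.
    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        try_files $uri =404;   # never forward a token request to index.php
    }

    # The redirect now lives in a location, so it no longer precedes location
    # matching for the whole server.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

# Port 443: Let's Encrypt follows redirects, so the HTTPS side must also be
# able to serve tokens. Only the /.well-known handling is shown; the TLS,
# header, gzip and PHP blocks from the post stay as they are.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name XX;
    root /var/www/nextcloud/;

    # ... ssl_*, add_header, gzip and fastcgi blocks unchanged ...

    location ^~ /.well-known {
        # Exact matches are chosen before the parent's return below.
        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        # Challenge tokens are static files under the webroot; serve them
        # directly instead of letting the catch-all hand them to Nextcloud.
        location /.well-known/acme-challenge {
            default_type text/plain;
            try_files $uri $uri/ =404;
        }

        # Everything else under /.well-known is handled by Nextcloud.
        return 301 /index.php$request_uri;
    }
}
```

After reloading nginx, a request for a non-existent token should now produce a 404 from both `http://XX/.well-known/acme-challenge/test` and `https://XX/.well-known/acme-challenge/test`; as long as the log shows a 301 or 302 for those paths, the redirect chain is still in place and `certbot renew --dry-run` will keep failing with the same "unauthorized" error. One caveat unrelated to the renewal itself: the posted `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables two deprecated protocol versions; once the certificate issue is resolved, restricting this to TLSv1.2 (and TLSv1.3 where the nginx build supports it) removes them.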