Let's encrypt renewal failed after updating

Nextcloud version (eg, 20.0.5): 22.2.3
Operating system and version (eg, Ubuntu 20.04): Debian 10
Apache or nginx version (eg, Apache 2.4.25): nginx 1.14.2
PHP version (eg, 7.4): 7.3

The issue you are facing:

not possible to renew the letsencrypt certificat

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. certbot renew

I know it is not a specific problem with nextcloud :frowning:
My server worked well for many years. I have had to update my Debian version to update the PHP version for the last Nextcloud version. All works fine with Nextcloud!

But the process to update the let’s encrypt certificate is now broken (worked with a crontab before, renew all the 3 months without problem for years).

certbot renew --dry

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/XXX.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for XXXX
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (XX) from /etc/letsencrypt/renewal/XXXX.conf produced an unexpected error: Failed authorization procedure. XXXX (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://XXX/login [5.135.166.107]: "\n<html class=“ng-csp” data-placeholder-focus=“false” lang=“en” data-locale=“en” >\n\t<head\n data-requesttoken=“OlJA”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/XXXX/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/XXXX/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain:XXXXX
    Type: unauthorized
    Detail: Invalid response from
    https://XXXXXX/login [5.135.166.107]: "\n<html class=“ng-csp” data-placeholder-focus=“false”
    lang=“en” data-locale=“en” >\n\t<head\n
    data-requesttoken=“OlJA”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

I see that the server redirect the 80 into 443 without respecting the rule for the acme directory. I don’t understand why :frowning:

Help welcome : my certificate will be down tomorrow :frowning:

Thanks

The output of your Nextcloud log in Admin > Logging:

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

upstream php-handler {
server unix:/var/run/nextcloud.sock;
}

server {
listen 80;
listen [::]:80;
server_name XX;
return 301 https://$server_name$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name XX;

# Path to the root of your installation
root                          /var/www/nextcloud/;
ssl                           on;
ssl_certificate               /etc/letsencrypt/live/XXXX/fullchain.pem;
ssl_certificate_key           /etc/letsencrypt/live/XXX/privkey.pem;
ssl_trusted_certificate       /etc/letsencrypt/live/XXX/chain.pem;
ssl_dhparam                   /etc/ssl/certs/dhparam.pem;

ssl_session_cache             shared:SSL:60m;
ssl_session_timeout           24h;
ssl_buffer_size               16k;
ssl_protocols                 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                   'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
ssl_prefer_server_ciphers     on;
ssl_stapling                  on;
ssl_stapling_verify           on;

# Add headers to serve security related headers
add_header                    X-Content-Type-Options nosniff;
add_header                    X-XSS-Protection "1; mode=block";
add_header                    X-Frame-Options "SAMEORIGIN";
add_header                    X-Robots-Tag none;
add_header                    X-Download-Options noopen;
add_header                    X-Permitted-Cross-Domain-Policies none;
add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
add_header                    Referrer-Policy no-referrer always;

location ~ ^/.well-known/acme-challenge {
    allow                     all;
  }


location = /robots.txt {
    allow                     all;
    log_not_found             off;
    access_log                off;
}

location = /.well-known/carddav {
  return                      301 $scheme://$host/remote.php/dav;
}

location = /.well-known/caldav {
  return                      301 $scheme://$host/remote.php/dav;
}

# set max upload size
client_max_body_size          512M;
fastcgi_buffers               32 64K;

# Enable gzip but do not remove ETag headers
gzip                          on;
gzip_vary                     on;
gzip_comp_level               4;
#gzip_min_length               256;
gzip_proxied                  expired no-cache no-store private no_last_modified no_etag auth;
gzip_types                    application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

location / {
    rewrite                   ^ /index.php$uri;
}

location ^~ /.well-known {
# The following 6 rules are borrowed from .htaccess

    location = /.well-known/carddav     { return 301 /remote.php/dav/; }
    location = /.well-known/caldav      { return 301 /remote.php/dav/; }
    # Anything else is dynamically handled by Nextcloud
    location ^~ /.well-known            { return 301 /index.php$uri; }

    try_files $uri $uri/ =404;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    deny                      all;
}

location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny                      all;
}

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+).php(?:$|/) {
    fastcgi_split_path_info   ^(.+.php)(/.*)$;
    include                   fastcgi_params;
    fastcgi_param             SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param             PATH_INFO $fastcgi_path_info;
    fastcgi_param             modHeadersAvailable true;
    fastcgi_param             front_controller_active true;
    fastcgi_param             HTTPS ON;
    fastcgi_pass              php-handler;
    fastcgi_intercept_errors  on;
    fastcgi_request_buffering off;
    fastcgi_read_timeout      3600;
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
    try_files                 $uri/ =404;
    index                     index.php;
}


location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+).php(?:$|/) {
    fastcgi_split_path_info   ^(.+.php)(/.*)$;
    include                   fastcgi_params;
    fastcgi_param             SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param             PATH_INFO $fastcgi_path_info;
    fastcgi_param             modHeadersAvailable true;
    fastcgi_param             front_controller_active true;
    fastcgi_param             HTTPS ON;
    fastcgi_pass              php-handler;
    fastcgi_intercept_errors  on;
    fastcgi_request_buffering off;
    fastcgi_read_timeout      3600;
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
    try_files                 $uri/ =404;
    index                     index.php;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* .(?:css|js|woff|svg|gif)$ {
    try_files                 $uri /index.php$uri$is_args$args;
    add_header                Cache-Control "public, max-age=15778463";
    add_header                X-Content-Type-Options nosniff;
    add_header                X-XSS-Protection "1; mode=block";
    add_header                X-Frame-Options "SAMEORIGIN";
    add_header                X-Robots-Tag none;
    add_header                X-Download-Options noopen;
    add_header                X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
    access_log                off;
}

location ~* .(?:png|html|ttf|ico|jpg|jpeg)$ {
    try_files                 $uri /index.php$uri$is_args$args;
    # Optional: Don't log access to other assets
    access_log                off;
}

}

The output of your Apache/nginx/system log in /var/log/____:

18.196.102.134 - - [15/Feb/2022:10:18:45 +0100] “GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1” 301 178 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
18.196.102.134 - - [15/Feb/2022:10:18:45 +0100] “GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1” 301 178 “http://XXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
18.236.228.243 - - [15/Feb/2022:10:18:45 +0100] “GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1” 301 178 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
66.133.109.36 - - [15/Feb/2022:10:18:46 +0100] “GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1” 301 178 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
18.196.102.134 - - [15/Feb/2022:10:18:46 +0100] “GET /index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1” 302 5 “https://XXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
66.133.109.36 - - [15/Feb/2022:10:18:47 +0100] “GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1” 301 178 “http://XXXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
18.236.228.243 - - [15/Feb/2022:10:18:47 +0100] “GET /.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1” 301 178 “http://XXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
18.196.102.134 - - [15/Feb/2022:10:18:47 +0100] “GET /login HTTP/1.1” 200 4217 “https://XXXX/index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
66.133.109.36 - - [15/Feb/2022:10:18:48 +0100] “GET /index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1” 302 5 “https://XXXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
18.236.228.243 - - [15/Feb/2022:10:18:49 +0100] “GET /index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ HTTP/1.1” 302 5 “https://XXXX/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
66.133.109.36 - - [15/Feb/2022:10:18:50 +0100] “GET /login HTTP/1.1” 200 4222 “https://XXXX/index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
18.236.228.243 - - [15/Feb/2022:10:18:50 +0100] “GET /login HTTP/1.1” 499 0 “https://XXX/index.php/.well-known/acme-challenge/fD7sjgiy7LgbVD2UBHNAeRhynfNzRZJh8D_7xGKmZVQ” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”

I hope I am not being silly here, but doesn’t cerbot require sudo privileges. I had exactly the same problem, and then realised I was trying to do it as user…

No, I’m really root as typing the command.

1 Like