Letsencrypt acme challenge failing


Nextcloud version (eg, 12.0.2): 17
Operating system and version (eg, Ubuntu 17.04): Ubuntu 18.04
Apache or nginx version (eg, Apache 2.4.25): nginx/1.17.7
PHP version (eg, 7.1): PHP 7.3.13-1

The issue you are facing: Having followed the excellent Carsten Rieger installation guide to build a Nextcloud server, I am having a problem with the cron job that tries to renew the SSL certificate.
I am getting the following error:

    /home/acmeuser/.acme.sh/acme.sh: line 4322: /var/www/letsencrypt/.well-known/acme-challenge/long string of random characters: Permission denied mywebsite.co.uk:Can not write token to file : /var/www/letsencrypt/.well-known/acme-challenge/long string of random characters

Is this the first time you’ve seen this error? (Y/N): Yes

Steps to replicate it:

  1. Follow the server build from the Carsten Rieger Installation Guide

The output of your Nextcloud log in Admin > Logging:

Nothing to report

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'passwordsalt' => '************',
  'secret' => '***************',
  'trusted_domains' => 
  array (
    0 => '*************.uk',
  ),
  'datadirectory' => '/mnt/nextcloud-storage/',
  'dbtype' => 'mysql',
  'version' => '17.0.1.1',
  'overwrite.cli.url' => 'https://***********.uk',
  'dbname' => '********',
  'dbhost' => 'localhost:/var/run/mysqld/mysqld.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '*************',
  'installed' => true,
  'instanceid' => '***********',
  'activity_expire_days' => 14,
  'auth.bruteforce.protection.enabled' => true,
  'blacklisted_files' => 
  array (
    0 => '.htaccess',
    1 => 'Thumbs.db',
    2 => 'thumbs.db',
  ),
  'cron_log' => true,
  'enable_previews' => true,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\Movie',
    6 => 'OC\\Preview\\PDF',
    7 => 'OC\\Preview\\MP3',
    8 => 'OC\\Preview\\TXT',
    9 => 'OC\\Preview\\MarkDown',
  ),
  'filesystem_check_changes' => 0,
  'filelocking.enabled' => 'true',
  'htaccess.RewriteBase' => '/',
  'integrity.check.disabled' => false,
  'knowledgebaseenabled' => false,
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => 2,
  'logtimezone' => 'Europe/London',
  'log_rotate_size' => 104857600,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'overwriteprotocol' => 'https',
  'preview_max_x' => 1024,
  'preview_max_y' => 768,
  'preview_max_scale_factor' => 1,
  'redis' => 
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
  'quota_include_external_storage' => false,
  'share_folder' => '/Shares',
  'skeletondirectory' => '',
  'theme' => '',
  'trashbin_retention_obligation' => 'auto, 7',
  'updater.release.channel' => 'stable',
  'mail_smtpmode' => 'sendmail',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => '******',
  'mail_domain' => '********',
  'mail_smtpsecure' => 'tls',
  'mail_smtpauth' => 1,
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpname' => '**********',
  'mail_smtppassword' => '**************',
  'mail_smtphost' => '********* ',
  'mail_smtpport' => '587',
);

The output of your Apache/nginx/system log in /var/log/____:

cat /var/log/nginx/error.log.1
2019/12/26 12:42:49 [notice] 28025#28025: using inherited sockets from "6;7;8;9;10;"
2019/12/27 00:55:15 [error] 28029#28029: *69 open() "/var/www/letsencrypt/.well-known/acme-challenge/*******************" failed (2: No such file or directory), client: 127.0.0.1, server: 127.0.0.1, request: "GET /.well-known/acme-challenge/******************* HTTP/1.0", host: "**********.uk"
2019/12/27 00:55:16 [error] 28029#28029: *72 open() "/var/www/letsencrypt/.well-known/acme-challenge/***************" failed (2: No such file or directory), client: 127.0.0.1, server: 127.0.0.1, request: "GET /.well-known/acme-challenge/************** HTTP/1.0", host: "*******.uk"
2019/12/27 00:55:16 [error] 28030#28030: *75 open() "/var/www/letsencrypt/.well-known/acme-challenge/********************" failed (2: No such file or directory), client: 127.0.0.1, server: 127.0.0.1, request: "GET /.well-known/acme-challenge/***************** HTTP/1.0", host: "***************.uk"

The server has been running fine for a few months, but as the certificate will run out soon, I would like to get this sorted. This is the first time I have used Nginx and the acme client. My other server is running Apache and the certbot client. This combination works well and I am used to just renewing the certificate manually.
I have no experience with the Nginx and acme system and would appreciate any help, thank you.

Did you check the owner/group of /var/www/letsencrypt including subfolder and the nginx user?

Hello Reiner_Nippes,

Thanks for taking the time to respond to my issue.

Using the ls command I get this response:

sudo ls -lsha /var/www/
4.0K drwxr-x---  3 www-data www-data 4.0K Oct 11 13:21 letsencrypt
4.0K drwxr-x--- 15 www-data www-data 4.0K Dec 11 21:01 nextcloud

If I drill down into these directories they both return the same user and group as above.
If I list the users on the system it returns the following related users:

sudo less /etc/passwd
nginx:x:111:114:nginx user,,,:/nonexistent:/bin/false
acmeuser:x:1001:1002:,,,:/home/acmeuser:/bin/bash

Does this shed any light on what may be causing the certificate renewal to fail?

is the user acmeuser also a member of the group www-data?
you can find out with the command: id acmeuser

and there might be an error in the script of @riegerCLOUD. but i’m not sure.

with this line you make /var/www/letsencrypt writable to members of the group www-data. that should include acmeuser.

with that line in the permission script you revoke that right.

(image)

so you may try: sudo chmod -R 775 /var/www/letsencrypt

if that solves your problem add that line also after the find command in the permission script.

Hello Reiner_Nippes,

Now that is what I call great community support! You are spot on with your suggestion.
I can confirm that the acmeuser is a member of the www-data group. However, the permissions in the script are the issue. I executed:

chmod -R 775 /var/www/letsencrypt /etc/letsencrypt

and ran

.acme.sh/acme.sh --renew-all

as the acmeuser and it renewed the SSL certificates as expected.

Can you confirm that I need to change the permissions script to look like this:

#!/bin/bash
# files under the webroot: owner rw, group r, nothing for others
find /var/www/ -type f -print0 | xargs -0 chmod 0640
# directories: owner rwx, group rx, nothing for others
find /var/www/ -type d -print0 | xargs -0 chmod 0750
# re-open the ACME webroot to the www-data group so acmeuser can write challenge tokens
chmod -R 775 /var/www/letsencrypt
chown -R www-data:www-data /var/www/

Thank you so much for taking the time to look at this for me, I really appreciate it.
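A preflight check for the failure diagnosed in this thread (the ACME client user lacking write access on the challenge directory), as an added example that is not part of the thread, of acme.sh, or of the guide's permission script. It evaluates classic owner/group/other mode bits only (no ACLs, no root override); the names acmeuser, www-data and /var/www/letsencrypt are the thread's, the function names are mine.

```python
import os
import pwd
import grp
import stat

# Permission bits in the usual rwx order.
R, W, X = 4, 2, 1

def allowed(mode, owner_uid, owner_gid, uid, gids, want):
    """True if a user (uid, gids) has every bit in `want` on an object with the
    given mode/owner/group: owner bits if uid matches, else group bits if any
    gid matches, else other bits. Classic mode bits only, no ACLs, no root."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def identity(username):
    """Resolve a login name to (uid, set of gids incl. supplementary groups)."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids

def check_webroot(webroot, acme_user, web_user):
    """Return a description of the first permission the HTTP-01 flow would trip
    over, or None when both users can do their part."""
    challenge = os.path.join(webroot, ".well-known", "acme-challenge")
    users = [(acme_user, *identity(acme_user)), (web_user, *identity(web_user))]
    # Every directory from the filesystem root down to acme-challenge must be
    # searchable (x) by both the ACME client user and the web server user.
    parents, path = [], challenge
    while path != os.path.dirname(path):
        parents.append(path)
        path = os.path.dirname(path)
    for d in reversed(parents):
        st = os.stat(d)
        for name, uid, gids in users:
            if not allowed(st.st_mode, st.st_uid, st.st_gid, uid, gids, X):
                return f"{name} cannot traverse {d} (mode {oct(stat.S_IMODE(st.st_mode))})"
    # acme.sh writes the token into acme-challenge: needs w+x there. This is the
    # check that fails after the guide's script sets directories to 0750.
    st = os.stat(challenge)
    name, uid, gids = users[0]
    if not allowed(st.st_mode, st.st_uid, st.st_gid, uid, gids, W | X):
        return f"{name} cannot write to {challenge} (mode {oct(stat.S_IMODE(st.st_mode))})"
    return None
```

Run it as `check_webroot('/var/www/letsencrypt', 'acmeuser', '<web user>')`, where the second user is whatever the `user` directive in nginx.conf says; with the guide's 0750 directories it reports acme-challenge as unwritable for acmeuser, and after `chmod -R 775 /var/www/letsencrypt` it returns None.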

you only need to edit the permission script if it’s executed again and/or via cron.
but better safe than sorry. :wink:

Really quick who is hosting your Nextcloud and is the firewall re-directing port 80 to port 443?

Hello sdeskgeo,

I am self hosting my Nextcloud system and yes, I have a redirect to port 443.
Why do you ask this?

I responded with an email; I’m not sure you got it, so I’ll respond here: change the port 80 redirect back to port 80 if you’re redirecting it to port 443, or the challenge will never work. Give that a try and let me know.

Did it work?

Hi sdeskgeo,

I got it working by following the advice from Reiner_Nippes. It was a permissions issue with the script.