Letsencrypt cert does not work under my domain but with external

I have an issue with the letsencrypt certificate. When I get the certificate via the ncp admin panel it does not work for my domain.

First I followed the guide How to get certificate with Letsencrypt using DNS to verify domain, because getting the certificate via the ncp admin panel did not work. After that I could execute it (logs attached).

I use NCP version 1.55.3 on a Raspberry Pi 5.

There must be something wrong with my configuration, but I cannot find it. Can anybody help?

If I curl myExternalIP I get the right certificate:

* Server certificate:
*  subject: CN=nc.myDomain.tld
*  start date: Jan 26 07:12:08 2025 GMT
*  expire date: Apr 26 07:12:07 2025 GMT
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing

But if I curl nc.myDomain.tld I get the wrong one:

* Server certificate:
*  subject: CN=nc.myDomain.tld
*  start date: Jan  1 00:01:13 1970 GMT
*  expire date: Jan 16 00:01:13 2038 GMT
*  issuer: CN=nc.myDomain.tld
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1

The curious thing is that somehow the page I get back is from my FritzBox. (This is what curl nc.myDomain.tld returns.)

<!DOCTYPE html>
<html lang="de">
<head>
.
.
.
  <title>
      FRITZ!Box
  </title>
</head>

ncp.log:

Installing template 'nextcloud.conf.sh'...
INFO: Letsencrypt domain is nc.myDomain.tld
INFO: Metrics enabled: no
Apache self check:
Syntax OK
System config value trusted_domains => 11 set to string nc.myDomain.tld
System config value trusted_domains => 3 set to string nc.myDomain.tld
System config value overwrite.cli.url set to string https://nc.myDomain.tld/
System config value trusted_proxies => 11 set to string 127.0.0.1
System config value trusted_proxies => 12 set to string ::1
System config value trusted_proxies => 14 set to string myExternalIP
Setup notify_push (attempt 1/5)
✓ redis is configured
🗴 can't connect to push server: Client error: `GET https://nc.myDomain.tld/push/test/cookie` resulted in a `404 Not Found` response:
<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv=content-type content="text/html; charset=utf-8" />
    <meta http-e (truncated...)

Setup notify_push (attempt 5/5)
✓ redis is configured
🗴 can't connect to push server: Client error: `GET https://nc.myDomain.tld/push/test/cookie` resulted in a `404 Not Found` response:
<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv=content-type content="text/html; charset=utf-8" />
    <meta http-e (truncated...)

letsencrypt.log

2025-01-26 08:10:40,869:DEBUG:acme.client:Storing nonce: KY2mD_AjpWQtXx94MS59a4GAgD_d2z2WA3I6t-3lur1KuRluOsc
2025-01-26 08:10:40,871:DEBUG:certbot._internal.storage:Writing new private key to /etc/letsencrypt/archive/nc.myDomain.tld/privkey8.pem.
2025-01-26 08:10:40,871:DEBUG:certbot._internal.storage:Writing certificate to /etc/letsencrypt/archive/nc.myDomain.tld/cert8.pem.
2025-01-26 08:10:40,871:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/archive/nc.myDomain.tld/chain8.pem.
2025-01-26 08:10:40,872:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/archive/nc.myDomain.tld/fullchain8.pem.
2025-01-26 08:10:40,872:DEBUG:certbot._internal.cli:Var authenticator=webroot (set by user).
2025-01-26 08:10:40,872:DEBUG:certbot._internal.cli:Var webroot_path=/var/www/nextcloud (set by user).
2025-01-26 08:10:40,873:DEBUG:certbot._internal.cli:Var webroot_path=/var/www/nextcloud (set by user).
2025-01-26 08:10:40,873:DEBUG:certbot._internal.cli:Var webroot_map={'webroot_path'} (set by user).
2025-01-26 08:10:40,873:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/nc.myDomain.tld.conf.new.
2025-01-26 08:10:40,875:INFO:certbot.compat.misc:Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
2025-01-26 08:10:42,625:DEBUG:certbot._internal.display.obj:Notifying user: 
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/nc.myDomain.tld/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/nc.myDomain.tld/privkey.pem
This certificate expires on 2025-04-26.

/etc/apache2/sites-enabled/000-default.conf

<VirtualHost _default_:80>
  DocumentRoot /var/www/nextcloud
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^.well-known/acme-challenge/ - [L]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
  </IfModule>
  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    LimitRequestBody 0
  </Directory>
</VirtualHost>

/etc/apache2/sites-enabled/001-nextcloud.conf:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    DocumentRoot /var/www/nextcloud
    ServerName nc.myDomain.tld
    CustomLog /var/log/apache2/nc-access.log combined
    ErrorLog  /var/log/apache2/nc-error.log
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile   /etc/letsencrypt/live/nc.myDomain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/nc.myDomain.tld/privkey.pem

    # For notify_push app in NC21 (the more specific /push/ws rule must come before /push/)
    ProxyPass /push/ws ws://127.0.0.1:7867/ws
    ProxyPass /push/ http://127.0.0.1:7867/
    ProxyPassReverse /push/ http://127.0.0.1:7867/
  </VirtualHost>
</IfModule>

ls -lah /etc/letsencrypt/live/nc.myDomain.tld/
total 12K
drwxr-xr-x 2 root root 4.0K Jan 26 08:10 .
drwxrwxr-x 3 root root 4.0K Oct 15 12:16 ..
lrwxrwxrwx 1 root root   48 Jan 26 08:10 cert.pem -> ../../archive/nc.myDomain.tld/cert8.pem
lrwxrwxrwx 1 root root   49 Jan 26 08:10 chain.pem -> ../../archive/nc.myDomain.tld/chain8.pem
lrwxrwxrwx 1 root root   53 Jan 26 08:10 fullchain.pem -> ../../archive/nc.myDomain.tld/fullchain8.pem
lrwxrwxrwx 1 root root   51 Jan 26 08:10 privkey.pem -> ../../archive/nc.myDomain.tld/privkey8.pem

/etc/apache2/sites-enabled/nextcloud.conf

array (
    0 => 'nc.myDomain.tld',
    2 => 'localhost',
    7 => 'nextcloudpi',
    5 => 'nextcloudpi.local',
    8 => 'nextcloudpi.lan',
    3 => 'nc.myDomain.tld',
    11 => 'nc.myDomain.tld',
    1 => '192.168.178.35',
    14 => 'nextcloudpi',
    20 => 'nc.myDomain.tld',
    21 => '192.168.178.35',
    22 => 'myExternalIP',

Check the DNS-Rebind setting in your fritz.box (network settings).

Thanks for the help.
Now I can access nextcloud if I am NOT connected to my wifi (where the nextcloud is as well). If I am not connected to the wifi, I have access to my nextcloud. If I go to my domain while connected to my wifi, I see the login screen of my fritz.box.
Is there a way to stay in my wifi and access nextcloud via my domain?

I have dyndns on my fritz.box.

I think it’s “truncating network devices”; I don’t know how it is done in which Windows edition.
If I remember right, in OpenBSD it is not more than 5 lines in a config file.

Funny thing: currently I can access nextcloud under the domain from my PC, but not from my phone (both connected to my wifi).
On my phone I currently get the fritz.box certificate, and on my PC I get the correct Let's Encrypt one. I’m confused.

The certificate only works if you call your server using its public domain name. The internal names, like nextcloudpi.local, cannot be verified, because the certificate doesn’t know them.
So the call via WiFi from the internal network and the call from the internet must be the same.
Check the DNS inside your local network, so that your public domain does not point to the internal server’s address but to the external one.

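The comparison done by hand earlier in the thread (curl against the external IP versus against the domain name) and the advice above to check what the local resolver returns for the public name can be scripted. The following is an added example and not part of the original thread or of NextcloudPi: it resolves the name through the local resolver and through an external one, reads the subject and issuer of the certificate actually presented on port 443 with SNI set, and reports whether the two answers agree and whether the certificate is self-signed (issuer equal to subject, as in the second curl output above). The host name, the external resolver 1.1.1.1 and the tools used (getent, dig, openssl) are assumptions; the decision logic lives in `diagnose` so it can be exercised with constructed values without network access.

```shell
#!/bin/sh
# Added diagnostic for the symptom discussed above: the public name serves a
# different certificate from inside the LAN than from outside. Not part of
# NextcloudPi. Assumptions: NC_HOST is the public name, PUBLIC_RESOLVER is a
# resolver outside the LAN, and getent, dig and openssl are installed.

# 0 when the IPv4 address is RFC 1918 private or loopback, 1 otherwise.
is_private_v4() {
  case "$1" in
    10.*|192.168.*|127.*)                  return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *)                                     return 1 ;;
  esac
}

# Pure decision logic, testable without network access.
# Args: <local resolver answer> <public resolver answer> <cert subject CN> <cert issuer CN>
# Prints one verdict line; exit status 0 only when DNS and certificate are consistent.
diagnose() {
  local_ip=$1; public_ip=$2; subject=$3; issuer=$4
  if [ "$subject" = "$issuer" ]; then
    cert_state="self-signed certificate for $subject"   # issuer == subject
  else
    cert_state="certificate issued by $issuer"
  fi
  if [ -z "$local_ip" ]; then
    echo "FAIL: local resolver returned nothing for the name (DNS rebind protection or missing record); served: $cert_state"
    return 1
  fi
  if [ "$local_ip" != "$public_ip" ]; then
    if is_private_v4 "$local_ip"; then
      echo "SPLIT: local resolver answers $local_ip (private), public DNS answers $public_ip; served: $cert_state"
    else
      echo "MISMATCH: local resolver answers $local_ip, public DNS answers $public_ip; served: $cert_state"
    fi
    return 1
  fi
  if [ "$subject" = "$issuer" ]; then
    echo "FAIL: name resolves to $local_ip everywhere, but the listener presents a $cert_state (another device answering on 443?)"
    return 1
  fi
  echo "OK: $local_ip from both resolvers, $cert_state"
  return 0
}

# Extract the CN from an "openssl x509 -subject" / "-issuer" line, in either
# the "CN = x" or the older "/CN=x" format; the last CN in the line wins.
cn_of() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Live probe, only when NC_HOST is set:  NC_HOST=nc.example.tld sh diag.sh
if [ -n "${NC_HOST:-}" ]; then
  PUBLIC_RESOLVER=${PUBLIC_RESOLVER:-1.1.1.1}
  local_ans=$(getent ahostsv4 "$NC_HOST" | awk 'NR==1 {print $1}')
  public_ans=$(dig +short A "$NC_HOST" @"$PUBLIC_RESOLVER" | grep -v '\.$' | head -n 1)
  # SNI set to the host name, exactly as a browser would send it.
  certinfo=$(printf '' | openssl s_client -connect "$NC_HOST:443" -servername "$NC_HOST" 2>/dev/null \
             | openssl x509 -noout -subject -issuer 2>/dev/null)
  subject=$(cn_of "$(printf '%s\n' "$certinfo" | grep '^subject')")
  issuer=$(cn_of "$(printf '%s\n' "$certinfo" | grep '^issuer')")
  diagnose "$local_ans" "$public_ans" "$subject" "$issuer"
fi
```

Run it once from inside the WiFi and once from outside (or through mobile data); a SPLIT verdict with a self-signed certificate is the FritzBox answering for its own DynDNS name, an OK verdict on both sides means the rebind exception or port forwarding is in place.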

Thank you, I think that must be the problem. The question is how I can check my local DNS. I have a Fritz.box 6660 Cable modem. As far as I see it, I can only change the local DNS server, but I want to use the fritz.box one.

You should only use one DNS server in your network.
If you want to use the FritzBox as DNS server, all computers should point to it as their DNS server. In that case your mobile phone should also point to the FritzBox as its DNS server.

I hope your Nextcloud server’s computer name is NOT the domain name.

I only have one DNS server, and the server’s computer name is not the name of the domain.

Hmmm, I do not understand why you get the FritzBox login page when you call your Nextcloud domain. Somewhere there must be an entry pointing to the network-internal IP address of your FritzBox instead of your Nextcloud server.

Are ports 80 and 443 both forwarded to your Nextcloud server in the port-forwarding settings of your FritzBox?

I have no more idea.


Yes, they are. I changed the subdomain and it works now. I think it is OK that way for me. Thank you for your help anyway; I really appreciate it. You pointed me in the right direction.
