Letsencrypt certificate renewal fails with well hardened Nextcloud 15.04 server

I just deleted all log files, then ran

certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/my.domain.tld.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my.domain.tld
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (my.domain.tld) from /etc/letsencrypt/renewal/my.domain.tld.conf produced an unexpected error: Failed authorization procedure. my.domain.tld (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domain.tld/.well-known/acme-challenge/kv-j88f23JWiAM07N_I1-7ExM8lOVrmvkU7A9_hCe9s: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my.domain.tld/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my.domain.tld/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: my.domain.tld
    Type: connection
    Detail: Fetching
    http://my.domain.tld/.well-known/acme-challenge/kv-j88f23JWiAM07N_I1-7ExM8lOVrmvkU7A9_hCe9s:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

with the following result in the error log

/etc/httpd/logs/error_log
[Wed Feb 13 21:49:45.796310 2019] [lbmethod_heartbeat:notice] [pid 19057:tid 140031319456000] AH02282: No slotmem from mod_heartmonitor
[Wed Feb 13 21:49:45.800174 2019] [mpm_event:notice] [pid 19057:tid 140031319456000] AH00489: Apache/2.4.38 (Fedora) OpenSSL/1.1.1a mod_perl/2.0.10 Perl/v5.28.1 configured -- resuming normal operations
[Wed Feb 13 21:49:45.800199 2019] [core:notice] [pid 19057:tid 140031319456000] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Feb 13 21:49:52.307881 2019] [mpm_event:notice] [pid 19057:tid 140031319456000] AH00493: SIGUSR1 received.  Doing graceful restart
[Wed Feb 13 21:49:52.392284 2019] [lbmethod_heartbeat:notice] [pid 19057:tid 140031319456000] AH02282: No slotmem from mod_heartmonitor
[Wed Feb 13 21:49:52.396561 2019] [mpm_event:notice] [pid 19057:tid 140031319456000] AH00489: Apache/2.4.38 (Fedora) OpenSSL/1.1.1a mod_perl/2.0.10 Perl/v5.28.1 configured -- resuming normal operations
[Wed Feb 13 21:49:52.396583 2019] [core:notice] [pid 19057:tid 140031319456000] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

and the following results in

/var/log/letsencrypt/letsencrypt.log
[root@wind letsencrypt]# cat letsencrypt.log
2019-02-13 22:01:36,177:DEBUG:certbot.main:certbot version: 0.30.2
2019-02-13 22:01:36,177:DEBUG:certbot.main:Arguments: ['--dry-run']
2019-02-13 22:01:36,177:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-13 22:01:36,202:DEBUG:certbot.log:Root logging level set at 20
2019-02-13 22:01:36,202:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-13 22:01:36,256:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fb95533bf28> and installer <certbot.cli._Default object at 0x7fb95533bf28>
2019-02-13 22:01:36,256:DEBUG:certbot.cli:Var dry_run=True (set by user).
2019-02-13 22:01:36,256:DEBUG:certbot.cli:Var server={'dry_run', 'staging'} (set by user).
2019-02-13 22:01:36,256:DEBUG:certbot.cli:Var dry_run=True (set by user).
2019-02-13 22:01:36,257:DEBUG:certbot.cli:Var server={'dry_run', 'staging'} (set by user).
2019-02-13 22:01:36,257:DEBUG:certbot.cli:Var account={'server'} (set by user).
2019-02-13 22:01:36,292:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-02-17 00:10:33 UTC.
2019-02-13 22:01:36,293:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2019-02-13 22:01:36,293:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-02-13 22:01:36,445:DEBUG:certbot_apache.configurator:Apache version is 2.4.38
2019-02-13 22:01:36,826:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7fb95533f5f8>
Prep: True
2019-02-13 22:01:36,827:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7fb95533f5f8>
Prep: True
2019-02-13 22:01:36,827:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_centos.CentOSConfigurator object at 0x7fb95533f5f8> and installer <certbot_apache.override_centos.CentOSConfigurator object at 0x7fb95533f5f8>
2019-02-13 22:01:36,827:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2019-02-13 22:01:36,874:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fb9553ab390>)>), contact=(), agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', status='valid', terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/5781483', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), a1b301d8e0e8670600499f3098dbef10, Meta(creation_dt=datetime.datetime(2018, 3, 21, 17, 33, 22, tzinfo=<UTC>), creation_host='wind'))>
2019-02-13 22:01:36,875:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2019-02-13 22:01:36,877:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2019-02-13 22:01:37,099:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
2019-02-13 22:01:37,100:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 724
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:37 GMT
Connection: keep-alive

{
  "LcT-HT3DNPQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2019-02-13 22:01:37,100:INFO:certbot.main:Renewing an existing certificate
2019-02-13 22:01:37,169:DEBUG:acme.client:Requesting fresh nonce
2019-02-13 22:01:37,169:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2019-02-13 22:01:37,342:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2019-02-13 22:01:37,343:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Replay-Nonce: SizR-C-h3V6Z34QwI8PnpWH_mkw0KB3DgJLJ6t4Q4-Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 0
Expires: Wed, 13 Feb 2019 21:01:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:37 GMT
Connection: keep-alive


2019-02-13 22:01:37,344:DEBUG:acme.client:Storing nonce: SizR-C-h3V6Z34QwI8PnpWH_mkw0KB3DgJLJ6t4Q4-Y
2019-02-13 22:01:37,344:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "my.domain.tld"\n    }\n  ]\n}'
2019-02-13 22:01:37,346:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NzgxNDgzIiwgIm5vbmNlIjogIlNpelItQy1oM1Y2WjM0UXdJOFBucFdIX21rdzBLQjNEZ0pMSjZ0NFE0LVkiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "IQrHL6xohNHfrb0daRSxWWaeyGmbfZF8JN1e-_38QGfu7vkGFLKAxY0ReLToPsFVKseammI0zbn4jdDF8rhhntvJ2rrl49JL7Nf860I10INpfJGAoXGhdIrP6xLQD4Z7DwOLhOskCzE9_B_lId0zqV4chtoDoHlHhk1SczuZ93H0aAm6khRHBWo68DSjIgtIldzOv0NHm_tR5VhmSWTePnkl9uyE1MJwJbEcK0jwys8jmz7QwWqB2NSr_bZAs69hgkOgMNSQvSl4VwP6FTMNUV96hJE48HM7c7l2gwjcp_OKnP_Vk-5KUvh6O8ZonK8VyH911EEschmYNf1qsMxjIQ",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm1haWVyLmR5bi5jYyIKICAgIH0KICBdCn0"
}
2019-02-13 22:01:37,550:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 383
2019-02-13 22:01:37,552:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 383
Boulder-Requester: 5781483
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/5781483/23407653
Replay-Nonce: vQOBS_cgG2ZQ8ESeRtnaXPx_eMJCy835uWkWHZmfJaI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:37 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2019-02-20T21:01:37.4354776Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "my.domain.tld"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/5781483/23407653"
}
2019-02-13 22:01:37,552:DEBUG:acme.client:Storing nonce: vQOBS_cgG2ZQ8ESeRtnaXPx_eMJCy835uWkWHZmfJaI
2019-02-13 22:01:37,553:DEBUG:acme.client:JWS payload:
b''
2019-02-13 22:01:37,559:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NzgxNDgzIiwgIm5vbmNlIjogInZRT0JTX2NnRzJaUThFU2VSdG5hWFB4X2VNSkN5ODM1dVdrV0habWZKYUkiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovcWlWZG9GZnRnNlh3d3lUX2lZUEhnbFhwZmlXVUxvM04zMjR1MkhFZ0ZjZyJ9",
  "signature": "Bb4qaSZ-aNl4q9kairT5hg6DxvZ1oNDhuaff5aplszCruhM6TVMtJR3FdP5GerVQrMQtz3qFYGPpEq-DfGcDSil74Hc4QT4QQrqv_9Liv_-MEEnsVCJyVbLt7CM5Dj3cnI60uy5wwzC3ENuZo0Cdjm44ZW-zWP0Lef8zxxQvW9i1KakryHvZNj5e4pLn3XYKyrl4ZL0QsHiqtlTShGjNq5ADNIaaIzksXfqR_iMmvwNeQc0U2_DVu8MfTaZzsBRCZlovOpwchk8eDRswDf83M4pC0YlO9PE6mkaGlAdnaZGj5B5cWcaVdUIzQwEwMJhvdo64bkZld0m6vixE4BPYZg",
  "payload": ""
}
2019-02-13 22:01:37,748:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg HTTP/1.1" 200 925
2019-02-13 22:01:37,748:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 925
Boulder-Requester: 5781483
Replay-Nonce: Rz4Qxlh6VtSIgSGLIzNeFek4_w2n4-iBv9fDbj04dos
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:37 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "my.domain.tld"
  },
  "status": "pending",
  "expires": "2019-02-20T21:01:37Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543471",
      "token": "okOOTvJoxY_KRrJgl3ibZUoaDrAKUbFodjvaEk0PUmQ"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543472",
      "token": "SB8EO5Hw3FYeB38nWWu4nt62Y9gjM5HvoqfJGDwdW1U"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473",
      "token": "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0"
    }
  ]
}
2019-02-13 22:01:37,749:DEBUG:acme.client:Storing nonce: Rz4Qxlh6VtSIgSGLIzNeFek4_w2n4-iBv9fDbj04dos
2019-02-13 22:01:37,749:INFO:certbot.auth_handler:Performing the following challenges:
2019-02-13 22:01:37,749:INFO:certbot.auth_handler:http-01 challenge for my.domain.tld
2019-02-13 22:01:37,795:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: None in: /etc/httpd/conf.d/http_my.conf
2019-02-13 22:01:37,796:DEBUG:certbot_apache.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
2019-02-13 22:01:37,796:DEBUG:certbot_apache.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
2019-02-13 22:01:37,806:DEBUG:certbot.reverter:Creating backup of /etc/httpd/conf.d/http_my.conf
2019-02-13 22:01:40,995:INFO:certbot.auth_handler:Waiting for verification...
2019-02-13 22:01:40,996:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "keyAuthorization": "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0.zrqieU9qr0gYnCMun8hMyKi4jlGEBdb6XML5Pj8Cy4E",\n  "type": "http-01"\n}'
2019-02-13 22:01:40,998:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NzgxNDgzIiwgIm5vbmNlIjogIlJ6NFF4bGg2VnRTSWdTR0xJek5lRmVrNF93Mm40LWlCdjlmRGJqMDRkb3MiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGxlbmdlL3FpVmRvRmZ0ZzZYd3d5VF9pWVBIZ2xYcGZpV1VMbzNOMzI0dTJIRWdGY2cvMjQ1NTQzNDczIn0",
  "signature": "QJlBA3hFYOb0aatmCywW-w2D-8Mg13KGjCkKwav7NK18_gzuOnUbHV_h_EqkO9gUS2JdzouM4JnqxKpXY2rFGBZ8z4a6Jld_pdJL7LwmSzR-UZSuhKyuUp7x1sB-626dm_lqIN00My4r3DjRf7hl9n83zUHzdI8dsZvYbUHvzzRqfJ0PN8lE-kFzkaFAHtG1G1Lbe8xhE2ja3Nc5Sw_NfEAbUo0LNwpnA_ye9T-WNwnI4PgTD2fiAnk1ENNH97eXiZyyU3l2Fkv7w1r0PUg7befhWxuie4ucItxAAAXlK9Mu2ZHrw1zAFdMHpbzfKVcqfnoqgW4_HIgtbAtKLB3UBg",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogInZjNlFNVVRfb0h5d3pKNHJLbFNKYjNjZlAwMHlXandVc3dCa3NhOWZzcDAuenJxaWVVOXFyMGdZbkNNdW44aE15S2k0amxHRUJkYjZYTUw1UGo4Q3k0RSIsCiAgInR5cGUiOiAiaHR0cC0wMSIKfQ"
}
2019-02-13 22:01:41,189:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473 HTTP/1.1" 200 230
2019-02-13 22:01:41,190:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 5781483
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473
Replay-Nonce: CNM-Bf1gWE3y53fWUMfkAM5H5rKYHf2rm_1t_TZEe3c
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:41 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473",
  "token": "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0"
}
2019-02-13 22:01:41,190:DEBUG:acme.client:Storing nonce: CNM-Bf1gWE3y53fWUMfkAM5H5rKYHf2rm_1t_TZEe3c
2019-02-13 22:01:44,194:DEBUG:acme.client:JWS payload:
b''
2019-02-13 22:01:44,196:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NzgxNDgzIiwgIm5vbmNlIjogIkNOTS1CZjFnV0UzeTUzZldVTWZrQU01SDVyS1lIZjJybV8xdF9UWkVlM2MiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovcWlWZG9GZnRnNlh3d3lUX2lZUEhnbFhwZmlXVUxvM04zMjR1MkhFZ0ZjZyJ9",
  "signature": "IiuwYEyXmt7IQ_QSnbxXGF125hXtbAQz4UGOsnvjomZA9Q4v113bLzs4oBt-9fSNbvBi1JkJ0gw_eEKtqfGtiFmOmgLyZ46Czl8uFfUUWLorMli6Px5_KuxTu7I6tszK3o6jQmiz_Pm9UkOvHdfDcEltAhqtetEuunnUABk5m83gb0njKjDJj6nUzwJQvil-npllZ_bg3JMmImXQPhAxfRsT376Lvuci70VS_hIXBWBWLMfJiqRkSJ18QcxirSUjxi-wCaK_XCzWXSLkOdIHSaNlFGxN303wJ-P0Goa6WoTyr_9OP_6vwTpcuWKFS6Ay6yUi64TdoM2m_scBwmQZiw",
  "payload": ""
}
2019-02-13 22:01:44,391:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg HTTP/1.1" 200 925
2019-02-13 22:01:44,392:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 925
Boulder-Requester: 5781483
Replay-Nonce: F9hfj2hnqJyVOqV2z4xjh7_w4w0A7noQML_sQ8-nx94
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:44 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "my.domain.tld"
  },
  "status": "pending",
  "expires": "2019-02-20T21:01:37Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543471",
      "token": "okOOTvJoxY_KRrJgl3ibZUoaDrAKUbFodjvaEk0PUmQ"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543472",
      "token": "SB8EO5Hw3FYeB38nWWu4nt62Y9gjM5HvoqfJGDwdW1U"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473",
      "token": "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0"
    }
  ]
}
2019-02-13 22:01:44,392:DEBUG:acme.client:Storing nonce: F9hfj2hnqJyVOqV2z4xjh7_w4w0A7noQML_sQ8-nx94
2019-02-13 22:01:47,395:DEBUG:acme.client:JWS payload:
b''
2019-02-13 22:01:47,396:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NzgxNDgzIiwgIm5vbmNlIjogIkY5aGZqMmhucUp5Vk9xVjJ6NHhqaDdfdzR3MEE3bm9RTUxfc1E4LW54OTQiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovcWlWZG9GZnRnNlh3d3lUX2lZUEhnbFhwZmlXVUxvM04zMjR1MkhFZ0ZjZyJ9",
  "signature": "GrMTwoVl9x2euCAzec3jtdI8rpaNL7naB2VzWWi1i7k7CnKeh5r47KAO2seBMEjMPJJCdZnDGXTcwWnXRzmVGbOo7qEOJ8eV2pL0__Si68QXMsVKJGmMXa8qoHQc3ENTRw7h0CVhBZ_Hdj5tB8n0hMzziwY3MCL_hvNC6CSaUbbDHJ7-u3xiYJ2TfrhS23nMkJ0eiQQyBCSlydIXIHGA_xFdh54pmXCx2AAM_If4Qxet5-wANmXg4cllR0hPQ2DF4mKfZgw3EhlwMWxBP8lXGOjJw3wwTiPuE0CHLbZZq3qhETvew0UkPOSK32oNVUSV-8rhHtAP8bMO9a6smK5C5w",
  "payload": ""
}
2019-02-13 22:01:47,593:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg HTTP/1.1" 200 1527
2019-02-13 22:01:47,594:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1527
Boulder-Requester: 5781483
Replay-Nonce: _iA3lzqcpVmd2fpBYl7Fo3nowmf4jQQivNwlYI_-C_k
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 13 Feb 2019 21:01:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 13 Feb 2019 21:01:47 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "my.domain.tld"
  },
  "status": "invalid",
  "expires": "2019-02-20T21:01:37Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543471",
      "token": "okOOTvJoxY_KRrJgl3ibZUoaDrAKUbFodjvaEk0PUmQ"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543472",
      "token": "SB8EO5Hw3FYeB38nWWu4nt62Y9gjM5HvoqfJGDwdW1U"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0: Error getting validation data",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/qiVdoFftg6XwwyT_iYPHglXpfiWULo3N324u2HEgFcg/245543473",
      "token": "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0",
      "validationRecord": [
        {
          "url": "http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0",
          "hostname": "my.domain.tld",
          "port": "80",
          "addressesResolved": [
            "87.181.165.82"
          ],
          "addressUsed": "87.181.165.82"
        }
      ]
    }
  ]
}
2019-02-13 22:01:47,594:DEBUG:acme.client:Storing nonce: _iA3lzqcpVmd2fpBYl7Fo3nowmf4jQQivNwlYI_-C_k
2019-02-13 22:01:47,595:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: my.domain.tld
Type:   connection
Detail: Fetching http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0: Error getting validation data

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2019-02-13 22:01:47,596:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. my.domain.tld (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0: Error getting validation data

2019-02-13 22:01:47,596:DEBUG:certbot.error_handler:Calling registered functions
2019-02-13 22:01:47,596:INFO:certbot.auth_handler:Cleaning up challenges
2019-02-13 22:01:47,925:WARNING:certbot.renewal:Attempting to renew cert (my.domain.tld) from /etc/letsencrypt/renewal/my.domain.tld.conf produced an unexpected error: Failed authorization procedure. my.domain.tld (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0: Error getting validation data. Skipping.
2019-02-13 22:01:47,926:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 1192, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3.7/site-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3.7/site-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.7/site-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. my.domain.tld (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domain.tld/.well-known/acme-challenge/vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0: Error getting validation data

2019-02-13 22:01:47,927:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-02-13 22:01:47,927:ERROR:certbot.renewal:  /etc/letsencrypt/live/my.domain.tld/fullchain.pem (failure)
2019-02-13 22:01:47,927:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.30.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 1271, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3.7/site-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
[root@wind letsencrypt]# 
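The log above shows the staging CA resolving my.domain.tld, fetching the challenge URL and giving up with "Error getting validation data", but nothing about what it saw on the way. The script below is an added example for reproducing that fetch offline; it is not code from this thread, from Certbot or from Let's Encrypt. It computes the key authorization the CA expects at the challenge URL (token plus the RFC 7638 thumbprint of the account key) and then follows the URL the way a validator does, stopping on an unsupported scheme or port, a redirect loop or a body that is not the key authorization. The HTTP layer is an injected function, so the three constructed scenarios (a working HTTP-to-HTTPS redirect, two rewrite layers bouncing the request between schemes, and an ErrorDocument serving the login page instead of the file) replay from a dict; the token is the one from the log, the JWK is a made-up placeholder and the redirect limit of 10 is an assumption taken from Let's Encrypt's documentation.

```python
"""Replay what an ACME CA's http-01 validator does when it fetches
http://<domain>/.well-known/acme-challenge/<token>.

Added example for debugging a failing renewal; it is not code from the
forum thread, Certbot or Let's Encrypt.  The HTTP layer is an injected
callable, so redirect chains (including the redirect loop the thread
mentions) are replayed from constructed responses with no network.
"""
import base64
import hashlib
import json
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

Response = Tuple[int, Dict[str, str], bytes]   # (status, lower-cased headers, body)
Fetcher = Callable[[str], Response]

# Assumed limit: Let's Encrypt documents following a small fixed number of
# redirects (10 at the time of writing); a loop always exhausts it.
MAX_REDIRECTS = 10


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: '<token>.<thumbprint>' is the body the CA expects."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def validate_http01(domain: str, token: str, jwk: dict, fetch: Fetcher,
                    max_redirects: int = MAX_REDIRECTS) -> Tuple[bool, str, List[str]]:
    """Follow the challenge URL like a validator; return (ok, reason, urls_visited)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    expected = key_authorization(token, jwk).encode("ascii")
    visited: List[str] = []
    for _ in range(max_redirects + 1):
        visited.append(url)
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("location")
            if not location:
                return False, f"HTTP {status} without Location at {url}", visited
            nxt = urljoin(url, location)               # relative Location is allowed
            parts = urlsplit(nxt)
            if parts.scheme not in ("http", "https") or parts.port not in (None, 80, 443):
                return False, f"redirect to non-validatable target {nxt}", visited
            if nxt in visited:
                return False, f"redirect loop back to {nxt}", visited
            url = nxt
            continue
        if status != 200:
            return False, f"HTTP {status} at {url} (ErrorDocument or missing file?)", visited
        if body.strip() != expected:
            return False, "200 but body is not the key authorization (index page served?)", visited
        return True, "ok", visited
    return False, f"more than {max_redirects} redirects", visited


# ---- constructed scenarios: no real key, no real host ---------------------
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
TOKEN = "vc6QMUT_oHywzJ4rKlSJb3cfP00yWjwUswBksa9fsp0"   # token from the thread's log
HTTP_URL = f"http://my.domain.tld/.well-known/acme-challenge/{TOKEN}"
HTTPS_URL = HTTP_URL.replace("http://", "https://", 1)


def fetcher_from(table: Dict[str, Response]) -> Fetcher:
    return lambda url: table.get(url, (404, {}, b"<html>not found</html>"))


# 1. HTTP -> HTTPS redirect, then the file is served: a working setup.
GOOD = fetcher_from({
    HTTP_URL: (301, {"location": HTTPS_URL}, b""),
    HTTPS_URL: (200, {}, key_authorization(TOKEN, SAMPLE_JWK).encode() + b"\n"),
})
# 2. Two rewrite layers bouncing the request between schemes: 'Too many Redirection'.
LOOP = fetcher_from({
    HTTP_URL: (301, {"location": HTTPS_URL}, b""),
    HTTPS_URL: (302, {"location": HTTP_URL}, b""),
})
# 3. File missing and 'ErrorDocument 404 /' hands back the login page instead.
ERRORDOC = fetcher_from({
    HTTP_URL: (301, {"location": HTTPS_URL}, b""),
    HTTPS_URL: (404, {}, b"<html>Nextcloud login</html>"),
})

if __name__ == "__main__":
    for name, fetch in (("good", GOOD), ("loop", LOOP), ("errordoc", ERRORDOC)):
        ok, why, chain = validate_http01("my.domain.tld", TOKEN, SAMPLE_JWK, fetch)
        print(f"{name:9s} ok={ok} {why}  via {' -> '.join(chain)}")
```

To run it against the live host, replace the dict-backed fetcher with one that does a single non-following HTTP request per call (curl -I style) and returns status, Location and body; the important part is that the probe starts at plain http:// and does not pre-follow redirects, because that first hop through the HTTPS redirect is exactly where a hardened vhost's rewrite rules act.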

I just tried this as well.
It seems that http://my.domain.tld now opens slightly faster in Firefox than before, but otherwise unfortunately no difference: certbot renewal still fails.

Any idea how to proceed now would be appreciated very much.

Without [R] this is expected since the client (browser) is not forced to send a new request. However, I believe no real HTTPS connection is established then, since the rewrite is done only server-internally. So that was only for testing reasons.


At least that gave me the chance to check as well that http://my.domain.tld/ to that dir indeed works well, as long as the file exists. Without the file existing, /var/www/nextcloud/.htaccess will redirect back to the webroot (login page) via

ErrorDocument 403 /
ErrorDocument 404 /

You might want to try removing those lines, or commenting them out temporarily, but that should not cause an issue actually.


Also try to give the webserver user full R/W access to that dir:
chown -R apache:apache /var/www/nextcloud/.well-known

And I found this one: .htaccess - Reset htacces for sub-folders - Stack Overflow
Test, to disable all parent rewrite rules:
echo -e 'RewriteEngine Off\nRewriteEngine On' > /var/www/nextcloud/.well-known/.htaccess
Or even just the first line should work.

They are comments now:

#ErrorDocument 403 /
#ErrorDocument 404 /

This I did immediately when I created the test file. It is unchanged since, see:

ll -R /var/www/nextcloud/.well-known
/var/www/nextcloud/.well-known:
total 12
drwxr-xr-x.  3 apache apache 4096 11. Feb 22:28 ./
drwxr-x---. 15 apache apache 4096 11. Feb 22:27 ../
drwxr-xr-x.  2 apache apache 4096 11. Feb 22:28 acme-challenge/

/var/www/nextcloud/.well-known/acme-challenge:
total 12
drwxr-xr-x. 2 apache apache 4096 11. Feb 22:28 ./
drwxr-xr-x. 3 apache apache 4096 11. Feb 22:28 ../
-rw-r--r--. 1 apache apache   39 11. Feb 22:28 test

Now there is /var/www/nextcloud/.well-known/.htaccess with content:

RewriteEngine Off
RewriteEngine On

Not that it would confuse me, because I can undo the steps above, which were just for testing, but meanwhile we stopped a bit too much of the redirection, I feel. Logging in as admin into Nextcloud I get the following:

There are some warnings regarding your system configuration.

One trivial question:
Is checking with

certbot renew --dry-run

which still fails, the right thing to do for testing?
According to Letsencrypt my certificate should have been expired yesterday, but I did not add any exception manually and it still works. I’m confused.

Any more ideas?
Let me know how to spend some “credits” for you. Haven’t been posting much ever, so I’m not familiar with that.
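The ll -R listing above is the kind of thing to check mechanically on a hardened host: Apache only serves the challenge file if its account has search (x) permission on every directory from / down and read permission on the file itself. The script below is an added example, not code from this thread, Certbot or Nextcloud. It turns ls -l mode columns into st_mode bits, applies the Unix DAC rule (owner bits if the uid matches, otherwise group bits if the gid is one of the process's groups, otherwise the "other" bits), and reports the first path component that blocks the account. The tree is constructed from the listing in the post, with root-owned parents above /var/www/nextcloud and uid/gid 48 for the apache account assumed (Fedora's default). It covers classic permissions only; the trailing "." in the listing marks an SELinux label, which is a separate check (ls -Z) this code does not make.

```python
"""Check that the web server account can actually reach a file under the
document root, as Apache must when it serves /.well-known/acme-challenge/<token>.

Added example, not code from the thread, Certbot or Nextcloud.  Classic DAC
only; SELinux labels are not modelled.
"""
import stat
from pathlib import PurePosixPath
from typing import Dict, Iterable, Set, Tuple

Entry = Tuple[int, int, int]        # (st_mode, uid, gid)
Tree = Dict[str, Entry]             # absolute path -> Entry

APACHE_UID = APACHE_GID = 48        # assumption: Fedora's 'apache' account


def mode_from_ls(column: str) -> int:
    """'drwxr-x---.' -> st_mode bits.  A trailing '.' or '+' (SELinux/ACL marker)
    is ignored; lowercase s/t count as x set, uppercase S/T as x not set."""
    column = column.rstrip(".+")
    ftype = {"d": stat.S_IFDIR, "-": stat.S_IFREG, "l": stat.S_IFLNK}[column[0]]
    bits = 0
    for i, ch in enumerate(column[1:10]):      # rwx rwx rwx, highest bit first
        if ch not in "-ST":
            bits |= 1 << (8 - i)
    return ftype | bits


def _granted(entry: Entry, proc_uid: int, proc_gids: Set[int], want: int) -> bool:
    """want is stat.S_IROTH / S_IWOTH / S_IXOTH; shifted to the class that applies."""
    mode, uid, gid = entry
    if proc_uid == 0:
        return True                             # root bypasses DAC for read/search
    if proc_uid == uid:
        return bool(mode & (want << 6))
    if gid in proc_gids:
        return bool(mode & (want << 3))
    return bool(mode & want)


def reachable(tree: Tree, path: str, proc_uid: int,
              proc_gids: Iterable[int]) -> Tuple[bool, str]:
    """Walk from '/' down to path as the given account; name the first blocker."""
    gids = set(proc_gids)
    target = PurePosixPath(path)
    for ancestor in reversed(list(target.parents)):     # '/', '/var', '/var/www', ...
        entry = tree.get(str(ancestor))
        if entry is None:
            return False, f"{ancestor}: missing"
        if not stat.S_ISDIR(entry[0]):
            return False, f"{ancestor}: not a directory"
        if not _granted(entry, proc_uid, gids, stat.S_IXOTH):
            return False, f"{ancestor}: no search (x) permission for uid {proc_uid}"
    entry = tree.get(str(target))
    if entry is None:
        return False, f"{target}: missing"
    if not stat.S_ISREG(entry[0]):
        return False, f"{target}: not a regular file"
    if not _granted(entry, proc_uid, gids, stat.S_IROTH):
        return False, f"{target}: not readable by uid {proc_uid}"
    return True, "ok"


# Constructed from the thread's ll -R output; parents above the docroot assumed root:root.
CHALLENGE_FILE = "/var/www/nextcloud/.well-known/acme-challenge/test"
TREE_OK: Tree = {
    "/":        (mode_from_ls("dr-xr-xr-x."), 0, 0),
    "/var":     (mode_from_ls("drwxr-xr-x."), 0, 0),
    "/var/www": (mode_from_ls("drwxr-xr-x."), 0, 0),
    "/var/www/nextcloud":                     (mode_from_ls("drwxr-x---."), APACHE_UID, APACHE_GID),
    "/var/www/nextcloud/.well-known":         (mode_from_ls("drwxr-xr-x."), APACHE_UID, APACHE_GID),
    "/var/www/nextcloud/.well-known/acme-challenge": (mode_from_ls("drwxr-xr-x."), APACHE_UID, APACHE_GID),
    CHALLENGE_FILE:                           (mode_from_ls("-rw-r--r--."), APACHE_UID, APACHE_GID),
}
# Same layout, but the docroot is root-owned 750: a common hardening step that locks apache out.
TREE_HARDENED: Tree = {**TREE_OK, "/var/www/nextcloud": (mode_from_ls("drwxr-x---."), 0, 0)}

if __name__ == "__main__":
    for label, tree in (("as listed", TREE_OK), ("root-owned 750 docroot", TREE_HARDENED)):
        print(label, "->", reachable(tree, CHALLENGE_FILE, APACHE_UID, [APACHE_GID]))
```

The listing in the post passes this check (the 750 on /var/www/nextcloud is harmless because the directory is owned by apache), so on this host a plain permission problem is ruled out for the file path, which is consistent with the challenge being lost at the HTTP layer rather than on disk.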

Ah yeah, makes sense. /var/www/nextcloud/.well-known/acme-challenge/.htaccess would be better to not break the Cal/CardDAV redirection. But Certbot removes the whole dir as a cleanup step after applying the cert, so this would need to be recreated before every renewal.

But it does not work anyway :thinking:, so simply remove the file again. So we are sure now that no rewrite rule is the reason…


Yep, that works fine for testing usually:

2019-02-15 01:34:55 root@micha:/tmp# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/my.domain.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my.domain.org
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/my.domain.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/my.domain.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Okay I am out of ideas for now. Also checked some guide about Fedora + Apache + Certbot but no special requirement mentioned there: Setting up SSL with certbot with Apache and Fedora – The Chewett blog

You ran certbot reasonably with the --apache option. -a webroot -w /var/www/nextcloud is an alternative which could be tried. But most likely this is no solution either. The main issue is still:

HTTP status code: Request failed (Too many Redirection)

But even with all rewrite rules disabled there is no affecting redirect rule, besides the usual HTTP => HTTPS, which works (or should work) well.

I am still thinking if something from your ISP or dyn DNS provider outside of your server might be the reason.


However, until nothing else is found, I would go with temporarily removing the HTTPS redirection to renew the certificate, if this even works?


Disabling all Apache modules and configs and testing from bare empty Apache would be the hammer method to find the affecting thing :laughing:.

I had tried that, I think 3 days ago, simply replacing the entire /etc/httpd with one from a fresh install of Fedora with Apache and removing redirects that I knew of. But it kept ending up in https (due to HSTS??) or I did not catch all redirects - my feeling is there are quite a few - explicit and implicit via defaults…
But we might give it a second try.

a) How does this affect my “production” NC15 install? In general it is used by me and family only, but with quite a few clients. I don’t care for some offline time. But it should be sure to bring back the working state.
b) I guess I would need quite a few instructions. So how much time would it cost roughly? and would you be willing to support?

Or how about switching to acme.sh, which at least postulates to be able to live with port 443?
Would work around the redirection problem, not solving it, right?
And interfere with certbot?
Fedora 29 also has the acme-tiny package available:

Links to acme.sh

https://github.com/Neilpang/acme.sh/blob/master/README.md
with some details here
Using acme.sh script to renew LetsEncrypt certs using non-standard SSL port · GitHub

acme-tiny
usage: acme-tiny [-h] --account-key ACCOUNT_KEY --csr CSR --acme-dir ACME_DIR
             [--quiet] [--disable-check] [--directory-url DIRECTORY_URL]
             [--ca CA] [--contact [CONTACT [CONTACT ...]]]
acme-tiny: error: the following arguments are required: --account-key, --csr, --acme-dir

Sorry for the late reply:

Jep the browser will still end up with HTTPS due to HSTS, however this should not affect Certbot.

a) Of course at first this will break Nextcloud. It would only be the way to debug the “too many redirects” error that most likely breaks Certbot as well. If everything is disabled, so that only Apache plain HTTP/port 80 is active, and Certbot still fails then (and the “too many redirects” error, if this can even be tested on ssllabs then), then you can be sure that it must be either a local network or ISP/dyn DNS provider issue. If it succeeds, you can then step by step re-enable the required/desired modules/configs to check which one causes the failure.

b) Moving out all conf.d and conf.modules.d to a backup location (which also disables .htaccess files according to httpd.conf defaults) and trying to run Certbot should be quick. I am quite sure now (after reviewing all the configs) that it is indeed not a local server config, but a network/ISP/dyn DNS provider related issue, so if the test then fails, you don’t need to mess with the Apache configs anyway. Then it would instead be an idea to test the connection via the external IP (instead of the domain). The browser will complain about a non-matching certificate, but it should be possible to ignore this. Ah, but ssllabs and such only accept domain names… Not sure how to check for the “too many redirects” error then :thinking:. Free SSL Web Server Tester • Wormly Monitoring allows to test IPs, but not sure if it shows HTTP connection issues as well.
Here is a list of SSL checkers: 9 Best SSL Checker for Reliable SSL Inspection to Enhance Security

I will go on assisting you (perhaps with some delay) as soon as you have some results.

Jep acme.sh is actually a nice alternative to Certbot. At least worth giving a try. However take care that it just renews the cert given from Certbot (inside /etc/letsencrypt/live/my.domain.org/, at least on Debian :wink:). Should be possible to configure this. If it succeeds then you can even have it create a systemd unit or automated renewal similar to Certbot. Then uninstall Certbot, keeping its config files, at least: /etc/letsencrypt/options-ssl-apache.conf which enables some reasonable SSL config defaults.

Back again after setting up 2 more Fedora machines and exchanging my Nextcloud 500GB drive by a 2TB SSD :slight_smile:

Tried this yesterday, but it does not work. The conf.d content is inserted via an "Include", not an "IncludeOptional", in httpd.conf, so I had to bring that back, which again loads all Apache modules. Commenting, i.e. deactivating, them partly did not work, because httpd would not restart, complaining about a missing “User”, and I did not know which of the 30+ modules is responsible for that.

ssl.conf was removed, then certbot complained about a missing VirtualHost for *:80. Having that set up, that certbot error was gone, but I was back at the typical certbot error cited above.

I also tried adding /var/www/nextcloud via a <Directory> statement, which does not hurt but does not bring any benefit either.

Positive side effect: Using

journalctl -xe

for debugging made me detect a brute force attack from a known bad IP on my ssh port, which is now closed - at least for a while.

I had moved the content to /mnt temporarily, but after moving the original content back to /etc/httpd/ I ran into the problem with selinux blocking the restored original files by not giving permission. After

/sbin/restorecon -v -R /etc/httpd/

httpd and Nextcloud were up and running again. This is quite different from Ubuntu, and actually the first time since the initial install of Nextcloud a couple of years ago that I noticed this stricter policy.

This brought me to the idea to give full rights rwxrwxrwx to all /var/www/nextcloud/.well-known and below, without success either.

I might try to set the SELinux status to permissive, maybe that is blocking the writing from external, i.e. certbot?

Otherwise there would be some more options:

  1. Trying the acme.sh, simply did not have time yet to try that.
  2. Copying a httpd config from a fresh Fedora install (where port 80 should be open? At least I remember it was when I first installed Fedora)
  3. Quickly setting up an Ubuntu machine on a free SSD drive to update the certificate and move it to the Fedora machine to at least fix the current problem. Thunderbird, which synchronizes Contacts and Tasks, is annoyingly complaining about the invalid certificate - but fortunately there are other mail clients…
  4. Maybe the Letsencrypt / Certbot guys update certbot + one of the Apache modules meanwhile. I vaguely remember that there was something ongoing, even though I do not have the link…

Let’s see when I have the next free minutes. Might take some or some more days until I can get back to computing. Apart from work there are too many other things with higher prio…

Thanks again for your exceptional support. Keeps me learning lots of things :slight_smile:

With

curl -IkL -m20 http://my.domain.tld

I meanwhile found out that port 80 is not blocked by my internet service provider. Just in case this can help anyone else with debugging…

acme.sh manages to use my port 80 but also fails.

I will try get some support in the letsencrypt forum once I find some time (too many other things to do for me currently) and come back here if the post still should be open.

certbot supports the DNS challenge, which sometimes needs more manipulation but is easier in the end.

@MichaIng & all other supporters:
The problem is finally solved, see here:

The basic problem was that there is a firewall on my Fedora server which I did not know existed at all.
In summary the following needs to work:

  1. Open ports 80 http and 443 https in the router, e.g. FritzBox
  2. Same, but in the firewall. In Fedora firewall port 443 seems to be open by default, but port 80 is not open by default.
  3. A VirtualHost for *:80 and for *:443 with 80 redirected via RewriteRule to 443.

At the linked page you can also find the necessary commands and the final Apache *.conf files.

Meanwhile it is NC16 on Fedora 29 with Letsencrypt certbot 0.34.2 to fix a Fedora related bug.

Thanks again

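The checks this post and the earlier `curl -IkL` post boil down to (is port 80 actually open in the host firewall, does the HTTP to HTTPS redirect chain end somewhere that serves the challenge, and does a *:80 vhost let the challenge through), as an added shell example that is not part of the thread, of Certbot or of acme.sh. The `firewall-cmd --list-all` and `curl -sIkL` outputs inside it are constructed samples so that it runs offline; the *:80 vhost is an assumed template, not the conf files from the linked page; the domain my.domain.tld and webroot /var/www/nextcloud are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: offline checks for the two things
# this thread ended on, a host firewall that does not open port 80 and an
# HTTP->HTTPS redirect chain the ACME http-01 fetch cannot get through.
# FW_SAMPLE, CURL_LOOP and CURL_OK are constructed; on a real host feed in
# real `firewall-cmd --list-all` and `curl -sIkL` output instead.

# Constructed `firewall-cmd --list-all` output: https open, http not
# (the Fedora default the thread ran into).
FW_SAMPLE='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client https ssh
  ports:
  protocols:
'

# firewall_opens_port PORT LISTING: 0 if the zone allows PORT, either as
# the named http/https service or as an explicit NN/tcp entry.
firewall_opens_port() {
  port="$1"; listing="$2"
  case "$port" in
    80)  svc=http ;;
    443) svc=https ;;
    *)   svc= ;;
  esac
  services=$(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p')
  ports=$(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p')
  for s in $services; do if [ "$s" = "$svc" ]; then return 0; fi; done
  for p in $ports; do if [ "$p" = "$port/tcp" ]; then return 0; fi; done
  return 1
}

# Constructed `curl -sIkL --max-redirs 5 http://my.domain.tld/.well-known/acme-challenge/test`
# output: a loop (HTTPS redirecting to itself) and a healthy chain.
CURL_LOOP='HTTP/1.1 301 Moved Permanently
Location: https://my.domain.tld/.well-known/acme-challenge/test

HTTP/1.1 301 Moved Permanently
Location: https://my.domain.tld/.well-known/acme-challenge/test
'
CURL_OK='HTTP/1.1 301 Moved Permanently
Location: https://my.domain.tld/.well-known/acme-challenge/test

HTTP/1.1 200 OK
Content-Type: text/plain
'

# redirect_verdict OUTPUT: prints "loop" if a Location target repeats,
# "ok" if the final response is 2xx, "fail" otherwise.
redirect_verdict() {
  out=$(printf '%s\n' "$1" | tr -d '\r')
  dup=$(printf '%s\n' "$out" | awk 'tolower($1)=="location:" { if (seen[$2]++) { print "dup"; exit } }')
  last=$(printf '%s\n' "$out" | awk '/^HTTP\// { s=$2 } END { print s }')
  if [ -n "$dup" ]; then echo loop; return 1; fi
  case "$last" in
    2*) echo ok; return 0 ;;
    *)  echo fail; return 1 ;;
  esac
}

# vhost80_template DOMAIN WEBROOT: assumed *:80 vhost for step 3 of the
# summary; redirects to HTTPS but leaves the challenge path on plain HTTP
# (matters for the webroot authenticator; the apache plugin injects its own
# temporary config). Not the thread's actual conf files.
vhost80_template() {
  cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $2
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

# live_check DOMAIN WEBROOT: drop a random token where the webroot
# authenticator would, fetch it over plain HTTP following redirects, clean
# up. Needs network and a real webroot, so not exercised offline.
live_check() {
  dir="$2/.well-known/acme-challenge"
  token=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
  mkdir -p "$dir" && printf '%s\n' "$token" > "$dir/$token"
  body=$(curl -skL --max-redirs 5 -m 20 "http://$1/.well-known/acme-challenge/$token")
  rc=$?
  rm -f "$dir/$token"
  [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

# Offline demonstration on the constructed samples.
firewall_opens_port 80 "$FW_SAMPLE" || echo "port 80 closed: firewall-cmd --permanent --add-service=http && firewall-cmd --reload"
echo "loop sample: $(redirect_verdict "$CURL_LOOP")"
echo "ok sample:   $(redirect_verdict "$CURL_OK")"
```

On the real host, run `live_check my.domain.tld /var/www/nextcloud` before `certbot renew --dry-run`: it fails the same way Letsencrypt's validator does if the firewall, the router forwarding or the redirect chain is wrong, but it tells you which of the three it was without waiting on the ACME rate limits.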

@ubuntiger
Happy to hear you finally solved it. Ayayay finally it’s always the most obvious issue, however uncommon for a Linux distro to ship an active firewall by default :thinking:.