Letsencrypt & duckdns - EXPIRED

powerpolly · July 30, 2022, 1:14pm

hi,
I’m struggling with certificates and could need some help pls.
1.) snap install nextcloud works fine. letsencrypt keys were also provided during the snap install routine. I was able to access my nextcloud instance via internet for quite some time. now https is refused due to expired keys. http works fine (I blocked portforwarding to port 80, only turn on during certificate debugging)
2.) these are my current keys

Certificate Name: diepollys.duckdns.org
    Serial Number: 479d5ba668e832fd3f2039a58785c62cb84
    Key Type: RSA
    Domains: diepollys.duckdns.org
    Expiry Date: 2021-07-07 18:30:47+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/diepollys.duckdns.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/diepollys.duckdns.org/privkey.pem

3.) trying to renew the certificate (sudo nextcloud.enable-https lets-encrypt) results in a failure:

Attempting to obtain certificates... error running certbot:

Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for diepollys.duckdns.org
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain diepollys.duckdns.org
http-01 challenge for diepollys.duckdns.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: diepollys.duckdns.org
   Type:   None
   Detail: no valid A records found for diepollys.duckdns.org; no
   valid AAAA records found for diepollys.duckdns.org

I was playing around some time, even reinstalled several new nextcloud instances and it’s possible that I mixed up some things now. for example I see a TXT record for my domain with “mUaljNJG7YRRqIp__QQiWCoIfAcH0xfy9-1dcuGtMLA”
as I use duckdns I assume they’re registering A and TXT records. I can clear and set new ones. but how do I get new TXT key when the command for key renewal does not run till the end?

I searched thousands of pages already, maybe someone can give me the golden hint?! thanks!

just · July 30, 2022, 3:25pm

Try searching the errors you are seeing as keywords. Are you sure you’ve properly configured your router to

assign static ip or dhcp reservation to the nextcloud machine
port forward 80 and 443 for nextcloud machine
Let’s encrypt requires both steps in order to work

You can also search the letsencrypt community forum.

powerpolly · July 30, 2022, 5:50pm

solved it that way:

simply deleted all certificates:

sudo certbot delete --cert-name diepollys.duckdns.org

then I recreated them again:

matthias@nextcloud:~$ sudo nextcloud.enable-https lets-encrypt
In order for Let's Encrypt to verify that you actually own the
domain(s) for which you're requesting a certificate, there are a
number of requirements of which you need to be aware:

1. In order to register with the Let's Encrypt ACME server, you must
   agree to the currently-in-effect Subscriber Agreement located
   here:

       https://letsencrypt.org/repository/

   By continuing to use this tool you agree to these terms. Please
   cancel now if otherwise.

2. You must have the domain name(s) for which you want certificates
   pointing at the external IP address of this machine.

3. Both ports 80 and 443 on the external IP address of this machine
   must point to this machine (e.g. port forwarding might need to be
   setup on your router).

Have you met these requirements? (y/n) y
Please enter an email address (for urgent notices or key recovery): m.xxxxx@xx.at
Please enter your domain name(s) (space-separated): diepollys.duckdns.org
Attempting to obtain certificates... done
Restarting apache... done
matthias@nextcloud:~$

this solved my problem…