[SOLVED] LetsEncrypt renewal error

Hello Friends,
I’m running NextcloudPi 1.38.6 on a Raspberry Pi 4 4GB with Raspberry Pi OS 64bit.
Everything was running well for the past two months, but in the past two weeks I’ve received a few Nextcloud notifications saying the LetsEncrypt SSL renewal failed.
I tried to log into the NCP panel and run the Letsencrypt renewal manually, but I got this error message:

[ letsencrypt ] (Sun Sep 12 14:07:24 IDT 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ********.********.***
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ********.********.*** (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://********.********.***/.well-known/acme-challenge/jspBZsvex_V1R42Th7E-9RMQ4GyvIy8cI8r0GhdHxHw: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: ********.********.***
Type: connection
Detail: Fetching
https://********.********.***/.well-known/acme-challenge/jspBZsvex_V1R42Th7E-9RMQ4GyvIy8cI8r0GhdHxHw:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

I made sure ports 443 and 80 are open.

How should I include the letsencrypt.log file?

Hope someone can help

Could be just a dns time-out.
After trying again, run ncp-report to gather more info and view all logs.
Share it as a plain text file or use a pastebin service.

1 Like

Thank you, @OliverV
Can you please explain how I should run ncp-report?
I don’t see it as an option in the ncp panel.

It is not available from ncp-web-panel, only from terminal run:

sudo ncp-report

1 Like

Thank you.
I ran the command, but when I want to scroll back to the output beginning to copy it, the terminal output is cut and I can’t scroll back to the start.

sudo ncp-report > ncp-report.txt

1 Like

Thanks :pray:
Here is the full ncp-report:
https://pastebin.com/Dw1vGSe6

I also had troubles with getting the certificate, turning off the nc-https-only when running letsencrypt solved it for me

1 Like

Many thanks, @ZendaiOwl ! Your suggestion solved it also for me :pray: :pray: :pray:
Is it problematic to keep nc-https-only set to OFF, or is it better to change the setting back to ON after the renewal?

You’re welcome :slight_smile:
It’s best to turn it back on after you’ve received the certificate from letsencrypt.

From what I could understand, certbot does a challenge request on port 80 using HTTP, which fails when this setting is turned on, so switching it off just for getting the certificate is fine. However, for security reasons you should turn it back on so you’re using HTTPS/SSL.

1 Like

Excellent. Will do.
Thank you for the explanation and help :pray::+1:

1 Like

Guessing here, but NC is just doing an old-fashioned http > https redirect. Really they should exclude certbot from the redirect. From this post, the redirect should read something like:

RewriteEngine On
# Let plain-HTTP requests for the ACME challenge path through untouched
# (.htaccess form, so no leading slash; dot escaped so it matches ".well-known" literally).
RewriteRule ^\.well-known/acme-challenge/ - [L]
# Everything else arriving over HTTP gets a permanent redirect to HTTPS.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Or something like this as there are a number of ways of achieving the same thing. This would allow certbot to continue to use port 80 and redirect everything else.

Really it should be filed somewhere as a bug or an enhancement request.

1 Like
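To make the redirect discussion above concrete, here is an added example (not code from this thread or from the NextcloudPi project) that simulates the two webserver policies locally: redirect every plain-HTTP request to HTTPS, as nc-https-only does, versus exempting the ACME challenge path as the RewriteRule above proposes. It starts a throwaway HTTP server on 127.0.0.1 serving a constructed webroot with one constructed token file, then fetches the token the way a validator first would, without following redirects, so you can see what port 80 actually answers. The token body is simplified (real certbot writes token.thumbprint) and the hostnames, ports and token are assumptions for the demo.

```python
"""Simulate the http-01 webroot fetch against two HTTP->HTTPS redirect policies.
Added example; runs a local server only, no network. Host, port and token are
constructed for the demo."""
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

# Path certbot's webroot plugin writes tokens to, relative to the webroot.
ACME_PREFIX = "/.well-known/acme-challenge/"


def should_redirect(path, exempt_acme):
    """Mirror the rewrite logic: every plain-HTTP request goes to HTTPS,
    except (when exempt_acme is set) the ACME challenge path, which must be
    served as-is so the CA can read the token over port 80."""
    if exempt_acme and path.startswith(ACME_PREFIX):
        return False
    return True


def make_handler(webroot, exempt_acme):
    """Build a handler that applies the redirect policy before serving files,
    the way Apache's rewrite rules run before the file is looked up."""

    class Handler(http.server.SimpleHTTPRequestHandler):
        def __init__(self, *args, **kwargs):
            super().__init__(*args, directory=webroot, **kwargs)

        def do_GET(self):
            if should_redirect(self.path, exempt_acme):
                self.send_response(301)
                self.send_header(
                    "Location", "https://" + self.headers["Host"] + self.path)
                self.end_headers()
                return
            super().do_GET()

        def log_message(self, *args):  # keep demo output quiet
            pass

    return Handler


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the probe reports what port 80 returned.
    (The real CA does follow an HTTP->HTTPS redirect; if port 443 is then not
    reachable the challenge times out, which is what the log above shows.)"""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_challenge(host, port, token):
    """Fetch the token over plain HTTP. Returns ("ok", None),
    ("redirect", location), ("bad_body", body) or ("http_error", code)."""
    url = f"http://{host}:{port}{ACME_PREFIX}{token}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode("ascii", "replace").strip()
            return ("ok", None) if body == token else ("bad_body", body)
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 307, 308):
            return ("redirect", err.headers.get("Location"))
        return ("http_error", str(err.code))


def run_scenario(exempt_acme, token="constructed-demo-token"):
    """Stand up a webroot holding one token file, probe it once, tear down."""
    with tempfile.TemporaryDirectory() as webroot:
        challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
        os.makedirs(challenge_dir)
        with open(os.path.join(challenge_dir, token), "w") as fh:
            fh.write(token)  # simplified; certbot writes token.<thumbprint>
        server = http.server.ThreadingHTTPServer(
            ("127.0.0.1", 0), make_handler(webroot, exempt_acme))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return probe_challenge("127.0.0.1", server.server_address[1], token)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print("redirect everything:  ", run_scenario(exempt_acme=False))
    print("exempt acme-challenge:", run_scenario(exempt_acme=True))
```

With the blanket redirect the probe gets a 301 to an https:// URL, so validation now depends on port 443 being reachable from the CA; with the exemption the token is served directly on port 80 and the 443 path never enters the picture. Against a real host you would point probe_challenge at the public name and port 80 before starting a renewal.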

Good catch. Funny it never failed in all these years, so something must have changed in the way LE does things. I will update the rewrite rules.

1 Like

Done in devel. Can somebody run

sudo ncp-update devel

And verify that we can now renew while httpsonly is enabled?

Thanks

2 Likes

I can confirm it, updated to development branch on version 1.39.16 and running Letsencrypt works flawlessly now.
Output from running the command is below

Running letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/<my-domain-name>/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/<my-domain-name>/privkey.pem
  Your cert will expire on 2021-12-28. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew *all* of your certificates, run
  "certbot renew"
- If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

System config value trusted_domains => 22 set to string <my-domain-name>
System config value trusted_domains => 3 set to string <my-domain-name>
System config value overwrite.cli.url set to string <my-domain-name>

2 Likes