Letsencrypt renewal problem

Support intro

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 18.0.2): 19.0.4
Operating system and version (eg, Ubuntu 20.04): Debian Buster
Apache or nginx version (eg, Apache 2.4.25): Apache
PHP version (eg, 7.1): 7.3.19

The issue you are facing:

I have a problem with Let's Encrypt. I just changed my FRITZ!Box router; this router comes with a free DynDNS. After changing the DynDNS I just went to the NextcloudPi dashboard, changed the URL of the DynDNS and everything went fine.

Now I receive errors in “sudo nano /var/log/letsencrypt/letsencrypt.log” that the old cert cannot be renewed. The DynDNS in the attached log is not available anymore; why does NCP try to update this?

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Change DynDNS in NCP Dashboard

The output of your letsencrypt.log file (make sure you remove any identifiable information!):

Server: nginx
Date: Sun, 08 Nov 2020 05:53:23 GMT
Content-Type: application/json
Content-Length: 1048
Connection: keep-alive
Boulder-Requester: 64317239
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 01039AMQ9bbN5i7b2mGZtRtbJ9ZhL16NbroT_Ma20vLzTn8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "spzyvvsefcm8zl4z.myfritz.net"
  },
  "status": "invalid",
  "expires": "2020-11-15T05:53:10Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://spzyvvsefcm8zl4z.myfritz.net/.well-known/acme-challenge/oB-cNMCee5RoW8kJuANHet0LaJb_n2BN5QN0V1FJGcM: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8447375763/AUSHUg",
      "token": "oB-cNMCee5RoW8kJuANHet0LaJb_n2BN5QN0V1FJGcM",
      "validationRecord": [
        {
          "url": "http://spzyvvsefcm8zl4z.myfritz.net/.well-known/acme-challenge/oB-cNMCee5RoW8kJuANHet0LaJb_n2BN5QN0V1FJGcM",
          "hostname": "spzyvvsefcm8zl4z.myfritz.net",
          "port": "80",
          "addressesResolved": [
            "95.90.100.93"
          ],
          "addressUsed": "95.90.100.93"
        }
      ]
    }
  ]
2020-11-08 06:53:23,610:DEBUG:acme.client:Storing nonce: 01039AMQ9bbN5i7b2mGZtRtbJ9ZhL16NbroT_Ma20vLzTn8
2020-11-08 06:53:23,612:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: spzyvvsefcm8zl4z.myfritz.net
Type:   connection
Detail: Fetching http://spzyvvsefcm8zl4z.myfritz.net/.well-known/acme-challenge/oB-cNMCee5RoW8kJuANHet0LaJb_n2BN5QN0V1FJGcM: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check t$
2020-11-08 06:53:23,618:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. spzyvvsefcm8zl4z.myfritz.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client$

2020-11-08 06:53:23,618:DEBUG:certbot.error_handler:Calling registered functions
2020-11-08 06:53:23,619:INFO:certbot.auth_handler:Cleaning up challenges
2020-11-08 06:53:23,619:DEBUG:certbot.plugins.webroot:Removing /var/www/nextcloud/.well-known/acme-challenge/oB-cNMCee5RoW8kJuANHet0LaJb_n2BN5QN0V1FJGcM
2020-11-08 06:53:23,621:DEBUG:certbot.plugins.webroot:All challenges cleaned up

2020-11-08 06:53:23,637:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. spzyvvsefcm8zl4z.myfritz.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client$

2020-11-08 06:53:23,638:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-11-08 06:53:23,638:ERROR:certbot.renewal:  /etc/letsencrypt/live/spzyvvsefcm8zl4z.myfritz.net/fullchain.pem (failure)
2020-11-08 06:53:23,639:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2020-11-08 11:20:17,498:DEBUG:certbot.main:certbot version: 0.31.0
2020-11-08 11:20:17,501:DEBUG:certbot.main:Arguments: ['-q']
2020-11-08 11:20:17,501:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-11-08 11:20:17,523:DEBUG:certbot.log:Root logging level set at 30
2020-11-08 11:20:17,524:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-11-08 11:20:17,544:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0xb54c5090> and installer <certbot.cli._Default object at 0xb54c5090>
2020-11-08 11:20:17,562:INFO:certbot.renewal:Cert not yet due for renewal
2020-11-08 11:20:17,564:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None

Letsencrypt thinks you are using

NCP uses Apache.
Are you running both? Or your fritzbox?
So we are not getting the whole picture; maybe share the output of ncp-report via a pastebin service if you need further support.

NCP does not renew certificates, Letsencrypt does; the NCP app reports about it in the NC admin panel.
Letsencrypt will automatically try to update regularly, and (try to) renew it when less than 30 days of validity is left.

If all else fails… you can always use DNS or HTML files to manually verify a domain interactively from the command line. Search for DNS on docs.nextcloudpi.com if you want details.

Hello,

I am using the NextcloudPi image.

Everything is done automatically, but only until I changed my DynDNS.
Now Let's Encrypt tries to renew the old cert.

Looks like the old DynDNS is still listed as trusted domain: Line 58!!!
Do you know how to remove this? I would expect that this is done by default.

NCP REPORT

Kind regards,
Martin

To remove a domain, run

sudo certbot delete

To remove it from trusted_domains, you have to edit config.php:

sudo nano /var/www/nextcloud/config/config.php

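The cleanup the reply above describes can be checked before running `certbot delete`. The following is an added example (not NextcloudPi's or certbot's own code): it reads every lineage under certbot's renewal directory, reports the ones whose domain list no longer contains the hostname Nextcloud now serves, and prints the `certbot delete --cert-name` command for each instead of executing it. It runs offline against a constructed copy of `/etc/letsencrypt/renewal` with invented lineage names (`old.example.net`, `new.example.net`); the domain names are taken from the `[[webroot_map]]` section that certbot's webroot authenticator writes, which is an assumption about the authenticator in use (on a live system `certbot certificates` is the authoritative listing).

```shell
#!/bin/sh
# Added example, not NCP or certbot code. Lists certbot lineages that do not
# cover the hostname Nextcloud currently serves and prints the commands that
# remove them, so "certbot renew" stops retrying an unreachable old DynDNS name.
set -eu

# Build a constructed lookalike of /etc/letsencrypt/renewal in a temp dir so the
# script runs offline. Lineage names, domains and paths below are invented.
make_sample_renewal_dir() {
  dir=$(mktemp -d)
  cat > "$dir/old.example.net.conf" <<'EOF'
version = 0.31.0
cert = /etc/letsencrypt/live/old.example.net/cert.pem

[renewalparams]
authenticator = webroot
[[webroot_map]]
old.example.net = /var/www/nextcloud
EOF
  cat > "$dir/new.example.net.conf" <<'EOF'
version = 0.31.0
cert = /etc/letsencrypt/live/new.example.net/cert.pem

[renewalparams]
authenticator = webroot
[[webroot_map]]
new.example.net = /var/www/nextcloud
EOF
  printf '%s\n' "$dir"
}

# Print the domain keys of one renewal conf's [[webroot_map]] section, one per
# line. Assumes the webroot authenticator; other authenticators store domains
# differently, and "certbot certificates" is the authoritative listing.
lineage_domains() {
  awk '
    /^\[\[webroot_map\]\]/ { inmap = 1; next }
    /^\[/                  { inmap = 0 }
    inmap && /=/           { sub(/[[:space:]]*=.*/, ""); print }
  ' "$1"
}

# Usage: stale_lineages RENEWAL_DIR CURRENT_DOMAIN
# Prints the name of every lineage that does not cover CURRENT_DOMAIN.
stale_lineages() {
  renewal_dir=$1
  current=$2
  for conf in "$renewal_dir"/*.conf; do
    [ -f "$conf" ] || continue
    name=$(basename "$conf" .conf)
    if ! lineage_domains "$conf" | grep -qxF "$current"; then
      printf '%s\n' "$name"
    fi
  done
}

# Usage: cleanup_commands RENEWAL_DIR CURRENT_DOMAIN
# Prints, without executing, the certbot command that drops each stale lineage.
cleanup_commands() {
  stale_lineages "$1" "$2" | while read -r name; do
    printf 'sudo certbot delete --cert-name %s\n' "$name"
  done
}

# Demo against the constructed directory: ./script.sh --demo
# On a real NCP box: cleanup_commands /etc/letsencrypt/renewal "$(hostname -f)"
if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample_renewal_dir)
  cleanup_commands "$sample" new.example.net
  rm -rf "$sample"
fi
```

Two caveats before running the printed command. `certbot delete` removes the lineage's files under `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` as well as the renewal conf, so first confirm that no Apache vhost still references `/etc/letsencrypt/live/<old-name>/fullchain.pem` (for example with `grep -r <old-name> /etc/apache2`), otherwise Apache will fail to reload. For the Nextcloud side, `sudo -u www-data php /var/www/nextcloud/occ config:system:get trusted_domains` prints the entries with their indices and `occ config:system:delete trusted_domains <index>` removes one, which is an alternative to editing config.php by hand.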

Thank you, I did both.
I will check for the next days if any new error will happen and close the ticket.

Update: No Errors today, looks like this is fixed :slight_smile:

Kind regards,
Martin


You're welcome. Thanks for letting us know it is fixed.