LetsEncrypt w/ Nextcloud 12 fails (tls-sni-01)

Nextcloud version (eg, 10.0.2): (stable)
Operating system and version (eg, Ubuntu 16.04): Ubuntu 16.04.3 LTS xenial
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.18 (Ubuntu)
PHP version (eg, 5.6): PHP 7.0.22
Is this the first time you’ve seen this error?: No.

Running the included LetsEncrypt script during post-install results in this error, as does running the following command:

sudo certbot --apache -d domain.com

Using the prebuilt VMware OVA template with ESXi 6.5 I'm unable to set up an SSL certificate using the included LetsEncrypt script. The following error (see below) is presented with various attempts to set up certs. Ports 443 and 80 are both opened on my Edgerouter and have been confirmed using the following tool: https://www.yougetsignal.com/tools/open-ports/


Waiting for verification...
Cleaning up challenges
Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

 - The following errors were reported by the server:

   Domain: domain.com
   Type:   connection
   Detail: Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

The output of your Nextcloud log in Admin > Logging:

Error PHP Method OC_L10N_String::__toString() must return a string value at /var/www/nextcloud/lib/private/L10N/L10N.php#85 2017-10-20T01:25:39-0400

Error PHP vsprintf(): Too few arguments at /var/www/nextcloud/lib/private/legacy/l10n/string.php#72 2017-10-20T01:25:39-0400

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

Provided upon request.

The output of your Apache/nginx/system log in /var/log/____:

This file is 18932 lines, I wish someone would sift through that.

I've been around and around on the web attempting various workarounds, but I'm obviously lacking vast experience. I know just enough to be dangerous and keep ruining my Nextcloud instance and having to restore a snapshot. Thank you for this wonderful product and community support.

EDIT: I've been through the process where it will tell me "2 more tries" and so on, but it's acting as if my port is blocked, or there's something else I'm potentially doing wrong and just don't know how to isolate the issue in order to remedy this little dilemma.

Is your VM using a Bridged Network Adaptor? If not try Bridged.
Is your router NAT configured to forward ports 80 and 443 to internal IP of your VM? If not configure NAT port forwarding.
Make sure your firewall allows ports 80/tcp and 443/tcp.
Also, as Let's Encrypt suggests, check the A records of your domain and/or if your IP address has changed.

Thank you kindly for the prompt response. Yes, using a bridged network adapter. My Edgerouter is configured using hairpin NAT (also called NAT loopback or NAT reflection) and I have properly forwarded both ports 80 and 443 to my Nextcloud instance and used this tool to confirm that the ports are showing as open: https://www.yougetsignal.com/tools/open-ports/

Are there any alternatives to this LetsEncrypt script? I know it's acting as if my ports aren't properly forwarded, but I'm confident that they are, as I can access the service just fine from my domain name. It forwards to my VM, it's only the SSL cert that is not working properly.

I'm a novice, but lost as to what my next troubleshooting steps should be, or how to begin to work around this. Thanks.

Couple thoughts:

  1. See if there’s a .well-known directory in your webroot. I have found sometimes the necessary folders are missing and for whatever reason the client cannot create the authentication folders, but can place the file with the challenge key in it if the folder exists.
  2. If I have funny networking going on (like right now I have a reverse proxy handling multiple services on ports 80/443), I have to do it manually with certonly like this:
    $ sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is

Hope that helps. Also: get the current version of letsencrypt from the PPAs:


Complete and total rebuild of everything, from the ground up. Redid my edge device (twice), network is now slightly simplified to isolate any potential problem areas. Updated server firmware, got a fresh IP from my ISP, updated DNS settings at GoDaddy. Reinstalled 12.3.0_1 OVA to my VMware host and now have…

Type: connection
Detail: Fetching
Error getting validation data

This appears a bit better/different. I feel like I'm further than previous attempts. I also have so little knowledge about this I'm obviously lost. Thank you for the input, will continue trying to research and work through this.

I have had funny issues with networking too, I feel your pain :grin: my next thought is to create the .well-known folder and…I also want to say there’s another folder the challenge will be placed in, but I forget. Then make sure the www-data user has read and write permissions on the folder(s)