LetsEncrypt without port 80

nanu.nanu · March 13, 2021, 1:06am

I have the NextCloudPi up and running but am hitting a wall trying to get LetsEncrypt working. My ISP blocks port 80, hence the app in the Nextcloud Panel app will not succeed. Through doing a little searching I came across this post:

Got through steps 1-4, so I have the certificates in the drive. But step 5 is not for this type of installation.
How do I get the NCP to use these certificates?

das1996 · March 13, 2021, 6:21am

The general advice is to point the webserver to the certs.

The specifics depend on which web server is in use (nginx, apache, etc.).

Which domain registrar are you using?

Reiner_Nippes · March 13, 2021, 11:43am

That will be a bit tricky.

The easy part: You’ll look into ~/.acme.sh/<your-domain>/ add look at the <your-domain.conf> file. And you probably find something like the following:

Le_RealCertPath=''
Le_RealCACertPath=''
Le_RealKeyPath='<some-path>/<your-domain>.key'
Le_ReloadCmd='systemctl reload apache2'
Le_RealFullChainPath='<some-path>/<your-domain>.fullchain.cer'

You have to change the Le_Real<***>Path entries to point to your “nextcloudpi letsencrypt” certs. Probably inside /etc/letsencrypt/live or similar.

And you have to change the “Le_ReloadCmd” to make the nextcloudpi web server to reload it’s config.

Now the problem: You have to permanently disable the builtin certbot in nextcloudpi. (I don’t know nextcloudpi very well.) Probably it’s enough to edit this crontab entry.

github.com

nextcloud/nextcloudpi/blob/master/bin/ncp/NETWORKING/letsencrypt.sh#L68


      
            rm -f /etc/letsencrypt/renewal-hooks/deploy/ncp
            [[ "$DOCKERBUILD" == 1 ]] && update-rc.d letsencrypt disable
            install_template nextcloud.conf.sh "${nc_vhostcfg}"
            local cert_path="$(grep SSLCertificateFile   "${nc_vhostcfg}" | awk '{ print $2 }')"
            local key_path="$(grep SSLCertificateKeyFile "${nc_vhostcfg}" | awk '{ print $2 }')"
            sed -i "s|SSLCertificateFile.*|SSLCertificateFile ${cert_path}|"      "${ncp_vhostcfg}"
            sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile ${key_path}|" "${ncp_vhostcfg}"
            apachectl -k graceful
            echo "letsencrypt certificates disabled. Using self-signed certificates instead."
            exit 0
          }
          local DOMAIN_LOWERCASE="${DOMAIN,,}"
          
          [[ "$DOMAIN" == "" ]] && { echo "empty domain"; return 1; }
          
          local IFS_BK="$IFS"
          
          # Do it
          local domain_string=""
          for domain in "${DOMAIN}" "${OTHER_DOMAIN}"; do
            [[ "$domain" != "" ]] && {

Alternative: as you can see in the nextcloud/vm scripts certbot is also able to use the dns challange.

github.com

nextcloud/vm/blob/master/lib.sh#L744


      
                  msg_box "Network is NOT OK. You must have a working network connection to run this script.
          If you think that this is a bug, please report it to https://github.com/nextcloud/vm/issues."
                  return 1
              fi
          fi
          print_text_in_color "$IGreen" "Online!"
          return 0
          }
          
          
          # Check that the script can see the external IP (apache fails otherwise), used e.g. in the adminer app script.
          check_external_ip() {
          if [ -z "$WANIP4" ]
          then
              print_text_in_color "$IRed" "WANIP4 is an empty value, Apache will fail on reboot due to this. \
          Please check your network and try again."
              sleep 3
              exit 1
          fi
          }

so you may change the nextcloudpi letsencrypt script to use the dns challange as well.

probably it’s only this line:

github.com

nextcloud/nextcloudpi/blob/master/bin/ncp/NETWORKING/letsencrypt.sh#L65


      
          [[ "${ACTIVE}" != "yes" ]] && {
            rm -rf /etc/letsencrypt/live/*
            rm -f /etc/cron.weekly/letsencrypt-ncp
            rm -f /etc/letsencrypt/renewal-hooks/deploy/ncp
            [[ "$DOCKERBUILD" == 1 ]] && update-rc.d letsencrypt disable
            install_template nextcloud.conf.sh "${nc_vhostcfg}"
            local cert_path="$(grep SSLCertificateFile   "${nc_vhostcfg}" | awk '{ print $2 }')"
            local key_path="$(grep SSLCertificateKeyFile "${nc_vhostcfg}" | awk '{ print $2 }')"
            sed -i "s|SSLCertificateFile.*|SSLCertificateFile ${cert_path}|"      "${ncp_vhostcfg}"
            sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile ${key_path}|" "${ncp_vhostcfg}"
            apachectl -k graceful
            echo "letsencrypt certificates disabled. Using self-signed certificates instead."
            exit 0
          }
          local DOMAIN_LOWERCASE="${DOMAIN,,}"
          
          [[ "$DOMAIN" == "" ]] && { echo "empty domain"; return 1; }
          
          local IFS_BK="$IFS"
          
          # Do it

check the certbot documentain for more details.

nanu.nanu · March 14, 2021, 2:52am

I am using a free one from duckdns.org. NextcloudPi uses Apache is I am not mistaken.

nanu.nanu · March 14, 2021, 2:53am

Wow! That’s above what I was planning on doing!

Reiner_Nippes · March 14, 2021, 9:54am

@nanu.nanu maybe instead of using acme.sh you may have a look at

and see if you can integrate this into your nextcloudpi.

nanu.nanu · March 14, 2021, 6:58pm

Thank you!

nictronik99 · May 19, 2022, 2:26pm

you have some news? were you able to configure it?

Ved · July 17, 2022, 2:30am

Hey were you able to configure this certbot into your nextcloud? And if so, please let me know because I have the same problem lol.

nictronik99 · September 8, 2022, 7:48pm

no, I opted for a different solution without letsencrypt, certbot and stuff like these. i used cloudflare to create an encrypted tunnel, there are many DBtech videos on youtube which explain very well what to do, some things are different or no longer work but you will see that on google there is everything.in any case, do not hesitate to write here if something is not clear to you.