LetsEncrypt not working after Apache error

NextCloudPi version v1.39.6
NextCloudPi image NextCloudPi_07-21-19
distribution Raspbian GNU/Linux 10 \n \l
Nextcloud version 21.0.4.1

runs on a Raspberry Pi 4 (4GB)

Hi,
The Let’s Encrypt certificate is apparently not created. I did not have the problem before the update to NC 21.

Here is some info:

echo | openssl s_client -connect :443 -servername :443 2>/dev/null | awk '/Certificate chain/,/---/'

Certificate chain
0 s:CN = archlinux
i:CN = archlinux

log when trying to activate LetsEncrypt

[ letsencrypt ] (Mon Sep 20 12:59:54 CEST 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/nc-hostname-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/nc-hostname-0001/privkey.pem
    Your cert will expire on 2021-12-19. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"
  • If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Apache self check:
AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/nc-hostname/fullchain.pem' does not exist or is empty
Action '-t' failed.
The Apache error log may have more information.
System config value trusted_domains => 22 set to string nc-hostname
System config value trusted_domains => 3 set to string nc-hostname
System config value overwrite.cli.url set to string https://nc-hostname/
System config value trusted_proxies => 11 set to string 127.0.0.1
System config value trusted_proxies => 12 set to string ::1
System config value trusted_proxies => 13 set to string nc-hostname
System config value trusted_proxies => 14 set to string 213.162.146.86
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
configuration saved

Apache errorlog:

[Mon Sep 20 11:26:30.786803 2021] [mpm_event:notice] [pid 946:tid 3069370896] AH00493: SIGUSR1 received. Doing graceful restart
[Mon Sep 20 11:26:30.816674 2021] [ssl:warn] [pid 946:tid 3069370896] AH01909: localhost:4443:0 server certificate does NOT include an ID which matches the server name
[Mon Sep 20 11:26:30.818199 2021] [mpm_event:notice] [pid 946:tid 3069370896] AH00489: Apache/2.4.38 (Raspbian) OpenSSL/1.1.1d configured -- resuming normal operations
[Mon Sep 20 11:26:30.818228 2021] [core:notice] [pid 946:tid 3069370896] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 20 11:38:47.467250 2021] [proxy_fcgi:error] [pid 19488:tid 2763224096] [client 192.168.1.22:39540] AH01067: Failed to read FastCGI header
[Mon Sep 20 11:38:47.467358 2021] [proxy_fcgi:error] [pid 19488:tid 2763224096] (104)Connection reset by peer: [client 192.168.1.22:39540] AH01075: Error dispatching request to :4443:
[Mon Sep 20 11:38:48.888050 2021] [mpm_event:notice] [pid 946:tid 3069370896] AH00491: caught SIGTERM, shutting down
[Mon Sep 20 11:39:08.135130 2021] [ssl:warn] [pid 758:tid 3069841984] AH01909: localhost:4443:0 server certificate does NOT include an ID which matches the server name
[Mon Sep 20 11:39:08.170042 2021] [ssl:warn] [pid 985:tid 3069841984] AH01909: localhost:4443:0 server certificate does NOT include an ID which matches the server name
[Mon Sep 20 11:39:08.175960 2021] [mpm_event:notice] [pid 985:tid 3069841984] AH00489: Apache/2.4.38 (Raspbian) OpenSSL/1.1.1d configured -- resuming normal operations
[Mon Sep 20 11:39:08.176068 2021] [core:notice] [pid 985:tid 3069841984] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 20 12:06:14.118296 2021] [mpm_event:notice] [pid 985:tid 3069841984] AH00493: SIGUSR1 received. Doing graceful restart
[Mon Sep 20 12:06:14.151976 2021] [ssl:warn] [pid 985:tid 3069841984] AH01909: localhost:4443:0 server certificate does NOT include an ID which matches the server name
[Mon Sep 20 12:06:14.153516 2021] [mpm_event:notice] [pid 985:tid 3069841984] AH00489: Apache/2.4.38 (Raspbian) OpenSSL/1.1.1d configured -- resuming normal operations
[Mon Sep 20 12:06:14.153545 2021] [core:notice] [pid 985:tid 3069841984] AH00094: Command line: '/usr/sbin/apache2'


The following seems to be the problem in my opinion:
The file “fullchain.pem” is located in this folder:

/etc/letsencrypt/live/nc-hostname-0001/

But Apache is looking in this folder (which does not exist):

/etc/letsencrypt/live/nc-hostname/

I don’t know where the “0001” comes from. Is it possible to change the name? Or can I make Apache look in the right folder?

EDIT:
After a reboot I am not able to open the Nextcloud web interface anymore.
'apachectl configtest' says:

AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/nc-hostname/fullchain.pem' does not exist or is empty
Action 'configtest' failed.

'sudo systemctl restart apache2.service' says:

Job for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details.

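The diagnosis above (the certificate lives in nc-hostname-0001 while ncp.conf still points at nc-hostname) can be checked and repaired mechanically. The shell functions below are an added example, not NextCloudPi's own code: find_cert_lineage picks the highest-numbered lineage under /etc/letsencrypt/live that actually holds a non-empty fullchain.pem and privkey.pem, check_apache_cert_paths reports every SSLCertificateFile / SSLCertificateKeyFile path that would fail apachectl -t, and fix_apache_cert_paths rewrites those directives to the lineage found, keeping a .bak copy. The function names, the HOST-NNNN naming pattern and the demo scratch layout are assumptions of this example; certbot does create such a numbered lineage when it starts a new lineage instead of reusing the existing directory of the same name, which a later reply in this thread attributes to duplicated (sub)domains.

```sh
#!/bin/sh
# Added example (not NextCloudPi code): find the certbot lineage that really
# holds a certificate for HOST and make Apache's SSL directives point at it.
#
# Layout assumed (matches the thread): certbot keeps one directory per lineage
# under /etc/letsencrypt/live/, named HOST, HOST-0001, HOST-0002, ... and Apache
# reads the certificate paths from SSLCertificateFile / SSLCertificateKeyFile.
# Every function takes its directories as arguments so it can be run against a
# scratch copy (see demo) without touching a real system.

# find_cert_lineage HOST [LIVE_DIR]
# Prints the highest-numbered lineage directory named HOST or HOST-NNNN that
# contains a non-empty fullchain.pem and privkey.pem. Returns 1 if none does.
find_cert_lineage() {
    fcl_host=$1
    fcl_live=${2:-/etc/letsencrypt/live}
    fcl_best=
    # Globs expand in sorted order: HOST first, then HOST-0001, HOST-0002, ...
    # so the last valid candidate is the highest-numbered one.
    for fcl_dir in "$fcl_live/$fcl_host" "$fcl_live/$fcl_host"-[0-9][0-9][0-9][0-9]; do
        [ -d "$fcl_dir" ] || continue
        # -s is the condition apachectl -t reports as "does not exist or is empty"
        [ -s "$fcl_dir/fullchain.pem" ] && [ -s "$fcl_dir/privkey.pem" ] || continue
        fcl_best=$fcl_dir
    done
    [ -n "$fcl_best" ] || return 1
    printf '%s\n' "$fcl_best"
}

# check_apache_cert_paths CONF
# Prints "ok PATH" or "MISSING PATH" for every SSLCertificateFile and
# SSLCertificateKeyFile directive in CONF. Returns 1 if any file is absent or
# empty. Paths containing whitespace (which Apache would require quoting) are
# not handled.
check_apache_cert_paths() {
    cacp_rc=0
    for cacp_path in $(sed -nE 's/^[[:space:]]*SSLCertificate(Key)?File[[:space:]]+([^[:space:]]+).*/\2/p' "$1"); do
        if [ -s "$cacp_path" ]; then
            printf 'ok %s\n' "$cacp_path"
        else
            printf 'MISSING %s\n' "$cacp_path"
            cacp_rc=1
        fi
    done
    return $cacp_rc
}

# fix_apache_cert_paths CONF HOST [LIVE_DIR]
# Points both directives in CONF at the lineage find_cert_lineage returns,
# keeping the original as CONF.bak. Leaves CONF untouched and returns 1 when
# no usable lineage exists, so Apache is never pointed at another missing file.
# Assumes the lineage path contains no '|' or '&' (sed delimiter / metachar).
fix_apache_cert_paths() {
    facp_conf=$1
    facp_lineage=$(find_cert_lineage "$2" "${3:-/etc/letsencrypt/live}") || return 1
    cp "$facp_conf" "$facp_conf.bak"
    sed -E \
        -e "s|^([[:space:]]*SSLCertificateFile[[:space:]]+)[^[:space:]]+|\1$facp_lineage/fullchain.pem|" \
        -e "s|^([[:space:]]*SSLCertificateKeyFile[[:space:]]+)[^[:space:]]+|\1$facp_lineage/privkey.pem|" \
        "$facp_conf.bak" > "$facp_conf"
}

# demo: rebuild the situation from the thread in a scratch directory
# (constructed data, not a real system) and show the check before and after.
demo() {
    d_root=$(mktemp -d)
    mkdir -p "$d_root/live/nc-hostname-0001"
    printf 'CERT\n' > "$d_root/live/nc-hostname-0001/fullchain.pem"
    printf 'KEY\n'  > "$d_root/live/nc-hostname-0001/privkey.pem"
    printf 'SSLCertificateFile %s/live/nc-hostname/fullchain.pem\nSSLCertificateKeyFile %s/live/nc-hostname/privkey.pem\n' \
        "$d_root" "$d_root" > "$d_root/ncp.conf"
    echo "before:"; check_apache_cert_paths "$d_root/ncp.conf" || true
    fix_apache_cert_paths "$d_root/ncp.conf" nc-hostname "$d_root/live"
    echo "after:";  check_apache_cert_paths "$d_root/ncp.conf"
    rm -rf "$d_root"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the file with the argument demo to see it on a scratch copy. On the Pi itself, call fix_apache_cert_paths /etc/apache2/sites-enabled/ncp.conf <hostname> as root and then apachectl configtest before reloading Apache. sudo certbot certificates lists the lineages certbot knows about and which name it uses for each; while debugging issuance, certbot --dry-run talks to the staging CA and does not count against the five-certificates-per-week limit that is hit later in this thread.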

Hi, can you share the output from sudo ncp-report?

Here is the result:

NextCloudPi diagnostics

NextCloudPi version  v1.39.6
NextCloudPi image    NextCloudPi_07-21-19
distribution         Raspbian GNU/Linux 10 \n \l
automount            yes
USB devices          sda sdb
datadir              /media/ncp_data/data
data in SD           no
data filesystem      btrfs
data disk usage      54G/115G
rootfs usage         6,6G/59G
swapfile             /var/swap
dbdir                /var/lib/mysql
Nextcloud check      ok
Nextcloud version    21.0.4.1
HTTPD service        down
PHP service          up
MariaDB service      up
Redis service        up
HPB service          down
Postfix service      up
internet check       ok
port check 80        closed
port check 443       closed
IP                   ***REMOVED SENSITIVE VALUE***
gateway              ***REMOVED SENSITIVE VALUE***
interface            eth0
certificates         ***REMOVED SENSITIVE VALUE***
NAT loopback         no
uptime               11:03

Nextcloud configuration

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "5": "nextcloudpi.local",
            "7": "nextcloudpi",
            "8": "nextcloudpi.lan",
            "11": "2a01:586:9bda:1:3b2e:ec0d:a6ec:7a93",
            "1": "192.168.1.5",
            "4": "***REMOVED SENSITIVE VALUE***",
            "20": "***REMOVED SENSITIVE VALUE***",
            "22": "***REMOVED SENSITIVE VALUE***",
            "12": "***REMOVED SENSITIVE VALUE***",
            "3": "An unhandled exception has been thrown:\nRedisException: LOADING Redis is loading the dataset in memory in \nStack trace:\n#0 \n#1 \n#2 \n#3 \n#4 \n#5 \n#6 \n#7 \n#8 \n#9 \n#10 \n#11 \n#12 {main}"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "21.0.4.1",
        "overwrite.cli.url": "https:\/\/An unhandled exception has been thrown:\nRedisException: LOADING Redis is loading the dataset in memory in \nStack trace:\n#0 \n#1 \n#2 \n#3 \n#4 \n#5 \n#6 \n#7 \n#8 \n#9 \n#10 \n#11 \n#12 {main}\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "tempdirectory": "\/media\/ncp_data\/data\/tmp",
        "mail_smtpmode": "sendmail",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "loglevel": 0,
        "log_type": "file",
        "maintenance": false,
        "jpeg_quality": "60",
        "htaccess.RewriteBase": "\/",
        "theme": "",
        "app_install_overwrite": [
            "nextcloudpi"
        ],
        "data-fingerprint": "2e45cff06d40074a7d614e931a153ee8",
        "updater.release.channel": "stable",
        "logfile": "\/media\/ncp_data\/data\/nextcloud.log",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "DE"
    }
}

Interesting, the log says ports 80 and 443 are closed. But they are not.

Hey @Rude.Boy, looks like we are facing the same issue.

I was able to start the Apache service (with "sudo systemctl start apache2").

In /etc/apache2/sites-enabled/ncp.conf I replaced this:

SSLCertificateFile /etc/letsencrypt/live/nc-hostname/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nc-hostname/privkey.pem

with that:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Now I have access to the web interface again. But the initial problem still exists. Since we have the same problem I will follow the thread of @Martin_Friebe

Hmmm I wonder why the -001 was appended. Never seen that one before in all these years.

You should be able to make it work by specifying the correct path to the certificates with the -001 instead of the snakeoil certs

I tweaked the code to take this situation into account. It seems to be related to duplicated (sub)domains.

Once Apache is up, can you please run

sudo ncp-update devel

And then try again running letsencrypt to see if we get the correct path in /etc/apache2/sites-enabled/ncp.conf?

Thanks for your help! At the moment Let's Encrypt is deactivated and the files (fullchain.pem, privkey.pem) do not exist.
I guess they are automatically deleted when Let's Encrypt is deactivated.
So, to use the certificates I probably have to activate Let's Encrypt. But trying to do that in the web interface I get the following output in a loop.

Output

[ letsencrypt ] (Wed Sep 22 08:57:30 CEST 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
System config value trusted_domains => 3 set to string An unhandled exception has been thrown:
RedisException: LOADING Redis is loading the dataset in memory in
Stack trace:
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10
#11
#12 {main}
System config value overwrite.cli.url set to string https://An unhandled exception has been thrown:
RedisException: LOADING Redis is loading the dataset in memory in
Stack trace:
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10
#11
#12 {main}/
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: jha.spdns.de: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

System config value trusted_proxies => 11 set to string 127.0.0.1
System config value trusted_proxies => 12 set to string ::1
System config value trusted_proxies => 13 set to string An unhandled exception has been thrown:
RedisException: LOADING Redis is loading the dataset in memory in
Stack trace:
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10
#11
#12 {main}
System config value trusted_proxies => 14 set to empty string
✓ redis is configured
🗴 can’t connect to push server: Unable to parse URI: https://An unhandled exception has been thrown:
RedisException: LOADING Redis is loading the dataset in memory in
Stack trace:
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10
#11
#12 {main}/push/test/cookie
[the trusted_domains, overwrite.cli.url, trusted_proxies and push-server lines above then repeat twice more, identically]

Also, sudo ncp-update devel didn't change the ncp.conf.

EDIT:
I cannot activate LE because I have reached the limit of 5 per week.

I tested 1.39.10 and after running letsencrypt again, the Apache server continues to use the self-signed certificate.

After a reboot it stopped working.

Ok, unfortunately you have hit another bug that has also been recently fixed.

Your config.php contains junk right now. In order to fix it, type

source /usr/local/etc/library.sh
set-nc-domain <your_domain>

Then, please verify that there is no more junk in config.php.

Once you are able to run Letsencrypt you should be good; make sure to update to the latest version, where my fixes are now online.

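The junk is visible in the ncp-report output earlier in the thread: trusted_domains slot 3 and overwrite.cli.url hold the text of a RedisException ("LOADING Redis is loading the dataset in memory") instead of a hostname, because the command that was supposed to print the hostname printed an exception and its output was stored as-is. Those two keys matter: trusted_domains is Nextcloud's allow-list of accepted Host headers, and overwrite.cli.url is the base URL for links generated from the command line, which is why the push-server check above fails with "Unable to parse URI". The shell functions below are an added example, not NextCloudPi's set-nc-domain: is_valid_host accepts only a DNS hostname, an IPv4 or an IPv6 literal, set_nc_domain_checked refuses anything else before calling occ, and audit_hosts checks a list of existing values. The function names, the NCC and SLOT variables (defaulting to NextCloudPi's ncc wrapper and the slot 3 seen in the log lines above) and the deliberately loose IPv6 test are assumptions of this example.

```sh
#!/bin/sh
# Added example (not NextCloudPi's set-nc-domain): validate a value before it
# is written into Nextcloud's config.php as a domain.
#
# trusted_domains is Nextcloud's allow-list of accepted Host headers and
# overwrite.cli.url is the base URL used for links generated from the CLI, so a
# value that is not a hostname or IP literal must never reach either of them.
# NCC is the occ wrapper command to call (NextCloudPi's "ncc" by default; set
# NCC=echo to preview); SLOT is the trusted_domains index to write (3 here,
# as in the thread's log lines). Both are assumptions of this example.

# is_valid_host VALUE -> 0 if VALUE is a DNS hostname, an IPv4 or an IPv6 literal
is_valid_host() {
    ivh_v=$1
    # Anything empty or containing whitespace (an exception message, a stack
    # trace) is rejected before any pattern is tried.
    case $ivh_v in ''|*[[:space:]]*) return 1 ;; esac
    # Hostname / IPv4: dot-separated labels of letters, digits and hyphens, no
    # leading or trailing hyphen, at most 63 chars per label and 253 in total.
    if [ ${#ivh_v} -le 253 ] && printf '%s' "$ivh_v" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'; then
        return 0
    fi
    # IPv6 (loose check, an assumption of this example): only hex digits and
    # colons, and at least two colons so that "host:port" is not accepted.
    case $ivh_v in
        *:*:*) printf '%s' "$ivh_v" | grep -Eq '^[0-9A-Fa-f:]+$' && return 0 ;;
    esac
    return 1
}

# set_nc_domain_checked DOMAIN
# Refuses junk; otherwise writes overwrite.cli.url and trusted_domains[SLOT]
# through occ, the two keys the log lines in the thread show being set.
set_nc_domain_checked() {
    sndc_dom=$1
    if ! is_valid_host "$sndc_dom"; then
        # Report only the first line so a multi-line exception text stays readable
        printf 'refusing to store "%s" as domain: not a hostname or IP\n' \
            "$(printf '%s\n' "$sndc_dom" | head -n 1)" >&2
        return 1
    fi
    "${NCC:-ncc}" config:system:set overwrite.cli.url --value="https://$sndc_dom/" &&
    "${NCC:-ncc}" config:system:set trusted_domains "${SLOT:-3}" --value="$sndc_dom"
}

# audit_hosts  (one value per line on stdin, e.g. the output of
#               ncc config:system:get trusted_domains, which prints one entry per line)
# Prints "ok VALUE" / "BAD VALUE"; returns 1 if any value fails is_valid_host.
audit_hosts() {
    ah_rc=0
    while IFS= read -r ah_line; do
        if is_valid_host "$ah_line"; then
            printf 'ok  %s\n' "$ah_line"
        else
            printf 'BAD %s\n' "$ah_line"
            ah_rc=1
        fi
    done
    return $ah_rc
}

# demo: the trusted_domains values from the thread plus one junk entry of the
# kind that was written to config.php (constructed inline, no real system).
demo() {
    printf '%s\n' localhost nextcloudpi.local 192.168.1.5 2a01:586:89a:1:887b:b203:1c09:1af6 \
        nc-hostname 'An unhandled exception has been thrown:' | audit_hosts || echo "config needs repair"
    NCC=echo set_nc_domain_checked nc-hostname
    NCC=echo set_nc_domain_checked 'RedisException: LOADING Redis is loading the dataset in memory' || true
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a NextCloudPi box, ncc config:system:get trusted_domains | audit_hosts lists every entry that is not a host, and NCC=echo set_nc_domain_checked <domain> previews the occ calls without writing anything.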

Actually you can do that, or you can update to the latest version and reboot. I added some code to try to fix this situation automatically during a reboot.

Awesome! Everything looks good, but I still have to wait for a new Let's Encrypt certificate. Thank you very much.


Good! So can you confirm that there is no junk in config.php overwrite.cli.url? (just your hostname or domain name or IP)

I can confirm. This is what it looks like now. I just did a reboot to be sure.

config.php

[…]
'trusted_domains' =>
array (
0 => 'localhost',
5 => 'nextcloudpi.local',
7 => 'nextcloudpi',
8 => 'nextcloudpi.lan',
11 => '2a01:586:89a:1:887b:b203:1c09:1af6',
1 => '192.168.1.5',
4 => 'nc-hostname',
20 => 'nc-hostname',
22 => 'nc-hostname',
12 => 'nc-hostname',
3 => 'nc-hostname',
),
[…]


perfect, thanks

Everything is working as expected.

Thanks @nachoparker


Hello all,
I think I have a similar issue.
Before the last NCP version everything was OK; with 1.39.13 I can't access my cloud over HTTPS.
I'm able to connect over SSH and tried to change ncp-https to no, and I get the message below:
running nc-httpsonly
System config value overwriteprotocol set to string https
AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/xxxxxx.ddns.net/fullchain.pem' does not exist or is empty
Action '-k graceful' failed.
The Apache error log may have more information.
Forcing HTTPS Off

How can I fix it?
Thanks for your help.

If you have the same issue as this thread describes, you just have to edit the ncp.conf. Upgrading to NC21 on docker fails to add docker IP to trusted proxies - HPB cannot be enabled · Issue #1345 · nextcloud/nextcloudpi · GitHub