LetsEncrypt not working after Apache error

Hey @Rude.Boy , looks like we are facing the same issue.

I was able to start the Apache service (with “sudo systemctl start apache2”).

In /etc/apache2/sites-enabled/ncp.conf I replaced this:

SSLCertificateFile /etc/letsencrypt/live/nc-hostname/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nc-hostename/privkey.pem

with that:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Now I have access to the web interface again. But the initial problem still exists. Since we have the same problem I will follow the thread of @Martin_Friebe

Hmmm I wonder why the -001 was appended. Never seen that one before in all these years.

You should be able to make it work by specifying the correct path to the certificates with the -001 instead of the snakeoil certs

I tweaked the code to take this situation into account. It seems to be related to duplicated (sub)domains.

Once apache is up, can you please run

sudo ncp-update devel

And then try again running letsencrypt to see if we get the correct path in /etc/apache2/sites-enabled/ncp.conf?

Thanks for your help! At the moment Let’s Encrypt is deactivated and the files (fullchain.pem, privkey.pem) do not exist.
I guess they are automatically deleted when Let’s Encrypt is deactivated.
So, to use the certificates I probably have to activate Let’s Encrypt. But trying to do that in the web interface I get the following output in a loop.

Output

Domain
Additional domain
Email
[ letsencrypt ] (Wed Sep 22 08:57:30 CEST 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
System config value trusted_domains => 3 set to string An unhandled exception has been thrown:
RedisException: LOADING Redis is loading the dataset in memory in
Stack trace:
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10
#11
#12 {main}
System config value overwrite.cli.url set to string https://An unhandled exception has been thrown:
RedisException: LOADING Redis is loading the dataset in memory in
Stack trace:
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10
#11
#12 {main}/
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: jha.spdns.de: see Rate Limits - Let's Encrypt
Please see the logfiles in /var/log/letsencrypt for more details.

System config value trusted_proxies => 11 set to string 127.0.0.1
System config value trusted_proxies => 12 set to string ::1
System config value trusted_proxies => 13 set to string An unhandled exception has been thrown:
RedisException: LOADING Redis is loading the dataset in memory in
Stack trace:
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10
#11
#12 {main}
System config value trusted_proxies => 14 set to empty string
✓ redis is configured
🗴 can’t connect to push server: Unable to parse URI: https://An unhandled exception has been thrown:
RedisException: LOADING Redis is loading the dataset in memory in
Stack trace:
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10
#11
#12 {main}/push/test/cookie

also
sudo ncp-update devel
didn’t change the ncp.conf

EDIT:
I cannot activate LE because I have reached the limit of 5 per week :frowning:

I tested 1.39.10 and after running letsencrypt again, the Apache server continues to use the self-signed certificate.

After a reboot it stopped working.

Ok, unfortunately you have hit another bug that has also been recently fixed.

Your config.php contains junk right now. In order to fix it, type

source /usr/local/etc/library.sh
set-nc-domain <your_domain>

Then, please verify that there is no more junk in config.php.

Once you are able to run Letsencrypt you should be good, make sure to update to the latest version where my fixes are now online.

Actually you can do that, or you can update to the latest version and reboot. I added some code to try to fix this situation automatically during a reboot.

Awesome! Everything looks good, but I still have to wait for a new Let’s Encrypt certificate. Thank you very much.

Good! So can you confirm that there is no junk in config.php overwrite.cli.url? (just your hostname or domain name or IP)

I can confirm. This is what it looks like now. I just did a reboot to be sure.

config.php

[…]
'trusted_domains' =>
array (
  0 => 'localhost',
  5 => 'nextcloudpi.local',
  7 => 'nextcloudpi',
  8 => 'nextcloudpi.lan',
  11 => '2a01:586:89a:1:887b:b203:1c09:1af6',
  1 => '192.168.1.5',
  4 => 'nc-hostname',
  20 => 'nc-hostname',
  22 => 'nc-hostname',
  12 => 'nc-hostname',
  3 => 'nc-hostname',
),
[…]

perfect, thanks

Everything is working as expected.

Thanks @nachoparker

Hello all
I think I have a similar issue.
Before the last ncp version everything was OK; with the 1.39.13 I can’t access my cloud in https.
I’m able to connect in ssh and tried to change ncp-https to no, and I have the message below:
running nc-httpsonly
System config value overwriteprotocol set to string https
AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/xxxxxx.ddns.net/fullchain.pem’ does not exist or is empty
Action ‘-k graceful’ failed.
The Apache error log may have more information.
Forcing HTTPS Off

How can I fix it ?
Thanks for your help.

If you have the same issue as this thread describes you just have to edit the ncp.conf. Upgrading to NC21 on docker fails to add docker IP to trusted proxies - HPB cannot be enabled · Issue #1345 · nextcloud/nextcloudpi · GitHub

If the instructions from sven1234 don’t help you, maybe THIS will bring you access to your cloud in https.
But this is not a good solution. To solve the Letsencrypt problem you should update NextcloudPi.

Today I was able to obtain a new Let’s Encrypt certificate. I got the following output:

[...]

IMPORTANT NOTES:

-Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nc-hostname-0003/fullchain.pem

Your key file has been saved at:
/etc/letsencrypt/live/nc-hostname-0003/privkey.pem
[…]

the path (with “-0003”) actually exists, but unfortunately, ncp.conf contains the wrong path again:

SSLCertificateFile /etc/letsencrypt/live/nc-hostname/fullchain.pem

Looks like you must have several folders with certificates. I added some tweaks to the code to pick the most recent one. Please run sudo ncp-update devel and try again.
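
The "pick the most recent one" idea from the reply above, as an added example that is not NextcloudPi's own code: it chooses the newest certificate folder whose files actually resolve to non-empty files, and only then rewrites the two Apache directives. The function names are hypothetical, and the `live/<domain>` plus `live/<domain>-NNNN` layout is assumed from the paths shown in this thread.

```bash
#!/usr/bin/env bash
# Added example, not NextcloudPi's code. Function names are hypothetical.
# Assumes certbot's layout as seen in this thread: live/<domain> plus
# numbered duplicates such as live/<domain>-0003, each holding symlinks.

# pick_cert_dir LIVE_DIR DOMAIN
# Prints the lineage directory with the newest usable fullchain.pem.
pick_cert_dir() {
  local live_dir="$1" domain="$2" dir newest=""
  for dir in "$live_dir/$domain" "$live_dir/$domain"-[0-9]*; do
    # -s follows symlinks, so it is false for a missing, dangling or empty
    # file: the condition Apache reports as "does not exist or is empty".
    [ -s "$dir/fullchain.pem" ] && [ -s "$dir/privkey.pem" ] || continue
    if [ -z "$newest" ] || [ "$dir/fullchain.pem" -nt "$newest/fullchain.pem" ]; then
      newest="$dir"
    fi
  done
  [ -n "$newest" ] || return 1
  printf '%s\n' "$newest"
}

# update_vhost_cert CONF LIVE_DIR DOMAIN
# Rewrites both SSL directives only when a usable lineage exists; otherwise
# CONF is left untouched so Apache keeps starting with its current certificate.
update_vhost_cert() {
  local conf="$1" dir
  if ! dir=$(pick_cert_dir "$2" "$3"); then
    echo "no usable certificate found for $3, $conf unchanged" >&2
    return 1
  fi
  sed -i -e "s|SSLCertificateFile.*|SSLCertificateFile $dir/fullchain.pem|" \
         -e "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile $dir/privkey.pem|" \
         "$conf"
}
```

Running `apachectl configtest` after `update_vhost_cert` and before any reload confirms that Apache accepts the rewritten paths.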

NextcloudPi was successfully updated to v1.40.6
after that I have run Let’s Encrypt again. I got the following output:

[ letsencrypt ] (Wed Oct 13 20:42:30 CEST 2021)
+ [[ yes != \y\e\s ]]
+ local DOMAIN_LOWERCASE=*nc-hostname*
+ local OTHER_DOMAINS_ARRAY
+ [[ *nc-hostname* == '' ]]
+ local 'IFS_BK= '
+ IFS=', '
+ OTHER_DOMAINS_ARRAY=(${OTHER_DOMAIN})
+ IFS=' '
+ local domain_string=
+ for domain in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ *nc-hostname* != '' ]]
+ [[ '' == '' ]]
+ domain_string+=*nc-hostname*
+ /usr/bin/letsencrypt certonly -n --force-renew --no-self-upgrade --webroot -w /var/www/nextcloud --hsts --agree-tos -m '' -d *nc-hostname*
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/*nc-hostname*-0003/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/*nc-hostname*-0003/privkey.pem
  Your cert will expire on 2022-01-11. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le

+ cat
+ chmod 755 /etc/cron.weekly/letsencrypt-ncp
+ mkdir -p /etc/letsencrypt/renewal-hooks/deploy
+ cat
+ chmod +x /etc/letsencrypt/renewal-hooks/deploy/ncp
+ install_template nextcloud.conf.sh /etc/apache2/sites-available/nextcloud.conf
+ local template=nextcloud.conf.sh
+ local target=/etc/apache2/sites-available/nextcloud.conf
++ mktemp
+ local bkp=/tmp/tmp.1Dq4vnf2Cm
+ [[ -f /etc/apache2/sites-available/nextcloud.conf ]]
+ cp -a /etc/apache2/sites-available/nextcloud.conf /tmp/tmp.1Dq4vnf2Cm
+ [[ '' == --\d\e\f\a\u\l\t\s ]]
+ bash /usr/local/etc/ncp-templates/nextcloud.conf.sh
INFO: Letsencrypt domain is nc-hostname
INFO: Metrics enabled: no
Apache self check:
AH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/nextcloud.conf:
SSLCertificateFile: file '/fullchain.pem' does not exist or is empty
Action '-t' failed.
The Apache error log may have more information.
+ [[ '' == --\a\l\l\o\w-\f\a\l\l\b\a\c\k ]]
+ rm /tmp/tmp.1Dq4vnf2Cm
+ sed -i 's|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/nc-hostname/fullchain.pem|' /etc/apache2/sites-available/ncp.conf
+ sed -i 's|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/nc-hostname/privkey.pem|' /etc/apache2/sites-available/ncp.conf
+ local domain_index=22
+ for dom in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ nc-hostname != '' ]]
+ [[ 22 -lt 20 ]]
+ echo 'WARN: nc-hostname will not be included in trusted domains for Nextcloud (maximum reached).' 'It will still be included in the SSL certificate'
WARN: nc-hostname will not be included in trusted domains for Nextcloud (maximum reached). It will still be included in the SSL certificate
+ continue
+ set-nc-domain nc-hostname
+ local domain=nc-hostname
++ sed 's|http.?://||;s|(/.*)||'
+ domain=nc-hostname
+ ping -c1 -w1 -q nc-hostname
+ [[ nc-hostname == '' ]]
+ is_an_ip nc-hostname
+ local ip_or_domain=nc-hostname
+ grep -oPq '\d{1,3}(.\d{1,3}){3}'
+ local proto
++ ncc config:system:get overwriteprotocol
+ proto=https
+ [[ https == '' ]]
+ local url=https://nc-hostname
+ [[ '' == --\n\o-\t\r\u\s\t\e\d-\d\o\m\a\i\n ]]
+ ncc config:system:set trusted_domains 3 --value=nc-hostname
System config value trusted_domains => 3 set to string nc-hostname
+ ncc config:system:set overwrite.cli.url --value=https://nc-hostname/
System config value overwrite.cli.url set to string https://nc-hostname/
+ is_ncp_activated
+ a2query -s ncp-activation -q
+ is_app_enabled notify_push
+ local app=notify_push
+ ncc app:list
+ sed '0,/Disabled/!d'
+ grep -q notify_push
+ ncc config:system:set trusted_proxies 11 --value=127.0.0.1
System config value trusted_proxies => 11 set to string 127.0.0.1
+ ncc config:system:set trusted_proxies 12 --value=::1
System config value trusted_proxies => 12 set to string ::1
+ ncc config:system:set trusted_proxies 13 --value=nc-hostname
System config value trusted_proxies => 13 set to string nc-hostname
++ dig +short nc-hostname
+ ncc config:system:set trusted_proxies 14 --value=nc-ip
System config value trusted_proxies => 14 set to string nc-ip
+ sleep 5
+ ncc notify_push:setup https://nc-hostname/push
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
configuration saved
+ apachectl -k graceful
AH00526: Syntax error on line 6 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/nc-hostname/fullchain.pem' does not exist or is empty
Action '-k graceful' failed.
The Apache error log may have more information.
+ rm -rf /var/www/nextcloud/.well-known
+ is_docker
+ [[ -f /.dockerenv ]]
+ [[ '' == 1 ]]
+ return 0

the path (with “-0003”) still exists, and ncp.conf contains the wrong path:
SSLCertificateFile /etc/letsencrypt/live/*nc-hostname*/fullchain.pem

After a reboot NCP is not going to start.
Even if I change the path in ncp.conf to the *-0003 folder.
And even if I change the whole path to

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
and
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

That helped last time at least to have access to the web interface.
But now the web interface won’t start no matter what I do. This is a little frustrating.

apachectl configtest always says something like this:

AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/*nc-hostname*-0003/fullchain.pem' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.
pi@nextcloudpi:~ $

By the way, /etc/letsencrypt/live/*nc-hostname*-0003/fullchain.pem exists and nc-hostname-0003 is the only folder. There are no other nc-hostname folders.