LetsEncrypt not working after Apache error

oh… that was probably my mistake.
when you said “run letsencrypt again”, i did this on the NCP Panel.

just now i tried to run it from the console:

pi@nextcloudpi:~ $ sudo letsencrypt

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

yes, I meant from the panel

What nextcloudpi version are you performing the tests with?

NextCloudPi version v1.42.2

I have just tried again, to run letsencrypt from the panel.

Output:

[ letsencrypt ] (Mon Oct 25 20:44:07 CEST 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for *nc-hostname*
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/*nc-hostname*-0005/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/*nc-hostname*-0005/privkey.pem
Your cert will expire on 2022-01-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

INFO: Letsencrypt domain is *nc-hostname*
INFO: Metrics enabled: no
Apache self check:
Syntax OK
WARN: *nc-hostname* will not be included in trusted domains for Nextcloud (maximum reached). It will still be included in the SSL certificate
System config value trusted_domains => 3 set to string *nc-hostname*
System config value overwrite.cli.url set to string https://*nc-hostname*/
System config value trusted_proxies => 11 set to string 127.0.0.1
System config value trusted_proxies => 12 set to string ::1
System config value trusted_proxies => 13 set to string *nc-hostname*
System config value trusted_proxies => 14 set to string *nc-ip*
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
configuration saved
AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/*nc-hostname*/fullchain.pem' does not exist or is empty
Action '-k graceful' failed.
The Apache error log may have more information.

After that, a new folder has been created:
/etc/letsencrypt/live/*nc-hostname*-0005
and the ncp.conf refers to a folder that doesn’t exist (/etc/letsencrypt/live/*nc-hostname*)

here is something else i don’t understand. Although i change the path in the ncp.conf, i get an error trying to do apache2ctl -k graceful


AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/*nc-hostname*-0005/fullchain.pem' does not exist or is empty
Action '-k graceful' failed.
The Apache error log may have more information.

@Rude.Boy that is certainly strange, the file should exist.

What is the output from

set -x
source /usr/local/etc/ncp-templates/nextcloud.conf.sh

Apache2 is down, nothing is at the ports so they are kinda closed

I can see that something is displayed, but one second after I have entered the command, the SSH Client (PuTTY) is closed. I was not able to copy the output.

I see, try this then

bash
set -x
source /usr/local/etc/ncp-templates/nextcloud.conf.sh

here it is:

pi@nextcloudpi:~ $ bash
pi@nextcloudpi:~ $ set -x
pi@nextcloudpi:~ $ source /usr/local/etc/ncp-templates/nextcloud.conf.sh
+ source /usr/local/etc/ncp-templates/nextcloud.conf.sh
++ set -e
++ source /usr/local/etc/library.sh
+++ export NCPCFG=/usr/local/etc/ncp.cfg
+++ NCPCFG=/usr/local/etc/ncp.cfg
+++ export CFGDIR=/usr/local/etc/ncp-config.d
+++ CFGDIR=/usr/local/etc/ncp-config.d
+++ export BINDIR=/usr/local/bin/ncp
+++ BINDIR=/usr/local/bin/ncp
+++ export NCDIR=/var/www/nextcloud
+++ NCDIR=/var/www/nextcloud
+++ export ncc=/usr/local/bin/ncc
+++ ncc=/usr/local/bin/ncc
+++ TRUSTED_DOMAINS=([ip]=1 [dnsmasq]=2 [nc_domain]=3 [nextcloudpi-local]=5 [docker_overwrite]=6 [nextcloudpi]=7 [nextcloudpi-lan]=8 [public_ip]=11 [letsencrypt_1]=12 [letsencrypt_2]=13 [hostname]=14 [trusted_domain_1]=20 [trusted_domain_2]=21 [trusted_domain_3]=22)
+++ export TRUSTED_DOMAINS
+++ command -v jq
+++ [[ -f /usr/local/etc/ncp.cfg ]]
++++ jq -r .nextcloud_version
+++ NCLATESTVER=21.0.4
++++ jq -r .php_version
+++ PHPVER=7.3
++++ jq -r .release
+++ RELEASE=buster
+++ command -v ncc
++++ ncc status
++++ grep --color=auto version:
++++ awk '{ print $3 }'
+++ NCVER=21.0.4.1
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ ! -f /.docker-image ]]
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
+++ [[ -f /.ncp-image ]]
+++ source /usr/local/bin/ncp/NETWORKING/letsencrypt.sh
++++ ncdir=/var/www/nextcloud
++++ nc_vhostcfg=/etc/apache2/sites-available/nextcloud.conf
++++ vhostcfg2=/etc/apache2/sites-available/ncp.conf
++++ letsencrypt=/usr/bin/letsencrypt
+++ tmpl_letsencrypt_domain
+++ . /usr/local/etc/library.sh
++++ export NCPCFG=/usr/local/etc/ncp.cfg
++++ NCPCFG=/usr/local/etc/ncp.cfg
++++ export CFGDIR=/usr/local/etc/ncp-config.d
++++ CFGDIR=/usr/local/etc/ncp-config.d
++++ export BINDIR=/usr/local/bin/ncp
++++ BINDIR=/usr/local/bin/ncp
++++ export NCDIR=/var/www/nextcloud
++++ NCDIR=/var/www/nextcloud
++++ export ncc=/usr/local/bin/ncc
++++ ncc=/usr/local/bin/ncc
++++ TRUSTED_DOMAINS=([ip]=1 [dnsmasq]=2 [nc_domain]=3 [nextcloudpi-local]=5 [docker_overwrite]=6 [nextcloudpi]=7 [nextcloudpi-lan]=8 [public_ip]=11 [letsencrypt_1]=12 [letsencrypt_2]=13 [hostname]=14 [trusted_domain_1]=20 [trusted_domain_2]=21 [trusted_domain_3]=22)
++++ export TRUSTED_DOMAINS
++++ command -v jq
++++ [[ -f /usr/local/etc/ncp.cfg ]]
+++++ jq -r .nextcloud_version
++++ NCLATESTVER=21.0.4
+++++ jq -r .php_version
++++ PHPVER=7.3
+++++ jq -r .release
++++ RELEASE=buster
++++ command -v ncc
+++++ ncc status
+++++ grep --color=auto version:
+++++ awk '{ print $3 }'
++++ NCVER=21.0.4.1
+++ is_active_app letsencrypt
+++ local ncp_app=letsencrypt
+++ local bin_dir=.
+++ local script=./letsencrypt.sh
+++ local cfg_file=/usr/local/etc/ncp-config.d/letsencrypt.cfg
+++ [[ -f ./letsencrypt.sh ]]
++++ find /usr/local/bin/ncp -name letsencrypt.sh
++++ head -1
+++ local script=/usr/local/bin/ncp/NETWORKING/letsencrypt.sh
+++ [[ -f /usr/local/bin/ncp/NETWORKING/letsencrypt.sh ]]
+++ unset is_active
+++ source /usr/local/bin/ncp/NETWORKING/letsencrypt.sh
++++ ncdir=/var/www/nextcloud
++++ nc_vhostcfg=/etc/apache2/sites-available/nextcloud.conf
++++ vhostcfg2=/etc/apache2/sites-available/ncp.conf
++++ letsencrypt=/usr/bin/letsencrypt
++++ type -t is_active
+++ [[ function == function ]]
+++ [[ -f /usr/local/etc/ncp-config.d/letsencrypt.cfg ]]
++++ cat /usr/local/etc/ncp-config.d/letsencrypt.cfg
cat: /usr/local/etc/ncp-config.d/letsencrypt.cfg: Keine Berechtigung
+++ local cfg=
++++ jq '.params | length'
+++ local len=
+++ (( i = 0  ))
+++ (( i < len  ))
+++ is_active
+++ [[ '' == \y\e\s ]]
+++ return 1
++ LETSENCRYPT_DOMAIN=
++ [[ -z '' ]]
++ [[ -f /.ncp-image ]]
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ -f /usr/local/bin/ncp/SYSTEM/metrics.sh ]]
+++ source /usr/local/bin/ncp/SYSTEM/metrics.sh
+++ tmpl_metrics_enabled
+++ . /usr/local/etc/library.sh
++++ export NCPCFG=/usr/local/etc/ncp.cfg
++++ NCPCFG=/usr/local/etc/ncp.cfg
++++ export CFGDIR=/usr/local/etc/ncp-config.d
++++ CFGDIR=/usr/local/etc/ncp-config.d
++++ export BINDIR=/usr/local/bin/ncp
++++ BINDIR=/usr/local/bin/ncp
++++ export NCDIR=/var/www/nextcloud
++++ NCDIR=/var/www/nextcloud
++++ export ncc=/usr/local/bin/ncc
++++ ncc=/usr/local/bin/ncc
++++ TRUSTED_DOMAINS=([ip]=1 [dnsmasq]=2 [nc_domain]=3 [nextcloudpi-local]=5 [docker_overwrite]=6 [nextcloudpi]=7 [nextcloudpi-lan]=8 [public_ip]=11 [letsencrypt_1]=12 [letsencrypt_2]=13 [hostname]=14 [trusted_domain_1]=20 [trusted_domain_2]=21 [trusted_domain_3]=22)
++++ export TRUSTED_DOMAINS
++++ command -v jq
++++ [[ -f /usr/local/etc/ncp.cfg ]]
+++++ jq -r .nextcloud_version
++++ NCLATESTVER=21.0.4
+++++ jq -r .php_version
++++ PHPVER=7.3
+++++ jq -r .release
++++ RELEASE=buster
++++ command -v ncc
+++++ ncc status
+++++ grep --color=auto version:
+++++ awk '{ print $3 }'
++++ NCVER=21.0.4.1
++++ find_app_param metrics.sh ACTIVE
++++ local script=metrics.sh
++++ local param_id=ACTIVE
+++++ basename metrics.sh .sh
++++ local ncp_app=metrics
++++ local cfg_file=/usr/local/etc/ncp-config.d/metrics.cfg
+++++ find_app_param_num metrics.sh ACTIVE
+++++ local script=metrics.sh
+++++ local param_id=ACTIVE
++++++ basename metrics.sh .sh
+++++ local ncp_app=metrics
+++++ local cfg_file=/usr/local/etc/ncp-config.d/metrics.cfg
+++++ [[ -f /usr/local/etc/ncp-config.d/metrics.cfg ]]
++++++ cat /usr/local/etc/ncp-config.d/metrics.cfg
cat: /usr/local/etc/ncp-config.d/metrics.cfg: Keine Berechtigung
+++++ local cfg=
++++++ jq '.params | length'
+++++ local len=
+++++ (( i = 0  ))
+++++ (( i < len  ))
+++++ return 1
++++ local p_num=
++++ jq -r '.params[].value'
bash: /usr/local/etc/ncp-config.d/metrics.cfg: Keine Berechtigung
+++ local param_active=
+++ [[ '' == yes ]]
+++ exit 1
+++ echo no
++ METRICS_IS_ENABLED=no
++ echo 'INFO: Metrics enabled: no'
INFO: Metrics enabled: no
++ echo '### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###'
### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###
++ echo ''

++ cat
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    DocumentRoot /var/www/nextcloud
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ -n '' ]]
++ '[' -f /etc/ssl/certs/ssl-cert-snakeoil.pem ']'
++ unset LETSENCRYPT_DOMAIN
++ [[ -f /fullchain.pem ]]
++ cat
    CustomLog /var/log/apache2/nc-access.log combined
    ErrorLog  /var/log/apache2/nc-error.log
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile   /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # For notify_push app in NC21
    ProxyPass /push/ws ws://127.0.0.1:7867/ws
    ProxyPass /push/ http://127.0.0.1:7867/
    ProxyPassReverse /push/ http://127.0.0.1:7867/
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ no == yes ]]
++ cat
  </VirtualHost>

  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    LimitRequestBody 0
    SSLRenegBufferSize 10486000
  </Directory>
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  </IfModule>
</IfModule>
++ [[ -f /.ncp-image ]]
++ echo 'Apache self check:'
bash: /var/log/ncp.log: Keine Berechtigung

thanks, I forgot to remind you that this needs to be run as root

sudo bash
set -x
source /usr/local/etc/ncp-templates/nextcloud.conf.sh

and one more :slight_smile:

pi@nextcloudpi:~ $ sudo bash
root@nextcloudpi:/home/pi# set -x
root@nextcloudpi:/home/pi# source /usr/local/etc/ncp-templates/nextcloud.conf.sh
+ source /usr/local/etc/ncp-templates/nextcloud.conf.sh
++ set -e
++ source /usr/local/etc/library.sh
+++ export NCPCFG=/usr/local/etc/ncp.cfg
+++ NCPCFG=/usr/local/etc/ncp.cfg
+++ export CFGDIR=/usr/local/etc/ncp-config.d
+++ CFGDIR=/usr/local/etc/ncp-config.d
+++ export BINDIR=/usr/local/bin/ncp
+++ BINDIR=/usr/local/bin/ncp
+++ export NCDIR=/var/www/nextcloud
+++ NCDIR=/var/www/nextcloud
+++ export ncc=/usr/local/bin/ncc
+++ ncc=/usr/local/bin/ncc
+++ TRUSTED_DOMAINS=([ip]=1 [dnsmasq]=2 [nc_domain]=3 [nextcloudpi-local]=5 [docker_overwrite]=6 [nextcloudpi]=7 [nextcloudpi-lan]=8 [public_ip]=11 [letsencrypt_1]=12 [letsencrypt_2]=13 [hostname]=14 [trusted_domain_1]=20 [trusted_domain_2]=21 [trusted_domain_3]=22)
+++ export TRUSTED_DOMAINS
+++ command -v jq
+++ [[ -f /usr/local/etc/ncp.cfg ]]
++++ jq -r .nextcloud_version
+++ NCLATESTVER=21.0.4
++++ jq -r .php_version
+++ PHPVER=7.3
++++ jq -r .release
+++ RELEASE=buster
+++ command -v ncc
++++ ncc status
++++ grep version:
++++ awk '{ print $3 }'
+++ NCVER=21.0.4.1
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ ! -f /.docker-image ]]
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
+++ [[ -f /.ncp-image ]]
+++ source /usr/local/bin/ncp/NETWORKING/letsencrypt.sh
++++ ncdir=/var/www/nextcloud
++++ nc_vhostcfg=/etc/apache2/sites-available/nextcloud.conf
++++ vhostcfg2=/etc/apache2/sites-available/ncp.conf
++++ letsencrypt=/usr/bin/letsencrypt
+++ tmpl_letsencrypt_domain
+++ . /usr/local/etc/library.sh
++++ export NCPCFG=/usr/local/etc/ncp.cfg
++++ NCPCFG=/usr/local/etc/ncp.cfg
++++ export CFGDIR=/usr/local/etc/ncp-config.d
++++ CFGDIR=/usr/local/etc/ncp-config.d
++++ export BINDIR=/usr/local/bin/ncp
++++ BINDIR=/usr/local/bin/ncp
++++ export NCDIR=/var/www/nextcloud
++++ NCDIR=/var/www/nextcloud
++++ export ncc=/usr/local/bin/ncc
++++ ncc=/usr/local/bin/ncc
++++ TRUSTED_DOMAINS=([ip]=1 [dnsmasq]=2 [nc_domain]=3 [nextcloudpi-local]=5 [docker_overwrite]=6 [nextcloudpi]=7 [nextcloudpi-lan]=8 [public_ip]=11 [letsencrypt_1]=12 [letsencrypt_2]=13 [hostname]=14 [trusted_domain_1]=20 [trusted_domain_2]=21 [trusted_domain_3]=22)
++++ export TRUSTED_DOMAINS
++++ command -v jq
++++ [[ -f /usr/local/etc/ncp.cfg ]]
+++++ jq -r .nextcloud_version
++++ NCLATESTVER=21.0.4
+++++ jq -r .php_version
++++ PHPVER=7.3
+++++ jq -r .release
++++ RELEASE=buster
++++ command -v ncc
+++++ ncc status
+++++ grep version:
+++++ awk '{ print $3 }'
++++ NCVER=21.0.4.1
+++ is_active_app letsencrypt
+++ local ncp_app=letsencrypt
+++ local bin_dir=.
+++ local script=./letsencrypt.sh
+++ local cfg_file=/usr/local/etc/ncp-config.d/letsencrypt.cfg
+++ [[ -f ./letsencrypt.sh ]]
++++ find /usr/local/bin/ncp -name letsencrypt.sh
++++ head -1
+++ local script=/usr/local/bin/ncp/NETWORKING/letsencrypt.sh
+++ [[ -f /usr/local/bin/ncp/NETWORKING/letsencrypt.sh ]]
+++ unset is_active
+++ source /usr/local/bin/ncp/NETWORKING/letsencrypt.sh
++++ ncdir=/var/www/nextcloud
++++ nc_vhostcfg=/etc/apache2/sites-available/nextcloud.conf
++++ vhostcfg2=/etc/apache2/sites-available/ncp.conf
++++ letsencrypt=/usr/bin/letsencrypt
++++ type -t is_active
+++ [[ function == function ]]
+++ [[ -f /usr/local/etc/ncp-config.d/letsencrypt.cfg ]]
++++ cat /usr/local/etc/ncp-config.d/letsencrypt.cfg
+++ local 'cfg={
  "id": "letsencrypt",
  "name": "Let'\''s Encrypt, Automatic signed SSL certificates",
  "title": "letsencrypt",
  "description": "Automatic signed SSL certificates. Let’s Encrypt is a free, automated, and open Certificate Authority.",
  "info": "Internet access is required for this configuration to complete\nBoth ports 80 and 443 need to be accessible from the internet\n\nYour certificate will be automatically renewed every month",
  "infotitle": "Warning",
  "params": [
    {
      "id": "ACTIVE",
      "name": "Active",
      "value": "yes",
      "type": "bool"
    },
    {
      "id": "DOMAIN",
      "name": "Domain",
      "value": "*nc-hostname*",
      "suggest": "mycloud.ownyourbits.com"
    },
    {
      "id": "OTHER_DOMAIN",
      "name": "Additional domain",
      "value": "",
      "suggest": "optional.cloud.ownyourbits.com"
    },
    {
      "id": "EMAIL",
      "name": "Email",
      "value": "",
      "suggest": "mycloud@ownyourbits.com"
    }
  ]
}'
++++ jq '.params | length'
+++ local len=4
+++ (( i = 0  ))
+++ (( i < len  ))
++++ jq -r '.params[0].id'
+++ local var=ACTIVE
++++ jq -r '.params[0].value'
+++ local val=yes
+++ eval ACTIVE=yes
++++ ACTIVE=yes
+++ (( i++  ))
+++ (( i < len  ))
++++ jq -r '.params[1].id'
+++ local var=DOMAIN
++++ jq -r '.params[1].value'
+++ local val=*nc-hostname*
+++ eval DOMAIN=*nc-hostname*
++++ DOMAIN=*nc-hostname*
+++ (( i++  ))
+++ (( i < len  ))
++++ jq -r '.params[2].id'
+++ local var=OTHER_DOMAIN
++++ jq -r '.params[2].value'
+++ local val=
+++ eval OTHER_DOMAIN=
++++ OTHER_DOMAIN=
+++ (( i++  ))
+++ (( i < len  ))
++++ jq -r '.params[3].id'
+++ local var=EMAIL
++++ jq -r '.params[3].value'
+++ local val=
+++ eval EMAIL=
++++ EMAIL=
+++ (( i++  ))
+++ (( i < len  ))
+++ is_active
+++ [[ yes == \y\e\s ]]
++++ find /etc/letsencrypt/live/ -maxdepth 0 -empty
++++ wc -l
+++ [[ 0 == 0 ]]
+++ return 0
+++ find_app_param letsencrypt DOMAIN
+++ local script=letsencrypt
+++ local param_id=DOMAIN
++++ basename letsencrypt .sh
+++ local ncp_app=letsencrypt
+++ local cfg_file=/usr/local/etc/ncp-config.d/letsencrypt.cfg
++++ find_app_param_num letsencrypt DOMAIN
++++ local script=letsencrypt
++++ local param_id=DOMAIN
+++++ basename letsencrypt .sh
++++ local ncp_app=letsencrypt
++++ local cfg_file=/usr/local/etc/ncp-config.d/letsencrypt.cfg
++++ [[ -f /usr/local/etc/ncp-config.d/letsencrypt.cfg ]]
+++++ cat /usr/local/etc/ncp-config.d/letsencrypt.cfg
++++ local 'cfg={
  "id": "letsencrypt",
  "name": "Let'\''s Encrypt, Automatic signed SSL certificates",
  "title": "letsencrypt",
  "description": "Automatic signed SSL certificates. Let’s Encrypt is a free, automated, and open Certificate Authority.",
  "info": "Internet access is required for this configuration to complete\nBoth ports 80 and 443 need to be accessible from the internet\n\nYour certificate will be automatically renewed every month",
  "infotitle": "Warning",
  "params": [
    {
      "id": "ACTIVE",
      "name": "Active",
      "value": "yes",
      "type": "bool"
    },
    {
      "id": "DOMAIN",
      "name": "Domain",
      "value": "*nc-hostname*",
      "suggest": "mycloud.ownyourbits.com"
    },
    {
      "id": "OTHER_DOMAIN",
      "name": "Additional domain",
      "value": "",
      "suggest": "optional.cloud.ownyourbits.com"
    },
    {
      "id": "EMAIL",
      "name": "Email",
      "value": "",
      "suggest": "mycloud@ownyourbits.com"
    }
  ]
}'
+++++ jq '.params | length'
++++ local len=4
++++ (( i = 0  ))
++++ (( i < len  ))
+++++ jq -r '.params[0].id'
++++ local p_id=ACTIVE
++++ [[ DOMAIN == \A\C\T\I\V\E ]]
++++ (( i++  ))
++++ (( i < len  ))
+++++ jq -r '.params[1].id'
++++ local p_id=DOMAIN
++++ [[ DOMAIN == \D\O\M\A\I\N ]]
++++ echo 1
++++ return 0
+++ local p_num=1
+++ jq -r '.params[1].value'
++ LETSENCRYPT_DOMAIN=*nc-hostname*
++ [[ -z *nc-hostname* ]]
++ echo 'INFO: Letsencrypt domain is *nc-hostname*'
INFO: Letsencrypt domain is *nc-hostname*
++ [[ -f /.ncp-image ]]
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ -f /usr/local/bin/ncp/SYSTEM/metrics.sh ]]
+++ source /usr/local/bin/ncp/SYSTEM/metrics.sh
+++ tmpl_metrics_enabled
+++ . /usr/local/etc/library.sh
++++ export NCPCFG=/usr/local/etc/ncp.cfg
++++ NCPCFG=/usr/local/etc/ncp.cfg
++++ export CFGDIR=/usr/local/etc/ncp-config.d
++++ CFGDIR=/usr/local/etc/ncp-config.d
++++ export BINDIR=/usr/local/bin/ncp
++++ BINDIR=/usr/local/bin/ncp
++++ export NCDIR=/var/www/nextcloud
++++ NCDIR=/var/www/nextcloud
++++ export ncc=/usr/local/bin/ncc
++++ ncc=/usr/local/bin/ncc
++++ TRUSTED_DOMAINS=([ip]=1 [dnsmasq]=2 [nc_domain]=3 [nextcloudpi-local]=5 [docker_overwrite]=6 [nextcloudpi]=7 [nextcloudpi-lan]=8 [public_ip]=11 [letsencrypt_1]=12 [letsencrypt_2]=13 [hostname]=14 [trusted_domain_1]=20 [trusted_domain_2]=21 [trusted_domain_3]=22)
++++ export TRUSTED_DOMAINS
++++ command -v jq
++++ [[ -f /usr/local/etc/ncp.cfg ]]
+++++ jq -r .nextcloud_version
++++ NCLATESTVER=21.0.4
+++++ jq -r .php_version
++++ PHPVER=7.3
+++++ jq -r .release
++++ RELEASE=buster
++++ command -v ncc
+++++ ncc status
+++++ grep version:
+++++ awk '{ print $3 }'
++++ NCVER=21.0.4.1
++++ find_app_param metrics.sh ACTIVE
++++ local script=metrics.sh
++++ local param_id=ACTIVE
+++++ basename metrics.sh .sh
++++ local ncp_app=metrics
++++ local cfg_file=/usr/local/etc/ncp-config.d/metrics.cfg
+++++ find_app_param_num metrics.sh ACTIVE
+++++ local script=metrics.sh
+++++ local param_id=ACTIVE
++++++ basename metrics.sh .sh
+++++ local ncp_app=metrics
+++++ local cfg_file=/usr/local/etc/ncp-config.d/metrics.cfg
+++++ [[ -f /usr/local/etc/ncp-config.d/metrics.cfg ]]
++++++ cat /usr/local/etc/ncp-config.d/metrics.cfg
+++++ local 'cfg={
  "id": "metrics",
  "name": "System Metrics, that can be collected by an external server",
  "title": "System Metrics",
  "description": "Prometheus (https://prometheus.io) compatible metrics for things like, CPU/memory/disk usage etc.",
  "info": "In order to use these metrics, you will need to setup at least an external Prometheus instance. You can find a quick and easy way to start at https://github.com/theCalcaholic/ncp-monitoring-dashboard",
  "infotitle": "External service required",
  "params": [
    {
      "id": "ACTIVE",
      "name": "Active",
      "value": "no",
      "type": "bool"
    },
    {
      "id": "USER",
      "name": "Metrics User",
      "value": "metrics",
      "suggest": "metrics"
    },
    {
      "id": "PASSWORD",
      "name": "Metrics Password",
      "value": "",
      "type": "password"
    }
  ]
}'
++++++ jq '.params | length'
+++++ local len=3
+++++ (( i = 0  ))
+++++ (( i < len  ))
++++++ jq -r '.params[0].id'
+++++ local p_id=ACTIVE
+++++ [[ ACTIVE == \A\C\T\I\V\E ]]
+++++ echo 0
+++++ return 0
++++ local p_num=0
++++ jq -r '.params[0].value'
+++ local param_active=no
+++ [[ no == yes ]]
+++ exit 1
+++ echo no
++ METRICS_IS_ENABLED=no
++ echo 'INFO: Metrics enabled: no'
INFO: Metrics enabled: no
++ echo '### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###'
### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###
++ echo ''

++ cat
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    DocumentRoot /var/www/nextcloud
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ -n *nc-hostname* ]]
++ echo '    ServerName *nc-hostname*'
    ServerName *nc-hostname*
++ LETSENCRYPT_CERT_BASE_PATH=/etc/letsencrypt/live/*nc-hostname*
++ [[ -f /etc/letsencrypt/live/*nc-hostname*/fullchain.pem ]]
+++ find /etc/letsencrypt/live -type d -name '*nc-hostname**' -printf '%T@ %p\n'
+++ sort -n
+++ cut -f2 '-d '
+++ tail -1
++ LETSENCRYPT_CERT_BASE_PATH=/etc/letsencrypt/live/*nc-hostname*-0005
++ [[ -f /etc/letsencrypt/live/*nc-hostname*-0005/fullchain.pem ]]
++ [[ -f /etc/letsencrypt/live/*nc-hostname*-0005/fullchain.pem ]]
++ [[ -f /etc/letsencrypt/live/*nc-hostname*-0005/privkey.pem ]]
++ LETSENCRYPT_CERT_PATH=/etc/letsencrypt/live/*nc-hostname*-0005/fullchain.pem
++ LETSENCRYPT_KEY_PATH=/etc/letsencrypt/live/*nc-hostname*-0005/privkey.pem
++ cat
    CustomLog /var/log/apache2/nc-access.log combined
    ErrorLog  /var/log/apache2/nc-error.log
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile   /etc/letsencrypt/live/*nc-hostname*-0005/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/*nc-hostname*-0005/privkey.pem

    # For notify_push app in NC21
    ProxyPass /push/ws ws://127.0.0.1:7867/ws
    ProxyPass /push/ http://127.0.0.1:7867/
    ProxyPassReverse /push/ http://127.0.0.1:7867/
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ no == yes ]]
++ cat
  </VirtualHost>

  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    LimitRequestBody 0
    SSLRenegBufferSize 10486000
  </Directory>
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  </IfModule>
</IfModule>
++ [[ -f /.ncp-image ]]
++ echo 'Apache self check:'
++ apache2ctl -t

thanks for your patience.

It seems like the right path is found and used

So after you run letsencrypt, that is what should appear in /etc/apache2/sites-enabled/nextcloud.conf, and everything should work.

Is that not the case?

so far i have always checked ncp.conf and never nextcloud.conf

you are right, in /etc/apache2/sites-enabled/nextcloud.conf i can find these lines:

SSLCertificateFile   /etc/letsencrypt/live/*nc-hostname*-0005/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/*nc-hostname*-0005/privkey.pem

AH, that’s it then. That needs fixing.

Small but important detail, we were looking at the wrong file :smiley:

Ok, this time we got this, please run

sudo ncp-update devel

and then run letsencrypt one more time from ncp-web or ncp-config.

This time around both nextcloud.conf and ncp.conf should contain the right path (ending in -0005 or whatever)
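
A pre-reload check for the failure seen in this thread, as an added example that is not part of the original posts and is not NextCloudPi's own code: it lists every SSLCertificateFile / SSLCertificateKeyFile directive under sites-enabled whose target is missing or empty, and picks the newest certbot lineage directory for a domain. The function names, the optional root prefix and the cloud.example.test fixture are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: find stale certificate paths before reloading Apache.

# Print "conf:directive:path" for each SSLCertificateFile/SSLCertificateKeyFile
# whose target is missing or empty (the condition Apache reports as AH00526).
# $2 is an optional prefix (assumption) so a fixture tree can be checked
# instead of the live /etc. Returns 1 if any stale directive was found.
stale_cert_paths() {
  local conf_dir=$1 root=${2:-} conf directive path rest status=0
  for conf in "$conf_dir"/*.conf; do
    [ -f "$conf" ] || continue
    # read trims leading indentation; "|| [ -n ... ]" keeps a last line
    # that has no trailing newline.
    while read -r directive path rest || [ -n "$directive" ]; do
      case $directive in
        SSLCertificateFile|SSLCertificateKeyFile)
          path=${path%\"}; path=${path#\"}
          # -s follows symlinks, so a dangling live/ symlink also counts.
          if [ ! -s "$root$path" ]; then
            printf '%s:%s:%s\n' "${conf##*/}" "$directive" "$path"
            status=1
          fi ;;
      esac
    done < "$conf"
  done
  return "$status"
}

# Echo the most recently modified lineage directory for a domain that holds
# both PEM files. Only "domain" and "domain-NNNN" are considered, which is
# narrower than the "domain*" glob visible in the template trace above.
newest_lineage() {
  local live_dir=$1 domain=$2 dir newest=
  for dir in "$live_dir/$domain" "$live_dir/$domain"-[0-9][0-9][0-9][0-9]; do
    [ -s "$dir/fullchain.pem" ] && [ -s "$dir/privkey.pem" ] || continue
    if [ -z "$newest" ] || [ "$dir" -nt "$newest" ]; then newest=$dir; fi
  done
  [ -n "$newest" ] && printf '%s\n' "$newest"
}

# Constructed sample tree (not data from the thread): two lineages, a
# nextcloud.conf pointing at the newest one and an ncp.conf pointing at a
# directory that does not exist.
build_fixture() {
  local root=$1 live=$1/etc/letsencrypt/live sites=$1/etc/apache2/sites-enabled d
  mkdir -p "$sites"
  for d in cloud.example.test-0005 cloud.example.test-0006; do
    mkdir -p "$live/$d"
    echo cert > "$live/$d/fullchain.pem"
    echo key  > "$live/$d/privkey.pem"
  done
  # Set directory mtimes last, since creating files changes them.
  touch -t 202110252044 "$live/cloud.example.test-0005"
  touch -t 202110272235 "$live/cloud.example.test-0006"
  printf '%s\n' \
    '    SSLCertificateFile   /etc/letsencrypt/live/cloud.example.test-0006/fullchain.pem' \
    '    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.test-0006/privkey.pem' \
    > "$sites/nextcloud.conf"
  printf '%s\n' \
    'SSLCertificateFile /etc/letsencrypt/live/cloud.example.test/fullchain.pem' \
    'SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.test/privkey.pem' \
    > "$sites/ncp.conf"
}

fixture=$(mktemp -d)
build_fixture "$fixture"
stale_cert_paths "$fixture/etc/apache2/sites-enabled" "$fixture" \
  || echo "stale certificate paths found; fix them before reloading Apache"
newest_lineage "$fixture/etc/letsencrypt/live" cloud.example.test
rm -rf "$fixture"
```

On a real system, call `stale_cert_paths /etc/apache2/sites-enabled` as root with no prefix, since the files under /etc/letsencrypt/live are not readable by ordinary users.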

result of sudo ncp-update devel:

pi@nextcloudpi:~ $ sudo ncp-update devel
INFO: updating to development branch 'devel'
Downloading updates
Performing updates
/usr/local/etc/library.sh: Zeile 17: declare: TRUSTED_DOMAINS: Das indizierte Array kann in kein assoziatives Array umgewandelt werden.

output after running letsencrypt:

[ letsencrypt ] (Wed Oct 27 22:35:05 CEST 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/*nc-hostname*-0006/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/*nc-hostname*-0006/privkey.pem
Your cert will expire on 2022-01-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

INFO: Letsencrypt domain is *nc-hostname*
INFO: Metrics enabled: no
Apache self check:
AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/*nc-hostname*/fullchain.pem' does not exist or is empty
Action '-t' failed.
The Apache error log may have more information.
System config value trusted_domains => 12 set to string *nc-hostname*
System config value trusted_domains => set to string *nc-hostname*
System config value overwrite.cli.url set to string https://*nc-hostname*/
System config value trusted_proxies => 11 set to string 127.0.0.1
System config value trusted_proxies => 12 set to string ::1
System config value trusted_proxies => 13 set to string *nc-hostname*
System config value trusted_proxies => 14 set to string *nc-ip*
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
configuration saved
AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/*nc-hostname*/fullchain.pem' does not exist or is empty
Action '-k graceful' failed.
The Apache error log may have more information.

it is -0006 now

nextcloud.conf: :slight_smile:

SSLCertificateFile   /etc/letsencrypt/live/*nc-hostname*-0006/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/*nc-hostname*-0006/privkey.pem

ncp.conf: :frowning_face:

SSLCertificateFile /etc/letsencrypt/live/*nc-hostname*/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/*nc-hostname*/privkey.pem
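The mismatch above can be caught before Apache is reloaded. The following script is an added example, not part of the thread or of NextCloudPi: it applies the same "does not exist or is empty" test to every `SSLCertificateFile` and `SSLCertificateKeyFile` in a config directory and lists suffixed lineage directories that do hold the file. The function names, the temporary directory layout and the `nc-hostname` placeholder are assumptions, and directives are assumed to use exact case and unquoted paths.

```shell
#!/usr/bin/env bash
# Added example: flag Apache SSL directives whose file is missing or empty.

# check_ssl_paths CONF_DIR -> prints BROKEN lines, returns 1 if any were found
check_ssl_paths() {
    local conf_dir="$1" rc=0 conf directive path newer cand
    for conf in "$conf_dir"/*.conf; do
        [ -f "$conf" ] || continue
        while read -r directive path _ || [ -n "$directive" ]; do
            case $directive in
                SSLCertificateFile|SSLCertificateKeyFile) ;;
                *) continue ;;   # other directives and commented-out lines
            esac
            # -s follows symlinks: false for missing, dangling or empty files
            [ -s "$path" ] && continue
            rc=1
            echo "BROKEN ${conf##*/}: $directive $path"
            # Suffixed sibling lineages (name-0001, ...) that do hold the file;
            # globs expand in sorted order, so the last hit is the highest suffix.
            newer=""
            for cand in "${path%/*}"-[0-9]*/"${path##*/}"; do
                [ -s "$cand" ] && newer=$cand
            done
            [ -n "$newer" ] && echo "  candidate: $newer"
        done < "$conf"
    done
    return "$rc"
}

# demo: constructed layout mirroring the thread; nc-hostname is a placeholder
demo() {
    local root live
    root=$(mktemp -d)
    live=$root/letsencrypt/live
    mkdir -p "$live/nc-hostname-0006" "$root/sites-enabled"
    echo "constructed cert" > "$live/nc-hostname-0006/fullchain.pem"
    echo "constructed key"  > "$live/nc-hostname-0006/privkey.pem"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$live/nc-hostname-0006/fullchain.pem" "$live/nc-hostname-0006/privkey.pem" \
        > "$root/sites-enabled/nextcloud.conf"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$live/nc-hostname/fullchain.pem" "$live/nc-hostname/privkey.pem" \
        > "$root/sites-enabled/ncp.conf"
    # Strip the temporary prefix so the report reads like the real paths
    check_ssl_paths "$root/sites-enabled" | sed "s|$root||g"
    rm -rf "$root"
}
demo
```

On a real system the function would be pointed at `/etc/apache2/sites-enabled`, the directory named in the error above.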

your update to devel didn’t go through, please try again

it is -0007 now

nextcloud.conf: :slight_smile:
ncp.conf: :slight_smile:

correct path in both files

gosh, thanks, that took way longer than it should have

Many thanks for the help. I’ll push the fix

I fear that the problem has not yet been completely solved.

Apart from the fact that the name of the folder is incremented with each manual update, it works without problems :+1:
But the automatic update seems to cause problems.

Today I got this notification on the web interface:

SSL renewal error
SSL certificate renewal failed. See /var/log/letsencrypt.log

here is the content of letsencrypt.log:

GNU nano 3.2 /var/log/letsencrypt/letsencrypt.log

2021-11-14 03:46:04,062:DEBUG:certbot.main:certbot version: 0.31.0
2021-11-14 03:46:04,063:DEBUG:certbot.main:Arguments: ['-q']
2021-11-14 03:46:04,063:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-14 03:46:04,088:DEBUG:certbot.log:Root logging level set at 30
2021-11-14 03:46:04,089:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-11-14 03:46:04,094:WARNING:certbot.renewal:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 68, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/nc-hostname-0001/cert.pem to be a symlink
2021-11-14 03:46:04,099:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/nc-hostname-0001.conf is broken. Skipping.
2021-11-14 03:46:04,100:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 68, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/nc-hostname-0001/cert.pem to be a symlink

2021-11-14 03:46:04,103:WARNING:certbot.renewal:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 68, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/nc-hostname-0002/cert.pem to be a symlink
2021-11-14 03:46:04,103:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/nc-hostname-0002.conf is broken. Skipping.
2021-11-14 03:46:04,104:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 68, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/nc-hostname-0002/cert.pem to be a symlink

2021-11-14 03:46:04,124:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0xb5910830> and installer <certbot.cli._Default object at 0xb5910830>
2021-11-14 03:46:04,143:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-14 03:46:04,145:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-14 03:46:04,154:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-14 03:46:04,156:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-14 03:46:04,166:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-14 03:46:04,167:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-14 03:46:04,177:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-14 03:46:04,179:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-14 03:46:04,188:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-14 03:46:04,190:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-14 03:46:04,200:INFO:certbot.renewal:Cert not yet due for renewal
2021-11-14 03:46:04,201:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-14 03:46:04,204:WARNING:certbot.renewal:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 68, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/nc-hostname/cert.pem to be a symlink
2021-11-14 03:46:04,205:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/nc-hostname.conf is broken. Skipping.
2021-11-14 03:46:04,205:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 68, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)