NCP - Let's Encrypt "can't set attribute" but ports are open.

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 30.0.1.2
  • Operating system and version (e.g., Ubuntu 24.04):
    • NextcloudPi version v1.55.4
    • Armbian-unofficial 24.8.2 Bookworm \l . 6.6.45-current-bcm2711 (aarch64)
  • Web server and version (e.g, Apache 2.4.25):
    • replace me
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • replace me
  • PHP version (e.g, 8.3):
    • replace me
  • Is this the first time you’ve seen this error? (Yes / No):
    • replace me
  • When did this problem seem to first start?
    • replace me
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • NCP
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • replace me

Summary of the issue you are facing:

I set up my DDNS with FreeDNS (crabdance.com) but I can’t get Let’s Encrypt to issue me a certificate. I did open the 80 and 443 ports from my modem (as confirmed in NCP status page).

Steps to replicate it (hint: details matter!):

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

Apply
[ letsencrypt ] (Tue May 20 21:59:52 UTC 2025)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for ****.crabdance.com
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

PASTE

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

2025-05-20 11:35:37,739:DEBUG:certbot._internal.main:certbot version: 2.1.0
2025-05-20 11:35:37,740:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2025-05-20 11:35:37,740:DEBUG:certbot._internal.main:Arguments: ['-q', '--no-random-sleep-on-renew']
2025-05-20 11:35:37,741:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nu>
2025-05-20 11:35:37,773:DEBUG:certbot._internal.log:Root logging level set at 40
2025-05-20 11:35:37,821:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-05-20 11:35:37,822:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2025-05-20 11:35:37,822:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - >
2025-05-20 11:35:37,822:DEBUG:certbot._internal.renewal:no renewal failures
2025-05-20 11:46:56,541:DEBUG:certbot._internal.main:certbot version: 2.1.0
2025-05-20 11:46:56,541:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/letsencrypt
2025-05-20 11:46:56,541:DEBUG:certbot._internal.main:Arguments: ['-n', '--cert-name', '****.crabdance.com', '--force-renew', '->
2025-05-20 11:46:56,542:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nu>
2025-05-20 11:46:56,577:DEBUG:certbot._internal.log:Root logging level set at 30
2025-05-20 11:46:56,629:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2025-05-20 11:46:56,630:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0xffff817ef810>
Prep: True
2025-05-20 11:46:56,631:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenti>
2025-05-20 11:46:56,632:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2025-05-20 11:47:01,880:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2025-05-20 11:47:01,887:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2025-05-20 11:47:02,409:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 1012
2025-05-20 11:47:02,410:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 20 May 2025 11:47:02 GMT
Content-Type: application/json
Content-Length: 1012

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

PASTE HERE

Apps

The output of occ app:list (if possible).


What user do you use to apply for certificates?
Is this user able to access, change, create files in the certificates folders?

Edit: in my installation the Let’s Encrypt certificates will be created with a specific user letsencrypt and this user must be a member of the group www-data.

I am new to NCP so I might have this wrong, but I don’t know how to know:
I can log in to the NCP control webUI by navigating to [localIP]:4443 and there I log in as “ncp”; there, from the NCP webUI, I can try to enable Let’s Encrypt and get the error above. I did enable SSH so that I could retrieve the other log above, but NCP asked me to create a new user for the SSH (that I named “ncp_ssh”), so I don’t really know a way to get a shell for the main “ncp” user and check if it can access the folder.
But, since this is a fresh NCP install I think that the issue should be with something that I set up (or skipped)?

I moved from FreeDNS to DuckDNS and now everything seems to work fine, but one thing that came to my mind as a possible reason for the malfunction is that I used an underscore in my FreeDNS sub-domain (that the duck didn’t accept) so maybe that character is not compatible with Let’s Encrypt?

Nope…

https://community.letsencrypt.org/t/request-certificate-with-underscore-character/201268

…and it’s not allowed with other CAs either, by the way:

https://www.digicert.com/kb/ssl-support/underscores-not-allowed-in-fqdns.htm

Possible workarounds: use a hyphen (-) as a separator or a wildcard certificate (*.yourdomain.tld). In the latter case, an underscore in the subdomain would work.

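Added example, not part of any post in this thread: a pre-flight check for the underscore rule the last reply points to, run on a hostname before asking NCP/certbot for a certificate. It assumes the usual letters-digits-hyphen label rule for names in certificates; the function names are hypothetical and the sample names are constructed, with example.org standing in for the real DDNS zone.

```python
import re

# One DNS label as CAs accept it in a certificate: letters, digits and
# hyphens only, 1-63 characters, no hyphen at either end.
_LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def cert_name_problems(name: str) -> list[str]:
    """Return the reasons a name is unsuitable for a certificate request."""
    problems = []
    host = name.rstrip(".")          # tolerate a trailing root dot
    if not host or len(host) > 253:
        return ["name must be 1-253 characters long"]
    labels = host.split(".")
    if len(labels) < 2:
        problems.append("not a fully qualified domain name")
    for index, label in enumerate(labels):
        if label == "*":
            # A wildcard may only stand in for the whole leftmost label.
            if index != 0:
                problems.append("wildcard is only valid as the leftmost label")
            continue
        if "_" in label:
            problems.append(f"label {label!r} contains an underscore")
        elif not _LDH_LABEL.fullmatch(label):
            problems.append(f"label {label!r} is not a valid LDH label")
    return problems


def hyphenated(name: str) -> str:
    """Workaround from the thread: use '-' where '_' was used."""
    return name.replace("_", "-")


if __name__ == "__main__":
    # Constructed sample names (assumption: not taken from the thread).
    for candidate in ("my_cloud.example.org", "my-cloud.example.org",
                      "*.example.org", "-bad.example.org"):
        issues = cert_name_problems(candidate)
        print(f"{candidate}: {'OK' if not issues else '; '.join(issues)}")
```

The wildcard name passes because the name placed in the request contains no underscore, which is why the wildcard workaround gets through validation.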
