I noticed the other day my two month old NCP installation hadn’t updated its certificate.
No problem - I remembered I had disabled access to port 80 via my router firewall. So I opened it up again and waited another week. Certificate still not refreshed.
So in the ncp web interface I went to letsencrypt and hit ‘apply’. Certificate was applied for and accepted.
However, I then noticed in my browsers (even after clearing caches) that NCP is still using the old certificate which expires in two weeks.
/etc/letsencrypt/live now shows two directories: (sanitized)
server.mydomain.com and server.mydomain.com-0001 (this was the one created when I hit ‘apply’)
The nextcloud panel on port 4443 shows the certificate I am using is “server.mydomain.com”
Can anyone advise how to correct this so that a) ncp uses the correct certificate and b) I don’t make the same mistake again!
And when I update to new certificates will users get any errors about the certificate changing?
Thank you very much!
Have you tried reloading the webserver or rebooting?
Yes I did - first thing.
What I ultimately found was that the content of server.domain.com.conf in /etc/letsencrypt/renewal was empty. (Although not sure why)
So I took the content of server.domain.com-0001.conf and copied it to server.domain.com.conf (changing all references to server.domain.com-0001 to server.domain.com).
Next (after backing up) I deleted:
Then from /opt/eff.org/certbot/venv/bin I ran:
./certbot renew --dry-run
Once I saw successful output I ran it for real (no --dry-run)
Finally restarted apache2 (systemctl restart apache2)
Still curious why the cert wasn’t renewing in the first place.
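The state this post describes (an empty renewal conf for the base lineage next to a working -0001 lineage, which leaves "certbot renew" with nothing to renew for the name the web server actually serves) can be caught by a small audit of /etc/letsencrypt. This is an added example, not code from the thread or from NextcloudPi; it assumes certbot's usual live/ and renewal/ layout and conf key names, and builds a constructed sample tree so it runs offline.

```python
import os
import re
import tempfile

# Constructed stand-in for a certbot renewal conf (key names as certbot writes them).
SAMPLE_CONF = """version = 0.31.0
archive_dir = /etc/letsencrypt/archive/{name}
cert = /etc/letsencrypt/live/{name}/cert.pem
fullchain = /etc/letsencrypt/live/{name}/fullchain.pem

[renewalparams]
authenticator = webroot
"""

def audit_letsencrypt(root):
    """Compare root/live against root/renewal; return (lineage, problem) pairs."""
    live, renewal = os.path.join(root, "live"), os.path.join(root, "renewal")
    lineages = sorted(d for d in os.listdir(live) if os.path.isdir(os.path.join(live, d)))
    problems = []
    for name in lineages:
        conf = os.path.join(renewal, name + ".conf")
        if not os.path.isfile(conf):
            problems.append((name, "no renewal conf, 'certbot renew' will skip it"))
            continue
        text = open(conf).read()
        if not text.strip():
            problems.append((name, "renewal conf is empty, 'certbot renew' will skip it"))
            continue
        m = re.search(r"^cert\s*=\s*(\S+)", text, re.M)
        if not m or f"/live/{name}/" not in m.group(1):
            problems.append((name, "renewal conf points at a different lineage"))
        # certbot names a second lineage for the same domain <name>-0001, -0002, ...
        base = name.rsplit("-", 1)[0]
        if re.fullmatch(r".*-\d{4}", name) and base in lineages:
            problems.append((name, f"duplicate lineage of {base}"))
    return problems

def build_sample_tree():
    """Constructed tree mirroring the post: empty conf for the base name, good conf for -0001."""
    root = tempfile.mkdtemp()
    for sub in ("live/server.domain.com", "live/server.domain.com-0001", "renewal"):
        os.makedirs(os.path.join(root, sub))
    open(os.path.join(root, "renewal", "server.domain.com.conf"), "w").close()
    with open(os.path.join(root, "renewal", "server.domain.com-0001.conf"), "w") as f:
        f.write(SAMPLE_CONF.format(name="server.domain.com-0001"))
    return root

if __name__ == "__main__":
    for lineage, problem in audit_letsencrypt(build_sample_tree()):
        print(f"{lineage}: {problem}")
```

Point audit_letsencrypt at the real /etc/letsencrypt (as root) to check a live system; any reported problem is a lineage that "certbot renew" will not keep current.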
Glad you got it sorted @allthings, and thanks for reporting back.
@nachoparker will be interested to know
Well it's three months since the above and my cert is about to expire again (in 10 days).
So seeing as it did not auto-renew I went again to run /opt/eff.org/certbot/venv/bin/certbot renew but…
/opt/eff.org/certbot is empty!
Everything from that directory down is no longer there. Did something change in the way nextcloudpi handles renewal? I cannot find the binary for certbot anywhere on the machine now.
I am confused - can anyone help? Many thanks
You can try moving all folders in /archive, /live and /renewal, as in:
sudo mv /etc/letsencrypt/archive/server.domain.com /etc/letsencrypt/archive/server.domain.com-old
sudo mv /etc/letsencrypt/live/server.domain.com /etc/letsencrypt/live/server.domain.com-old
sudo mv /etc/letsencrypt/renewal/name.conf /etc/letsencrypt/renewal/name.conf-old
Then run ncp-update from terminal/ncp-config or ncp-web, to make sure you are on latest version (v1.11.2 currently)
And run letsencrypt again from ncp-web or ncp-config.
Thank you OliverV
I just tried the above - what I am seeing is an issue during the ‘Installing Python packages’ phase.
Lots of pip errors - ending with:
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
pycparser==2.19 from https://www.piwheels.org/simple/pycparser/pycparser-2.19-py2.py3-none-any.whl#sha256=344870c533812cb119c5475b5aed033ec546118711338ff9b2b78e67098d64e7 (from -r /tmp/tmp.hzGg64yMbt/letsencrypt-auto-requirements.txt (line 105)):
Expected sha256 a988718abfad80b6b157acce7bf130a30876d27603738ac39f140993246b25b3
Certbot has problem setting up the virtual environment.
We were not be able to guess the right solution from your pip
Do you have any thoughts on that? I should point out this is a regular install from the nextcloudpi image - I have always had ncp-update-auto on so have always been current, and no tinkering with the system!
We'll probably go back to the apt version. If you are familiar with Linux you can try
apt-get install letsencrypt
Thank you @nachoparker - confirming that worked well.
I pushed a fix to the devel channel, please run
sudo ncp-update devel and check it before I push it to the rest of the users
Just ran ncp-update devel on rpi3b+
Update v1.11.4 seems to run okay
Full output is on pastebin
Can't really test LE as this test instance uses alternate ports and the DNS method to verify.
Confirmed working 1.11.2 -> 1.11.4 / rpi3b+