NCP / Let's Encrypt Renewal Issue

Hi

I noticed the other day my two month old NCP installation hadn't updated its certificate.

No problem - I remembered I had disabled access to port 80 via my router firewall. So I opened it up again and waited another week. Certificate still not refreshed.

So in the ncp web interface I went to letsencrypt and hit 'apply'. Certificate was applied for and accepted.

However, I then noticed in my browsers (even after clearing caches) that NCP is still using the old certificate which expires in two weeks.

/etc/letsencrypt/live now shows two directories: (sanitized)

server.mydomain.com and server.mydomain.com-0001 (this was the one created when I hit 'apply')

The nextcloud panel on port 4443 shows the certificate I am using is "server.mydomain.com"

Can anyone advise how to correct this so that a) ncp uses the correct certificate and b) I don't make the same mistake again!

And when I update to new certificates will users get any errors about the certificate changing?

Thank you very much!
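The question above boils down to "which certificate is Apache actually handing out, and which /etc/letsencrypt/live directory did it come from?". This added check (my code, not from the thread or from NextcloudPi) answers it by comparing the SHA-256 fingerprint of the served leaf certificate with every live/<name>/cert.pem. The host name, the /etc/letsencrypt path and the two SAMPLE_PEM blocks are assumptions; the samples are constructed stand-ins, not real certificates.

```python
"""Added example, not from the thread: work out which certificate Apache is
actually serving and which /etc/letsencrypt/live/<name> directory it came
from. The host name and the le_root path are assumptions."""
import base64
import hashlib
import re
import ssl
import sys
from pathlib import Path
from typing import Dict, Optional

_PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in `pem`,
    formatted like `openssl x509 -noout -fingerprint -sha256`."""
    match = _PEM_BODY.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def match_served(served_pem: str, candidates: Dict[str, str]) -> Optional[str]:
    """Name of the candidate whose leaf certificate is byte-identical to the
    served one, or None if the server presents something not in `candidates`."""
    wanted = pem_sha256_fingerprint(served_pem)
    for name, pem in candidates.items():
        if pem_sha256_fingerprint(pem) == wanted:
            return name
    return None


def live_leaf_certs(le_root: str = "/etc/letsencrypt") -> Dict[str, str]:
    """Map every live/<name> directory to the text of its cert.pem."""
    live = Path(le_root) / "live"
    return {p.name: (p / "cert.pem").read_text()
            for p in live.iterdir() if (p / "cert.pem").is_file()}


def served_leaf_pem(host: str, port: int = 443) -> str:
    # Fetches the leaf the server presents; no chain verification is done,
    # so an already-expired certificate is still reported instead of
    # aborting the handshake.
    return ssl.get_server_certificate((host, port))


# Constructed PEM blocks (not real certificates) used to exercise the
# fingerprint comparison offline.
SAMPLE_PEM_A = ("-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n"
                "-----END CERTIFICATE-----\n")
SAMPLE_PEM_B = ("-----BEGIN CERTIFICATE-----\nCgsMDQ4PEBESEw==\n"
                "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "server.mydomain.com"
    served = served_leaf_pem(host)
    print("served :", pem_sha256_fingerprint(served))
    for name, pem in live_leaf_certs().items():
        print(f"{name:32}", pem_sha256_fingerprint(pem))
    print("apache is serving:", match_served(served, live_leaf_certs()))
```

Run it on the NCP box as `python3 which_cert.py server.mydomain.com`. If the match is `server.mydomain.com` while the fresh certificate sits in `server.mydomain.com-0001`, the Apache vhost is still pointed at the old lineage and no amount of browser cache clearing will help. On the follow-up question about users seeing errors: browsers do not pin Let's Encrypt certificates, so swapping to a newly issued one and restarting Apache causes no warnings as long as the new chain validates.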

Have you tried reloading the webserver or rebooting?

Thanks OliverV

Yes I did - first thing.

What I ultimately found was that the content of server.domain.com.conf in /etc/letsencrypt/renewal was empty. (Although not sure why)

So I took the content of server.domain.com-0001.conf and copied it to server.domain.com.conf (changing all references to server.domain.com-0001 to server.domain.com).

Next (after backing up) I deleted:

/etc/letsencrypt/archive/server.domain.com-0001
/etc/letsencrypt/live/server.domain.com-0001
/etc/letsencrypt/renewal/server.domain.com-0001.conf

Then from /opt/eff.org/certbot/venv/bin I ran:

./certbot renew --dry-run

Once I saw successful output I ran it for real (no --dry-run)

Finally restarted apache2 (systemctl restart apache2)

Solved.

Still curious why the cert wasn't renewing in the first place.

Thanks
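The repair described in the post above (copy the -0001 renewal conf over the empty one, rewrite the lineage name, move the -0001 entries out of the way, then `certbot renew --dry-run`) can be scripted so it is repeatable and refuses to act when the preconditions are not met. This is an added example, my code rather than the poster's or NextcloudPi's; it follows certbot's renewal-file layout, and the lineage name plus the throw-away tree built by `demo()` are constructed.

```python
"""Added example, not from the thread: rebuild an empty certbot renewal
config from its "-0001" duplicate and set the duplicate aside rather than
deleting it. The /etc/letsencrypt layout is certbot's; the lineage name
and the demo() tree are constructed."""
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List


def rebuild_renewal_conf(name: str, le_root: str = "/etc/letsencrypt") -> Dict[str, object]:
    root = Path(le_root)
    conf = root / "renewal" / f"{name}.conf"
    dup = root / "renewal" / f"{name}-0001.conf"
    if not dup.is_file():
        raise FileNotFoundError(f"{dup} is missing: nothing to rebuild from")
    if conf.is_file() and conf.stat().st_size > 0:
        raise RuntimeError(f"{conf} is not empty; refusing to overwrite it")
    if not (root / "live" / name / "fullchain.pem").exists():
        raise FileNotFoundError(
            f"live/{name}/fullchain.pem is missing; the rebuilt conf would dangle")

    # Every path in the duplicate names the -0001 lineage; point it back at
    # the original so `certbot renew` refreshes live/<name>/ instead.
    conf.write_text(dup.read_text().replace(f"{name}-0001", name))

    # Park the duplicate's archive, live and renewal entries under a
    # timestamped .bak name. certbot only picks up renewal/*.conf, so the
    # renamed file is ignored, and nothing is lost if the rebuild is wrong.
    stamp = time.strftime("%Y%m%d%H%M%S")
    moved: List[str] = []
    for path in (root / "archive" / f"{name}-0001",
                 root / "live" / f"{name}-0001", dup):
        if path.exists():
            target = path.with_name(f"{path.name}.bak-{stamp}")
            shutil.move(str(path), str(target))
            moved.append(str(target))
    return {"conf": str(conf), "moved": moved}


def demo() -> Dict[str, object]:
    """Build a constructed /etc/letsencrypt look-alike in a temp dir,
    with an empty conf and a -0001 duplicate, and repair it."""
    root = Path(tempfile.mkdtemp())
    name = "server.domain.com"
    for sub in ("archive", "live", "renewal"):
        (root / sub).mkdir()
    for lineage in (name, f"{name}-0001"):
        (root / "archive" / lineage).mkdir()
        (root / "live" / lineage).mkdir()
        (root / "live" / lineage / "fullchain.pem").write_text("constructed\n")
    (root / "renewal" / f"{name}.conf").write_text("")  # the empty conf
    (root / "renewal" / f"{name}-0001.conf").write_text(
        "version = 0.31.0\n"
        f"archive_dir = {root}/archive/{name}-0001\n"
        f"cert = {root}/live/{name}-0001/cert.pem\n"
        f"fullchain = {root}/live/{name}-0001/fullchain.pem\n\n"
        "[renewalparams]\nauthenticator = apache\ninstaller = apache\n")
    result = rebuild_renewal_conf(name, str(root))
    text = (root / "renewal" / f"{name}.conf").read_text()
    return {
        "mentions_0001": f"{name}-0001" in text,
        "points_at_original": f"cert = {root}/live/{name}/cert.pem" in text,
        "moved_count": len(result["moved"]),
        "dup_conf_gone": not (root / "renewal" / f"{name}-0001.conf").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

After running `rebuild_renewal_conf("server.domain.com")` as root, validate with `certbot renew --dry-run` exactly as the post does, and only then run the real renewal and restart Apache. Note that `certbot renew` only issues a new certificate when the existing one is inside its renewal window; in the situation above (two weeks left) it was.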

Glad you got it sorted :smile: @allthings
and thanks for reporting back.
@nachoparker will be interested to know

Hi again!

Well it's three months since the above and my cert is about to expire again (in 10 days).

So seeing as it did not auto-renew I went again to run /opt/eff.org/certbot/venv/bin/certbot renew but…

/opt/eff.org/certbot is empty!

Everything from that directory down is no longer there. Did something change in the way nextcloudpi handles renewal? I cannot find the binary for certbot anywhere on the machine now.

I am confused - can anyone help? Many thanks

You can try moving all folders in /archive, /live and /renewal, as in:

sudo mv /etc/letsencrypt/archive/server.domain.com /etc/letsencrypt/archive/server.domain.com-old
sudo mv /etc/letsencrypt/live/server.domain.com /etc/letsencrypt/live/server.domain.com-old
sudo mv /etc/letsencrypt/renewal/name.conf /etc/letsencrypt/renewal/name.conf-old

Then run ncp-update from terminal/ncp-config or ncp-web, to make sure you are on latest version (v1.11.2 currently)
And run letsencrypt again from ncp-web or ncp-config.

Thank you OliverV

I just tried the above - what I am seeing is an issue during the 'Installing Python packages' phase.

Lots of pip errors - ending with:

THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
pycparser==2.19 from https://www.piwheels.org/simple/pycparser/pycparser-2.19-py2.py3-none-any.whl#sha256=344870c533812cb119c5475b5aed033ec546118711338ff9b2b78e67098d64e7 (from -r /tmp/tmp.hzGg64yMbt/letsencrypt-auto-requirements.txt (line 105)):
Expected sha256 a988718abfad80b6b157acce7bf130a30876d27603738ac39f140993246b25b3
Got 344870c533812cb119c5475b5aed033ec546118711338ff9b2b78e67098d64e7

Certbot has problem setting up the virtual environment.

We were not be able to guess the right solution from your pip
output.


Do you have any thoughts on that? I should point out this is a regular install from the nextcloudpi image - I have always had ncp-update-auto on so have always been current, and no tinkering with the system!
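One detail in the pip output above is worth noticing: the "Got" digest (344870c5…98d64e7) is the same value piwheels advertised in the download URL's `#sha256=` fragment. So the file arrived exactly as the index published it; it is the pinned hash in certbot-auto's requirements file (taken from a different build of the same pycparser version) that disagrees. The added example below, my code and not part of the thread or of certbot, reproduces pip's check for a single downloaded file and tells those two cases apart. The file path, the pinned digests and the URL in `demo()` are constructed.

```python
"""Added example, not from the thread: reproduce pip's hash check for one
downloaded file and distinguish "the pin and the index disagree" from
"the file matches nothing". All inputs in demo() are constructed."""
import hashlib
import hmac
import tempfile
from typing import Dict, Optional
from urllib.parse import urlparse


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def index_advertised_sha256(url: str) -> Optional[str]:
    """PyPI-style indexes put the file's own digest in the URL fragment."""
    frag = urlparse(url).fragment
    if frag.startswith("sha256="):
        return frag[len("sha256="):].lower()
    return None


def classify(actual: str, pinned: str, advertised: Optional[str]) -> str:
    # compare_digest keeps the comparison constant-time; pip itself fails the
    # install on anything other than the first branch.
    if hmac.compare_digest(actual, pinned.lower()):
        return "ok: file matches the pinned hash"
    if advertised is not None and hmac.compare_digest(actual, advertised):
        # Intact download of a different build than the one that was pinned:
        # refresh the pins from a trusted source, do not disable hash checking.
        return "pin mismatch: file matches the index's own digest, not the pin"
    return "integrity failure: file matches neither the pin nor the index digest"


def demo() -> Dict[str, str]:
    """Write a constructed 3-byte 'wheel' and classify it three ways."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"abc")
        path = f.name
    actual = sha256_of_file(path)
    matching_pin = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    other_pin = "00" * 32  # constructed, deliberately wrong
    url = f"https://index.invalid/simple/pkg/pkg-1.0-py3-none-any.whl#sha256={matching_pin}"
    return {
        "actual": actual,
        "ok": classify(actual, matching_pin, index_advertised_sha256(url)),
        "pin_mismatch": classify(actual, other_pin, index_advertised_sha256(url)),
        "integrity": classify(actual, other_pin, None),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

For the thread's case the result would be the "pin mismatch" branch, which is why the fix was to change how certbot is installed (the apt package below) rather than to weaken the check.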

we'll probably go back to the apt version. If you are familiar with Linux you can try apt-get install letsencrypt

Thank you @nachoparker - confirming that worked well.

I pushed a fix to the devel channel, please run sudo ncp-update devel and check it before I push it to the rest of the users

Just ran ncp-update devel on rpi3b+
Update v1.11.4 seems to run okay

Full output is on pastebin

Can't really test LE as this test instance uses alternate ports and DNS method to verify.

Confirmed working 1.11.2 -> 1.11.4 / rpi3b+

https://pastebin.com/bLLmcPMX

A post was split to a new topic: Why did automatic renewal of Let's Encrypt fail?