NCP: Letsencrypt : Failed authorization procedure

I’m having a problem renewing my Letsencrypt certificate.
I’m using NCP 1.20.1 NC 17.0.2 running on a Pi3, and I’ve moved the root folder to nextcloud (i.e. www.MYDOMAIN.no-ip.org/nextcloud).

I recently upgraded my home network, which caused the internal IP address of the Pi to change from 192.168.0.66 to 192.168.1.66. This is the first renewal since that change, and I have checked that both port 80 and 443 are being redirected to the Pi.

When I try to renew the certificate from the NCP web interface I get the following:

[ letsencrypt ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for MYDOMAIN.no-ip.org
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. MYDOMAIN.no-ip.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://MYDOMAIN.no-ip.org/.well-known/acme-challenge/0EFuCTdtzizZOXJtbIEIor2CzfjQBbnKKUPjpnruj8k [86.168.116.151]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: MYDOMAIN.no-ip.org
Type: unauthorized
Detail: Invalid response from
https://MYDOMAIN.no-ip.org/.well-known/acme-challenge/0EFuCTdtzizZOXJtbIEIor2CzfjQBbnKKUPjpnruj8k
[86.168.116.151]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

I have checked the forums for a solution and tried a suggestion of moving /etc/letsencrypt

sudo mv /etc/letsencrypt/ /etc/letsencrypt_old/

then regenerating the cert

sudo certbot --rsa-key-size 4096 --authenticator standalone --installer apache --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"

But this gives the error

Saving debug log to /var/log/letsencrypt/letsencrypt.log 
The requested apache plugin does not appear to be installed

Does anyone have any other suggestions as to how I can fix this?
Or what I missed in the suggested solution?

I finally seem to have sorted this out.

The following is what I did in case anyone else has similar problems.
However I am a novice stumbling in the dark here so for all I know may have broken something behind the scenes.
Note: In the following I have redacted my real domain name and used <MYDOMAIN> instead.

I decided to try everything from scratch, so I removed (renamed) my letsencrypt folder

sudo mv /etc/letsencrypt/ /etc/letsencrypt_old/

I then commented out the following lines in

/etc/apache2/sites-enabled/ncp.conf and /etc/apache2/sites-enabled/nextcloud.conf

#  SSLEngine on
#  SSLCertificateFile /etc/letsencrypt/live/<MYDOMAIN>.no-ip.org/fullchain.pem
#  SSLCertificateKeyFile /etc/letsencrypt/live/<MYDOMAIN>.no-ip.org/privkey.pem

I actually think commenting out SSLEngine on was unnecessary (see later), but I’m mentioning it here since it is what I did, and I’m not sure if it had an effect.

Once I did this I tried renewing from the web interface, but again it failed with the error

[ letsencrypt ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <MYDOMAIN>.no-ip.org
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <MYDOMAIN>.no-ip.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://<MYDOMAIN>.no-ip.org/.well-known/acme-challenge/dFUctN_RPx57HJAF8UObIWAkGYrIPXJyyoCqpw3kHnY [86.168.116.151]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: <MYDOMAIN>.no-ip.org
Type: unauthorized
Detail: Invalid response from
https://<MYDOMAIN>.no-ip.org/.well-known/acme-challenge/dFUctN_RPx57HJAF8UObIWAkGYrIPXJyyoCqpw3kHnY
[86.168.116.151]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

So I removed the newly created /etc/letsencrypt/ folder and tried installing the cert manually from scratch.

Going to https://certbot.eff.org/ I clicked on “Get Certbot Instructions” and followed the instructions for Debian Stretch on Apache (https://certbot.eff.org/lets-encrypt/debianstretch-apache)

Which were

sudo apt-get install certbot python-certbot-apache
sudo certbot --apache

I then followed the instructions on screen and answered the questions they asked.

For the question “Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.” I chose “Redirect - Make all requests redirect to secure HTTPS access.”

Following this I checked and /etc/letsencrypt/ had been recreated and /etc/apache2/sites-enabled/nextcloud.conf had reinstated the lines

SSLCertificateFile /etc/letsencrypt/live/<MYDOMAIN>.no-ip.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<MYDOMAIN>.no-ip.org/privkey.pem

However
SSLEngine on

was still commented out - which is why I am not sure if I needed to comment this out in the first place, but I put it back since my original config used to work (until the renewal suddenly failed for unknown reasons).

Also the commented out lines had not been replaced in /etc/apache2/sites-enabled/ncp.conf, so again I restored them since they had been there before.

I then rebooted and thus far all my devices are again able to connect without complaining about certificates.

I’m not sure if my manual fix will prevent NCP from updating the certs in the future. I guess I will see in 90 days. The certbot webpage did have instructions about setting up a cron job to auto renew. I will wait until April to see if this is needed.

I hope that helped anyone with the same, or similar problems.

Once again I am a novice at all this, so YMMV, remember to backup etc…

DAve
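
Added example, not part of the original posts: the 404 in the certbot output above means the request for /.well-known/acme-challenge/<token> did not return the file the webroot plugin wrote under /var/www/nextcloud. This Python sketch writes a throwaway file into that directory and fetches it back, reporting the status code and the URL reached after redirects; the function name, the probe file naming and the http://localhost default are assumptions.

```python
import os
import secrets
import sys
import urllib.error
import urllib.request

ACME_DIR = ".well-known/acme-challenge"  # where the webroot plugin puts tokens

def probe_webroot(webroot, base_url, timeout=10):
    """Write a probe file under webroot/ACME_DIR, then fetch it via base_url.

    Returns (served, status, final_url): served is True only when the body
    that comes back is the one written; status is None when no HTTP answer
    arrived at all (DNS, port forwarding or TLS failure).
    """
    name = "probe-" + secrets.token_hex(8)   # hypothetical probe file name
    body = secrets.token_hex(16)
    challenge_dir = os.path.join(webroot, ACME_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, name)
    with open(path, "w") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/{ACME_DIR}/{name}"
    try:
        # urlopen follows redirects, so an HTTP -> HTTPS rewrite shows up
        # in final_url, as it does in the certbot error message.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            served = resp.read().decode(errors="replace").strip() == body
            return served, resp.status, resp.geturl()
    except urllib.error.HTTPError as err:    # e.g. 404: file not served
        return False, err.code, err.url
    except urllib.error.URLError:            # no HTTP response received
        return False, None, url
    finally:
        os.remove(path)                      # never leave the probe behind

if __name__ == "__main__":
    # Defaults are assumptions: the webroot from the log, Apache on this host.
    webroot = sys.argv[1] if len(sys.argv) > 1 else "/var/www/nextcloud"
    base = sys.argv[2] if len(sys.argv) > 2 else "http://localhost"
    served, status, final_url = probe_webroot(webroot, base)
    print(f"served={served} status={status} final_url={final_url}")
    sys.exit(0 if served else 1)
```

Run it with enough privileges to write into the webroot, once against http://localhost and once against the public hostname, to separate an Apache document-root mismatch from a router or DNS problem.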


Well that’s handy…

I recently had a HDD crash so had to reinstall my NCP. Then (I would guess 90 days later) I found my certificate was failing to renew, with a familiar error, so I dug out this thread and was glad to see I had bothered to follow it up with the solution myself :slight_smile:

So to update the update.

I still don’t know why I had the issue originally, but the fix I applied 2 years ago was working up until the drive crash and auto renew worked from that point on.

Most of the steps I provided last time were (as I suspected) unnecessary.

This time I just ran

sudo certbot --apache

Which gave me the response:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested apache plugin does not appear to be installed

So I then reinstalled certbot with the python-certbot-apache and tried again

sudo apt-get install certbot python-certbot-apache
sudo certbot --apache

I then followed the instructions on screen and answered the questions they asked, and it appears to have worked successfully.

Once again I am just updating this thread with more information in case someone else (or me again in another few years :wink: ) has the same issue and finds it useful.

DAve