NCP letsencrypt not renewing the certificate properly

Currently on NextcloudPi 1.21.0. My SSL certificate recently expired after multiple failed renewals. I tried doing it manually and it says its successful, but whenever I try to connect it still has the old certificate installed.

I’ve tried clearing the cache on multiple browsers and devices, but its definitely not renewed. It probably has the old certificate somewhere on the boot drive, just not in the instance.

Is there a way to see exactly what’s going wrong?


i’m afraid we would need log-entries for that to answer

Thanks for helping! I’m still sorta new to to Nextcloud as a whole, sorry. Which logs would you need, and where would they be found?

From terminal (ssh/putty)

sudo cat /var/log/letsencrypt/letsencrypt.log

After renewal reloading webserver may be required

sudo systemctl reload apache2.service

It seems to be successful, though I’m not sure how much of the log to put in since it might have some personal info in there. Here’s the bottom lines:

2020-03-10 08:43:51,901:DEBUG:acme.client:Storing nonce: 0001qECFl-QFYpE3HPgVYQZBNaIvRsL4bS3tw5v5c5Vvhog
2020-03-10 08:43:51, new private key to /etc/letsencrypt/archive/cloud.mycloud.redacted-0001/privkey8.pem.
2020-03-10 08:43:51, certificate to /etc/letsencrypt/archive/cloud.mycloud.redacted-0001/cert8.pem.
2020-03-10 08:43:51, chain to /etc/letsencrypt/archive/cloud.mycloud.redacted-0001/chain8.pem.
2020-03-10 08:43:51, full chain to /etc/letsencrypt/archive/cloud.mycloud.redacted-0001/fullchain8.pem.
2020-03-10 08:43:51,932:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer <certbot.cli._Default object at 0xb563b770>
2020-03-10 08:43:51,953:DEBUG:certbot.cli:Var authenticator=webroot (set by user).
2020-03-10 08:43:51,962:DEBUG:certbot.cli:Var webroot_path=/var/www/nextcloud (set by user).
2020-03-10 08:43:51,962:DEBUG:certbot.cli:Var webroot_path=/var/www/nextcloud (set by user).
2020-03-10 08:43:51,963:DEBUG:certbot.cli:Var webroot_map={'webroot_path'} (set by user).
2020-03-10 08:43:51, new config /etc/letsencrypt/renewal/
2020-03-10 08:43:52,055:INFO:certbot.hooks:Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
2020-03-10 08:43:53,466:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2020-06-08. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"

I reloaded the webserver and still no dice. It just seems to keep using the old certificate.
Any other ideas? Should I post the whole log to you?

May need to add/check for the -0001 in vhost

sudo nano /etc/apache2/sites-available/nextcloud.conf

then reload apache2 again.

That worked! Took me a while to realise you were on about the directory names. Thanks a bunch!

However I’m still puzzled over why it made an extra certificate in the first place. Could it have anything to do with the recent letsencrypt security flaw?

So it’s been a while now, and I noticed it was still having trouble renewing the certificate. Upon inspection, it seems the issue is still persisting with some odd behavior. Whenever I renew the certificate, it creates one in this new cloud.mycloud.redacted-0001 folder, but the vhost switched back to the original certificate still in the usual cloud.mycloud.redacted folder.

Is there a way to find what’s making the new folder and force it back to the original one?

From terminal run

sudo certbot renew --dry-run

And watch output for errors and check /var/log/letsencrypt/letsencrypt.log

Likely, to fix, you could also
cd /etc/letsencrypt/ and do
sudo mv archive archive_old
do same for /live and /renew

And switch off and back on letsencrypt using ncp-config or ncp-web
or from terminal run
sudo certbot --apache
sudo systemctl reload apache2.service

That fix didn’t work. It only caused more issues, that being it seemed to need those folders to start the apache server.
Is there a config parameter in nextcloudpi that specifies where it saves the certificates?

ncp does not save certificates, letsencrypt does inside its own directory:


The config file in which the locations of cert and key files are set is:


You could re-instate the snakeoil key and cert that were in use to start your instance, before running letsencrypt. You will find those in /etc/ssl/certs and /etc/ssl/keys.

At this point I might just reinstall, since it’s becoming a small hassle. If I was to backup my NCP config and restore it, would it then detect my old ncdata folder on the connected drive? Or would it need to be reformatted and restored separately?