NCP: problem obtaining letsencrypt certificate

ncp
letsencrypt

#1

Hi, I have a problem obtaining a new certificate. I had ncp (and letsencrypt) running for months without any difficulties. Then I had to replace the SD card and reinstall ncp. Everything worked out well but the letsencrypt process…
This is the error message I get every time I try to start/configure letsencrypt (I changed the domain name here):

Launching letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my-no-ip-domain
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. my-no-ip-domain (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my-no-ip-domain.ddns.net/.well-known/acme-challenge/GXvPd4UKGm6BlnuOBa_ds0fgiarKVrM6FoyOyINJq-o:

IMPORTANT NOTES:
The following errors were reported by the server:
Domain: my-no-ip-domain.ddns.net
Type: unauthorized
Detail: Invalid response from
http://my-no-ip-domain.ddns.net/.well-known/acme-challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Done. Press any key…

This is my ncp-report

NextCloudPi diagnostics

NextCloudPi version  v0.56.18
NextCloudPi image    NextCloudPi_05-28-18
distribution         Raspbian GNU/Linux 9 \n \l
automount            yes
USB devices          none
datadir              /var/www/nextcloud/data
data in SD           yes
data filesystem      ext2/ext3
data disk usage      1.9G/15G
rootfs usage         1.9G/15G
swapfile             /var/swap
Nextcloud check      ok
Nextcloud version    13.0.2.1
HTTPD service        up
PHP service          up
MariaDB service      up
Redis service        up
Postfix service      up
internet check       ok
port check 80        open
port check 443       open
IP                   192.168.XXX.XXX
gateway              192.168.XXX.XXX
interface            eth0
certificates         none
NAT loopback         no
uptime               20:43

Nextcloud configuration

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "5": "nextcloudpi.local",
            "1": "192.168.178.184",
            "3": "espacelibre.ddns.net"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/espacelibre.ddns.net",
        "dbtype": "mysql",
        "version": "13.0.2.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "mail_smtpmode": "php",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "loglevel": "2",
        "log_type": "file"
    }
}

HTTPd logs

[Wed Apr 18 01:08:20.608663 2018] [ssl:warn] [pid 518:tid 1992101888] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Wed Apr 18 01:08:20.618305 2018] [ssl:error] [pid 518:tid 1992101888] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=desktop / issuer: CN=desktop / serial: D49AE04E29EE6545 / notbefore: May 28 15:52:26 2018 GMT / notafter: May 25 15:52:26 2028 GMT]
[Wed Apr 18 01:08:20.618364 2018] [ssl:error] [pid 518:tid 1992101888] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Wed Apr 18 01:08:21.043855 2018] [ssl:warn] [pid 739:tid 1992101888] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Wed Apr 18 01:08:21.044245 2018] [ssl:error] [pid 739:tid 1992101888] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=desktop / issuer: CN=desktop / serial: D49AE04E29EE6545 / notbefore: May 28 15:52:26 2018 GMT / notafter: May 25 15:52:26 2028 GMT]
[Wed Apr 18 01:08:21.044280 2018] [ssl:error] [pid 739:tid 1992101888] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Wed Apr 18 01:08:22.003396 2018] [mpm_event:notice] [pid 739:tid 1992101888] AH00489: Apache/2.4.25 (Raspbian) OpenSSL/1.0.2l configured -- resuming normal operations
[Wed Apr 18 01:08:22.003569 2018] [core:notice] [pid 739:tid 1992101888] AH00094: Command line: '/usr/sbin/apache2'
[Sun Jun 10 21:19:04.150340 2018] [authz_core:error] [pid 806:tid 1740633136] [client 66.133.109.36:54200] AH01630: client denied by server configuration: /var/www/ncp-web/.well-known, referer: http://espacelibre.ddns.net/.well-known/acme-challenge/WqGQaep9vCeEa5jSUkUroUNi08Vp6GkcpmYcDuDedco
[Sun Jun 10 21:23:17.548354 2018] [authz_core:error] [pid 806:tid 1723855920] [client 66.133.109.36:50974] AH01630: client denied by server configuration: /var/www/ncp-web/.well-known, referer: http://espacelibre.ddns.net/.well-known/acme-challenge/d-w_s02yLZp8-SXFvZr_2fj3qVGNhzv6DGShK7GfCiU
[Sun Jun 10 21:33:15.783069 2018] [authz_core:error] [pid 807:tid 1681912880] [client 66.133.109.36:49638] AH01630: client denied by server configuration: /var/www/ncp-web/.well-known, referer: http://espacelibre.ddns.net/.well-known/acme-challenge/4Jb9wbIZP1uKM_z82vL8gDIagickODcC5B68gf0nHiU
[Mon Jun 11 03:43:51.846670 2018] [ssl:error] [pid 807:tid 1598026800] AH02031: Hostname \xb2\x0eG\x14\xbb\x01 provided via SNI, but no hostname provided in HTTP request
[Mon Jun 11 06:16:40.669377 2018] [authz_core:error] [pid 806:tid 1673524272] [client 66.133.109.36:54378] AH01630: client denied by server configuration: /var/www/ncp-web/.well-known, referer: http://espacelibre.ddns.net/.well-known/acme-challenge/yuuXBYVr40z0P7x5K7QgeQPMv5lKIjDewwzuHjAQZ-0
[Mon Jun 11 06:21:46.996817 2018] [authz_core:error] [pid 806:tid 1656747056] [client 66.133.109.36:54426] AH01630: client denied by server configuration: /var/www/ncp-web/.well-known, referer: http://espacelibre.ddns.net/.well-known/acme-challenge/w3uBsw7q41nJPiLIzgYKq6eMUg_kkIpT55OX384P-L8
[Mon Jun 11 14:09:29.729803 2018] [authz_core:error] [pid 806:tid 1698690096] [client 184.105.247.195:46620] AH01630: client denied by server configuration: /var/www/ncp-web/
[Mon Jun 11 15:00:20.337150 2018] [authz_core:error] [pid 807:tid 1589638192] [client 178.201.149.206:20631] AH01630: client denied by server configuration: /var/www/ncp-web/
[Mon Jun 11 17:02:14.575202 2018] [authz_core:error] [pid 807:tid 1707078704] [client 66.133.109.36:60404] AH01630: client denied by server configuration: /var/www/ncp-web/.well-known, referer: http://espacelibre.ddns.net/.well-known/acme-challenge/4mCWt9DnLZqe3UZmN2oJ8ZXwIYcArSEI2hedVtS-gHE
[Mon Jun 11 17:07:38.401053 2018] [authz_core:error] [pid 806:tid 1606415408] [client 66.133.109.36:35572] AH01630: client denied by server configuration: /var/www/ncp-web/.well-known, referer: http://espacelibre.ddns.net/.well-known/acme-challenge/giEmX8Zx-xDhnQIl6YctYgw8VNjJu0juHUEPkLUjrXk
[Mon Jun 11 17:10:43.513421 2018] [authz_core:error] [pid 807:tid 1564464176] [client 66.133.109.36:53322] AH01630: client denied by server configuration: /var/www/ncp-web/.well-known, referer: http://espacelibre.ddns.net/.well-known/acme-challenge/4F0bE_f5A4hA9w-B4FqkA_x_EiG54JbSAG4RxPl1Q7Y
[Mon Jun 11 17:25:13.980112 2018] [authz_core:error] [pid 807:tid 1723855920] [client 66.133.109.36:53122] AH01630: client denied by server configuration: /var/www/ncp-web/.well-known, referer: http://espacelibre.ddns.net/.well-known/acme-challenge/7NXJvrQU9yaqP-ENTrTtr39v-crQecdK4Udpfm5MW7Y

Database logs

2018-06-10 21:02:53 1988300800 [Note] InnoDB: Highest supported file format is Barracuda.
2018-06-10 21:02:53 1988300800 [Note] InnoDB: The log sequence numbers 3345017 and 3345017 in ibdata files do not match the log sequence number 3345027 in the ib_logfiles!
2018-06-10 21:02:53 1988300800 [Note] InnoDB: Restoring possible half-written data pages from the doublewrite buffer...
2018-06-10 21:02:54 1988300800 [Note] InnoDB: 128 rollback segment(s) are active.
2018-06-10 21:02:54 1988300800 [Note] InnoDB: Waiting for purge to start
2018-06-10 21:02:54 1988300800 [Note] InnoDB:  Percona XtraDB (http://www.percona.com) 5.6.35-80.0 started; log sequence number 3345027
2018-06-10 21:02:55 1442837312 [Note] InnoDB: Dumping buffer pool(s) not yet started
2018-06-10 21:02:55 1988300800 [Note] Plugin 'FEEDBACK' is disabled.
2018-06-10 21:02:55 1988300800 [Note] Recovering after a crash using tc.log
2018-06-10 21:02:55 1988300800 [Note] Starting crash recovery...
2018-06-10 21:02:55 1988300800 [Note] Crash recovery finished.
2018-06-10 21:02:55 1988300800 [Note] Server socket created on IP: '127.0.0.1'.
2018-06-10 21:02:55 1988300800 [ERROR] mysqld: Table './mysql/user' is marked as crashed and should be repaired
2018-06-10 21:02:55 1988300800 [Warning] Checking table:   './mysql/user'
2018-06-10 21:02:55 1988300800 [ERROR] mysql.user: 1 client is using or hasn't closed the table properly
2018-06-10 21:02:55 1988300800 [ERROR] mysqld: Table './mysql/db' is marked as crashed and should be repaired
2018-06-10 21:02:55 1988300800 [Warning] Checking table:   './mysql/db'
2018-06-10 21:02:55 1988300800 [ERROR] mysql.db: 1 client is using or hasn't closed the table properly
2018-06-10 21:02:55 1988300800 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.1.23-MariaDB-9+deb9u1'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  Raspbian 9.0

Nextcloud logs


At this point I really have no clue what is causing the problem. I already checked a few possible solutions mentioned here, but it still won’t work. Does anyone have an idea?
Many thanks for your help.


#2

Please do a backup before proceeding; I decline all responsibility.

  • first thing, delete all old letsencrypt configuration
    rm -R /etc/letsencrypt/*

  • verify that ports 80 and 443 are open in your firewall config

  • if possible, modify your DNS zone by adding the following:
    CAA 128 issue "letsencrypt.org"

  • re-use certbot to create a brand new certificate with this command (one-line command):
    certbot --rsa-key-size 4096 --authenticator standalone --installer apache --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"

This should do the trick.

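The two failures in this thread look alike from certbot's side but point at different layers: in the first report the Apache error log records AH01630 denials for /var/www/ncp-web/.well-known while certbot wrote the token under /var/www/nextcloud, so the port-80 vhost answered from the wrong document root; in the later report Let's Encrypt never got a TCP connection at all, which no Apache change can fix. The script below is an added example, not code from this thread, from NextCloudPi or from certbot. It reads the certbot summary and the Apache error log offline and says which layer to look at before anything under /etc/letsencrypt is deleted. The Apache Alias fragment it prints is the usual webroot-plugin fix and is an assumption about how the port-80 vhost should be changed; the domains, client IPs and challenge tokens in the embedded samples are constructed.

```python
# Added example (not from the thread, NextCloudPi or certbot): offline triage
# of a failed http-01 challenge from the certbot summary plus Apache's
# error_log. Nothing here touches the network, certbot or /etc/letsencrypt.
from __future__ import annotations

import re
from dataclasses import dataclass, field

ACME_PATH = "/.well-known/acme-challenge/"

# mod_authz_core denial, as seen in the ncp-report "HTTPd logs" section.
DENY_RE = re.compile(
    r"\[client (?P<client>[0-9a-fA-F.:]+):\d+\] AH01630: client denied by server "
    r"configuration: (?P<path>\S+?)(?:, referer: (?P<referer>\S+))?$"
)
# Lines of the certbot summary that carry the outcome and the webroot used.
TYPE_RE = re.compile(r"^\s*Type:\s*(?P<type>\w+)", re.MULTILINE)
WEBROOT_RE = re.compile(r"Using the webroot path (?P<root>\S+) for", re.MULTILINE)


@dataclass
class Verdict:
    error_type: str | None          # "unauthorized", "connection", ... or None
    certbot_webroot: str | None     # directory certbot wrote the token into
    denied_under: list[str] = field(default_factory=list)  # paths Apache refused
    diagnosis: str = ""


def acme_denials(log_lines):
    """Return (client, denied_path) for AH01630 hits that belong to an ACME probe."""
    hits = []
    for line in log_lines:
        m = DENY_RE.search(line.rstrip())
        if not m:
            continue
        referer, path = m.group("referer") or "", m.group("path")
        # Count a denial only when the referer or the denied path carries the
        # challenge prefix; bare scanner hits on "/var/www/ncp-web/" are noise.
        if ACME_PATH in referer or "/.well-known" in path:
            hits.append((m.group("client"), path))
    return hits


def diagnose(certbot_output, log_lines):
    """Combine the certbot summary with the Apache log to name the failing layer."""
    t = TYPE_RE.search(certbot_output)
    w = WEBROOT_RE.search(certbot_output)
    v = Verdict(t.group("type") if t else None, w.group("root") if w else None)
    v.denied_under = sorted({path for _, path in acme_denials(log_lines)})

    if v.error_type == "connection":
        # The CA never completed a TCP connect: Apache configuration is irrelevant.
        v.diagnosis = ("port 80 not reachable from the Internet: check router port "
                       "forwarding, ISP CGNAT and the host firewall before touching Apache")
    elif v.error_type == "unauthorized" and v.denied_under:
        wrong = [p for p in v.denied_under
                 if not v.certbot_webroot or not p.startswith(v.certbot_webroot)]
        if wrong:
            v.diagnosis = (f"Apache answered the probe from {wrong[0]} instead of the "
                           f"certbot webroot {v.certbot_webroot}: alias {ACME_PATH} "
                           "to the webroot in the port-80 vhost, or use the standalone "
                           "authenticator with Apache stopped")
        else:
            v.diagnosis = (f"Apache refused {v.denied_under[0]} although it is inside the "
                           "certbot webroot: check the Require/AllowOverride rules for it")
    elif v.error_type == "unauthorized":
        # Something answered the CA, but this Apache logged no denial: likely another host.
        v.diagnosis = ("no ACME denial in the local Apache log: the A/AAAA record or "
                       "NAT may be sending the probe to a different host")
    else:
        v.diagnosis = "unrecognised certbot error type; read /var/log/letsencrypt/letsencrypt.log"
    return v


def apache_alias_snippet(webroot):
    """Vhost fragment that serves challenge tokens from certbot's webroot (assumed fix)."""
    d = webroot.rstrip("/") + ACME_PATH
    return f"Alias {ACME_PATH} {d}\n<Directory {d}>\n    Require all granted\n</Directory>\n"


# Constructed samples modelled on the two reports in this thread.
CERTBOT_UNAUTHORIZED = """\
Using the webroot path /var/www/nextcloud for all unmatched domains.
Domain: cloud.example.org
Type: unauthorized
Detail: Invalid response from
http://cloud.example.org/.well-known/acme-challenge
"""
CERTBOT_CONNECTION = """\
Using the webroot path /var/www/nextcloud for all unmatched domains.
Domain: cloud.example.org
Type: connection
Detail: Fetching
http://cloud.example.org/.well-known/acme-challenge/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
Timeout during connect (likely firewall problem)
"""
APACHE_LOG = [
    "[Sun Jun 10 21:19:04.150340 2018] [authz_core:error] [pid 806:tid 1740633136] "
    "[client 203.0.113.10:54200] AH01630: client denied by server configuration: "
    "/var/www/ncp-web/.well-known, referer: "
    "http://cloud.example.org/.well-known/acme-challenge/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "[Mon Jun 11 14:09:29.729803 2018] [authz_core:error] [pid 806:tid 1698690096] "
    "[client 198.51.100.7:46620] AH01630: client denied by server configuration: /var/www/ncp-web/",
]

if __name__ == "__main__":
    for sample in (CERTBOT_UNAUTHORIZED, CERTBOT_CONNECTION):
        v = diagnose(sample, APACHE_LOG)
        print(f"{v.error_type}: {v.diagnosis}")
    print(apache_alias_snippet("/var/www/nextcloud"))
```

Run it against the real files with `diagnose(open("/var/log/letsencrypt/letsencrypt.log").read(), open("/var/log/apache2/error.log"))`. This also explains why the standalone command in post #2 works: certbot's standalone authenticator serves the token from its own listener on port 80 while the pre-hook has stopped Apache, so the document root of the ncp-web vhost never comes into play; the price is a short outage on every renewal. Note that `rm -R /etc/letsencrypt/*` also removes the ACME account key and any certificates still in use, so the backup post #2 asks for is not optional.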

#3

Actually, it did the trick for me!! Although I don’t know what caused the problem. I had a fresh installation, and the same configuration worked before the restart.

Anyway: Thank you very much!


#4

No problem.

Most of the time, certbot checks whether any files from an old cert are present. In that case, it’s a fatal error.


#5

I am also having an issue getting a cert from letsencrypt:

[ letsencrypt ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.org
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Challenge failed for domain mydomain.org
http-01 challenge for mydomain.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: mydomain.org
Type: connection
Detail: Fetching
http://mydomain.org/.well-known/acme-challenge/9L4n_sK8-XztNsHskPjrkJZsRJB7Scmhp4pz_BzhCvI:
Timeout during connect (likely firewall problem)