NCP Problem with Letsencrypt cert renew

Dear Users,

I have a problem with the renewal of a Letsencrypt certificate. The setup of the certificate once worked without any problems. However, yesterday I got a mail that the certificate is about to expire.
I then tried to renew the certificate via NCP Panel. However, this failed. I received the following error:

 The following errors were reported by the server:
 
    Domain: XXX.myfritz.net
    Type:   unauthorized
    Detail: Invalid response from
    http://XXX.myfritz.net/.well-known/acme-challenge/GNXI75iLy_hSGHXLmXkgPlg525WMKIEUqFMBhdLKDHo
    [79.193.9.115]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
    2.0//EN\">\n<html><head>\n<title>404 Not
    Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

After trying various troubleshooting instructions without success, I then made the mistake of disabling Letsencrypt in the NCP panel. This made the problem even worse. After some back and forth, I deleted the certificate using “certbot delete”.
But I still can’t install a new certificate. I still get this error:

 [ letsencrypt ] (Mon Nov 29 12:28:44 CET 2021)
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator webroot, Installer None
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for 0eyyqqyufqpypran.myfritz.net
 Using the webroot path /var/www/nextcloud for all unmatched domains.
 Waiting for verification...
 Cleaning up challenges
 Failed authorization procedure. XXX.myfritz.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://XXX.myfritz.net/.well-known/acme-challenge/FT89kuKf8y8s56DbzIK80HMtGSHz4AobzhBFlkDrpBg [79.193.9.115]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
 IMPORTANT NOTES:
 - The following errors were reported by the server:
 
 Domain: 0eyyqqyufqpypran.myfritz.net
 Type: unauthorized
 Detail: Invalid response from
 http://XXX.myfritz.net/.well-known/acme-challenge/FT89kuKf8y8s56DbzIK80HMtGSHz4AobzhBFlkDrpBg
 [79.193.9.115]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
 2.0//EN\">\n<html><head>\n<title>404 Not
 Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

When I call the URL in the browser I am redirected directly to the login page of Nextcloud (https). curl gives the following output:

 curl http://XXX.myfritz.net/.well-known/acme-challenge/GNXI75iLy_hSGHXLmXkgPlg525WMKIEUqFMBhdLKDHo
 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>404 Not Found</title>
 </head><body>
 <h1>Not Found</h1>
 <p>The requested URL was not found on this server.</p>

So I suspect something is wrong with the redirect for “.well-known/acme-challenge/”. Have no idea what though.

Thanks a lot for your hints.

You need both ports 80 (http) and 443 (https) to be forwarded.
Looks like you have only port 443 forwarded.

Mm, like OliverV wrote

This usually happens when certbot's http challenge request fails on port 80, for whatever reason. There used to be an issue with .well-known/acme-challenge/ previously, in that the https-only setting didn't allow the certbot challenge response request on port 80; however, this should be fixed now.

Checking your port forwards and firewalls (if you have any enabled) to make sure they allow port 80 would be a good place to start; if you are on an older version, try disabling the https-only setting.

If port 80 is blocked, try to use TLS-ALPN-01, e.g.:

sudo certbot --preferred-challenges tls-alpn-01

If you are using acme, then

Thanks for the quick reply. Ports 80 and 443 are forwarded correctly.
I read the post you pointed out. Disabling “nc-https-only” did not work for me.

But you have led me to the correct path. I apparently had an error in my web server configuration. I had 000-default explicitly assigned to port 80. After I set this to any, it worked with Letsencrypt.

I was able to assign a new certificate.

Many thanks for your help!!!
