Nextcloud letsencrypt certificate doesnt renew

ncp
#1

hi,

just upgraded my raspberry nextcloudpi to the latest.
somehow my letsencrypt renewal now stopped working?
my certificate has expired?

in ncp-config requesting the new certificate responds: Running letsencrypt
/usr/local/bin/ncp/NETWORKING/letsencrypt.sh: line 62: /etc/letsencrypt/letsencrypt-auto: No such file or directory
Done. Press any key…

tried reinstalling as suggested using this snippet:
/tmp# cat letsencrypt.sh
source /usr/local/etc/library.sh

[[ -f /etc/letsencrypt/certbot-auto ]] || {

[[ -f /.docker-image ]] && mv "$(readlink /etc/letsencrypt)" /etc/letsencrypt-old
[[ -f /.docker-image ]] || mv /etc/letsencrypt /etc/letsencrypt-old
rm -f /etc/letsencrypt
apt-get remove -y letsencrypt
apt-get autoremove -y
install_app letsencrypt
[[ -f /etc/letsencrypt-old/live ]] && cp -raT /etc/letsencrypt-old/live /etc/letsencrypt/live
[[ -d /etc/letsencrypt/archive ]] || \
cp -ravT /etc/letsencrypt-old/archive /etc/letsencrypt/archive &>/dev/null
[[ -f /.docker-image ]] && persistent_cfg /etc/letsencrypt
[[ -f /etc/cron.weekly/letsencrypt-ncp ]] && run_app letsencrypt
}

any suggestions getting my nextcloud back into safety?

regards

#2

This is indeed the binary installed manually from GitHub sources AFAIK. An automated renewal job needs to be added manually with this. Not sure how NCP handles this but I suggest you install Certbot from Debian/Raspbian APT repo which allows easier updates. There have been some important updates over the last year that dropped/updated some authentication methods.

For this run: apt install certbot && certbot renew

#3

thanks… will look into this. somehow the latest move from V14 towards V15 seems to have broken this :frowning:

#4

Actually it cannot be related to the Nextcloud update, since Nextcloud itself has nothing to do with it and will never change anything about your webserver and/or SSL configuration. So it must be by chance that both events occurred at the same time.

Now I see that NCP indeed installs Certbot from GitHub sources and places a custom cron job for updating the certificate: [[ -f /etc/cron.weekly/letsencrypt-ncp ]] && run_app letsencrypt
Not sure why it does not rely on the APT package which automates all this and even updates your authentication settings if required on APT upgrade (to match current allowed methods). On Stretch the version is very current: https://packages.debian.org/stretch/certbot

@nachoparker
Just a suggestion to rely on APT here. Using GitHub sources requires regular manual updates not only of the binaries but also the authentication methods/modules (e.g. TLS-SNI support drop).

This allows to remove/skip all the manual renewal jobs and rely on the systemd timers that are shipped with the package.

If it for some reason should be assured that CertBot is NOT installed from APT, then apt-get remove -y certbot would be the correct command. letsencrypt is a deprecated transitional package that is rarely listed by any guide and as such when removing certbot, letsencrypt will be automatically removed as well anyway: https://packages.debian.org/stretch/letsencrypt
The other way round, certbot stays installed, conflicting or at least doubling the renewal jobs.

#5

thanks for the suggestion. We were using the debian package until January, but we had to move to the git version (with a lot of user pain) because it was using a deprecated method that was going to be disabled in Feb and was not going to make it (apparently) to Stretch.

For this reason we moved to the github version, but can’t wait to go back again to the package based solution

edit: the git version auto-updates itself, but this is more buggy than apt updates

#6

@nachoparker
Which deprecated method do you mean? It was indeed using TLS-SNI with Nginx and Apache modules which was found to have a security issue and thus dropped. Ah I see, the new version (with fix) was indeed shipped in end of January (24., backports earlier): https://deb.debian.org/debian/pool/main/p/python-certbot/

We also faced this issue, but a simple solution was to switch to --webroot authentication (away from the Apache/Nginx auth modules), which already used HTTP-01 authentication with earlier versions. I just (some weeks ago) reverted back to --apache authentication, which now (with v0.28) works again.

However it means you could revert to APT :smiley:. Of course all above only in case TLS-SNI was the issue that made you move away from APT.

#7

Sounds good. We'll probably change back then, but it's a painful migration; there are always users that skip key updates. I am in the process of improving that, but until then it's always painful.

Thanks

#8

somehow I have broken the letsencrypt completely. is there a way to reinstall these and create a certificate for my nextcloud site?

tried the code snippet: didn't fix it, now I get empty responses

#9

@Migimli
Did you now install the APT package or use the NCP method?
What does the following show:
certbot renew
And please paste which -a certbot to check whether there are two binaries now.

@nachoparker
AFAIK you can just leave /etc/letsencrypt as is with all certs/keys etc. The APT package will migrate the existing account info etc. The only thing that needs to be removed is the certbot binary on $PATH added by the Git installer, if present. AFAIK it is placed in /usr/local/bin/certbot, so it would override the one from the APT package (/usr/bin/certbot), which might be @Migimli's issue.

With the systemd service/timer (provided by the APT package) it is even easier to toggle auto-updates via: systemctl --now enable/disable certbot.timer
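The duplicate-binary check suggested above, written out as a small POSIX sh helper. This is an added example, not code from the thread or from NCP: it walks $PATH in lookup order the way `which -a certbot` does, reports every copy it finds, and returns a distinct status when a second copy (for instance /usr/local/bin/certbot from the Git installer shadowing /usr/bin/certbot from APT) would win. The demo function builds two fake certbot files in a temporary directory so the check can be exercised without touching the real system; the function names and the temporary layout are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect shadowed copies of a command on PATH.
# Not part of the forum thread or of the NextCloudPi scripts.

# find_all_on_path NAME [PATH_VALUE]
# Prints every executable NAME found in PATH_VALUE (default: $PATH),
# one per line, in the order the shell would search them.
find_all_on_path() {
    name=$1
    path_value=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $path_value; do
        # Skip empty components (they mean "current directory").
        [ -n "$dir" ] && [ -x "$dir/$name" ] && printf '%s\n' "$dir/$name"
    done
    IFS=$old_ifs
}

# shadow_check NAME [PATH_VALUE]
# Exit status: 0 = exactly one copy, 1 = none, 2 = more than one
# (the first line printed is the one that actually runs).
shadow_check() {
    matches=$(find_all_on_path "$1" "$2")
    n=$(printf '%s\n' "$matches" | awk 'NF { c++ } END { print c + 0 }')
    case $n in
        0) echo "no $1 found on PATH"; return 1 ;;
        1) echo "single $1: $matches"; return 0 ;;
        *) echo "WARNING: $n copies of $1 on PATH; first one wins:"
           printf '%s\n' "$matches"; return 2 ;;
    esac
}

# renewal_timer_state
# Shows whether the APT package's systemd timer is enabled; prints
# "unavailable" where systemd is absent (e.g. in a container).
renewal_timer_state() {
    systemctl is-enabled certbot.timer 2>/dev/null || echo "unavailable"
}

# demo_shadowed_path
# Constructed fixture: two fake "certbot" scripts under a temporary root,
# laid out like /usr/local/bin (Git installer) and /usr/bin (APT package).
# Prints the PATH value that reproduces the shadowing.
demo_shadowed_path() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/local/bin" "$tmp/usr/bin"
    printf '#!/bin/sh\necho git-installer\n' > "$tmp/usr/local/bin/certbot"
    printf '#!/bin/sh\necho apt-package\n' > "$tmp/usr/bin/certbot"
    chmod +x "$tmp/usr/local/bin/certbot" "$tmp/usr/bin/certbot"
    printf '%s' "$tmp/usr/local/bin:$tmp/usr/bin"
}

# Stand-alone run: check the real PATH first, then the constructed one.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    shadow_check certbot
    shadow_check certbot "$(demo_shadowed_path)"
fi
```

On a host where the Git installer was removed cleanly, `shadow_check certbot` returns 0 and prints /usr/bin/certbot; a return of 2 with /usr/local/bin/certbot listed first is the situation described in the post above, and the stale copy is what to remove before trusting `certbot renew` or the timer.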

#10

feel I broke the certificates:
root@TheThing:/home/pi# certbot -renew
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: -renew
root@TheThing:/home/pi#
root@TheThing:/home/pi# which -a certbot
/usr/bin/certbot
root@TheThing:/home/pi#

#11

Okay that is the APT binary, so fine.

It must be without dash, so just: certbot renew

#12

think I lost the whole config:
root@TheThing:/var/log/letsencrypt# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

No renewals were attempted.

root@TheThing:/var/log/letsencrypt#

#13

tried to fix all and was able to renew a certificate after replacing the letsencrypt with my former letsencrypt-data…

did a shutdown and restart: the machine will not load the web at all
Internal Server Error

The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
More details can be found in the server log.

[edit]
some time later I changed my web browser… the certificate renewal worked!

#14

FYI we already changed back to the apt version

#15

I hope I’ve located a suitable topic for this question. My skills are limited. Can you tell me how to solve my problem? I am trying to update from ncp v1.11.2 to v1.12.3. Running nc-update fails, with the following appearing at the end of the dialog:

Reading package lists...
Building dependency tree...
Reading state information...

Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
letsencrypt : Depends: certbot but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

I also ran the following:

$ sudo aptitude install letsencrypt

The following NEW packages will be installed:
  	certbot{a} 
	letsencrypt 
	python3-acme{a} 
	python3-certbot{a} 
	python3-configargparse{a} 
	python3-configobj{a} 
	python3-josepy{a} 
	python3-mock{a}
  	python3-parsedatetime{a} 
	python3-pbr{a} 
	python3-requests-toolbelt{a} 
	python3-rfc3339{a} 
	python3-tz{a} 
	python3-zope.component{a}
  	python3-zope.event{a} 
	python3-zope.hookable{ab} 
	python3-zope.interface{ab}

0 packages upgraded, 17 newly installed, 0 to remove and 3 not upgraded.

Need to get 787 kB of archives. After unpacking 4,188 kB will be used.
The following packages have unmet dependencies:
 python3-zope.interface : Depends: python3 (< 3.6) but 3.6.6-1 is installed
 python3-zope.hookable : Depends: python3 (< 3.6) but 3.6.6-1 is installed
The following actions will resolve these dependencies:

     Keep the following packages at their current version:
1)     certbot [Not Installed]
2)     letsencrypt [Not Installed]
3)     python3-certbot [Not Installed]
4)     python3-zope.component [Not Installed]
5)     python3-zope.hookable [Not Installed]
6)     python3-zope.interface [Not Installed]

Accept this solution? [Y/n/q/?] q

Thoughts?

Best.

#16

Try this