just upgraded my raspberry nextcloudpi to the latest.
somehow my letsencrypt renewal now stopped working?
my certificate has expired?
in ncp-config requesting the new certificate responsRunning letsencrypt
/usr/local/bin/ncp/NETWORKING/letsencrypt.sh: line 62: /etc/letsencrypt/letsencrypt-auto: No such file or directory
Done. Press any keyā¦
tried reinstalling as suggested using this snippet:
/tmp# cat letsencrypt.sh
source /usr/local/etc/library.sh
This is indeed the binary installed manually from GitHub sources AFAIK. An automated renewal job needs to be added manually with this. Not sure how NCP handles this but I suggest you install Certbot from Debian/Raspbian APT repo which allows easier updates. There have been some important updates over the last year that dropped/updated some authentication methods.
For this run: apt install certbot && certbot renew
Actually it cannot be related to the Nextcloud update, since Nextcloud itself has nothing to do with and will never change anything about your webserver and/or SSL configuration. So this must be by chance that both events occur the same time.
Now I see that NCP indeed installs CertBot from GitHub sources and place custom cron job for updating the certificate: [[ -f /etc/cron.weekly/letsencrypt-ncp ]] && run_app letsencrypt
Not sure why it does not rely on the APT package which automates all this and even updates your authentication settings if required on APT upgrade (to match current allowed methods). On Stretch the version is very current: Debian -- Error
@nachoparker
Just a suggestion to rely on APT here. Using GitHub sources requires regular manual updates not only of the binaries but also the authentication methods/modules (e.g. TLS-SNI support drop).
This allows to remove/skip all the manual renewal jobs and rely on the systemd timers that are shipped with the package.
If it for some reason should be assured that CertBot is NOT installed from APT, then apt-get remove -y certbot would be the correct command. letsencrypt is a deprecated transitional package that is rarely listed by any guide and as such when removing certbot, letsencrypt will be automatically removed as well anyway: Debian -- Error
The other way round, certbot stays installed, conflicting or at least doubling the renewal jobs.
thanks for the suggestion. We were using the debian package until January, but we had to move to the git version (with a lot of user pain) because it was using a deprecated method that was going to be disabled in Feb and was not going to make it (apparently) to Stretch.
For this reason we moved to the github version, but canāt wait to go back again to the package based solution
edit: the git version auto-updates itself, but this is more buggy than apt updates
@nachoparker
Which deprecated method do you mean? It was indeed using TLS-SNI with Nginx and Apache modules which was found to have a security issue and thus dropped. Ah I see, the new version (with fix) was indeed shipped in end of January (24., backports earlier): https://deb.debian.org/debian/pool/main/p/python-certbot/
We also faced this issue but a simple solution was to switch to --webroot authentication (away from Apache/Nginx auth modules), which used already HTTP01 authentication with earlier versions. I just (some weeks ago) reverted back to --apache authentication which now (with v0.28) works again.
However it means you could revert to APT . Of course all above only in case TLS-SNI was the issue that made you move away from APT.
Sounds good. Weāll probably change back then but itās a painful migration, thereās always users that skip key updates, I am in the process of improving that but until then itās always painful
@Migimli
Did you now install the APT package or use the NCP method?
What does the following show: certbot renew
And please paste which -a certbot to check whether there are two binaries now.
@nachoparker
AFAIK you can just leave /etc/letsencrypt as is with all certs/keys etc. The APT package will migrate the existing account info etc. Only thing that needs to be removed is in case the certbot binary on $PATH added by the Git installer. AFAIK it is placed in /usr/local/bin/certbot so would override the one from the APT package (/usr/bin/certbot), if present, which might be @Migimli issue.
With the systemd service/timer (provided by the APT package) it is even easier to toggle auto-updates via: systemctl --now enable/disable certbot.timer
tried to fix all and was able to renew a certificate after replacing the letsencrypt with my former letsencrypt-dataā¦
did a shutdown and restart: the machine will not load the web at all
Internal Server Error
The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
More details can be found in the server log.
[edit]
some time changed my webbrowserā¦ the certificate renewal worked!
I hope Iāve located a suitable topic for this question. My skills are limited. Can you tell me how to solve my problem? I am trying to update from ncp v1.11.2 to v1.12.3. Running nc-update fails, with the following appearing at the end of the dialog:
Reading package lists...
Building dependency tree...
Reading state information...
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
letsencrypt : Depends: certbot but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
I also ran the following:
$ sudo aptitude install letsencrypt
The following NEW packages will be installed:
certbot{a}
letsencrypt
python3-acme{a}
python3-certbot{a}
python3-configargparse{a}
python3-configobj{a}
python3-josepy{a}
python3-mock{a}
python3-parsedatetime{a}
python3-pbr{a}
python3-requests-toolbelt{a}
python3-rfc3339{a}
python3-tz{a}
python3-zope.component{a}
python3-zope.event{a}
python3-zope.hookable{ab}
python3-zope.interface{ab}
0 packages upgraded, 17 newly installed, 0 to remove and 3 not upgraded.
Need to get 787 kB of archives. After unpacking 4,188 kB will be used.
The following packages have unmet dependencies:
python3-zope.interface : Depends: python3 (< 3.6) but 3.6.6-1 is installed
python3-zope.hookable : Depends: python3 (< 3.6) but 3.6.6-1 is installed
The following actions will resolve these dependencies:
Keep the following packages at their current version:
1) certbot [Not Installed]
2) letsencrypt [Not Installed]
3) python3-certbot [Not Installed]
4) python3-zope.component [Not Installed]
5) python3-zope.hookable [Not Installed]
6) python3-zope.interface [Not Installed]
Accept this solution? [Y/n/q/?] q
So sorry, I am really green, and out of my league on these issues. I am unable to update from v1.11.2 to v1.13.3
I still seem to have issues with letsencrypt.
Also, should āCannot load Zend OPcache - it was already loadedā be a concern?
Running ncp-update yields the following:
user@host:~ $ sudo ncp-update
Downloading updates
Performing updates
Running nc-autoupdate-nc
automatic Nextcloud updates enabled
Cannot load Zend OPcache - it was already loaded
Config value squareSizes for app previewgenerator set to 32
Cannot load Zend OPcache - it was already loaded
Config value widthSizes for app previewgenerator set to 128 256 512
Cannot load Zend OPcache - it was already loaded
Config value heightSizes for app previewgenerator set to 128 256
Cannot load Zend OPcache - it was already loaded
System config value jpeg_quality set to string 60
Running unattended-upgrades
Unattended upgrades active: yes (autoreboot true)
--2019-06-26 10:42:38-- https://packages.sury.org/php/apt.gpg
Resolving packages.sury.org (packages.sury.org)... 104.31.94.169, 104.31.95.169, 2606:4700:30::681f:5fa9, ...
Connecting to packages.sury.org (packages.sury.org)|104.31.94.169|:443... connec ted.
HTTP request sent, awaiting response... 200 OK
Length: 1769 (1.7K) [application/octet-stream]
Saving to: ā/etc/apt/trusted.gpg.d/php.gpgā
/etc/apt/trusted.gp 100%[===================>] 1.73K --.-KB/s in 0s
2019-06-26 10:42:39 (4.00 MB/s) - ā/etc/apt/trusted.gpg.d/php.gpgā saved [1769/1 769]
Running nc-autoupdate-ncp
automatic NextCloudPi updates enabled
Running nc-notify-updates
update web notifications enabled
Installing nc-backup
Get:1 http://archive.raspberrypi.org/debian stretch InRelease [25.4 kB]
Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease
Hit:3 https://packages.sury.org/php stretch InRelease
Fetched 25.4 kB in 1s (17.3 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
pigz is already the newest version (2.3.4-1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Installing nc-restore
Installing letsencrypt
Get:1 http://archive.raspberrypi.org/debian stretch InRelease [25.4 kB]
Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease
Hit:3 https://packages.sury.org/php stretch InRelease
Fetched 25.4 kB in 2s (16.1 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
letsencrypt : Depends: certbot but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
Seeing the dependency issues with letsencrypt, I then tried this (but did not execute):
user@host:~ $ sudo aptitude install letsencrypt
The following NEW packages will be installed:
certbot{a} letsencrypt python3-acme{a} python3-certbot{a} python3-configargparse{a} python3-configobj{a} python3-josepy{a} python3-mock{a} python3-parsedatetime{a}
python3-pbr{a} python3-requests-toolbelt{a} python3-rfc3339{a} python3-tz{a} python3-zope.component{a} python3-zope.event{a} python3-zope.hookable{ab}
python3-zope.interface{ab}
0 packages upgraded, 17 newly installed, 0 to remove and 0 not upgraded.
Need to get 787 kB of archives. After unpacking 4,188 kB will be used.
The following packages have unmet dependencies:
python3-zope.interface : Depends: python3 (< 3.6) but 3.6.6-1 is installed
python3-zope.hookable : Depends: python3 (< 3.6) but 3.6.6-1 is installed
The following actions will resolve these dependencies:
Keep the following packages at their current version:
1) certbot [Not Installed]
2) letsencrypt [Not Installed]
3) python3-certbot [Not Installed]
4) python3-zope.component [Not Installed]
5) python3-zope.hookable [Not Installed]
6) python3-zope.interface [Not Installed]
Accept this solution? [Y/n/q/?]
Any and all assistance is appreciated. As I said, Iām in the dark on this stuff.
According to the system info on the administrative dashboard, I am using an unsupported distro (Buster). Is it true that I should be using Stretch? Does that provide any relevant context for my troubles above?
Probably options 1) and 2) are fine. You might have some issues with Buster, I am not sure since it is not supported yet. I would say you are going to be ok.
Support is on the way though so weāll move to Buster pretty soon.
. Of course all above only in case TLS-SNI was the issue that made you move away from APT.