Nextcloud VM (Tech and Me) not auto renewing SSL cert


Hello all…

I have been running the excellent Tech and Me VM for a while now and it has been excellent on my QNAP NAS using Virtualisation Station 3.

But…! (Always a but!)

Every 90 days my Letsencrypt certificate expires and never gets auto-renewed. I get the notice ten days before expiry to renew it but I was wondering what I might be missing or have done wrong in my set up.

To do a renewal I have to run the script activate-ssl.sh and just follow it through. The first time it always fails; however, on the second attempt, the script gives me a long random string which I have to deploy as a TXT value on my domain's _acme-challenge. It's a simple copy, paste and wait 10 minutes before continuing, and it always gets renewed and I'm good to go for another couple of months.

The last warning I get once the renewal has taken place is:

ERROR: Site nextcloud_tls_domain_self_signed does not exist!
Site nextcloud_http_domain_self_signed already disabled
Site 000-default already disabled

I don’t mind doing this as it is a simple task but I’d like it to be auto renewed as it says on the tin.

If anyone can help fix this or point me in the right direction, I would, of course, be grateful.

Very best wishes

Dj

Hi,

Most probably it's because you don't keep port 80 open; I get that all the time: https://docs.hanssonit.se/s/W6fMouPiqQz3_Mog/virtual-machines-vm/d/W6-83ePiqQz3_MrT/publish-your-server-online and https://letsencrypt.org/docs/allow-port-80/

Just download the latest script and run it again, it will overwrite your existing config with the latest and greatest stuff.

You can find it here:

Good luck!

Hi enoch85,
Thanks very much for the reply and script. Port 80 is open. I have checked it with a third-party app, and the activate script, when run, sees that 443 and 80 are open.

I will certainly give this script a try and see how I go…

Again thanks very much.

Dj


Maybe I should mention that you need the RAW file to be able to run it in the VM. 🙂

Run it with: sudo bash activate-ssl.sh

What this means is that certbot is failing HTTP domain verification and falling back to DNS verification.

For HTTP verification, it must be able to connect to your server via HTTP (it will not work with only HTTPS). Note that this doesn't mean you have to serve the Nextcloud site via HTTP. It can be a dummy site or a redirect, but it has to reach the web server at http://fqdn:80.

DNS verification generally can’t be done automatically, so you want HTTP verification to work. Do you get a specific error when it fails?

This error suggests an issue with the web server configuration.

Hi enoch85,

Yep, thanks very much. I've got the script; I'll have a go over the weekend.

Have a good weekend yourself

Dj

Hi there, and thanks very much for your help…

I think I understand what is being said in your reply, but I'm still stuck. I have checked with a couple of third-party online "port checkers" and confirmed that 443 and 80 are open. Indeed, after entering the _acme-challenge TXT into my domain all is good. It just won't do it automatically after the 90 days.

Another thing I've noticed is that if I run the Nextcloud security checker, that fails as well, in that it can't be reached, so yes, there is a set-up issue somewhere. Everything works fine though, all my apps, syncing etc… I just can't get the auto renew to do the job…

The search continues. I am grateful for your contribution.

Have a great weekend

Dj

Auto renew doesn’t work when using DNS validation.

So in other words, it would be better if you fixed your setup so that it could use the HTTP-01 challenge standalone (first option in the script).
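Two small checks that follow from the two replies above (certbot falling back to DNS validation, and HTTP-01 needing to reach the web server on port 80). This is an added example, not code from the thread or from the Tech and Me VM scripts. It assumes certbot keeps its renewal configs in /etc/letsencrypt/renewal/*.conf and that the web server serves $WEBROOT/.well-known/acme-challenge/ at http://$FQDN/.well-known/acme-challenge/; the config files in the demo are constructed samples. It goes a little beyond the thread in that it classifies any certbot authenticator, not just the manual DNS case.

```sh
#!/bin/sh
# Added example: spot certbot renewal configs that cannot renew unattended,
# and self-test the HTTP-01 path over plain HTTP.
# Assumed layout (not stated in the thread): /etc/letsencrypt/renewal/*.conf,
# and a web server that serves WEBROOT/.well-known/acme-challenge/ on port 80.

# classify_renewal_conf FILE
# Prints a verdict and returns 0 (AUTO), 1 (MANUAL) or 2 (UNKNOWN).
classify_renewal_conf() {
    conf="$1"
    authenticator=$(sed -n 's/^authenticator[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    # List values in these files carry a trailing comma, e.g. "dns-01,"
    pref_challs=$(sed -n 's/^pref_challs[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1 | tr -d ' ,')
    case "$authenticator" in
        manual)
            # manual + dns-01 is the "paste a TXT record" flow; certbot renew
            # has nobody to paste it, so the certificate quietly lapses
            printf 'MANUAL (%s, %s): someone has to complete the challenge at every renewal\n' \
                "$authenticator" "${pref_challs:-no pref_challs}"
            return 1 ;;
        webroot|standalone|apache|nginx)
            printf 'AUTO (%s): unattended, provided port 80 reaches this host\n' "$authenticator"
            return 0 ;;
        *)
            printf 'UNKNOWN (%s)\n' "${authenticator:-no authenticator key}"
            return 2 ;;
    esac
}

# http01_self_test WEBROOT FQDN
# Writes a random token under the webroot and fetches it back over HTTP,
# the same path an ACME HTTP-01 validation must reach. Returns 0 on success.
http01_self_test() {
    webroot="$1"; fqdn="$2"
    dir="$webroot/.well-known/acme-challenge"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
    body=$(curl -fsS --max-time 10 "http://$fqdn/.well-known/acme-challenge/$token" 2>/dev/null)
    rc=$?
    rm -f "$dir/$token"
    [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

# Demo on constructed renewal configs (real ones live in /etc/letsencrypt/renewal/)
demo_dir=$(mktemp -d)
cat > "$demo_dir/manual-dns.conf" <<'EOF'
[renewalparams]
account = 0123456789abcdef
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
EOF
cat > "$demo_dir/standalone.conf" <<'EOF'
[renewalparams]
account = 0123456789abcdef
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
for f in "$demo_dir"/*.conf; do
    printf '%s: ' "$(basename "$f")"
    classify_renewal_conf "$f" || true
done
rm -rf "$demo_dir"
# On the real server, with the web server running (hostname is a placeholder):
#   http01_self_test /var/www/html nextcloud.example.com && echo "HTTP-01 path reachable"
```

If the real config under /etc/letsencrypt/renewal/ comes back MANUAL, that matches the behaviour in the thread: the certificate was issued through the DNS fallback and nothing will renew it on its own until it is re-issued with an HTTP-01 authenticator. If http01_self_test fails while the port checkers say 80 is open, the port is reachable but the web server is not serving the challenge path on it, which is the other failure mode the replies describe.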