NextCloudPi certbot doesn't work

Nextcloud version: 14.0.4.2
Operating system and version: NextCloudPi v1.24.2
Apache or nginx version: Apache/2.4.38 (Raspbian)
PHP version: ??

The certbot doesn’t work. Since I installed NextCloudPi to use Nextcloud:

  1. The certbot did never actualize automatically
  2. Everytime, when I wanted to renew my certificate I have to use other mechanisms, because the old machanism (of renewing the last time) didn’t work anymore
  3. At the moment I’m not able to renew by certificate

So I have two questions:

  1. What is the regular way to make the automatic certificate renew-process working?
  2. What can I do now? I found four different ways for renewing:

What I tried so far and (and what didn’t work) and what the system replied:

  1. renewing certificate within firefox via the URL “http://MY-LOCAL-IP:4443/” → “let’s encrypt” → “apply”. The dot glows green and the reply is:

[ letsencrypt ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
Error output from ncp:
Nextcloud is in maintenance mode - no apps have been loaded

There are no commands defined in the “notification” namespace.

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/MY_DOMAIN-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/MY_DOMAIN-0001/privkey.pem
    Your cert will expire on 2020-07-24. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”
  • If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: h ttps://letsencrypt.org/donate
Donating to EFF: h ttps://eff.org/donate-le

Nextcloud is in maintenance mode - no apps have been loaded

System config value trusted_domains => 12 set to string MY_DOMAIN
Nextcloud is in maintenance mode - no apps have been loaded

System config value overwrite.cli.url set to string https://MY_DOMAIN

  1. renewing certificate within the NextCloudPi-console via SSH → “$ sudo ncp-config” → “networking” → “letsencrypt” with the following reply:

Running letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
An unexpected error occurred:
Error creating new order :: Cannot issue for “_”: Domain name contains an invalid character
Please see the logfiles in /var/log/letsencrypt for more details.
Done. Press any key…

  1. renewing certificate within the NextCloudPi-console via SSH → “$ sudo certbot renew”

$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/MY-DOMAIN-0001.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/MY-DOMAIN.conf


Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 67, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File “/usr/lib/python3/dist-packages/certbot/storage.py”, line 444, in init
“file reference”.format(self.configfile))
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/MY-DOMAIN.conf is broken. Skipping.


The following certs are not due for renewal yet:
/etc/letsencrypt/live/MY-DOMAIN-0001/fullchain.pem expires on 2020-07-24 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/MY-DOMAIN.conf (parsefail)


0 renew failure(s), 1 parse failure(s)

  1. renewing certificate within the NextCloudPi-console via SSH → “$ cd /etc/letsencrypt” → “$ ./certbot-auto”. (I already tried out the solution at Get Certbot — Certbot 2.7.0.dev0 documentation which was mentioned by the following output, but it didn’t work, too)

$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/MY_DOMAIN-0001.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/MY_DOMAIN.conf


Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 67, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File “/usr/lib/python3/dist-packages/certbot/storage.py”, line 444, in init
“file reference”.format(self.configfile))
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/MY_DOMAIN.conf is broken. Skipping.


The following certs are not due for renewal yet:
/etc/letsencrypt/live/MY_DOMAIN-0001/fullchain.pem expires on 2020-07-24 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/MY_DOMAIN.conf (parsefail)


0 renew failure(s), 1 parse failure(s)
pi@nextcloudpi:~ $ cd /etc/letsencrypt
pi@nextcloudpi:/etc/letsencrypt $ ./certbot-auto
Requesting to rerun ./certbot-auto with root privileges…
Bootstrapping dependencies for Debian-based OSes… (you can skip this with --no-bootstrap)
Hit:1 h ttp://archive.raspberrypi.org/debian buster InRelease
Get:2 h ttp://raspbian.raspberrypi.org/raspbian buster InRelease [15.0 kB]
Get:3 h ttp://raspbian.raspberrypi.org/raspbian buster/main armhf Packages [13.0 MB]
Fetched 13.0 MB in 47s (277 kB/s)
Reading package lists… Done
Reading package lists… Done
Building dependency tree
Reading state information… Done
augeas-lenses is already the newest version (1.11.0-3).
ca-certificates is already the newest version (20190110).
gcc is already the newest version (4:8.3.0-1+rpi2).
libaugeas0 is already the newest version (1.11.0-3).
libffi-dev is already the newest version (3.2.1-9).
python is already the newest version (2.7.16-1).
python-dev is already the newest version (2.7.16-1).
python-virtualenv is already the newest version (15.1.0+ds-2).
virtualenv is already the newest version (15.1.0+ds-2).
libssl-dev is already the newest version (1.1.1d-1+0~20191009.15+debian9~1.gbpd6badf).
openssl is already the newest version (1.1.1d-1+0~20191009.15+debian9~1.gbpd6badf).
0 upgraded, 0 newly installed, 0 to remove and 10 not upgraded.
Creating virtual environment…
Installing Python packages…
Had a problem while installing Python packages.

pip prints the following errors:

Collecting ConfigArgParse==1.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 12))
Downloading h ttps://files.pythonhosted.org/packages/66/37/dd9fcb3b19c1dceea450ee994952e311a96dd827bb09ee19169c3427e0d3/ConfigArgParse-1.0.tar.gz (40kB)
Collecting certifi==2019.11.28 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 14))
Downloading h ttps://files.pythonhosted.org/packages/b9/63/df50cac98ea0d5b006c55a399c3bf1db9da7b5a24de7890bc9cfd5dd9e99/certifi-2019.11.28-py2.py3-none-any.whl (156kB)
Collecting cffi==1.13.2 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 17))
Downloading h ttps://files.pythonhosted.org/packages/2d/bf/960e5a422db3ac1a5e612cb35ca436c3fc985ed4b7ed13a1b4879006f450/cffi-1.13.2.tar.gz (460kB)
Collecting chardet==3.0.4 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 51))
Downloading h ttps://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl (133kB)
Collecting configobj==5.0.6 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 54))
Downloading h ttps://files.pythonhosted.org/packages/64/61/079eb60459c44929e684fa7d9e2fdca403f67d64dd9dbac27296be2e0fab/configobj-5.0.6.tar.gz
Collecting cryptography==2.8 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 56))
Downloading h ttps://files.pythonhosted.org/packages/be/60/da377e1bed002716fb2d5d1d1cab720f298cb33ecff7bf7adea72788e4e4/cryptography-2.8.tar.gz (504kB)
Collecting distro==1.4.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 78))
Downloading h ttps://files.pythonhosted.org/packages/ea/35/82f79b92fa4d937146c660a6482cee4f3dfa1f97ff3d2a6f3ecba33e712e/distro-1.4.0-py2.py3-none-any.whl
Collecting enum34==1.1.6 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 81))
Downloading h ttps://files.pythonhosted.org/packages/c5/db/e56e6b4bbac7c4a06de1c50de6fe1ef3810018ae11732a50f15f62c7d050/enum34-1.1.6-py2-none-any.whl
Collecting funcsigs==1.0.2 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 86))
Downloading h ttps://files.pythonhosted.org/packages/69/cb/f5be453359271714c01b9bd06126eaf2e368f1fddfff30818754b5ac2328/funcsigs-1.0.2-py2.py3-none-any.whl
Collecting idna==2.8 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 89))
Downloading h ttps://files.pythonhosted.org/packages/14/2c/cd551d81dbe15200be1cf41cd03869a46fe7226e7450af7a6545bfc474c9/idna-2.8-py2.py3-none-any.whl (58kB)
Collecting ipaddress==1.0.23 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 92))
Downloading h ttps://files.pythonhosted.org/packages/c2/f8/49697181b1651d8347d24c095ce46c7346c37335ddc7d255833e7cde674d/ipaddress-1.0.23-py2.py3-none-any.whl
Collecting josepy==1.2.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 95))
Downloading h ttps://files.pythonhosted.org/packages/de/bb/4949857070b6601eacc209478823745cd79d72cf1c0bb8407aebb772677b/josepy-1.2.0-py2.py3-none-any.whl (57kB)
Collecting mock==1.3.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 98))
Downloading h ttps://files.pythonhosted.org/packages/b2/50/664a70b87408bb6c14c1af2337efa64eb8d1af80c933531758b8fb41ec25/mock-1.3.0-py2.py3-none-any.whl (56kB)
Collecting parsedatetime==2.5 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 101))
Downloading h ttps://files.pythonhosted.org/packages/4e/26/7612745a21452f6d822c0868ff7168dd8cf592645b2a553a177e1de43901/parsedatetime-2.5-py2-none-any.whl (40kB)
Collecting pbr==5.4.4 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 104))
Downloading h ttps://files.pythonhosted.org/packages/7a/db/a968fd7beb9fe06901c1841cb25c9ccb666ca1b9a19b114d1bbedf1126fc/pbr-5.4.4-py2.py3-none-any.whl (110kB)
Collecting pyOpenSSL==19.1.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 107))
Downloading h ttps://files.pythonhosted.org/packages/9e/de/f8342b68fa9e981d348039954657bdf681b2ab93de27443be51865ffa310/pyOpenSSL-19.1.0-py2.py3-none-any.whl (53kB)
Collecting pyRFC3339==1.1 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 110))
Downloading h ttps://files.pythonhosted.org/packages/c1/7a/725f5c16756ec6211b1e7eeac09f469084595513917ea069bc023c40a5e2/pyRFC3339-1.1-py2.py3-none-any.whl
Collecting pycparser==2.19 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 113))
Downloading h ttps://www.piwheels.org/simple/pycparser/pycparser-2.19-py2.py3-none-any.whl (111kB)
Collecting pyparsing==2.4.6 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 115))
Downloading h ttps://files.pythonhosted.org/packages/5d/bc/1e58593167fade7b544bfe9502a26dc860940a79ab306e651e7f13be68c2/pyparsing-2.4.6-py2.py3-none-any.whl (67kB)
Collecting python-augeas==0.5.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 118))
Downloading h ttps://files.pythonhosted.org/packages/41/e6/4b6740cb3e31b82252099994cea751c648b846aa7874343c31d68c2215be/python-augeas-0.5.0.tar.gz (90kB)
Collecting pytz==2019.3 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 120))
Downloading h ttps://files.pythonhosted.org/packages/e7/f9/f0b53f88060247251bf481fa6ea62cd0d25bf1b11a87888e53ce5b7c8ad2/pytz-2019.3-py2.py3-none-any.whl (509kB)
Collecting requests==2.22.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 123))
Downloading h ttps://files.pythonhosted.org/packages/51/bd/23c926cd341ea6b7dd0b2a00aba99ae0f828be89d72b2190f27c11d4b7fb/requests-2.22.0-py2.py3-none-any.whl (57kB)
Collecting requests-toolbelt==0.9.1 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 126))
Downloading h ttps://files.pythonhosted.org/packages/60/ef/7681134338fc097acef8d9b2f8abe0458e4d87559c689a8c306d0957ece5/requests_toolbelt-0.9.1-py2.py3-none-any.whl (54kB)
Collecting six==1.14.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 129))
Downloading h ttps://files.pythonhosted.org/packages/65/eb/1f97cb97bfc2390a276969c6fae16075da282f5058082d4cb10c6c5c1dba/six-1.14.0-py2.py3-none-any.whl
Collecting urllib3==1.25.8 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 132))
Downloading h ttps://files.pythonhosted.org/packages/e8/74/6e4f91745020f967d09332bb2b8b9b10090957334692eb88ea4afe91b77f/urllib3-1.25.8-py2.py3-none-any.whl (125kB)
Collecting zope.component==4.6 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 135))
Downloading h ttps://www.piwheels.org/simple/zope-component/zope.component-4.6-py2.py3-none-any.whl (70kB)
Collecting zope.deferredimport==4.3.1 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 137))
Downloading h ttps://files.pythonhosted.org/packages/63/e3/05b02057b56cd9c59d848b67aff1cc701e1d2237055ebd0d0c1f44331186/zope.deferredimport-4.3.1-py2.py3-none-any.whl
Collecting zope.deprecation==4.4.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 140))
Downloading h ttps://files.pythonhosted.org/packages/f9/26/b935bbf9d27e898b87d80e7873a0200cebf239253d0afe7a59f82fe90fff/zope.deprecation-4.4.0-py2.py3-none-any.whl
Collecting zope.event==4.4 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 143))
Downloading h ttps://files.pythonhosted.org/packages/c5/96/361edb421a077a4c208b4a5c212737d78ae03ce67fbbcd01621c49f332d1/zope.event-4.4-py2.py3-none-any.whl
Collecting zope.hookable==5.0.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 146))
Downloading h ttps://files.pythonhosted.org/packages/35/7e/d7ffdd410a9b4aa97d175af1718baa6b741ec6a60baa668354dd3da4e26c/zope.hookable-5.0.0.tar.gz
Collecting zope.interface==4.7.1 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 186))
Downloading h ttps://files.pythonhosted.org/packages/c3/05/bf3130eb799548882ce61b7c3d2dbc5d4d5cc6e821efa8786c5273d56844/zope.interface-4.7.1.tar.gz (151kB)
Collecting zope.proxy==4.3.3 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 226))
Downloading h ttps://files.pythonhosted.org/packages/e2/44/bea546c55488c044351e51ebf23bf440b19876e0069a418cadc1bd5736f7/zope.proxy-4.3.3.tar.gz (44kB)
Collecting letsencrypt==0.7.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 274))
Downloading h ttps://files.pythonhosted.org/packages/fd/21/0c6f33829fadec8aca0c1ebb4d6f8101c05899356a58d1b2e506cb77cf18/letsencrypt-0.7.0-py2-none-any.whl
Collecting certbot==1.3.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 278))
Downloading h ttps://files.pythonhosted.org/packages/4b/3d/afa627553cdd9b69553637fd15d07bee32f31e9401e5413fd7806367e54a/certbot-1.3.0-py2.py3-none-any.whl (231kB)
Collecting acme==1.3.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 281))
Downloading h ttps://files.pythonhosted.org/packages/3d/11/19d48550ad114026657c657a3da6c9b278e7d3d8a53aa2180d5c5216c67a/acme-1.3.0-py2.py3-none-any.whl
Collecting certbot-apache==1.3.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 284))
Downloading h ttps://files.pythonhosted.org/packages/80/83/d5ba575061fd936050ee9f87fe008a6802877c6263f3b7958d7b0e5c8bfe/certbot_apache-1.3.0-py2.py3-none-any.whl (86kB)
Collecting certbot-nginx==1.3.0 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 287))
Downloading h ttps://files.pythonhosted.org/packages/aa/62/673bdbf118bd01bddcad887b1ea2134b07f6382477084e32029d57326ba8/certbot_nginx-1.3.0-py2.py3-none-any.whl (45kB)
Requirement already satisfied: setuptools>=1.0 in /opt/eff.org/certbot/venv/lib/python2.7/site-packages (from josepy==1.2.0->-r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 95))
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
pycparser==2.19 from h ttps://www.piwheels.org/simple/pycparser/pycparser-2.19-py2.py3-none-any.whl#sha256=bc15573b7c6edd24407526dbbc7a0bd33d80d8af44231c37f58d73f56ff9cab6 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 113)):
Expected sha256 a988718abfad80b6b157acce7bf130a30876d27603738ac39f140993246b25b3
Got bc15573b7c6edd24407526dbbc7a0bd33d80d8af44231c37f58d73f56ff9cab6

zope.component==4.6 from https://www.piwheels.org/simple/zope-component/zope.component-4.6-py2.py3-none-any.whl#sha256=74f55521dec189c08d98341edce929eba6bb2404662d1878f1b289af46f6f6a5 (from -r /tmp/tmp.316WXSnu4g/letsencrypt-auto-requirements.txt (line 135)):
    Expected sha256 ec2afc5bbe611dcace98bb39822c122d44743d635dafc7315b9aef25097db9e6
         Got        74f55521dec189c08d98341edce929eba6bb2404662d1878f1b289af46f6f6a5

=====================================================

Certbot has problem setting up the virtual environment.

We were not be able to guess the right solution from your pip
output.

Consult h ttps://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
for possible solutions.
You may also find some support resources at h ttps://certbot.eff.org/support/ .

Sadly, nothing of this brought my Nextcloud back.

I want to mention another point, but I’m not sure if there is an relation to the issue that I described: When I visit the admin overview page at “https://MY_IP:4443/” I am told that my “port check 443” would be “closed”. I don’t have any explanation for it. I was running the NextCloudPi-wizard and told him to open the ports, additionaly I created the appropriate rules within the router (The 4443 port, which I opened in the same way like the 443 port works and is told to be “open”!)

I’m not sure, if I misunderstand the whole certbot system, or if that is only bad luck. So I would be very glad, if someone could show me the solution - and - the best way would be - if the solution is the regular solution, which will auto-renew my Cloud in the future in the common way.

Info: I was not allowed to send this post as it had to much links…as a result I changed all “https” to “h ttps” (I didn’t find another way to de-link this)

Kind regards
Ruettelplatte

I didn’t read all the debug messages, but a basic rule of thumb is that you need to keep port 80 open for everything to work.

You last option would be using the DNS validation, but I don’t know if that’s available in the NPi.

Thanks for your rely.

The admin section at “https://MY_IP:4443/” sais “port check 80 open”.
I don’t know, what a DNS validation is, but I think there have to be more options! It worked 3 times in the past (everytime by another mechanism)

as well as 443 TCP

Your system must have port 80 reachable from the internet for certbot to use automatic HTTP validation, even if your Nextcloud instance isn’t served on that port.

Can you confirm if this is the case?

By the way, Nextcloud 14 is no longer supported.

Thanks, as I already told:

If there is something that I have to do additionaly, then I don’t know how, do you?

Having a port in listening state locally and having it open to the internet are two very different things. So, can you reach port 80 of your device from off-network?

I’m not sure: When I try to reach

“MY_DOMAIN:443” with firefox, then it changes automatically to “https://MY_DOMAIN” (which is not accessible because of the missing certificate).

Is there another way to check it?

Why could this be a problem this time and not before?

You can use an online port scanner if you aren’t sure. For example http://www.t1shopper.com/tools/port-scan/

You can scan ports 80 and 443 and confirm if they are open from outside.

This seems to be OK, since the out put is:

MY_IP is responding on port 80 (http).
MY_IP is responding on port 443 (https).

You can try, moving the relevant letsencrypt folders in /archive /live and /renewal, as in:

sudo mv /etc/letsencrypt/archive/server.domain.com /etc/letsencrypt/archive/server.domain.com-old
sudo mv /etc/letsencrypt/live/server.domain.com /etc/letsencrypt/live/server.domain.com-old
sudo mv /etc/letsencrypt/renewal/name.conf /etc/letsencrypt/renewal/name.conf-old

Then run ncp-update from terminal/ncp-config or ncp-web, make sure you are on latest version (v1.25.0 currently) run sudo ncp-update first if not.
And run letsencrypt again from ncp-web or ncp-config.

That is if you want it to generate a new certificate and auto renew in future.
If not you can just point/edit values for cert and key in /etc/apache2/sites-enabled/nextcloud.conf to use the MY-DOMAIN-0001 key and cert.