NextcloudPi letsencrypt auto renewal crashed after update

Hi,

I have following problem with NextCloudPi:

NextcloudPi version: v1.39.19
Nextcloud version: 21.0.4.1

The issue you are facing:
I just updated my NCP to v1.39.19 and I also figured out that somehow the option ‘active’ was not set for automatic signed SSL certificates via letsencrypt. That’s strange, because I had NCP up and running for quite a while now also with external access via https and I have for sure used this function before. Nevertheless I activated this option again and got an error message. Now I can only reach my NCP from outside the local network anymore, because the cert is not valid.

[ letsencrypt ] (Mon Oct 4 12:13:14 CEST 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/XXX-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/XXX-0001/privkey.pem
Your cert will expire on 2022-01-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Apache self check:
AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/XXX/fullchain.pem' does not exist or is empty
Action '-t' failed.
The Apache error log may have more information.
System config value trusted_domains => 22 set to string XXX
System config value trusted_domains => 3 set to string XXX
System config value overwrite.cli.url set to string https://XXX/
System config value trusted_proxies => 11 set to string 127.0.0.1
System config value trusted_proxies => 12 set to string ::1
System config value trusted_proxies => 13 set to string XXX
System config value trusted_proxies => 14 set to string 92.117.137.193
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
configuration saved

Does anyone know what to do?

If you need further, more detailed information, please let me know. Unfortunately I am not an expert.

Thanks
Geko

At least one is lying or the file is really empty. Post content by cut-and-paste and change only the domain name. Also post the apache2 configuration in the affected location.

Thanks for your quick reply!

fullchain.pem does not exist. Also the directory /etc/letsencrypt/live/domain does not exist
Below the content from /etc/apache2/sites-enabled/ncp.conf

Is this all information you need?

Listen 4443
<VirtualHost _default_:4443>
  DocumentRoot /var/www/ncp-web
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/XXX.XXX.net/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/XXX.XXX.net/privkey.pem

  # 2 days to avoid very big backups requests to timeout
  TimeOut 172800

  <IfModule mod_authnz_external.c>
    DefineExternalAuth pwauth pipe /usr/sbin/pwauth
  </IfModule>

</VirtualHost>
<Directory /var/www/ncp-web/>

  AuthType Basic
  AuthName "ncp-web login"
  AuthBasicProvider external
  AuthExternal pwauth

  SetEnvIf Request_URI "^" noauth
  SetEnvIf Request_URI "^index\.php$" !noauth
  SetEnvIf Request_URI "^/$" !noauth
  SetEnvIf Request_URI "^/wizard/index.php$" !noauth
  SetEnvIf Request_URI "^/wizard/$" !noauth

  <RequireAll>

    <RequireAny>
      Require host localhost
      Require local
      Require ip 192.168
      Require ip 172
      Require ip 10
      Require ip fe80::/10
      Require ip fd00::/8
    </RequireAny>

    <RequireAny>
      Require env noauth
      Require user XXX
    </RequireAny>

  </RequireAll>

</Directory>

Are there more details in var/log/letsencrypt/letsencrypt.log ?
Why is there no error with Lets Encrypt but then no certificate?

same problem with var/log/letsencrypt/letsencrypt.log
Directory ‘var/log/letsencrypt’ does not exist.
I tried to open it with sudo nano var/log/letsencrypt/letsencrypt.log

Hopefully with /var/log/letsencrypt/letsencrypt.log or in / and as “root” or with “sudo”.

Please post in future cut-and-paste-messages. Thanks.

1.) check that / is not full.
2.) repeat Lets Encrypt certificate creation or renew

Post all command lines and input/output with cut-and-paste. Modify only your domain name.

try with a “/” before var/:

sudo cat /var/log/letsencrypt/letsencrypt.log

also ncp.conf is set to allow access through LAN only, so you don't need letsencrypt for it. Anyway Letsencrypt does not work with other ports than 80 and 443. ncp.conf listens on 4443.

and

Is a symbolic link to
/etc/letsencrypt/archive/XXX.XXX.net/fullchain#.pem

I had the same.
There is also a forum post about it.
You have to add the -0001 in the nextcloud.conf
At the moment it changes back with every letsencrypt renewal to the path without -0001.
Therefore no one is lying: the path doesn’t exist and the certificate is there. It isn’t just the old path anymore

Ok I hope this will help then. Can you please be more precise? Where exactly do I have to add the -0001?

SSLCertificateFile /etc/letsencrypt/live/XXX.XXX.net-0001/

For both files mentioned in the config.
As written in your second post

ok I tried to add -0001 in the ncp.conf file. No changes after saving the file, so I restarted the Raspberry. Now the web interface does not work anymore. Changing back to without -0001 does not help, still no connection via web. However, SSH connection is still possible.

SSLCertificateFile /etc/letsencrypt/live/XXX.XXX.net-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/XXX.XXX.net-0001/privkey.pem

Also, both paths do not exist

$ sudo cat /etc/letsencrypt/live/XXX.XXX.net/
cat: /etc/letsencrypt/live/XXX.XXX.net/: No such file or directory
$ sudo cat /etc/letsencrypt/live/XXX.XXX.net-0001/
cat: /etc/letsencrypt/live/XXX.XXX.net-0001/: No such file or directory

it does work with using the /, so that was my fault. But the file has more than 3000 lines. How do I copy them? Using nano to mark and copy all of them does not work :( Sorry, I am not really experienced

What do you mean with 1.) check that / is not full?

ok so for now I got it working with REAPERSbattlecry’s tip. Thanks for that. I think I tried to renew the cert too often, so I had to use -0003.

BUT my Nextcloud desktop app does not trust the cert, I had manually set it as a trusted one. For that reason I tested the cert on SSL Server Test (Powered by Qualys SSL Labs) and it says that everything is ok, but DNS CAA doesn’t work.


I am not sure, if that’s a big of a deal, but I am quite sure, I did not have this issue before. Any further ideas?

You don’t have to do it and it isn’t a very big deal if you don’t have it (depending on how you use your ncp instance). There are a couple of errors it can lead to if you don’t have it, and you can read more about them and CAA here on Letsencrypt’s website:
Letsencrypt Certificate Authority Authorization

There is also a link on their site to check with SSLMate’s CAA page list if your DNS provider has a DNS CAA record and if it can be set or not, and instructions on how to set it

Thanks for your reply! I am using No-IP and according to SSLMate they should have a DNS CAA record.


I had a similar problem a couple of weeks ago.

It turned out that the update script put the new certificate in a directory named
/etc/letsencrypt/live/mydomain-0001/

and not in

/etc/letsencrypt/live/mydomain/ as some programs expected it to be.

sudo ls /etc/letsencrypt/live/
will show you what's on.

In my case I did (as root)
cd /etc/letsencrypt/live/
ln -s mydomain-0001/ mydomain

after restart everything worked
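The diagnosis the thread arrives at (certbot created a new `-0001`/`-0003` lineage while ncp.conf still named the old path, so Apache's `-t` check failed with "does not exist or is empty") and the symlink fix from the last post, as an added example script that is not from the thread or from NextcloudPi. The live directory, the domain `example.net` and the vhost file are constructed sample data in a temp directory; on a real box the inputs would be /etc/letsencrypt/live and /etc/apache2/sites-enabled/ncp.conf.

```shell
#!/bin/sh
# Added example, not NextcloudPi code. Checks the cert/key paths an Apache
# vhost references, lists the certbot lineages that actually exist, and
# applies the "symlink old name -> newest lineage" fix from the last post.

# Print every SSLCertificateFile/SSLCertificateKeyFile path in the config
# that is missing or empty (exactly what makes "apache2ctl -t" fail).
# Empty output means the paths are fine. Symlinks are followed by -s.
missing_cert_files() {
  conf="$1"
  awk '$1 == "SSLCertificateFile" || $1 == "SSLCertificateKeyFile" { print $2 }' "$conf" |
  while IFS= read -r path; do
    [ -s "$path" ] || echo "$path"
  done
}

# Print the highest-numbered certbot lineage for a domain, e.g.
# "example.net-0003" when example.net-0001 and example.net-0003 exist.
# The zero-padded -NNNN suffix sorts correctly as plain text.
newest_lineage() {
  live="$1"; domain="$2"
  ls -d "$live/$domain" "$live/$domain"-[0-9][0-9][0-9][0-9] 2>/dev/null |
    sed 's#.*/##' | sort | tail -n 1
}

# Constructed sample layout mimicking the thread: lineage -0001 exists but
# holds an empty chain, -0003 is complete, and the config still names the
# original, now missing, directory.
TMP=$(mktemp -d)
LIVE="$TMP/live"
mkdir -p "$LIVE/example.net-0001" "$LIVE/example.net-0003"
: > "$LIVE/example.net-0001/fullchain.pem"
printf 'dummy cert\n' > "$LIVE/example.net-0003/fullchain.pem"
printf 'dummy key\n'  > "$LIVE/example.net-0003/privkey.pem"
CONF="$TMP/ncp.conf"
cat > "$CONF" <<EOF
Listen 4443
<VirtualHost _default_:4443>
  SSLCertificateFile $LIVE/example.net/fullchain.pem
  SSLCertificateKeyFile $LIVE/example.net/privkey.pem
</VirtualHost>
EOF

echo "lineages present:"; ls "$LIVE"
echo "paths Apache would reject:"; missing_cert_files "$CONF"
# The fix from the last post: make the old name point at the newest lineage.
ln -s "$(newest_lineage "$LIVE" example.net)" "$LIVE/example.net"
echo "after symlink, paths Apache would reject:"; missing_cert_files "$CONF"
```

Because certbot rewrites the lineage on each renewal, the symlink (or an updated ncp.conf) has to be checked again after the next `certbot renew`, which is what `missing_cert_files` is for.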