NextcloudPi - LetsEncrypt renewal error

Hey,
I have been trying to renew my LetsEncrypt certificate on my NextcloudPi system for days, but I cannot find the cause of this problem. Can someone help?

sudo letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/[myDomain].duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [myDomain].duckdns.org
Cleaning up challenges
Attempting to renew cert ([myDomain].duckdns.org) from /etc/letsencrypt/renewal/[myDomain].duckdns.org.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for [myDomain].duckdns.org:. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/[myDomain].netlord.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [myDomain].duckdns.org
http-01 challenge for [myDomain].netlord.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert ([myDomain].netlord.de) from /etc/letsencrypt/renewal/[myDomain].netlord.de.conf produced an unexpected error: Failed authorization procedure. [myDomain].duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://[myDomain].duckdns.org/.well-known/acme-challenge/biR_glH02h6bcaHIDU_K7_bAGzcmeYRa9iAr-SvCNh0: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/[myDomain].duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/[myDomain].netlord.de/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/[myDomain].duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/[myDomain].netlord.de/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: [myDomain].duckdns.org
   Type:   connection
   Detail: Fetching
   https://[myDomain].duckdns.org/.well-known/acme-challenge/biR_glH02h6bcaHIDU_K7_bAGzcmeYRa9iAr-SvCNh0:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Similar questions have already been asked on the forum. Please use the search function to find some yourself.

And don’t forget to re-link the helping answer here…

1 Like

Yep, I know and I read them, but maybe I am not smart enough to see it, BUT I cannot fix the problem.

Edit: Ports 80 and 443 are correctly set up and I don't have the 0001 ending problem.

Can you reach the domains manually? (Certbot doesn't, it seems.)
If so,

  • you can try renewing manually, from a terminal or ssh/putty, using dns (txt record), or using html (html file).
    I usually remove the certificate first, with:

sudo certbot delete

then for dns run

sudo certbot -d domain.example.tld --manual --preferred-challenges dns certonly

Or use html instead of dns, and follow the instructions from certbot.

Also, it is smart to provide detailed information about what you have tried, stating the steps you took and the pages (links) you used.

Is not very informative, to say the least, and is likely not going to trigger much interest

2 Likes

Thanks and sorry, I thought my Edit gave such information, but yeah, you are right!

I have deleted the entry and tried to create a new one with the command you provided, this time the error is:

Type:   unauthorized
   Detail: Incorrect TXT record "" found at
   _acme-challenge.[mydomain].duckdns.org

Some DNS servers are slow in updating records, and the records can take a long time to propagate to other DNS servers.

I always check if my new record is available to the www at https://mxtoolbox.com/TXTLookup.aspx
to verify that _acme-challenge.[mydomain].duckdns.org is returning the correct value, before hitting enter in the certbot command line.

Depending on the DNS provider, it can take several minutes, so be patient and try again; it should work in the end.
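
The check described in the post above, done from the shell with `dig` instead of a web lookup. This is an added example and not part of the original thread; the resolver list, the function names and the record name in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example: confirm the dns-01 TXT value is visible before pressing
# Enter in certbot. RESOLVERS is an assumed list of public resolvers.
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"

# normalize_txt: turn `dig +short TXT` output into bare values, one per line.
# dig wraps each TXT string in double quotes and may split one record into
# several quoted chunks ("abc" "def"), which are concatenated here.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_has_value EXPECTED: reads dig output on stdin and succeeds only if
# EXPECTED is exactly one of the published values. An empty record (the
# `Incorrect TXT record ""` case from the thread) never matches.
txt_has_value() {
    [ -n "$1" ] || return 2
    normalize_txt | grep -Fxq -- "$1"
}

# check_propagation NAME EXPECTED: ask every resolver; return 0 only when
# all of them already serve the expected value.
check_propagation() {
    name=$1 expected=$2 rc=0
    for r in $RESOLVERS; do
        if dig +short TXT "$name" "@$r" | txt_has_value "$expected"; then
            echo "ok      $r"
        else
            echo "missing $r"
            rc=1
        fi
    done
    return $rc
}

# Usage (placeholder name, value as printed by certbot):
#   ./check_txt.sh _acme-challenge.example.duckdns.org 'value-from-certbot'
if [ "$#" -eq 2 ]; then
    check_propagation "$1" "$2"
fi
```

A non-zero exit means at least one resolver still returns an old, empty or missing record, so wait and run it again before continuing in certbot.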

Thanks for your help! I did the DNS update wrong. If some others have the same issue, here I found the answer for duckdns (in German)

1 Like

Good to hear you got it to work :sunglasses: