NextCloudPi letsencrypt renewal not possible

Hi,

I have following problem with NextCloudPi:

Nextcloud version: 18.0.7.1
NextCloudPi version: v1.28.1

The issue you are facing:
I have had NextcloudPi successfully in use for ~3 months. Now the letsencrypt certificate expired and has not been automatically renewed. A manual renewal using the web interface does not work.
For DynDNS I use the MyFritz service.
I am also running Pihole on a second raspberry, but no relevant domain has been blocked.
Port forwarding for 80 and 443 is activated and working.

[ letsencrypt ] (Mon Aug 3 12:27:12 CEST 2020)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloudpi.XXX.myfritz.net
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nextcloudpi.XXX.myfritz.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://nextcloudpi.XXX.myfritz.net/.well-known/acme-challenge/JYMCIiJi08yBcV_RFanGntARmY6JHInK9ZUF8_ZAoBE: Error getting validation data
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: nextcloudpi.XXX.myfritz.net
Type: connection
Detail: Fetching
https://nextcloudpi.XXX.myfritz.net/.well-known/acme-challenge/JYMCIiJi08yBcV_RFanGntARmY6JHInK9ZUF8_ZAoBE:
Error getting validation data

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Any ideas?

BR
Geko
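A pre-flight check for the webroot HTTP-01 path, added here as an example (not part of the thread and not NCP's or certbot's own code): it drops a throw-away token under `<webroot>/.well-known/acme-challenge/` (the directory certbot's webroot plugin uses; in the log above the webroot is /var/www/nextcloud), fetches it back over plain HTTP the way the validator would, and reports a verdict in certbot's own terms (ok, connection, http_<code>, wrong_content). `serve_dir` and `demo` are constructed stand-ins for Apache on a loopback port so the block runs offline; `self_check` itself accepts any webroot and base URL.

```python
import os, secrets, tempfile, threading, urllib.error, urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"  # where certbot --webroot drops its token

def fetch_token(base_url, token, timeout=10):
    # Fetch it the way a validator does: plain HTTP, redirects followed.
    try:
        with urllib.request.urlopen(f"{base_url}/{CHALLENGE_DIR}/{token}", timeout=timeout) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # reachable, but not the file we placed
        return err.code, ""
    except OSError as err:                 # DNS, refused, timeout: certbot's "connection" error
        return None, str(err)

def self_check(webroot, base_url):
    # Write a throw-away token where certbot --webroot would put its own, fetch it back, and
    # report a verdict in certbot's own terms: ok / connection / http_<code> / wrong_content.
    chal = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chal, exist_ok=True)
    token = secrets.token_urlsafe(32)
    path = os.path.join(chal, token)
    with open(path, "w") as fh:
        fh.write(token + ".selfcheck")
    try:
        status, body = fetch_token(base_url, token)
    finally:
        os.remove(path)
    if status is None:
        return "connection", body
    if status != 200:
        return f"http_{status}", body
    if body.strip() != token + ".selfcheck":  # another vhost or a cached page answered
        return "wrong_content", body
    return "ok", body

def serve_dir(directory):
    # Stand-in for Apache so the demo runs offline: serve `directory` on a loopback port.
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(SimpleHTTPRequestHandler, directory=directory))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def demo():
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other:
        srv, base = serve_dir(webroot)  # constructed: `other` is a webroot the server never serves
        try:
            return self_check(webroot, base)[0], self_check(other, base)[0]
        finally:
            srv.shutdown(); srv.server_close()
```

Against the real host, run `self_check("/var/www/nextcloud", "http://<your domain>")` from outside the LAN: the validator connects from the Internet, and a router that does not hairpin NAT can pass from inside and fail from outside. The log above shows the fetch being redirected to https, and the validator follows such redirects, so the HTTPS vhost must serve the same acme-challenge path as the HTTP one.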

ummm. I never knew that AVM lets you define your own 4th level subdomain. Anyways:
How did you apply for it? Maybe directly via some Fritz-Service-feature?

good question, that was already a couple of weeks ago. If I remember correctly you have to activate this feature via myfritz.net or via the FritzBox. Then AVM automatically assigns a quite ugly domain to you. The full domain (nextcloudpi.XXX.myfritz.net) will automatically be established when activating port forwarding.

Btw I can still access my nextcloud, if the apps don’t care that the certificate is expired.
Also Wireguard VPN works quite well with the MyFritz DynDNS service.

some of them DO care.

btw: you haven’t deleted all mentions of your URL in your posting… :wink: search for Domain

I think that’s correct. But I dunno if you can tell them to auto-update your cert. Usually that should be the case (because why would you want a 3-month cert? - I’m sure the AVM FAQ would know more about it. Or even AVM support).

And you were always accessing your instance by the given URL? So why not put some thought into getting yourself a free dynamic DNS account (as there are some providers offering that), and with some of those you could even apply for your own cert. (NCP suggests some of those DDNS providers to you and would take care of the renewal automatically.)

Thanks!

well yes, that’s usually not a problem, because I almost never use the browser to work with NCP.

I thought about that as well. Maybe I’ll try that as a next step. I found it quite convenient to not use a third party provider for dynamic DNS.

I fully agree here. But in this case I think your existing cert should be renewed by AVM - the question is: why didn’t it happen? So I’d check with the guys from AVM support.

probably because I used the NCP function to obtain the cert in the first place

maybe so… but I could see in your cert that it was never prolonged between 4 May and 2 August. Which seems to be strange… Usually auto-renewal does it once/week.

you could check your instance if there are the needed files under /etc/letsencrypt. But as I’m not really into LE I can’t tell you which files you would need exactly… and how you’d perhaps need to alter your apache-config files.
So if you’d look closely at your Fritzbox… maybe you’re gonna find a valid cert there. This could be imported to your NC instance… But I dunno if it would help.

I had that in mind as well, but I have no idea where to search.

I tried it now with another dynamic DNS provider and now it seems to work. At least I was able to get a new certificate that lasts for 3 months :smiley: so let’s see

Thanks for your help!

so what exactly did you do? it would be great if you’d share the steps that led to solving the issue.
just in case someone else would come up with the same or a similar problem…

thanks in advance for sharing that

sorry, I could have been more precise…

For whatever reason the MyFritz dynamic DNS service seems to cause the problem. Even though I was able to get the letsencrypt certificate in the first step.

To solve the problem I simply registered at a free dynamic DNS provider to get a new domain. As @JimmyKater wrote above, some are suggested by NCP and some are also suggested by the FritzBox. Afterwards I used the DynDNS function in the FritzBox to fully set up the service. NCP seems to offer something similar in the admin web interface or via ssh.
Last step was to apply for a new certificate in the NCP letsencrypt menu with the new domain. This time I got a new certificate. Now I have to wait and see if the auto renewal works as expected.
