No automatic renewing of Letsencrypt certificate on Nextcloud Box

Hi,

So I have a letsencrypt certificate problem as mentioned in this thread here: renew letsencrypt certificate:

I got a certificate problem on my nextcloud box. “The certificate has expired”.

Effective Date: Tue May 9 12:12:00 2017 GMT
Expiration Date: Mon Aug 7 12:12:00 2017 GMT

Firefox doesn’t allow me to connect to my server because of this, and other apps don’t work as well. The version I have is 11.0.3. It never updated to v. 12, I don’t know if it’s related.
From what I understood, and it seemed to have worked well for the last 9 months, I have nothing to do to renew my certificate.

I’m currently on vacation and don’t have ssh access to the server. What can I do?

On the Nextcloud desktop client, I have a SSL handshake failed error.
On the Android client I have a socket exception in the Activity panel and I can’t upload anything.

But I have access to my Nextcloud instance with a browser that lets me go through the certificate problem.

I’m now back at my place, and I tried to reactivate the certificate with sudo nextcloud.enable-https lets-encrypt but I got the following error saying that it cannot reach my server.

$ sudo nextcloud.enable-https lets-encrypt
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
In order for Let's Encrypt to verify that you actually own the
domain(s) for which you're requesting a certificate, there are a
number of requirements of which you need to be aware:

1. In order to register with the Let's Encrypt ACME server, you must
   agree to the currently-in-effect Subscriber Agreement located
   here:

       https://letsencrypt.org/repository/

   By continuing to use this tool you agree to these terms. Please
   cancel now if otherwise.

2. You must have the domain name(s) for which you want certificates
   pointing at the external IP address of this machine.

3. Both ports 80 and 443 on the external IP address of this machine
   must point to this machine (e.g. port forwarding might need to be
   setup on your router).

Have you met these requirements? (y/n) y
Please enter an email address (for urgent notices or key recovery): myaddress@mail.com
Please enter your domain name(s) (space-separated): myserver.host.com
Attempting to obtain certificates... error running certbot:

ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for myserver.host.com
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. myserver.host.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://myserver.host.com/.well-known/acme-challenge/cEWMZEVvune2OzgVYLxWQUK2BhqGQXXX: Timeout
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: myserver.host.com
   Type:   connection
   Detail: Fetching
   http://myserver.host.com/.well-known/acme-challenge/cEWMZEVvune2OzgVYLxWQUK2BhqGQXXX:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

So it appears that it can’t access my server, it’s not clear why. There are a bunch of ld.so messages which I don’t understand either, not sure if they have an impact here though.

I used sudo nextcloud.enable-https self-signed, and it worked, but I still have warnings everywhere because I’m not a trusted authority, and it’s kind of annoying.

So I don’t really know what to do, any help would be appreciated. I’d just like to renew the letsencrypt certificate.
The wiki is rather light on the matter.

Thanks

Something that has been an issue for me before with Let’s Encrypt behind a router is that BOTH port 80 and port 443 must resolve from the Internet to your nextcloud box via the fully qualified domain name set at your DNS provider for the acme-challenge to work.

Are those ports forwarded correctly to your box and resolving correctly from the Internet?

I am a while away from first renewal of certs on my 11.03 Nextcloud box so am looking at these threads with interest as I understand it should be automatic.

Angus
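The checks Angus is asking about (does the name resolve to this network, are 80 and 443 reachable, can a file under /.well-known/acme-challenge/ be fetched by the public name) together with a days-to-expiry check for the situation in the first post, written out as an added example. This is my script for the thread, not part of nextcloud-snap or certbot. It assumes GNU coreutils date(1), curl, openssl and getent are installed, that api.ipify.org is an acceptable way to learn the public IP (any echo service you trust works), and it defaults the domain and webroot to the values certbot printed in the output above; the renew window of 30 days is certbot’s default.

```sh
#!/bin/sh
# Pre-flight for a Let's Encrypt http-01 renewal behind a home router, plus a
# days-to-expiry check of the certificate actually served. Added example for this
# thread; not nextcloud-snap or certbot code. Assumes GNU date, curl, openssl,
# getent, and uses api.ipify.org to learn the public IP (assumption, swap as needed).

DOMAIN="${1:-myserver.host.com}"
WEBROOT="${2:-/var/snap/nextcloud/current/certs/certbot}"
RENEW_WINDOW_DAYS=30   # certbot renews when fewer than 30 days remain

# A record(s) the resolver hands out for the name.
resolve_a() { getent ahostsv4 "$1" | awk '{print $1}' | sort -u; }

# Public IPv4 of this network as seen from outside the NAT.
public_ip() { curl -fsS --max-time 10 https://api.ipify.org; }

# Pure helper: is IP $1 one of the newline-separated addresses in $2? (-F: no regex, -x: whole line)
ip_in_list() { printf '%s\n' "$2" | grep -qxF "$1"; }

# TCP reachability of $1:$2 via curl (exit 7 = refused, 28 = timeout). No -f, so an
# HTTP error page still counts as reachable; -k because the served cert may be expired.
port_reachable() {
  case "$2" in
    443) curl -sk -o /dev/null --connect-timeout 5 "https://$1:$2/" ;;
    *)   curl -s  -o /dev/null --connect-timeout 5 "http://$1:$2/" ;;
  esac
}

# Emulate the ACME validation fetch: drop a token in the webroot and retrieve it over
# plain HTTP by the public name, the same URL shape certbot reported as timing out.
challenge_roundtrip() {
  dir="$WEBROOT/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
  got=$(curl -fsS --max-time 15 "http://$DOMAIN/.well-known/acme-challenge/$token" || true)
  rm -f "$dir/$token"
  [ "$got" = "$token" ]
}

# notAfter of the certificate served on $1:443, e.g. "Aug  7 12:12:00 2017 GMT".
cert_not_after() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate | cut -d= -f2
}

# Pure helper: whole days from epoch $2 (default: now) until the notAfter string $1.
# Negative means the certificate has already expired.
days_left() {
  end=$(date -u -d "$1" +%s)
  now=${2:-$(date -u +%s)}
  echo $(( (end - now) / 86400 ))
}

# Pure helper: is a renewal due at $1 days left?
renew_due() { [ "$1" -lt "$RENEW_WINDOW_DAYS" ]; }

main() {
  rc=0
  echo "== DNS"
  pub=$(public_ip || echo unknown); dns=$(resolve_a "$DOMAIN")
  echo "public IP: $pub"; echo "A record(s): $dns"
  if ip_in_list "$pub" "$dns"; then echo "OK: $DOMAIN points at this network"
  else echo "FAIL: A record does not match the public IP (DNS / dynamic-DNS client)"; rc=1; fi
  echo "== Ports (tested from here; a failure from inside the LAN may be hairpin NAT)"
  for p in 80 443; do
    if port_reachable "$DOMAIN" "$p"; then echo "OK: $p reachable"
    else echo "FAIL: $p not reachable (router forward, firewall, or ISP block)"; rc=1; fi
  done
  echo "== http-01 round trip"
  if challenge_roundtrip; then echo "OK: token served from $WEBROOT"
  else echo "FAIL: token not retrievable; certbot's http-01 will time out the same way"; rc=1; fi
  echo "== Certificate currently served"
  na=$(cert_not_after "$DOMAIN"); d=$(days_left "$na")
  echo "notAfter: $na ($d days left)"
  if renew_due "$d"; then echo "renewal is due (fewer than $RENEW_WINDOW_DAYS days left)"; fi
  return $rc
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root on the box (the snap’s webroot is not world-writable): sh preflight.sh myserver.host.com. Run the port and round-trip checks from a machine outside your LAN if you can, because many consumer routers do not loop a connection to their own public address back inside (hairpin NAT), so a failure from inside the network is not conclusive. The "Timeout" in certbot’s output means the validation server got no TCP answer on port 80 at all, not a 404, which points at the forward, a firewall, or a provider blocking inbound 80 rather than at the certificate itself. The ld.so lines above are the dynamic loader reporting that a library listed in /etc/ld.so.preload could not be found and was skipped ("ignored"); they are noise in this context, not the cause of the timeout.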

Yes, both ports are forwarded to the box. Although I don’t get what you mean by “via the fully qualified domain name set at your DNS provider”. But it worked for 9 months without problem and the certificate already did renew by itself in the past. So unless Letsencrypt changed the way it gives certificates I believe my setup is correct.

I’m like you with NC box 11.0.3, and I understood too that it was automatic.

Thanks

just found that… --> https://github.com/nextcloud/nextcloud-snap/issues

Have you been looking here? And if yes, why don’t you post your problem here?

cheers
jimy


Turns out that the issue resolved by itself. I switched to NCP in the meantime, but the error was still present.

I updated my nextcloud instance to 13.0.2 this week and tried again to activate the let’s encrypt certificate thing, with little hope, but it worked! I had a self-signed certificate meanwhile.

I don’t know what happened between August 2017 and April/May 2018, during which I had this issue.

Best
Jean