Problem with letsencrypt and apache2-nextcloud

Hello Everyone,
I’m pretty new to everything related to linux, networks and webservers in general so I’ll hopefully only ask simple questions after a lot of text.

I used to have a nextcloudpi installed on my RaspberryPi2B, which I needed to reinstall. Therefore I cleanly re-installed Raspbian and tried to get Nextcloudpi again, which failed due to ownyourbits & co being down (at the moment?). Sorry, if there’s a super easy way to circumvent this - I don’t really know what I’m doing on unix.

I then decided to manually install nextcloud(withoutpi) and after several attempts and a lot of googling stuff everything works except the letsencrypt/certbot business to reach the nc via https from the internet.
Maybe someone can help me understand which files I need to edit in which way?

Details on installation/configuration:

I installed nc according to Installing NextCloud on Your Raspberry Pi (2 ways) – RaspberryTips:

sudo apt-get update
sudo apt-get upgrade

sudo apt install apache2 mariadb-server libapache2-mod-php
sudo apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip

cd /var/www/html
sudo wget https://download.nextcloud.com/server/releases/nextcloud-24.0.1.zip
sudo unzip nextcloud-24.0.1.zip
sudo chmod 750 nextcloud -R
sudo chown www-data:www-data nextcloud -R

sudo mysql
CREATE USER 'nextcloud' IDENTIFIED BY 'passwordxyz';
CREATE DATABASE nextcloud;
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@localhost IDENTIFIED BY 'passwordxyz';
FLUSH PRIVILEGES;
quit

sudo reboot

My data directory is on an external SSD (/media/raspi-nc/nc_data), so I changed the ownership of this dir to www-data, so that apache(?) could write there:
sudo chown www-data /media/raspi-nc
sudo chown www-data /media/raspi-nc/nc_data

In order to reach the nc via the local ipv4 and not end up at the default apache debian html page, I changed:
sudo nano /etc/apache2/sites-available/000-default.conf → attached “/nextcloud” to DocumentRoot

The installation/initial login as admin via the webbrowser (via in my case 192.168.178.21) then works nicely. I can access and setup the cloud with everything related to users, apps, etc…

As a new user in the forum, I unfortunately only can post up to 4 links per post, so I’ll replace my domain TestMe.dynv6.net by domain in the rest of the text:

Now in order to make the NC reachable from outside my home network, I registered a “zone” at dynv6.com, which points to my raspi:

domain
IPv4 Address 192.168.178.21
IPv6 Prefix xxxx:xxxx:xxxx:xxxx::

I found the IPv6 in my (German) AVM Fritzbox router under “Heimnetz → Netzwerk → raspberrypi” (Home Network → Network → raspberrypi).

I created an AAAA-record on dynv6 pointing to the ipv6:
AAAA domain xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

Then the fritzbox needs to forward the ports 80 and 443:
Fritzbox → Internet → Freigaben → Portfreigaben (Internet → Permit Access → Port Sharing)
I created a HTTP (80) and HTTPS(443) forwarding:

Name          Protocol  IP address on the Internet               External port
HTTPS-Server  TCP       192.168.178.21                           443
HTTP-Server   TCP       192.168.178.21                           80
HTTPS-Server  TCP       xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx  443
HTTP-Server   TCP       xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx  80

I then added the domain to the array of trusted domains in my nc in the pi terminal:
sudo nano /var/www/html/nextcloud/config/config.php
1 => 'domain',

Now, I had to enable DynDNS in the fritzbox as well:
Internet → Freigaben → DynDNS (Internet → Permit Access → DynDNS)
→ Enable DynDNS

Following the instructions on dynv6 I chose a “Benutzerdefiniert” (user-defined) provider and entered the update URL WITHOUT the IPv4 part (since my ISP only provides a Dual-Stack Lite connection).

dynv6.com/api/update?hostname=<domain>&token=<username>&ipv6=<ip6addr>&ipv6prefix=<ip6lanprefix>
with the respective values for <domain>, <username>, <ip6addr> and <ip6lanprefix>

for me it eventually looks like this:
dynv6.com/api/update?hostname=domain&token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&ipv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx&ipv6prefix=xxxx:xxxx:xxxx:xxxx::/64

Now I can enter domain into any browser and access my nc without SSL:
domain

As a final step, I thought I’d install certbot and let it handle all the crazy mumbo-jumbo-network-ssl stuff, but I ran into problems:

sudo apt-get install certbot python3-certbot-apache
sudo certbot --apache

resulted in:

Waiting for verification…
Challenge failed for domain domain
http-01 challenge for domain
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: domain
    Type: connection
    Detail: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: Fetching
    http://domain/.well-known/acme-challenge/mfbliltl3ulZeGYeEa_arUpGfIR9CjZmm12X0_QURoY:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I spent some days googling about which config files in the nc dir to edit, but eventually I think I ran into a dead end. I could use nc without https, but I’m not feeling particularly good with that.

Can someone help me please? Thank you so much in advance :)

Letsencrypt DNS validation is built around the process in which systems from Letsencrypt access your server.

This error explains they could not reach your server. Please check if you created a DNS record for your Nextcloud and it is accessible on ports 80 and 443 (e.g. port forwarding). Most likely something is wrong with the DNS record or port forwarding in the fritzbox (take care, IPv4 and IPv6 port forwarding are different settings). As you have no valid IPv4 address (sounds like carrier grade NAT) you don’t need to add this address to your DNS record (192.168.x.x is a private IP address and not routable in the internet). You also need to check that the Fritzbox’s own HTTPS interface is not active - it always takes precedence over other services. Just access your http://domain and https://domain from outside and see which system you reach - if this is your NC then it’s correct; if this is the fritzbox or nothing, something is wrong…

P.S. In general it’s not a good idea to self-host complex software if you are an absolute beginner. You could overlook important things and get hacked or simply lose data because of your own mistake. Maybe hosted Nextcloud is better suited for you?


Thanks for your tip, I agree - but I’d also love to learn about things like that, and what better way than trying to fiddle around on a project until it works. I appreciate the concern, but my data is backed up multiple times. Therefore I’m not too afraid to break things.

I know that the 192.168’s are private addresses; I used to have a “real” IPv4 with my old nc - in fact the change of ISP with no more access to it is more or less the reason for all this hiccup.

Anyways, thanks to your help.
I figured that the DNS record would not be the problem, since the domain-to-IPv6 translation worked and both linked to the nc. This left the port forwarding as the main culprit.
And indeed, whenever I set up the forwarding in the fritzbox, the auto-fill (dropdown menu: pick raspbi) used a wrong ipv6 address. I think this has something to do with the fact that one interface can have multiple ipv6’s which are generated differently, but upon manually changing the entry, certbot worked perfectly and the domain was reachable from e.g. the phone with wifi turned off.
I’ll give it some more testing but I’m already greatly grateful. Thanks a lot!

Did you manage to complete the Letsencrypt verification?

If not…


The certbot error you received means either the server is not reachable or you forgot to place the token in the listed directory.

Letsencrypt can be configured to verify DNS records rather than server placed records. I use DNS records rather than server placed tokens. This allows me to renew my certs without worrying about stopping my domain services.

Use the following command to obtain a Letsencrypt cert using DNS verification rather than server placed token verification…

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --cert-name your.domain --manual --preferred-challenges dns

The process reads your DNS records and generates a token for each record. You place the generated token in your DNS TXT records… don’t worry, certbot gives you directions on how to do that. Once all tokens are entered in your DNS zone, the TXT records are verified and the cert is placed in the Letsencrypt directory on your server.

At the end of the process, you’ll have a valid cert… and then you can muck around with the Internet-wide accessibility of your NC.

For more details on Letsencrypt verification please see their documentation:

https://letsencrypt.org/docs/challenge-types/
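
Added illustration (not code from any poster): the http-01 challenge from the certbot error in the question and the dns-01 challenge from the last reply both prove possession of the same key authorization string. The script below derives, for a token and an ACME account key, exactly what the CA expects to fetch at http://domain/.well-known/acme-challenge/<token> or to find in the _acme-challenge TXT record, so you can check what the server or DNS zone must publish before validation runs. The token is the one from the error output above; the account JWK and the domain are constructed placeholders.

```python
import base64
import hashlib
import json
import re

# Constructed sample input: the token is the one shown in the certbot error above;
# the account key is a placeholder JWK, not a real Let's Encrypt account key.
TOKEN = "mfbliltl3ulZeGYeEa_arUpGfIR9CjZmm12X0_QURoY"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
DOMAIN = "TestMe.dynv6.net"  # the poster's placeholder domain

def b64url(data):
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def is_valid_token(token):
    """RFC 8555 8.3: only base64url characters, at least 128 bits of entropy (22 chars).
    A client that writes the http-01 file into its webroot must check this first,
    otherwise a token like '../x' would become a path outside the webroot."""
    return re.fullmatch(r"[A-Za-z0-9_-]{22,}", token) is not None

def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token, jwk):
    """token '.' thumbprint: what both challenge types ultimately prove possession of."""
    if not is_valid_token(token):
        raise ValueError("token is not a well-formed ACME token")
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_expectation(domain, token, jwk):
    """URL the CA fetches over plain HTTP on port 80, and the exact body it must receive."""
    return f"http://{domain}/.well-known/acme-challenge/{token}", key_authorization(token, jwk)

def dns01_expectation(domain, token, jwk):
    """TXT record name and value the CA looks up; the value is a hash, so nothing on
    port 80/443 needs to be reachable, which is why the last reply prefers this route."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)

if __name__ == "__main__":
    url, body = http01_expectation(DOMAIN, TOKEN, ACCOUNT_JWK)
    print(f"http-01: GET {url} must return exactly: {body}")
    name, value = dns01_expectation(DOMAIN, TOKEN, ACCOUNT_JWK)
    print(f"dns-01:  {name} TXT must contain: {value}")
```

With a real account key, the JWK is the public part of the key certbot stores under its accounts directory; the derived values then match what certbot prints when it asks you to place the file or the TXT record.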