Hello Friends,
I’m running NextcloudPi 1.38.6 on a Raspberry Pi 4 4GB with Raspberry Pi OS 64bit.
Everything was running well for the past two months, but in the past two weeks I’ve received a few Nextcloud notifications saying the LetsEncrypt SSL renewal failed.
I tried to log into the NCP panel and run the Letsencrypt renewal manually, but I got this error message:
[ letsencrypt ] (Sun Sep 12 14:07:24 IDT 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ********.********.***
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ********.********.*** (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://********.********.***/.well-known/acme-challenge/jspBZsvex_V1R42Th7E-9RMQ4GyvIy8cI8r0GhdHxHw: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: ********.********.***
Type: connection
Detail: Fetching
https://********.********.***/.well-known/acme-challenge/jspBZsvex_V1R42Th7E-9RMQ4GyvIy8cI8r0GhdHxHw:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Could be just a DNS time-out.
After trying again:
run ncp-report to gather more info and view all logs.
share via plain text file or use pastebin service.
Thank you.
I ran the command, but when I want to scroll back to the output beginning to copy it, the terminal output is cut and I can’t scroll back to the start.
Many thanks, @ZendaiOwl ! Your suggestion solved it also for me
Is it problematic to keep nc-httponly set to OFF, or is it better to change the setting back to ON after the renewal?
You’re welcome
It’s best to turn it back on after you’ve received the certificate from letsencrypt.
From what I could understand, certbot does a challenge request on port 80 using HTTP, which fails when this setting is turned on, so switching it off just for getting the certificate is fine. However, for security reasons you should turn it back on so you’re using HTTPS/SSL.
Guessing here, but NC is just doing an old-fashioned http > https redirect. Really they should exclude certbot from the redirect. From this post, the redirect should read something like:
RewriteEngine On
# Let the ACME http-01 challenge path through untouched (dot escaped so it is literal).
# In a .htaccess the path has no leading slash; in a VirtualHost it would be ^/\.well-known/...
RewriteRule ^\.well-known/acme-challenge/ - [L]
# Everything else that arrived over plain HTTP is sent to HTTPS.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Or something like this as there are a number of ways of achieving the same thing. This would allow certbot to continue to use port 80 and redirect everything else.
Really it should be filed somewhere as a bug or an enhancement request.
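A pre-flight check for the situation above, added here as an example and not part of the original thread or of NextcloudPi: it drops a throw-away token into the webroot's acme-challenge directory, fetches it over plain HTTP without following redirects, and reports whether the challenge would succeed, be redirected to HTTPS, or time out. It assumes the webroot is /var/www/nextcloud (as in the certbot log), that curl is installed, and that it runs on the host with write access to that directory; the function names are my own.

```shell
#!/bin/sh
# Webroot used by certbot in the log above; override with WEBROOT=... if yours differs.
WEBROOT="${WEBROOT:-/var/www/nextcloud}"

# Classify the result of a plain-HTTP fetch of the challenge URL.
# $1 = curl exit status, $2 = HTTP status code, $3 = body received, $4 = token expected
# Prints one word: ok | redirect | wrong-body | unreachable | http-error
classify_acme_probe() {
  exit_code=$1; http_code=$2; body=$3; token=$4
  # curl itself failed (e.g. exit 28 = timeout): the same "Timeout during connect" certbot saw.
  if [ "$exit_code" -ne 0 ]; then echo unreachable; return 1; fi
  case "$http_code" in
    200) if [ "$body" = "$token" ]; then echo ok; return 0; else echo wrong-body; return 1; fi ;;
    301|302|307|308) echo redirect; return 1 ;;   # an http->https redirect caught the challenge
    *) echo http-error; return 1 ;;
  esac
}

# Write a token under .well-known/acme-challenge, fetch it over http://, clean up, classify.
probe_acme() {
  domain=$1
  dir="$WEBROOT/.well-known/acme-challenge"
  token="ncp-preflight-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
  # No -L: a redirect must be reported, not followed. --max-time mirrors the ACME server's patience.
  out=$(curl -s --max-time 10 -o - -w '\n%{http_code}' "http://$domain/.well-known/acme-challenge/$token")
  rc=$?
  rm -f "$dir/$token"
  http_code=$(printf '%s' "$out" | tail -n1)
  body=$(printf '%s' "$out" | sed '$d')
  classify_acme_probe "$rc" "$http_code" "$body" "$token"
}

# Usage: sh acme-preflight.sh your.domain.example
if [ -n "${1:-}" ]; then probe_acme "$1"; fi
```

A result of "redirect" points at the nc-httponly / rewrite issue discussed above, while "unreachable" points at DNS, port forwarding or a firewall, which is what the certbot message also lists.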
I can confirm it, updated to development branch on version 1.39.16 and running Letsencrypt works flawlessly now.
Output from running the command is below:
Running letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/<my-domain-name>/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/<my-domain-name>/privkey.pem
Your cert will expire on 2021-12-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
System config value trusted_domains => 22 set to string <my-domain-name>
System config value trusted_domains => 3 set to string <my-domain-name>
System config value overwrite.cli.url set to string <my-domain-name>