[SOLVED] LetsEncrypt renewal error

Hello Friends,
I’m running NextckoudPi 1.38.6 on a Raspberry Pi 4 4GB with Raspberry Pi OS 64bit.
Everything was running well for the past two months, but in the past two weeks I’ve received a few Nextcloud notifications saying the LetsEncrypt SSL renewal failed.
I tried to log into the NCP panel and run the Letsencrypt renewal manually, but I got this error message:

[ letsencrypt ] (Sun Sep 12 14:07:24 IDT 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ********.********.***
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ********.********.*** (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://********.********.***/.well-known/acme-challenge/jspBZsvex_V1R42Th7E-9RMQ4GyvIy8cI8r0GhdHxHw: Timeout during connect (likely firewall problem)
- The following errors were reported by the server:

Domain: ********.********.***
Type: connection
Detail: Fetching
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

I made sure ports 443 and 80 are open.

How should I include the letsencrypt.log file?

Hope someone can help

Could be just a dns time-out.
After trying again;
run ncp-report to gather more info and view all logs.
share via plain text file or use pastebin service.

1 Like

Thank you, @OliverV
Can you please explain how I should run ncp-report?
I don’t see it as an option in the ncp panel.

It is not available from ncp-web-panel, only from terminal run:

sudo ncp-report

1 Like

Thank you.
I ran the command, but when I want to scroll back to the output beginning to copy it, the terminal output is cut and I can’t scroll back to the start.

sudo ncp-report > ncp-report.txt

1 Like

Thanks :pray:
Here is the full ncp-report:

I also had troubles with getting the certificate, turning off the nc-https-only when running letsencrypt solved it for me

1 Like

Many thanks, @ZendaiOwl ! Your suggestion solved it also for me :pray: :pray: :pray:
Is it problematic to keep nc-httponly set to OFF, or is it be better to change the setting back to ON after the renewal?

You’re welcome :slight_smile:
It’s best to turn it back on after you’ve received the certificate from letsencrypt.

From what I could understand the certbot does a challenge request on port 80 using http which fails when this setting is turned on, so switching it off just for getting the certificate is fine. However for security reasons you should turn it back on so you’re using https/SSL

1 Like

Excellent. Will do.
Thank you for the explanation and help :pray::+1:

1 Like

Guessing here, but NC is just doing an old-fashioned http > https redirect. Really they should exclude certbot from the redirect. From this post, the redirect should read something like:

RewriteEngine On
RewriteRule ^.well-known/acme-challenge/ - [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Or something like this as there are a number of ways of achieving the same thing. This would allow certbot to continue to use port 80 and redirect everything else.

Really is should be filed somewhere as a bug or an enhancement request.

1 Like

Good catch. Funny it never failed in all this years so something must have changed in the way LE does things. I will update the rewrite the rules

1 Like

Done in devel. Can somebody run

sudo ncp-update devel

And verify that we can now renew while httpsonly is enabled?



I can confirm it, updated to development branch on version 1.39.16 and running Letsencrypt works flawlessly now.
Code from running command is below

Running letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
- Congratulations! Your certificate and chain have been saved at:
  Your key file has been saved at:
  Your cert will expire on 2021-12-28. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew *all* of your certificates, run
  "certbot renew"
- If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

System config value trusted_domains => 22 set to string <my-domain-name>
System config value trusted_domains => 3 set to string <my-domain-name>
System config value overwrite.cli.url set to string <my-domain-name>