SSL issue after renewing certificates with Let's Encrypt

Hello,

I am running Nextcloud on my ODROID XU4 and had to replace the self-signed certificates via Let’s Encrypt. After that I am running into the following error:

Nextcloud version (eg, 12.0.2): 17.0.1
Operating system and version (eg, Ubuntu 17.04): Debian Stretch with Armbian Linux 4.14.133-odroidxu4
Apache or nginx version (eg, Apache 2.4.25): 2.4.25
PHP version (eg, 7.1): 7.2.24-1+0~20191026.31+debian9~1.gbpbbacde

The issue you are facing:
When I connect to my Nextcloud Instance over the web interface it’s super slow and not all resources are fully loaded (e.g. navbar). On my iPhone I am using the Nextcloud Client and I get an SSL error message.

Oddly, when I try to connect from my girlfriend’s laptop I see an ERR_CONNECTION_RESET error. For more details I tried a curl with verbose option and got an SSL_ERROR_SYSCALL from her machine. From my laptop I get a normal HTTP-200 response.

When turning SSL off and using port 80 in my vhost everything is working fine.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Connect to nextcloud instance via web or client

The output of your Nextcloud log in Admin > Logging:

[cron] Debug: Finished OC\Command\CommandJob job with ID 762 in 0 seconds

GET /cron.php
from 192.168.0.100 at 2019-11-24T15:05:00+00:00

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '***',
  'passwordsalt' => '***',
  'secret' => '***',
  'trusted_domains' => 
  array (
    0 => '***',
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'datadirectory' => '/media/nas1',
  'overwrite.cli.url' => '***',
  'dbtype' => 'mysql',
  'version' => '17.0.1.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '***',
  'dbpassword' => '***',
  'installed' => true,
  'loglevel' => '0',
  'forcessl' => true,
  'maintenance' => false,
  'theme' => '',
  'mail_smtpmode' => 'php',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'updater.secret' => '***',
  'updater.release.channel' => 'stable',
);

The output of your Apache/nginx/system log in /var/log/error.log:

[Sun Nov 24 16:01:17.921582 2019] [ssl:error] [pid 2132] [client 64.41.200.106:52880] AH02042: rejecting client initiated renegotiation

The nextcloud.conf file in my /etc/apache2 folder

<VirtualHost *:80>
    ServerAdmin mail@mail.com
    DocumentRoot "/var/www/html/nextcloud"
    ServerName ***
    <Directory "/var/www/html/nextcloud/">
        Options MultiViews FollowSymlinks

        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    TransferLog /var/log/apache2/nextcloud_access.log
    ErrorLog /var/log/apache2/nextcloud_error.log
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =***
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

The SSL configuration for Apache just includes the default from Let’s Encrypt; I can post more of it if needed.

In general I am seeing my renewed certificate in the browser when connecting from my machine.

Expires: Saturday, 22. February 2020 at 13:07:28 Central European Standard Time

I appreciate any help!

Can you run a test on your ssl setup on https://www.ssllabs.com/ssltest/

Did you perhaps not reload the settings correctly? Is the server on your local network? Do you access it via hostname or via IP?

Hi, thanks for your answer.

I already ran a test on ssllabs, which gave me an A+ rating:

Server Key and Certificate #1
Valid from	Sun, 24 Nov 2019 12:07:28 UTC
Valid until	Sat, 22 Feb 2020 12:07:28 UTC (expires in 2 months and 28 days)
Key	RSA 2048 bits (e 65537)
Weak key (Debian)	No
Issuer	Let's Encrypt Authority X3
AIA: http://cert.int-x3.letsencrypt.org/
Signature algorithm	SHA256withRSA
Extended Validation	No
Certificate Transparency	Yes (certificate)
OCSP Must Staple	No
Revocation information	OCSP
OCSP: http://ocsp.int-x3.letsencrypt.org
Revocation status	Good (not revoked)
DNS CAA	No
Trusted	Yes
Mozilla  Apple  Android  Java  Windows

The only error I have seen was under Miscellaneous:

Miscellaneous
Test date	Sun, 24 Nov 2019 15:00:51 UTC
Test duration	173.253 seconds
HTTP status code	Request failed (Too many Redirection)
HTTP server signature	Apache/2.4.25 (Debian)

After changing the settings I did a reload of my apache2 (sudo systemctl reload apache2). The server is running on my local network. I am using a no-ip DynDNS and no-ip on my server to update my ipv4 address. My ports are also forwarded correctly (80,8080,8443,443).

I just tested my URL from an external network and everything’s working fine. So the only problem is accessing my domain from my local network (via SSL).

Any ideas?