Unable to get Lets Encrypt Certificate

Hardware: Pi
OS: Ubuntu 20
Installation: snap install nextcloud
Ports: 80 and 443 are open and accessible. I checked this by creating dummy web servers (python3 -m http.server $PORT). I can reach these with my ufw rules (en)|(dis)abled.
DNS: I’m using Google Domains. I can curl my domain and get the login page on port 80. My browsers insist on https and refuse to connect.
Previous Usage: I was using this solely on my home network, using a .local domain (I think it's called avahi / mdns / zeroconf / bonjour). This still works.
Possible confounding factors:

  • Pihole using ports 53 (dns), 81 (website)
  • After I created this question, I successfully generated a self-signed certificate. While I could add an exception to my devices I'd rather not. So now I need to figure out how to get rid of this. I'm able to reach my domain and they complain about the cert.

Command: sudo nextcloud.enable-https lets-encrypt
Log: Should I include /var/log/letsencrypt/letsencrypt.log or /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log? They seem to contain sensitive information.
Output:

Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.hybras.dev
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain cloud.hybras.dev
http-01 challenge for cloud.hybras.dev
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: cloud.hybras.dev
   Type:   connection
   Detail: Fetching
   http://cloud.hybras.dev/.well-known/acme-challenge/FRphGHVH6gIUx1Z-MD0-pVCasnCtCkAxJbjKvyS0iNY:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Hi @hybras

What’s the output of… sudo lsof -i -P -n | grep LISTEN

Port 443 is not in use

sshd 1955 root 3u IPv4 65300 0t0 TCP *:22 (LISTEN)
sshd 1955 root 4u IPv6 65302 0t0 TCP *:22 (LISTEN)
lighttpd 1977 www-data 4u IPv4 64074 0t0 TCP *:81 (LISTEN)
lighttpd 1977 www-data 5u IPv6 64075 0t0 TCP *:81 (LISTEN)
pihole-FT 2215 pihole 5u IPv4 64271 0t0 TCP *:53 (LISTEN)
pihole-FT 2215 pihole 7u IPv6 64273 0t0 TCP *:53 (LISTEN)
pihole-FT 2215 pihole 10u IPv4 65927 0t0 TCP 127.0.0.1:4711 (LISTEN)
pihole-FT 2215 pihole 15u IPv6 66692 0t0 TCP [::1]:4711 (LISTEN)
httpd 3981 root 4u IPv6 68332 0t0 TCP *:80 (LISTEN)
httpd 4000 root 4u IPv6 68332 0t0 TCP *:80 (LISTEN)
httpd 4001 root 4u IPv6 68332 0t0 TCP *:80 (LISTEN)
httpd 4002 root 4u IPv6 68332 0t0 TCP *:80 (LISTEN)
httpd 4947 root 4u IPv6 68332 0t0 TCP *:80 (LISTEN)

Hmm looks fine to me…

Are ports 80 and 443 reachable from outside your local network, i.e. did you forward ports 80 and 443 from the internet to the local IP address of the Pi in your router?

Yes that’s exactly what I did. Here’s a snippet from my linksys router port forwarding page.

Application name   External Port   Internal Port   Protocol   Device IP#      Enabled
Nextcloud Http     80              80              Both       192.168.1.177   True
Nextcloud Https    443             443             Both       192.168.1.177   True

Hmm I’m starting to run out of ideas…

I tested it yesterday on a VPS with a fresh Ubuntu 20.04 install because I was interested if it really works and this is what I did:

  1. installed Pi-hole via official script.

    curl -sSL https://install.pi-hole.net | bash

  2. changed port of Lighttpd to port 81

  3. installed Nextcloud Snap

    sudo snap install nextcloud

  4. obtained a Let’s Encrypt certificate

    sudo nextcloud.enable-https lets-encrypt

Everything worked on the first try. It was actually a 10 minute job.

Potential differences to your setup…

My VPS had a public static IP address. There was no DynDNS service or port forwarding involved and I didn't change anything in the configuration of Pi-hole. I only tested whether I could reach both web interfaces and whether the Nextcloud Snap is able to obtain a Let's Encrypt certificate.

The only thing I could imagine is that there is some DNS issue. Either caused somehow by Pi-hole (unlikely) or that your domain does not resolve to the correct IP address (more likely). Maybe a problem with the DynDNS service, which did not update your public IP address correctly?

…or (that would be the worst case) Your ISP is blocking Port 80 and 443?
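
A preflight script for the two things certbot's notes in the first post and the DNS hypothesis above both ask you to check, added here as an example and not part of the thread or of the Nextcloud snap: it reproduces what the ACME validation server does (a plain-HTTP fetch of a token under /.well-known/acme-challenge/) and compares the domain's A/AAAA records against the public address you expect. Function names, the token content and the 203.0.113.x / 2001:db8:: test addresses are my own constructions; the webroot path /var/snap/nextcloud/current/certs/certbot is the one certbot printed in the output above.

```python
"""Preflight for an ACME http-01 challenge (added example, not from the thread).

Two checks the certbot notes ask for:
  1. the domain's A/AAAA records point only at the public IP(s) you expect;
  2. a file dropped into the webroot is reachable over plain HTTP at
     http://DOMAIN/.well-known/acme-challenge/TOKEN, as the validator fetches it.
"""
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def resolve(domain, resolver=socket.getaddrinfo):
    """Set of IPv4/IPv6 addresses the domain resolves to; empty on NXDOMAIN."""
    try:
        infos = resolver(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def dns_points_here(domain, public_ips, resolver=socket.getaddrinfo):
    """True only if every address in DNS is one of ours. An extra record, e.g.
    a stale DynDNS entry or an AAAA record on a host that only forwards IPv4,
    sends the validator somewhere that never answers (a 'connection' error)."""
    found = resolve(domain, resolver)
    return bool(found) and found <= set(public_ips)


def place_token(webroot, token, content):
    """Write the challenge file where certbot's webroot plugin would."""
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(path, exist_ok=True)
    full = os.path.join(path, token)
    with open(full, "w") as fh:
        fh.write(content)
    return full


def fetch_token(base_url, token, timeout=10):
    """Fetch the token over HTTP like the validator: (status, body) on any
    response, (None, error text) on connect failure or timeout."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError as err:  # URLError, connection refused, timeout
        return None, str(err)


def challenge_roundtrip(webroot, base_url, token="preflight-token",
                        content="preflight-ok"):
    """Place a token in webroot, fetch it through base_url, clean up.
    True only if the server behind base_url serves this very directory."""
    full = place_token(webroot, token, content)
    try:
        status, body = fetch_token(base_url, token)
    finally:
        os.remove(full)
    return status == 200 and body == content


def serve_webroot(webroot):
    """Throwaway HTTP server on 127.0.0.1 for local testing: (server, base_url)."""
    handler = partial(SimpleHTTPRequestHandler, directory=webroot)
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}"


def local_selftest():
    """(served-root result, wrong-root result); a healthy setup gives (True, False)."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as other:
        httpd, base = serve_webroot(good)
        try:
            return challenge_roundtrip(good, base), challenge_roundtrip(other, base)
        finally:
            httpd.shutdown()
            httpd.server_close()


if __name__ == "__main__":
    import sys
    # usage: sudo python3 preflight.py DOMAIN WEBROOT PUBLIC_IP [PUBLIC_IP ...]
    domain, webroot, *ips = sys.argv[1:]
    print("DNS", sorted(resolve(domain)), "within", ips, "->", dns_points_here(domain, ips))
    print("token served at http://%s/%s/ ->" % (domain, CHALLENGE_DIR),
          challenge_roundtrip(webroot, "http://" + domain))
```

Run the roundtrip check from a machine outside the home network (a VPS, or a phone on mobile data): from inside, a request to the public name goes through the router's hairpin NAT, which is not the path the validator takes, so a pass or fail there proves little. Likewise, if the Pi uses its own Pi-hole as resolver, the DNS check reports what Pi-hole answers, not what Let's Encrypt's resolvers see; pass in a resolver that queries a public server, or run the script from outside. Writing into the snap's certs directory needs root.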

The only thing that needs to be saved on my pi is my nextcloud backup. I can start from scratch.

I don't think my ISP is to blame; I can curl $EXTERNAL_IP:{80,443}, as I said before.

Maybe you could first try this, before you start over…