Unable to get Lets Encrypt Certificate

Hardware: Pi
OS: Ubuntu 20
Installation: snap install nextcloud
Ports: 80 and 443 are open and accessible. I checked this for creating dummy web servers (python3 -m http.server $PORT ). I can reach these with my ufw rules (en)|(dis)abled.
DNS: I’m using Google Domains. I can curl my domain and get the login page on port 80. My browsers insist on https and refuse to connect.
Previous Usage: I was using this solely on my home network, using a .local domain (I think its called avahi / mdns / zeroconf / bonjour). This still works.
Possible confounding factors:

  • Pihole using ports 53 (dns), 81 (website)
  • After I created this question, I successfuly generated a self signed certificate. While I could add an exception to my devices I’d rather not. So now I need to figure out how to get ride of this. I’m able to reach my domain and they complain about the cert.

Command: sudo nextcloud.enable-https lets-encrypt
Log: Should I include /var/log/letsencrypt/letsencrypt.log or /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log? They seem to contain sensitive information.

Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.hybras.dev
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain cloud.hybras.dev
http-01 challenge for cloud.hybras.dev
Cleaning up challenges
Some challenges have failed.
 - The following errors were reported by the server:

   Domain: cloud.hybras.dev
   Type:   connection
   Detail: Fetching
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Hi @hybras

What’s the output of… sudo lsof -i -P -n | grep LISTEN

Port 443 is not in use

sshd 1955 root 3u IPv4 65300 0t0 TCP *:22 (LISTEN)
sshd 1955 root 4u IPv6 65302 0t0 TCP *:22 (LISTEN)
lighttpd 1977 www-data 4u IPv4 64074 0t0 TCP *:81 (LISTEN)
lighttpd 1977 www-data 5u IPv6 64075 0t0 TCP *:81 (LISTEN)
pihole-FT 2215 pihole 5u IPv4 64271 0t0 TCP *:53 (LISTEN)
pihole-FT 2215 pihole 7u IPv6 64273 0t0 TCP *:53 (LISTEN)
pihole-FT 2215 pihole 10u IPv4 65927 0t0 TCP (LISTEN)
pihole-FT 2215 pihole 15u IPv6 66692 0t0 TCP [::1]:4711 (LISTEN)
httpd 3981 root 4u IPv6 68332 0t0 TCP *:80 (LISTEN)
httpd 4000 root 4u IPv6 68332 0t0 TCP *:80 (LISTEN)
httpd 4001 root 4u IPv6 68332 0t0 TCP *:80 (LISTEN)
httpd 4002 root 4u IPv6 68332 0t0 TCP *:80 (LISTEN)
httpd 4947 root 4u IPv6 68332 0t0 TCP *:80 (LISTEN)

Hmm looks fine to me…

Are Ports 80 and 443 reachable from outside your local network respective did you forward the ports 80 and 443 from the internet to the local IP address of the Pi in your router?

Yes that’s exactly what I did. Here’s a snippet from my linksys router port forwarding page.

Application name External Port Internal Port Protocol Device IP# Enabled
Nextcloud Http 80 80 Both True
Nextcloud Https 443 443 BothT True

Hmm I’m starting to run out of ideas…

I tested it yesterday on a VPS with a fresh Ubuntu 20.04 install because I was interested if it really works and this is what I did:

  1. installed Pi-hole via official script.

    curl -sSL https://install.pi-hole.net | bash

  2. changed port of Lighttpd to port 81

  3. installed Nextcloud Snap

    sudo snap install nextcloud

  4. obtained a Let’s Encrypt certificate

    sudo nextcloud.enable-https lets-encrypt

Everything worked on the first try. It was actually a 10 minute job.

Potential differences to your setup…

My VPS had a public static IP address. There was no DynDNS service or port forwarding involved and I didn’t change anything in the configuration of Pi-hole. I only tested if I can reach both webinterfaces and if the Nextcloud Snap is able to optain a Let’s Encrypt certificate.

The only thing I could imagine is that there is some DNS issue. Either caused somehow by Pi-hole (unlikely) or that your domain does not resolve to the correct IP address (more likely). Maybe a problem with the DynDNS service, which did not update your public IP address correctly?

…or (that would be the worst case) Your ISP is blocking Port 80 and 443?

The only thing that needs to be saved on my pi is my nextcloud backup. I can start from scratch.

I don’t think my isp is to blame, I can curl $EXTERNAL_IP:{80,443}, as I said b4.

Maybe you could first try this, before you start over…