Unable to pull LetsEncrypt cert on fresh AIO install

The Basics

  • Nextcloud Server version (e.g., 29.x.x): 31.x
    • Using nextcloud-aio, image nextcloud/aio-nextcloud:latest
  • Operating system and version (e.g., Ubuntu 24.04):
    • Ubuntu 24.04
  • Web server and version (e.g., Apache 2.4.25):
    • AIO Apache 2.4.63
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • N/A
  • PHP version (e.g., 8.3):
    • whatever is included in aio-nextcloud:latest
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes - new server install, new NC install
  • When did this problem seem to first start?
    • Upon completing AIO setup and attempting to proceed to the public URL to set up the prod environment
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.):
    • AIO, following the nextcloud/all-in-one GitHub repository (the official Nextcloud installation method)
  • Are you using Cloudflare, mod_security, or similar? (Yes / No):
    • No

Summary of the issue you are facing:

Replacing an old Nextcloud server; both old and new are running on Linux VMs. When attempting to access the public URL, I receive “ERR_SSL_PROTOCOL_ERROR”. I have reviewed the logs with `sudo docker logs nextcloud-aio-apache` and have seen the “likely firewall problem” entries, and have checked the steps from the nextcloud/all-in-one GitHub Discussion #2105 (“What can I do when Nextcloud is not reachable via my domain or if I get `SSL_ERROR_INTERNAL_ERROR_ALERT` or `ERR_SSL_PROTOCOL_ERROR` when opening my Nextcloud domain?”). I am confident this is related to Geo-IP filtering, but we have some ongoing malicious attempts to connect to the old NC server, hence we have more firewall access rules than normal.

What I am hoping to find is a manual method/terminal command that would elicit the attempt to pull the AIO cert from LetsEncrypt. I haven’t been able to determine the exact interval at which it would try automatically, and before I make any more temporary Geo-IP filter changes to open port 80 for testing, I would like to find a way to cause the cert challenge on-demand.

Please let me know if there is a standard interval I could verify to test at, or a manual option to cause the challenge. I can provide more info if needed.

Hi,
From what you’ve described, it looks like your Nextcloud AIO instance is directly exposed to the internet without a reverse proxy – in the “Reverse proxy and version” section, you wrote “N/A”.

In such a setup, Let’s Encrypt cannot issue a certificate if there’s GeoIP filtering or other restrictions on ports 80/443. The ACME challenge simply fails.

A proper solution here is to place a reverse proxy – such as NGINX Proxy Manager – in front of AIO. This approach:

  • handles Let’s Encrypt certificates directly (no need for AIO to contact ACME),
  • ensures only necessary services are exposed publicly,
  • allows routing multiple domains or services cleanly,
  • and keeps the AIO setup safely inside your internal network.

Additionally, this setup would even allow you to run both your old and new Nextcloud servers simultaneously, each accessible via a separate domain or subdomain (e.g., cloud-old.domain.com and cloud.domain.com). That’s very useful during migrations or testing.

For reference – this is the exact setup I use (AIO running on one VM, NGINX Proxy Manager on a separate VM):
See my post with docker-compose.yml and NGINX Proxy Manager configuration.

Summary:

  • docker-compose.yml for AIO runs the interface on port 6789, with APACHE_PORT=11000.
  • In NGINX Proxy Manager, I forward the domain to IP:11000, not to AIO’s port 443.
  • Under the Advanced tab in NPM, I add:

    client_body_buffer_size 512k;
    proxy_read_timeout 86400s;
    client_max_body_size 0;

With this setup, Let’s Encrypt works flawlessly – no SSL errors, no failed ACME challenges.
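As an added example (not the reply's own configuration or the linked post), here is the plain nginx equivalent of the NGINX Proxy Manager host described above, for readers who run nginx directly. It assumes the domain cloud.example.com, the AIO VM at 192.0.2.10 and the certificate paths; APACHE_PORT=11000 and the three Advanced-tab directives come from the reply.

```nginx
# Added example, not the forum post's config: plain nginx equivalent of the
# NGINX Proxy Manager host described above. Assumed: cloud.example.com,
# the AIO VM at 192.0.2.10 and the certificate paths.
server {
    listen 80;
    server_name cloud.example.com;
    # The HTTP-01 challenge path must stay reachable from Let's Encrypt's
    # validators (no Geo-IP block on port 80 for it); everything else redirects.
    location /.well-known/acme-challenge/ {
        root /var/www/acme;   # assumed webroot of the proxy's ACME client
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name cloud.example.com;

    # Certificate obtained by the proxy, not by AIO (assumed paths)
    ssl_certificate     /etc/letsencrypt/live/cloud.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem;

    # The three directives the reply adds under NPM's Advanced tab
    client_body_buffer_size 512k;
    proxy_read_timeout 86400s;
    client_max_body_size 0;

    location / {
        # Forward to AIO's Apache on APACHE_PORT over plain HTTP, not to AIO's 443
        proxy_pass http://192.0.2.10:11000$request_uri;

        # Forwarded headers let AIO build correct URLs and let Nextcloud's
        # brute-force protection see the real client IP instead of the proxy's
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        # WebSocket upgrade for the push/notify endpoints AIO serves on 11000
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Because the proxy runs on a separate VM, AIO's Apache has to listen on all interfaces (APACHE_IP_BINDING=0.0.0.0), so restricting port 11000 to the proxy's address is the host firewall's job.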

I appreciate your response. By late yesterday morning, it appears that it was able to pull the cert and the main UI is accessible now. I suspect the Geo-IP exceptions I had created were working, but it just needed to cycle through whatever interval there is until it tried to pull the cert again, which it was allowed to this time. Thanks again!
