What ports do I need open to update the letsencrypt certificate (Solved)

So I tried to do the update, and it failed. I have 443 and 80 open to the world, but almost everything else blocked. Logs just show it’s failing, and now apparently I’m locked out for a week.

Do I need something else opened up? When I set everything up it was on a different network and in a DMZ, now it seems it can’t communicate enough to renew the certificate. Any ideas?

80 and 443 are enough for renewing with certbot.

Which tool are you using for updating your certs?

I was using the built in thing in nextcloud.
sudo nextcloud.enable-https lets-encrypt renew

I think that port 80 may have not been fully open. I’ve set up a rule in the firewall, but it seems I’ve tried too many times.

Nextcloud itself is just software on your server and has no built-in stuff.

Are you using ncpi?

I followed the instructions for installing Nextcloud as found here:
www digitalocean com/community/tutorials/how-to-install-and-configure-nextcloud-on-ubuntu-18-04

the command to set up a cert was:
sudo nextcloud.enable-https lets-encrypt

I found in my searching that adding renew to the end is supposed to work, but I’m guessing that whatever port issue I was having caused it to try too many times.

As to NCPI, I have no idea. I did a stock install and everything worked. I did do it in my home network where it was set up in a DMZ, but the final location is in a much more locked down environment. Thus my question about ports. I did have 443 open, and everything was working, but I didn’t see anything that said I needed 80 open. I’ve made that change now, and I’m hoping I get out of Let’s Encrypt’s jail in a few more days and everything will work, but I don’t know if I have to do the renewal myself, or if I have to stop it checking for a week before I can renew, or what. The certificate thing is a new area for me.

Does not sound like a port issue to me.
Maybe this workaround helps: Renew Letsencrypt Certificate on Nextcloud Box

I still get this error when I try to renew. (note: I removed my real domain name)

Attempting to obtain certificates... error running certbot:

Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Plugins selected: Authenticator nextcloud:webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.domain.name
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. winkemmc.mooo.com (http-01):
urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domain.name/.well-known/acme-challenge/UFkGrH3rmY4sUiU-HoI_00FtOclX8a2jGIHm1_E-bVk: Timeout during connect (likely firewall
 - The following errors were reported by the server:

   Domain: my.domain.name
   Type:   connection
   Detail: Fetching
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at
   /var/snap/nextcloud/current/certs/certbot/config. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

OK, so I redid all the firewall stuff, and now it seems to be working. Looks like there was a problem with the port 80 forwarding. For whatever reason, 443 is fine for using Nextcloud, but for the cert renewal, I need 80 open as well.
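The log above shows exactly what the validation does: certbot's webroot plugin writes a token under `<webroot>/.well-known/acme-challenge/` and Let's Encrypt fetches it over plain HTTP on port 80, so a closed or unforwarded port 80 produces "Timeout during connect (likely firewall problem)" even though HTTPS on 443 works fine. Because each failed attempt counts against the rate limit, it is worth doing that same fetch yourself before asking for a certificate. The following pre-flight script is an added example, not code from this thread, from Nextcloud or from certbot; the function names (`write_token`, `fetch_token`, `preflight`, `start_local_server`) and the verdict strings are my own, the webroot path in the usage comment is the one from the log above, and `start_local_server` is only a loopback stand-in for a real web server so the check can be exercised without a public host.

```python
#!/usr/bin/env python3
"""Pre-flight check for an ACME http-01 renewal (added example, not certbot code).

Writes a token where certbot's webroot plugin would, fetches it over plain
HTTP the way the Let's Encrypt validation server does, and reports why the
fetch failed, so a blocked port 80 or a wrong webroot is found before a
real validation attempt is spent.
"""
import functools
import http.server
import os
import secrets
import socket
import sys
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # path certbot's webroot plugin uses


def write_token(webroot):
    """Drop a random token file under <webroot>/.well-known/acme-challenge/."""
    token = secrets.token_urlsafe(32)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def fetch_token(host, token, port=80, timeout=10):
    """Fetch the token like the ACME server: plain HTTP on the given port,
    no proxy, redirects followed. Returns a short verdict string."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:
        # Port 80 is reachable and a web server answered, but not with our file:
        # the directory being served is not the webroot we wrote into.
        return "webroot-mismatch" if exc.code == 404 else f"http-{exc.code}"
    except urllib.error.URLError as exc:
        reason = exc.reason
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout"      # the case in the thread: firewall or missing port forward
        if isinstance(reason, ConnectionRefusedError):
            return "refused"      # port reachable but nothing listening on it
        return "unreachable"      # DNS failure, no route, etc.
    except (socket.timeout, TimeoutError):
        return "timeout"          # connected, but the response never arrived
    if body != token:
        return "wrong-content"    # some other host answers for this name
    return "ok"


def preflight(host, webroot, port=80, timeout=10):
    """Write a token, fetch it, remove it again, and return the verdict."""
    token, path = write_token(webroot)
    try:
        return fetch_token(host, token, port=port, timeout=timeout)
    finally:
        os.remove(path)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep self-test output clean


def start_local_server(webroot):
    """Loopback stand-in for the real web server, for self-testing only.
    Returns (server, port); call server.shutdown() when done."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Example: preflight.py my.domain.name /var/snap/nextcloud/current/certs/certbot
    if len(sys.argv) != 3:
        sys.exit("usage: preflight.py <hostname> <webroot>")
    print(preflight(sys.argv[1], sys.argv[2]))
```

Run it with the hostname in your certificate and the webroot shown in certbot's log, and run it from a machine outside your own network where possible: the validation servers connect from the internet, and a home router often does not hairpin port 80 from the inside, so a check from the LAN can pass while the real validation still times out. A `timeout` verdict is the firewall/port-forward problem from this thread; `webroot-mismatch` means port 80 is open but the web server is serving a different directory than the one certbot writes into.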

OK, found the issue, I guess this is solved.
