After moving my Nextcloud data to a new device my certificate doesn't work anymore

I have a Raspberry Pi 4 with apache2 where I run Nextcloud. I have a certificate for my domain and I use certbot.
I moved my data directory to a new device. After that I can access my Nextcloud files, but when I want to see other Nextcloud apps (like calendar), I’m getting an internal server error.
The apache2 error.log says:
localhost:4443:0 server certificate does NOT include an ID which matches the server name
ssl_stapling_init_cert: can’t retrieve issuer certificate!
Unable to configure certificate localhost:4443:0 for stapling

My domain is: https://ortmann-media.eu

My web server is (include version): Apache/2.4.38 (Raspbian)

The operating system my web server runs on is (include version): Raspbian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @GambaJo

it’s not possible to check your domain because the port doesn’t answer.

Checked to see if there is a certificate - https://check-your-website.server-daten.de/?q=ortmann-media.org

There is no valid certificate.

So OCSP-Stapling can’t work.


Oops, sorry. Wrong domain. Should be https://ortmann-media.eu

Ok, there is a new certificate (and a new check) - https://check-your-website.server-daten.de/?q=ortmann-media.eu#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2020-03-25 | 2020-06-23 | ortmann-media.eu, www.ortmann-media.eu - 2 entries | | |
| Let’s Encrypt Authority X3 | 2020-03-25 | 2020-06-23 | ortmann-media.eu - 1 entries | | |

But the certificate with two domain names isn’t used, so the www version isn’t secure. Ok, not relevant if you use only the non-www version.

The port 4443 is invisible, so it’s unknown if this port is configured.

What does this say?

apachectl -S

Can that port talk with Letsencrypt via port 80?

OCSP - Url: http://ocsp.int-x3.letsencrypt.org

must work.

apachectl -S

AH00526: Syntax error on line 6 of /etc/apache2/sites-enabled/ncp.conf:
SSLCertificateKeyFile: file '/etc/ssl/private/ssl-cert-snakeoil.key' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

Port 4443 is not forwarded but works in my network.

How can I check this?

Disable that non-working vHost, or add your correct certificate there.

curl http://ocsp.int-x3.letsencrypt.org

should work. But if your Apache doesn’t start because of a missing file, that’s the first problem.


Sorry for the late answer.

/etc/apache2/sites-enabled/ncp.conf:
Listen 4443
<VirtualHost _default_:4443>
  DocumentRoot /var/www/ncp-web
  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

  # 2 days to avoid very big backups requests to timeout
  TimeOut 172800

  <IfModule mod_authnz_external.c>
    DefineExternalAuth pwauth pipe /usr/sbin/pwauth
  </IfModule>

</VirtualHost>
<Directory /var/www/ncp-web/>

  AuthType Basic
  AuthName "ncp-web login"
  AuthBasicProvider external
  AuthExternal pwauth

  SetEnvIf Request_URI "^" noauth
  SetEnvIf Request_URI "^index\.php$" !noauth
  SetEnvIf Request_URI "^/$" !noauth
  SetEnvIf Request_URI "^/wizard/index.php$" !noauth
  SetEnvIf Request_URI "^/wizard/$" !noauth

  <RequireAll>

   <RequireAny>
      Require host localhost
      Require local
      Require ip 192.168
      Require ip 172
      Require ip 10
      Require ip fe80::/10
      Require ip fd00::/8
   </RequireAny>

   <RequireAny>
      Require env noauth
      Require user ncp
   </RequireAny>

  </RequireAll>

</Directory>

But the SSL files exist.

curl http://ocsp.int-x3.letsencrypt.org

When I do this there is no result, so I think it’s ok.
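
One way to test what the AH00526 message above complains about ("does not exist or is empty"), as an added example that is not part of the original thread. The function name `check_ssl_files` is hypothetical, and the sketch assumes one path per directive with no spaces in it.

```shell
#!/bin/sh
# Added example: check the files named by SSLCertificate*File directives
# for the condition Apache reports in AH00526 (missing or empty file).
# Run it as root: /etc/ssl/private is normally closed to other users, so a
# key that exists can still look MISSING from an unprivileged shell.

# check_ssl_files CONF
# Prints one line per directive: "<status> <directive> <path>".
# Returns 0 if every referenced file is usable, 1 otherwise.
check_ssl_files() {
    conf=$1
    [ -r "$conf" ] || { echo "UNREADABLE config $conf"; return 1; }
    # Drop comments, then keep only the certificate/key/chain directives.
    sed 's/#.*//' "$conf" |
    awk 'tolower($1) ~ /^sslcertificate(key|chain)?file$/ { print $1, $2 }' |
    (
        rc=0
        while read -r directive path; do
            path=${path#\"}; path=${path%\"}   # strip optional quotes
            if [ ! -e "$path" ]; then
                status=MISSING; rc=1
            elif [ ! -s "$path" ]; then
                status=EMPTY; rc=1
            elif [ ! -r "$path" ]; then
                status=UNREADABLE; rc=1
            else
                status=OK
            fi
            echo "$status $directive $path"
        done
        exit "$rc"   # becomes the pipeline's, and so the function's, status
    )
}

# Stand-alone use: sh check.sh /etc/apache2/sites-enabled/ncp.conf
if [ $# -gt 0 ]; then
    check_ssl_files "$1"
fi
```

Any status other than OK for a directive in an enabled vHost is enough to stop Apache from starting, which has to be fixed before OCSP stapling can be looked at.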
