Attempting to set up certificate auto-renew on Nextcloudpi fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mycloud.point2this.com

I ran this command:
I recently attempted to log in to my Nextcloud server (installed using the prebuilt installation for an RPi) on an RPi using the Firefox browser and got the message that the certificate had expired. I manually renewed the certificate using the following commands:
Testing the renewal process:
sudo certbot renew --dry-run

Test succeeded then I ran:
sudo certbot renew --force-renewal

Then I restarted apache:
sudo systemctl restart apache2

I then checked the certificate by:
echo | openssl s_client -connect mycloud.point2this.com:443 -servername mycloud.point2this.com 2>/dev/null | openssl x509 -noout -text

and saw that it indeed had been updated with an expiration date ~3 months from the renewal date.
I then tried to configure an auto-renew of the certificate and used this command:
sudo certbot renew --dry-run

Got the following errors:
Processing /etc/letsencrypt/renewal/mycloud.point2this.com.conf


Simulating renewal of an existing certificate for mycloud.point2this.com
Failed to renew certificate mycloud.point2this.com with error: urn:ietf:params:acme:error:orderNotReady :: The request attempted to finalize an order that is not ready to be finalized :: Order's status ("invalid") is not acceptable for finalization


All simulated renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/mycloud.point2this.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

I don't really know what this error means, how to fix it, or how to set up auto-renew. Some help/guidance on how to fix this will be greatly appreciated. Thanks.

My web server is (include version): Apache/2.4.67 (Debian)

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

That is very unusual. Does that happen repeatedly when using --dry-run? As I understand it that should only happen in obscure cases involving a "race" condition.

Even still, I believe a fix is in Certbot v4.1. You are on v2.1 so are due for an update as it is current v5.x. See: 4.1 Changelog: certbot/certbot/CHANGELOG.md at main · certbot/certbot · GitHub

If that problem does not repeat you should be able to continue reviewing your auto-renew. See this auto-renew section: User Guide — Certbot 5.7.0.dev0 documentation

Please don't use --force-renewal unless there's a very good reason to do so. There usually isn't any.

Thanks for the reply. This is new territory for me. I did check out the changelog. So how do I upgrade (commands?) to the newer version of certbot running on the Nextcloud Pi server? Thanks for the pointer to the certbot UG doc.

OK, so given my intention to renew the cert, what command should I have used to renew the cert???
And why not use '--force'? It seems to have worked as the new validity date is mid-August.....

I am not sure for Pi specifically but the general install is here: https://certbot.eff.org/

The repositories (apt, dnf, ...) for many distros are very old. Generally snap or pip are preferred for Certbot. If those are too awkward consider a different ACME Client like lego. Keep in mind I know very little about RPi but lego is 'go' based with binary downloads :slight_smile:

Update: Oh, for Apache, are you able to use its mod_md? It is an ACME client built into Apache. If you are happy with Certbot that's fine. Just another idea. See:

The Apache docs are a good reference and install overview: mod_md - Apache HTTP Server Version 2.4

The github for mod_md has very good examples: GitHub - icing/mod_md: Let's Encrypt (ACME) in Apache httpd · GitHub

Thanks. The last thing I want to do is break this system, as it took me 2+ long days to put it together. Yes, Apache is the web server.

Just a thought I forgot to add. Why can't I schedule a cron task to run every 3 months and run a script:
sudo certbot renew --force-renewal
sudo systemctl restart apache2

Wouldn't this work?

Until they reduce the cert lifetime to 45 days. Much better to run a daily, or even twice-daily (as it is by default), cron job of just certbot renew. But doesn't Nextcloudpi have its own facility to manage certificates?

Edit: Well, their github page makes it look like they do, but their docs site seems completely unusable. Ah, that site was deprecated almost four years ago, but nobody bothered to update it to say so. The current docs location appears to be a category in the Nextcloud forum, but I don't see anything there on how to set up Let's Encrypt--perhaps it'd be worth asking there. Or avoiding this extremely poorly-documented software.

--force-renewal is not needed except in certain one-time special cases.

People often misuse it and become rate-limited causing major problems for them. Please do not rely on that for routine renew.

The Certbot renew is designed to run frequently. Twice/day is recommended or at least once/day. The auto-renew docs link I provided earlier shows an example cron for that which also gives random renewal times (also recommended to avoid everyone asking for certs at the same time).

A CA (like Let's Encrypt) may need to revoke certs affected by incidents. A current version of Certbot will detect that using the ARI feature and make sure your cert is renewed promptly. Even ignoring that benefit, renewing at the last moment doesn't give any time to cope with outages (yours or LE's) or other problems.

The renew command doesn't do much each day. It looks at the cert on your local drive and may issue an ARI request to check that. All very fast.
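To make concrete why a frequent `certbot renew` beats a quarterly `--force-renewal` cron, here is an added example (not code from the thread or from Certbot) that parses the Validity block of the `openssl x509 -noout -text` output shown earlier and applies Certbot's default rule of renewing once fewer than 30 days remain. The sample certificate dates are constructed, and the `renew_before_days` parameter is an assumption used to show what a shorter certificate lifetime would require.

```python
"""Decide whether a certificate is due for renewal, Certbot-style.

Input is the Validity block from `openssl x509 -noout -text`; the
decision mirrors Certbot's default of renewing when fewer than 30 days
of validity remain (Certbot checks this on every `certbot renew` run,
which is why running it daily or twice daily is cheap and safe).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a typical 90-day Let's Encrypt validity window.
SAMPLE_X509_TEXT = """\
        Validity
            Not Before: May 17 09:12:44 2025 GMT
            Not After : Aug 15 09:12:43 2025 GMT
"""

_DATE_RE = re.compile(r"Not (Before|After)\s*:\s*(.+)$", re.M)


def utc_day(year, month, day):
    """Helper: an aware UTC datetime at midnight (used for 'now' values)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_validity(x509_text):
    """Return (not_before, not_after) as aware UTC datetimes."""
    found = {}
    for which, stamp in _DATE_RE.findall(x509_text):
        # openssl pads single-digit days ("Aug  5"); collapse the whitespace.
        stamp = " ".join(stamp.split())
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
        found[which] = parsed.replace(tzinfo=timezone.utc)
    return found["Before"], found["After"]


def renewal_due(not_after, now, renew_before_days=30):
    """True once fewer than renew_before_days of validity remain (Certbot default: 30)."""
    return not_after - now < timedelta(days=renew_before_days)


def lapses_before_next_run(not_after, last_run, interval_days):
    """True if a cron job with this interval would next fire after the cert expires.

    A 90-day cert renewed by a cron firing every 90 days has no slack at all:
    any clock drift, outage or failed validation leaves the site serving an
    expired certificate until the next run.
    """
    next_run = last_run + timedelta(days=interval_days)
    return next_run >= not_after
```

With the sample dates, a daily run first renews on 17 July 2025 (about 30 days early), whereas a 3-monthly cron last run on the issue date would not fire again until after the certificate has expired.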

Just certbot renew

It can lead to hitting rate limits and if renewal isn't necessary, it's wasteful.