Attempting to set up certificate auto-renew on Nextcloudpi fails

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:mycloud.point2this.com

I ran this command:
I recently attempted to login to my nextcloud server (installed using the prebuilt installation for a RPi) on a RPi using Firefox browser and got the message that the certificate had expired. I manually renewed the certificate using the following commands:
Testing the renewal process:
sudo certbot renew --dry-run

Test succeeded then I ran:
sudo certbot renew --force-renewal

Then I restarted apache:
sudo systemctl restart apache2

I then checked the certificate by:
echo | openssl s_client -connect mycloud.point2this.com:443 -servername mycloud.point2this.com 2>/dev/null | openssl x509 -noout -text

and saw that it indeed had been updated with a expiration date ~ 3 months from the renewal date.
I then tried to configure for a auto renew of the certificate and used this command:
sudo certbot renew --dry-run

Got the following errors:
Processing /etc/letsencrypt/renewal/mycloud.point2this.com.conf

Simulating renewal of an existing certificate for mycloud.point2this.com
Failed to renew certificate mycloud.point2this.com with error: urn:ietf:params:acme:error:orderNotReady :: The request attempted to finalize an order that is not ready to be finalized :: Order's status ("invalid") is not acceptable for finalization

All simulated renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/mycloud.point2this.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

I don’t really know what this error means or how to fix it and how to set up auto renew. Some help/guidance on how to fix this will be greatly appreciated. Thanks

My web server is (include version): Apache/2.4.67 (Debian)

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

2

That is very unusual. Does that happen repeatedly when using --dry-run? As I understand it that should only happen in obscure cases involving a "race" condition.

Even still, I believe a fix is in Certbot v4.1. You are on v2.1 so are due for an update as it is current v5.x. See: 4.1 Changelog: certbot/certbot/CHANGELOG.md at main · certbot/certbot · GitHub

If that problem does not repeat you should be able to continue reviewing your auto-renew. See this auto-renew section: User Guide — Certbot 5.7.0.dev0 documentation

3

Please don't use --force-renewal unless there's a very good reason to do so. There usually isn't any.