Can't get letsencrypt certificate for my nextcloud

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bernd.dyndns.info

I ran this command: I click on apply in the nextcloudpi's letsencrypt section to renew the certificate (yes, it worked once to get one but the renew process doesn't work)

It produced this output:
[ letsencrypt ] (Sun Oct 31 20:00:17 CET 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bernd.dyndns.info
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. bernd.dyndns.info (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bernd.dyndns.info/.well-known/acme-challenge/hvqYuWtLMGvVl-GaXeW-j6hm-mwm0rWejpriUg5sRaQ [79.250.140.197]: "\n\n404 Not Found\n\n

Not Found

\n<p"
IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: bernd.dyndns.info
Type: unauthorized
Detail: Invalid response from
http://bernd.dyndns.info/.well-known/acme-challenge/hvqYuWtLMGvVl-GaXeW-j6hm-mwm0rWejpriUg5sRaQ
[79.250.140.197]: "\n\n404 Not
Found\n\n

Not Found

\n<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): raspberry pi nextcloud v21.0.4.1

The operating system my web server runs on is (include version): Raspbian

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ncp

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

1 Like

Welcome to the Let's Encrypt community. :slightly_smiling_face:

3 Likes

Hi @androidin and welcome to the LE community forum :slight_smile:

Let's first confirm the external IP, with the output of:
curl -4 ifconfig.co

Then review any and all firewall settings that might be able to block TCP port 80 (HTTP).
I get:

curl -Iki bernd.dyndns.info
curl: (56) Recv failure: Connection reset by peer

curl -Iki https://bernd.dyndns.info
curl: (7) Failed to connect to bernd.dyndns.info port 443: Connection refused
2 Likes

Hi @rg305,

thanks for supporting. My nextcloud was in maintenance mode for a day. But here are the requested outputs now:

bernd@raspberrypi-iob:~ $ curl -4 ifconfig.co
79.250.140.197
bernd@raspberrypi-iob:~ $
bernd@raspberrypi-iob:~ $ curl -Iki bernd.dyndns.info
HTTP/1.1 200 OK
Date: Wed, 03 Nov 2021 06:00:14 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Sat, 24 Jul 2021 13:44:50 GMT
ETag: "29cd-5c7deb969b308"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html

bernd@raspberrypi-iob:~ $ curl -Iki https://bernd.dyndns.info
HTTP/2 302
date: Wed, 03 Nov 2021 06:00:29 GMT
server: Apache
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-security-policy: default-src 'self'; script-src 'self' 'nonce-xxx='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
set-cookie: oc_sessionPassphrase=xxxj%2FM; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: ocerw4in4l88=xxx; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
strict-transport-security: max-age=15768000; includeSubDomains
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
location: https://bernd.dyndns.info/login
content-type: text/html; charset=UTF-8

Note that I have salted sensitive information (at least if I assume that it is sensitive)

1 Like

Your cert expires in less than 3 days
:scream:

It's using Apache, so we could troubleshoot that by starting with the output of:
sudo apachectl -t -D DUMP_VHOSTS
[ ^ please ^ post ^ that ^ output ^ ]

What we are going to look for first is to confirm this is correct and works as expected:
"Using the webroot path /var/www/nextcloud"

1 Like

Hi, here is the output of the requested command:


bernd@raspberrypi-iob:~ $ sudo apachectl -t -D DUMP_VHOSTS
[sudo] Passwort für bernd:
VirtualHost configuration:
*:4443                 localhost (/etc/apache2/sites-enabled/ncp.conf:2)
*:443                  bernd.dyndns.info (/etc/apache2/sites-enabled/nextcloud.conf:4)

This is confusing output.
There is nothing shown for HTTP (TCP port 80).
It only shows HTTPS (TCP port 443) for bernd.dyndns.info.

Please show the outputs of:
sudo grep -Ri bernd.dyndns.info /etc/apache2/

And the file:

1 Like

Hi rg305, really appreciate your support. Here is the output of your request:

bernd@raspberrypi-iob:~ $ sudo grep -Ri bernd.dyndns.info /etc/apache2/
/etc/apache2/sites-enabled/nextcloud.conf:    ServerName bernd.dyndns.info
/etc/apache2/sites-enabled/nextcloud.conf:    SSLCertificateFile      /etc/letsencrypt/live/bernd.dyndns.info/fullchain.pem
/etc/apache2/sites-enabled/nextcloud.conf:    SSLCertificateKeyFile /etc/letsencrypt/live/bernd.dyndns.info/privkey.pem
/etc/apache2/sites-enabled/ncp.conf:  SSLCertificateFile /etc/letsencrypt/live/bernd.dyndns.info/fullchain.pem
/etc/apache2/sites-enabled/ncp.conf:  SSLCertificateKeyFile /etc/letsencrypt/live/bernd.dyndns.info/privkey.pem
/etc/apache2/sites-available/nextcloud.confe:    ServerName bernd.dyndns.info
/etc/apache2/sites-available/nextcloud.confe:    SSLCertificateFile      /etc/letsencrypt/live/bernd.dyndns.info/fullchain.pem
/etc/apache2/sites-available/nextcloud.confe:    SSLCertificateKeyFile /etc/letsencrypt/live/bernd.dyndns.info/privkey.pem
/etc/apache2/sites-available/nextcloud.conf:    ServerName bernd.dyndns.info
/etc/apache2/sites-available/nextcloud.conf:    SSLCertificateFile      /etc/letsencrypt/live/bernd.dyndns.info/fullchain.pem
/etc/apache2/sites-available/nextcloud.conf:    SSLCertificateKeyFile /etc/letsencrypt/live/bernd.dyndns.info/privkey.pem
/etc/apache2/sites-available/ncp.conf:  SSLCertificateFile /etc/letsencrypt/live/bernd.dyndns.info/fullchain.pem
/etc/apache2/sites-available/ncp.conf:  SSLCertificateKeyFile /etc/letsencrypt/live/bernd.dyndns.info/privkey.pem

And the file /etc/apache2/sites-enabled/nextcloud.conf

### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    DocumentRoot /var/www/nextcloud
    ServerName bernd.dyndns.info
    CustomLog /var/log/apache2/nc-access.log combined
    ErrorLog  /var/log/apache2/nc-error.log
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile      /etc/letsencrypt/live/bernd.dyndns.info/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bernd.dyndns.info/privkey.pem

    # For notify_push app in NC21
    ProxyPass /push/ws ws://127.0.0.1:7867/ws
    ProxyPass /push/ http://127.0.0.1:7867/
    ProxyPassReverse /push/ http://127.0.0.1:7867/
  </VirtualHost>

  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    LimitRequestBody 0
    SSLRenegBufferSize 10486000
  </Directory>
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  </IfModule>
</IfModule>

1 Like

I don't see anything out of the ordinary in those outputs...
So, let's also have a look at the only other file that uses that name:

1 Like

Hi again, the output of the ncp.conf file is:

bernd@raspberrypi-iob:~ $ cat /etc/apache2/sites-enabled/ncp.conf
Listen 4443
<VirtualHost _default_:4443>
  DocumentRoot /var/www/ncp-web
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/bernd.dyndns.info/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/bernd.dyndns.info/privkey.pem
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  </IfModule>

  # 2 days to avoid very big backups requests to timeout
  TimeOut 172800

  <IfModule mod_authnz_external.c>
    DefineExternalAuth pwauth pipe /usr/sbin/pwauth
  </IfModule>

</VirtualHost>
<Directory /var/www/ncp-web/>

  AuthType Basic
  AuthName "ncp-web login"
  AuthBasicProvider external
  AuthExternal pwauth

  SetEnvIf Request_URI "^" noauth
  SetEnvIf Request_URI "^index\.php$" !noauth
  SetEnvIf Request_URI "^/$" !noauth
  SetEnvIf Request_URI "^/wizard/index.php$" !noauth
  SetEnvIf Request_URI "^/wizard/$" !noauth

  <RequireAll>

   <RequireAny>
      Require host localhost
      Require local
      Require ip 192.168
      Require ip 172
      Require ip 10
      Require ip fe80::/10
      Require ip fd00::/8
   </RequireAny>

   <RequireAny>
      Require env noauth
      Require user ncp
   </RequireAny>

  </RequireAll>

</Directory>

OK, that is completely unrelated.

I don't understand how it answers HTTP requests at all!

Something is answering right now:

curl -Ii bernd.dyndns.info
HTTP/1.1 200 OK
Date: Wed, 03 Nov 2021 18:31:34 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Sat, 24 Jul 2021 13:44:50 GMT
ETag: "29cd-5c7deb969b308"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html

It says it's Apache...
But it isn't the one we have been reviewing.

Please show the output of:
sudo netstat -pant | grep -Ei ':80|apache|http|nginx'

1 Like

Hi again,

here is the requested output:

bernd@raspberrypi-iob:~ $ sudo netstat -pant | grep -Ei ':80|apache|http|nginx'
tcp        0      0 0.0.0.0:180             0.0.0.0:*               LISTEN      1055/lighttpd
tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN      505/deCONZ
tcp        0      0 127.0.0.1:46260         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46322         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46312         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46298         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46160         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46364         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46396         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46200         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46370         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46328         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46268         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46086         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46178         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46138         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46220         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46278         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46394         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 192.168.178.19:50002    192.168.178.19:8090     TIME_WAIT   -
tcp        0      0 127.0.0.1:46264         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46314         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46366         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46404         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46174         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46216         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46254         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46102         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46094         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46204         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 192.168.178.19:49998    192.168.178.19:8090     TIME_WAIT   -
tcp        0      0 127.0.0.1:46332         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46384         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46392         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46336         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46398         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 192.168.178.19:50084    192.168.178.19:8090     TIME_WAIT   -
tcp        0      0 127.0.0.1:46344         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46234         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46308         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46156         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46112         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46228         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46098         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:40416         127.0.0.1:7867          VERBUNDEN   19416/apache2
tcp        0      0 192.168.178.19:36286    192.168.178.29:8088     VERBUNDEN   2035/io.harmony.0
tcp        0      0 127.0.0.1:46286         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46224         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46106         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46258         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46232         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46152         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46130         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46148         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46212         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46196         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46356         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46208         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46318         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46272         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46110         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46142         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46090         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46380         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46274         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 192.168.178.19:50000    192.168.178.19:8090     TIME_WAIT   -
tcp        0      0 127.0.0.1:46400         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46376         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46388         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46164         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46340         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46084         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46134         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 127.0.0.1:46282         127.0.0.1:8090          TIME_WAIT   -
tcp        0      0 192.168.178.19:180      192.168.178.33:60943    VERBUNDEN   1055/lighttpd
tcp        0      0 127.0.0.1:46078         127.0.0.1:8090          TIME_WAIT   -
tcp6       0      0 :::180                  :::*                    LISTEN      1055/lighttpd
tcp6       0      0 :::4443                 :::*                    LISTEN      1336/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      1336/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      1336/apache2
tcp6       0      0 :::8081                 :::*                    LISTEN      1670/io.admin.0
tcp6       0      0 :::8082                 :::*                    LISTEN      3351/io.web.0
tcp6       0      0 192.168.178.19:443      45.146.164.110:49506    FIN_WAIT2   19415/apache2
tcp6       0      0 192.168.178.19:443      45.146.164.110:34634    FIN_WAIT2   19416/apache2
tcp6       0      0 192.168.178.19:443      79.250.140.197:60648    VERBUNDEN   19416/apache2

Items of interest:

lightspeed is in use.

Apache says it's using port 80.
[but I haven't found exactly where/how]

1 Like

OK. And what is your recommendation? I mean, :::80 is not a real IP, is it? And you said that a virtual host listening on port 80 is missing, right? Is there a way to put it manually somehow in a config file?

That is a real IP binding. It's in IPv6 format, but Apache will show that when bound to both IPv4 and IPv6.

At this point, without being able to locate where the vhost config for HTTP is, I can only refer you back to nextcloud and their documentation OR maybe someone will come by with some experience with this particular situation and provide you with some guidance, as I won't be able to even directly confirm that is the correct webroot.
That said, we might be able to confirm it indirectly.
But I must presume it will fail as has the renewal request.
If so, we can only confirm its failure and are still left without a way to fix it.

If you want to try confirming the webroot, do these steps:
sudo mkdir -p /var/www/nextcloud/.well-known/acme-challenge
echo test1234 > /var/www/nextcloud/.well-known/acme-challenge/Test_File-1234
echo test4321 > /var/www/nextcloud/Test_File-4321

Then try these from an Internet connected system:
http://bernd.dyndns.info/Test_File-4321
http://bernd.dyndns.info/.well-known/acme-challenge/Test_File-1234

Once all testing is completed you can delete the test files with:
rm /var/www/nextcloud/.well-known/acme-challenge/Test_File-1234
rm /var/www/nextcloud/Test_File-4321

1 Like
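The webroot check described above, as an added example that is not from the thread or from nextcloudpi: a small Python probe that drops a random token under the webroot's .well-known/acme-challenge directory, fetches it over plain HTTP on port 80 the way the ACME http-01 validator does, and maps the outcome onto the explanations that came up in this thread (port blocked, wrong webroot, another server answering). Function names and the classification labels are my own; the file is removed again after the fetch.

```python
"""Probe whether a file written into a webroot is served at the http-01 path."""
import os
import secrets
import socket
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def challenge_url(domain: str, token: str) -> str:
    # http-01 is always fetched over plain HTTP on port 80, never HTTPS.
    return f"http://{domain}{ACME_PATH}{token}"


def write_token(webroot: str, token: str, body: str) -> str:
    # Mirrors the manual steps: mkdir -p the challenge dir, drop a file in it.
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)
    return path


def classify(status, body, expected):
    """Translate the HTTP result into the diagnoses used in the thread."""
    if status is None:
        return "unreachable"    # port 80 filtered, closed, or connection reset
    if status == 404:
        return "wrong-webroot"  # whatever listens on :80 does not serve this dir
    if status == 200 and body.strip() == expected:
        return "ok"             # the validator would see the token here
    if status == 200:
        return "other-server"   # a different service answers on :80
    return f"http-{status}"


def fetch(url, timeout=10):
    # urlopen follows redirects, so a 302 to HTTPS that serves the file
    # still comes back as 200, which is also what Let's Encrypt accepts.
    req = urllib.request.Request(url, headers={"User-Agent": "webroot-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace")
    except (urllib.error.URLError, socket.timeout, OSError):
        return None, ""


def probe(domain, webroot):
    """Write a throwaway token, fetch it from the public name, clean up."""
    token = secrets.token_urlsafe(16)
    expected = secrets.token_hex(8)
    path = write_token(webroot, token, expected)
    try:
        status, body = fetch(challenge_url(domain, token))
    finally:
        os.remove(path)
    return classify(status, body, expected)


if __name__ == "__main__":
    # Example invocation; domain and webroot are the ones from this thread.
    print(probe("bernd.dyndns.info", "/var/www/nextcloud"))
```

Run it as root on the server (so it can write into the webroot) while a resolver outside the LAN is used, otherwise a router that does not hairpin NAT will make a working setup look "unreachable".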

Hi rg305,

this is not good news :frowning:

Isn't it possible to add that manually if it's missing?

OK, I created the test files. Then:

from those calls I get a "The requested URL was not found on this server" error in the browser. I assume that this is something you want to see as a confirmation, right?

By the way: isn't it possible to add the missing virtual host anyhow into the nextcloud.conf file, either by adding it manually, doing it by script or even repairing the nextcloud installation?

We can't add a vhost to a system that already has something (else) responding to that port.

You need to go down the nextcloud support path.

1 Like

My certificate expired 2 days ago. Yesterday I was willing to try it one last time. The trial with bernd.dyndns.info failed. But I set a forward record (CNAME) from my own tl domain to bernd.dyndns.info. As soon as I entered this tl domain in nextcloudpi I got a new certificate. I don't know whether it's reproducible but let's hope for the best. Saying this, I am pretty sure I tried to acquire a certificate for that tl domain several days before but this didn't work. But yesterday it did.

Ah, btw, I entered a VHOST for port 80 into the 000-default.conf in the apache2/sites-enabled directory. Don't know if this did the trick.
