Can't renew SSL certificate (nextcloudpi)


#1

I’m running nextcloudpi which has an option to create and renew let’s encrypt certificates. However, I can’t renew my certificate. The error message is below. Any help is appreciated.

My domain is:
https://nextcloud.anotherthought.de
I ran this command:
nextcloudpi-config letsencrypt option (which effectively launches this script:
It produced this output:
Launching letsencrypt
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.anotherthought.de
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. nextcloud.anotherthought.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nextcloud.anotherthought.de/.well-known/acme-challenge/Mchao1pwyrNQsZ6d4RJGv14G4PrZrwUgcrs8PPz_0oo: Timeout after connect (your server may be slow or overloaded)
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: nextcloud.anotherthought.de
    Type: connection
    Detail: Fetching
    http://nextcloud.anotherthought.de/.well-known/acme-challenge/Mchao1pwyrNQsZ6d4RJGv14G4PrZrwUgcrs8PPz_0oo:
    Timeout after connect (your server may be slow or overloaded)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    Done. Press any key…

My web server is (include version):
Server version: Apache/2.4.25 (Raspbian)

The operating system my web server runs on is (include version):
Raspbian
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

Your domain has an AAAA record but isn’t responding to HTTP requests on its IPv6 address.


#4

Thanks, you guided me on the right track and I could solve the problem. I will quickly describe the issue + workaround in case somebody else has the same problem:

The manufacturer of my router (FritzBox, AVM) offers a service called myfritz which acts as a dyndns. So I have a CNAME entry on my domain which references the dyndns address. In the router settings, there is an option which sets the port forwarding and this should additionally set the A and AAAA records. However, the AAAA record is not set to the IPv6 of the Pi but to the IP of the router and therefore the certificate renewal failed.
This is most likely due to a bug in the myfritz system since it used to work before and I didn’t change anything. I disabled IPv6 completely in the router so the AAAA record got deleted and the renewal succeeded via IPv4 and the normal IPv4 port forwarding.
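The failure in #1 and the diagnosis in #2 and #4 come down to one check: does every address the domain publishes (A and AAAA) actually answer HTTP requests for `/.well-known/acme-challenge/`? The following Python script is an added example, not part of this thread or of nextcloudpi; it resolves both record types, fetches a constructed placeholder token from each address separately (so an IPv4 success cannot mask an IPv6 timeout), and turns the outcomes into findings. The hostname, the token and the sample results in `diagnose` are constructed; a correctly served webroot answers the placeholder with a 404, which still proves reachability.

```python
"""Probe http-01 reachability per address family before running certbot.

Added example (not from the thread or nextcloudpi). The token is a
constructed placeholder, so a healthy server answers 404; what matters is
that the request is answered at all on every published address.
"""
import socket
import sys
from typing import Dict, List

CHALLENGE_PATH = "/.well-known/acme-challenge/"
PLACEHOLDER_TOKEN = "EXAMPLE_TOKEN_NOT_REAL"  # constructed, not a real ACME token


def resolve_addresses(hostname: str) -> Dict[str, List[str]]:
    """Return the A and AAAA addresses the local resolver gives for hostname."""
    records: Dict[str, List[str]] = {"A": [], "AAAA": []}
    try:
        infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return records
    for family, _type, _proto, _canon, sockaddr in infos:
        key = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}.get(family)
        if key and sockaddr[0] not in records[key]:
            records[key].append(sockaddr[0])
    return records


def probe_challenge(hostname: str, addr: str, token: str, timeout: float = 10.0) -> str:
    """GET the challenge URL from one specific address, forcing the family.

    Returns 'http <status>' when any HTTP status line comes back, otherwise
    'timeout' (connected but no answer, as in the thread) or 'error: <type>'.
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    request = (f"GET {CHALLENGE_PATH}{token} HTTP/1.1\r\n"
               f"Host: {hostname}\r\nConnection: close\r\n\r\n").encode()
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    head = b""
    try:
        sock.connect((addr, 80))
        sock.sendall(request)
        while b"\r\n" not in head:
            chunk = sock.recv(256)
            if not chunk:
                break
            head += chunk
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {type(exc).__name__}"
    finally:
        sock.close()
    parts = head.split(b"\r\n", 1)[0].decode("latin-1", "replace").split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/"):
        return f"http {parts[1]}"
    return "malformed response"


def diagnose(results: Dict[str, Dict[str, str]]) -> List[str]:
    """Turn per-address outcomes into findings.

    A family is healthy when at least one of its addresses returned an HTTP
    status (404 included). An AAAA record that times out while IPv4 works is
    exactly the thread's failure: the CA validates over IPv6 when an AAAA
    record exists, so the record must point at the host or be removed.
    """
    findings: List[str] = []
    healthy: Dict[str, bool] = {}
    for family in ("A", "AAAA"):
        outcomes = results.get(family, {})
        if not outcomes:
            continue
        healthy[family] = any(o.startswith("http ") for o in outcomes.values())
        for addr, outcome in outcomes.items():
            if not outcome.startswith("http "):
                findings.append(f"{family} {addr}: {outcome}")
    if healthy.get("AAAA") is False and healthy.get("A"):
        findings.append("AAAA record published but IPv6 does not serve the webroot; "
                        "fix the AAAA record or remove it")
    if healthy.get("A") is False and healthy.get("AAAA"):
        findings.append("A record published but IPv4 does not serve the webroot")
    if not healthy:
        findings.append("no A or AAAA records resolved")
    elif all(healthy.values()):
        findings.append("all published addresses answer; webroot reachability is fine")
    return findings


def run(hostname: str, token: str = PLACEHOLDER_TOKEN) -> List[str]:
    """Resolve, probe every address, and report findings for hostname."""
    records = resolve_addresses(hostname)
    results = {fam: {a: probe_challenge(hostname, a, token) for a in addrs}
               for fam, addrs in records.items()}
    return diagnose(results)


if __name__ == "__main__":
    for line in run(sys.argv[1] if len(sys.argv) > 1 else "example.invalid"):
        print(line)
```

Run it as `python3 probe_http01.py nextcloud.example.invalid` from a machine outside the LAN (the CA connects from the internet, so a probe from inside the router tells you little about port forwarding). A `timeout` on the AAAA address together with an `http 404` on the A address reproduces the thread's situation and points at the DNS record rather than at Apache.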


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.