Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: nc.kempcloud.net
I ran these commands:
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
sudo a2enmod ssl rewrite headers
sudo systemctl restart apache2
sudo vim /etc/apache2/conf-available/well-known.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
sudo ln -s /etc/apache2/conf-available/well-known.conf /etc/apache2/conf-enabled/
sudo apachectl configtest
sudo systemctl restart apache2
sudo certbot certonly --agree-tos --email <elided_email> --webroot -w /var/lib/letsencrypt/ -d nc.kempcloud.net
OR
sudo certbot renew --dry-run (to test it)
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/nc.kempcloud.net.conf
Simulating renewal of an existing certificate for nc.kempcloud.net
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: nc.kempcloud.net
Type: unauthorized
Detail: 2606:4700:3035::6815:45b1: Invalid response from http://nc.kempcloud.net/.well-known/acme-challenge/p-J03K_hQEz4DqpI8bR0WrN5He4hztNTRNuzOd3rZFc: 502
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Failed to renew certificate nc.kempcloud.net with error: Some challenges have failed.
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/nc.kempcloud.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): Apache/2.4.57
The operating system my web server runs on is (include version): Debian 12
My hosting provider, if applicable, is: Cloudflare (domain and tunnel)
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0
I'm following the article How to Install Nextcloud on Debian 11 to set up Nextcloud on a Raspberry Pi.
I'm using a Cloudflare tunnel to allow public access to my server.
If I set the tunnel to point to http://<local_ip>:443 and comment out "SSLEngine On" in /etc/apache2/sites-available/nextcloud.conf file, it generates the certificate without issues, however, if I change the tunnel to point to https://<local_ip>:443 and uncomment SSLEngine On, it fails with the mentioned unauthorized error message.
I can see the certificates in /etc/letsencrypt/live/nc.kempcloud.net but they only seem to work with HTTP, not HTTPS.
Any idea what might be the issue? (I've set up another server in the same way before and it worked, I'm not sure why it's not working this time.)
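The failure above is an HTTP-01 webroot validation where the CA's GET for `/.well-known/acme-challenge/<token>` came back as a 502 from the edge in front of the origin. Before running certbot (or `certbot renew --dry-run`) it helps to reproduce that exact request yourself and read the status code, since each code points at a different layer. The script below is an added example written for this page; it is not part of certbot, Apache or the original post. It drops a random token into `<webroot>/.well-known/acme-challenge/`, fetches it back over plain HTTP the way the CA would, deletes the probe file, and maps the status code onto the layer that most plausibly failed. The helper names (`check_challenge_path`, `diagnose`, `local_demo`) and the three local stand-in servers it spins up for the offline demo are constructed for illustration.

```python
#!/usr/bin/env python3
"""Pre-flight probe for HTTP-01 webroot validation (hypothetical helper, not certbot code).

Usage against a real host:  acme_preflight.py /var/lib/letsencrypt http://nc.example.invalid
With no arguments it runs an offline demo against constructed local servers.
"""
import functools
import http.server
import os
import secrets
import sys
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def fetch(url, timeout=10):
    """GET url and return (status, body, server_header); HTTP errors are data, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), resp.headers.get("Server")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace"), e.headers.get("Server")
    except (urllib.error.URLError, OSError) as e:
        return None, str(e), None


def check_challenge_path(webroot, base_url):
    """Write a probe token under webroot, fetch it through base_url, always remove it, report."""
    challenge_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)          # same alphabet as ACME tokens: A-Z a-z 0-9 - _
    probe = os.path.join(challenge_dir, token)
    with open(probe, "w", encoding="ascii") as fh:
        fh.write(token)
    try:
        status, body, server = fetch(f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}")
    finally:
        os.remove(probe)                       # never leave probe files in the webroot
    matches = body.strip() == token
    return {"ok": status == 200 and matches, "status": status,
            "body_matches": matches, "server": server, "token": token}


def diagnose(result):
    """Map the probe result onto the layer that most likely broke the challenge path."""
    status = result["status"]
    if status is None:
        return "no HTTP response: DNS, firewall or no listener, before any proxy is involved"
    if status == 200 and not result["body_matches"]:
        return "200 with wrong body: another vhost, a cached page or a rewrite answered instead"
    if status == 200:
        return "ok: the CA would read the token from this path"
    if status in (502, 503, 504):
        return ("gateway error: the proxy/tunnel answered but could not complete a request to the "
                "origin; confirm it speaks the same scheme and port the vhost actually listens on")
    if status == 404:
        return "404: Alias/webroot mismatch, or -w points at a directory this vhost does not serve"
    if status in (401, 403):
        return "access denied: Require/auth rules or .htaccess block the challenge directory"
    return f"unexpected status {status}"


class _QuietStatic(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):              # keep demo output readable
        pass


class _BadGateway(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an edge whose origin request fails."""
    def do_GET(self):
        self.send_error(502, "Bad Gateway")

    def log_message(self, *args):
        pass


def _serve(handler):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def local_demo():
    """Offline demo: a correct setup, a wrong -w directory (404) and a failing gateway (502)."""
    webroot = tempfile.mkdtemp(prefix="acme-preflight-")
    other_dir = tempfile.mkdtemp(prefix="acme-preflight-wrong-")
    good_srv, good_url = _serve(functools.partial(_QuietStatic, directory=webroot))
    bad_srv, bad_url = _serve(_BadGateway)
    try:
        return {"good": check_challenge_path(webroot, good_url),
                "wrong_webroot": check_challenge_path(other_dir, good_url),
                "bad_gateway": check_challenge_path(webroot, bad_url)}
    finally:
        for srv in (good_srv, bad_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        res = check_challenge_path(sys.argv[1], sys.argv[2])
        print(res["status"], res["server"], "->", diagnose(res))
    else:
        for name, res in local_demo().items():
            print(f"{name:14} status={res['status']} -> {diagnose(res)}")
```

Run it from the origin host with the same `-w` directory you give certbot and the public `http://` hostname, so the request travels through the tunnel and edge exactly as the CA's does. Because the probe file is removed in a `finally` block, a network error cannot leave stray tokens in the webroot, and the `Server` header tells you whether the status you see was produced by the proxy or by Apache.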