Certificate expired on Raspberrypi running NextcloudPi

Hi!
My Let's Encrypt certificate expired 4 days ago and I haven't found a solution to renew it.
My domain is: dph.ddns.net
Domain registered by: noip
I ran this command:

certbot renew -a webroot -w /var/www/html --dry-run

It produced this output:

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dph.ddns.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (old_dph.ddns.net) from /etc/letsencrypt/renewal/old_dph.ddns.net.conf produced an unexpected error: Failed authorization procedure. dph.ddns.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://dph.ddns.net/index.php/login [XX.XXX.XX.XXX]: "<!DOCTYPE html>\n<html class=\"ng-csp\" data-placeholder-focus=\"false\" lang=\"en\" data-locale=\"en\" >\n\t<head\n data-requesttoken=\"Wpma". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dph.ddns.net/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dph.ddns.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dph.ddns.net
   Type:   unauthorized
   Detail: Invalid response from https://dph.ddns.net/index.php/login
   [XX.XXX.XX.XXX]: "<!DOCTYPE html>\n<html class=\"ng-csp\"
   data-placeholder-focus=\"false\" lang=\"en\" data-locale=\"en\"
   >\n\t<head\n data-requesttoken=\"Wpma"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): RaspberryPi4
The operating system my web server runs on is (include version): NextcloudPi

Can anyone give me a solution for my problem?

THX a lot!!

Hi @dph, and welcome to the LE community forum.

Please show:
certbot certificates

and then try just:
certbot renew --dry-run


root@nextcloudpi:/home/pi# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
OCSP check failed for /etc/letsencrypt/live/dph.ddns.net/cert.pem (are we offline?)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: old_dph.ddns.net
    Domains: dph.ddns.net
    Expiry Date: 2021-06-26 10:39:16+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/dph.ddns.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dph.ddns.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

root@nextcloudpi:/home/pi# certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/old_dph.ddns.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dph.ddns.net
Cleaning up challenges
Attempting to renew cert (old_dph.ddns.net) from /etc/letsencrypt/renewal/old_dph.ddns.net.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for dph.ddns.net:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dph.ddns.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dph.ddns.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Unfortunately no success.

This is very peculiar:

Please show this file:

Content of file: old_dph.ddns.net.conf

enew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/dph.ddns.net
cert = /etc/letsencrypt/live/dph.ddns.net/cert.pem
privkey = /etc/letsencrypt/live/dph.ddns.net/privkey.pem
chain = /etc/letsencrypt/live/dph.ddns.net/chain.pem
fullchain = /etc/letsencrypt/live/dph.ddns.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 85983cab31d02a837df36265d8ac10b2
authenticator = webroot
webroot_path = /var/www/nextcloud,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]

This seems faulty:

  1. first line ends with a comma
  2. no matching mapped entry included

Try removing both lines and re-enter the webroot info in the renewal request command line.

Unfortunately it didn't work. I've removed the lines and re-entered the renewal command. No success. Can I install a new certificate?
If yes, what do I have to remove/do?

Did you just run certbot renew or did you also add the webroot options to that command again, as suggested by @rg305?

Also, your Nextcloud is returning a redirect to https://dph.ddns.net/index.php/login, so your Nextcloud might interfere with certbot's webroot method. Could you please put a text file called "test" with some random text in it in the directory /var/www/html/.well-known/acme-challenge ? You might need to make those two latter directories with mkdir if they don't exist already.


Sorry, I didn't add the webroot options, because I didn't know what to enter.
I have created the text file in the directory.

root@nextcloudpi:/var/www/html/.well-known/acme-challenge# ls
test.txt

What do I have to do now? Start the certbot renew command again?

Thx for the help! I'm really sorry, but I don't have any idea how to renew the certificate.

Try accessing http://dph.ddns.net/.well-known/acme-challenge/test.txt -> it doesn't work. It doesn't show the test file, but rather redirects to the login page.

So either NextCloud is interfering with the access to the /.well-known/acme-challenge/ directory or your webroot path isn't correct. It should be the same as the DocumentRoot directive in the appropriate Apache VirtualHost.


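The comparison suggested in the last reply (certbot's stored webroot against Apache's DocumentRoot), as an added example that is not part of the original thread. The function names and the two sample vhost files are constructed for illustration; the `webroot_path` line is the one from the renewal file posted above.

```shell
#!/bin/sh
# Added example: does certbot's stored webroot match what Apache serves?

# First webroot_path in a certbot renewal file. The value may end in a
# comma (as in the file posted above), so everything from the comma is cut.
renewal_webroot() {
    sed -n 's/^[[:space:]]*webroot_path[[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1 | sed 's/[[:space:]]*,.*$//; s/[[:space:]]*$//'
}

# First DocumentRoot in an Apache vhost file, without quotes.
vhost_docroot() {
    sed -n 's/^[[:space:]]*DocumentRoot[[:space:]][[:space:]]*//p' "$1" |
        head -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Exit status: 0 = same directory, 1 = different, 2 = a value is missing.
check_webroot() {
    wr=$(renewal_webroot "$1"); dr=$(vhost_docroot "$2")
    if [ -z "$wr" ] || [ -z "$dr" ]; then
        echo "missing webroot_path or DocumentRoot"; return 2
    fi
    if [ "${wr%/}" = "${dr%/}" ]; then
        echo "OK: both use ${wr%/}"; return 0
    fi
    echo "MISMATCH: certbot writes to ${wr%/}, Apache serves ${dr%/}"
    return 1
}

# Constructed sample files (hypothetical vhosts, not taken from the thread).
demo_dir=$(mktemp -d)
printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
    'webroot_path = /var/www/nextcloud,' > "$demo_dir/renewal.conf"
printf '%s\n' '<VirtualHost *:80>' '  DocumentRoot /var/www/nextcloud/' \
    '</VirtualHost>' > "$demo_dir/match.conf"
printf '%s\n' '<VirtualHost *:80>' '  DocumentRoot "/var/www/html"' \
    '</VirtualHost>' > "$demo_dir/other.conf"

check_webroot "$demo_dir/renewal.conf" "$demo_dir/match.conf"
check_webroot "$demo_dir/renewal.conf" "$demo_dir/other.conf" || true
```

On the real system the first argument would be /etc/letsencrypt/renewal/old_dph.ddns.net.conf and the second the Apache VirtualHost file that answers on port 80. A match only rules out the path as the cause; the redirect to the login page still has to be checked separately.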