Certificate expired on Raspberrypi running NextcloudPi

Hi!
My Let's encrypt certificate is expired 4 days ago and I didn't found a solution to renew it.
My domain is: dph.ddns.net
Domain registred by: noip
I ran this command:

certbot renew -a webroot -w /var/www/html --dry-run

It produced this output:

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dph.ddns.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (old_dph.ddns.net) from /etc/letsencrypt/renewal/old_dph.ddns.net.conf produced an unexpected error: Failed authorization procedure. dph.ddns.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://dph.ddns.net/index.php/login [XX.XXX.XX.XXX]: "<!DOCTYPE html>\n<html class=\"ng-csp\" data-placeholder-focus=\"false\" lang=\"en\" data-locale=\"en\" >\n\t<head\n data-requesttoken=\"Wpma". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dph.ddns.net/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dph.ddns.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dph.ddns.net
   Type:   unauthorized
   Detail: Invalid response from https://dph.ddns.net/index.php/login
   [XX.XXX.XX.XXX]: "<!DOCTYPE html>\n<html class=\"ng-csp\"
   data-placeholder-focus=\"false\" lang=\"en\" data-locale=\"en\"
   >\n\t<head\n data-requesttoken=\"Wpma"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): RaspberryPi4
The operating system my web server runs on is (include version): NextcloudPi

Can anyone give me a solution for my Problem?

THX a lot!!

Hi @dph, and welcome to the LE community forum

Please show:
certbot certificates

and then try just:
certbot renew --dry-run

root@nextcloudpi:/home/pi# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
OCSP check failed for /etc/letsencrypt/live/dph.ddns.net/cert.pem (are we offline?)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: old_dph.ddns.net
    Domains: dph.ddns.net
    Expiry Date: 2021-06-26 10:39:16+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/dph.ddns.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dph.ddns.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

root@nextcloudpi:/home/pi# certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/old_dph.ddns.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dph.ddns.net
Cleaning up challenges
Attempting to renew cert (old_dph.ddns.net) from /etc/letsencrypt/renewal/old_dph.ddns.net.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for dph.ddns.net:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dph.ddns.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dph.ddns.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Unfortunately no success.

This is very peculiar:

Please show this file:

Content of file: old_dph.ddns.net.conf

enew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/dph.ddns.net
cert = /etc/letsencrypt/live/dph.ddns.net/cert.pem
privkey = /etc/letsencrypt/live/dph.ddns.net/privkey.pem
chain = /etc/letsencrypt/live/dph.ddns.net/chain.pem
fullchain = /etc/letsencrypt/live/dph.ddns.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 85983cab31d02a837df36265d8ac10b2
authenticator = webroot
webroot_path = /var/www/nextcloud,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]

This seems faulty:

1. first line ends with a comma
2. no matching mapped entry included

Try removing both lines and re-enter the webroot info in the renewal request command line.

Unfortunately it didn't work. I've removed the lines and reentered the renewal command. No success. Can I install a new certificate?
If yes, what do I have to remove/due?

Did you just run certbot renew or did you also add the webroot options to that command again, as suggested by @rg305?

Also, your Nextcloud is returning a redirect to https://dph.ddns.net/index.php/login, so your Nextcloud might interfer with certbots webroot method. Could you please put a text file called "test" with some random text in it the directory /var/www/html/.well-known/acme-challenge ? You might need to make those two latter directories with mkdir if they don't exist already.

Sorry, I didn't add the webroot options, because I didn't know what to enter.
I have created the text file in the directory.

root@nextcloudpi:/var/www/html/.well-known/acme-challenge# ls
test.txt

What do I have to do now? Start the certbot renew command again?

Thx for the help! I'm really sorry, but I don't have any idea how to renew the certificate.

Try accessing http://dph.ddns.net/.well-known/acme-challenge/test.txt -> it doesn't work. It doesn't show the test file, but rather redirects to the login page.

So either NextCloud is interfering with the access to the /.well-known/acme-challenge/ directory or your webroot path isn't correct. It should be the same as the DocumentRoot directive in the appropriate Apache VirtualHost.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.