Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:
```
sudo nextcloud.enable-https lets-encrypt
```
It produced this output:
```
Please enter your domain name(s) (space-separated): www.onderwegnaarmorgen.com
Attempting to obtain certificates... error running certbot:
Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Plugins selected: Authenticator nextcloud:webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.onderwegnaarmorgen.com
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.onderwegnaarmorgen.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.onderwegnaarmorgen.com/.well-known/acme-challenge/dLYMjFisZfioda3UtGbXyunwQRiUnOvHL_IU_fr16hc: "<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="ascii">
<title>TransIP - Reserved domain</title>
"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.onderwegnaarmorgen.com
Type: unauthorized
Detail: Invalid response from
http://www.onderwegnaarmorgen.com/.well-known/acme-challenge/dLYMjFisZfioda3UtGbXyunwQRiUnOvHL_IU_fr16hc:
"<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="ascii">
<title>TransIP - Reserved domain</title>
"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
```
My web server is (include version): I don't know, but I have this:
```
name: nextcloud
version: 13.0.5snap1
summary: Nextcloud Server - A safe home for all your data
description: |
  Access, share and protect your files, calendars, contacts, communication and
  more at home and in your enterprise.
architectures:
- amd64
confinement: strict
grade: stable
hooks:
  configure:
    plugs:
    - network
    - network-bind
apps:
  apache:
    command: command-apache.wrapper
    daemon: simple
    plugs:
    - network
    - network-bind
    - removable-media
    restart-condition: always
    stop-command: stop-command-apache.wrapper
  disable-https:
    command: command-disable-https.wrapper
    plugs:
    - network
    - network-bind
  enable-https:
    command: command-enable-https.wrapper
    plugs:
    - network
    - network-bind
  manual-install:
    command: command-manual-install.wrapper
    plugs:
    - network
    - network-bind
    - removable-media
  mdns-publisher:
    command: command-mdns-publisher.wrapper
    daemon: simple
    plugs:
    - network
    - network-bind
    restart-condition: always
  mysql:
    command: command-mysql.wrapper
    daemon: simple
    plugs:
    - network
    - network-bind
    restart-condition: always
    stop-command: stop-command-mysql.wrapper
  mysql-client:
    command: command-mysql-client.wrapper
    plugs:
    - network
    - network-bind
  mysqldump:
    command: command-mysqldump.wrapper
    plugs:
    - network
    - network-bind
  nextcloud-cron:
    command: command-nextcloud-cron.wrapper
    daemon: simple
    plugs:
    - network
    - network-bind
    - removable-media
    restart-condition: on-failure
  occ:
    command: command-occ.wrapper
    plugs:
    - network
    - network-bind
    - removable-media
  php-fpm:
    command: command-php-fpm.wrapper
    daemon: simple
    plugs:
    - network
    - network-bind
    - removable-media
    restart-condition: always
  redis-server:
    command: command-redis-server.wrapper
    daemon: simple
    plugs:
    - network
    - network-bind
    restart-condition: always
  renew-certs:
    command: command-renew-certs.wrapper
    daemon: simple
    plugs:
    - network
    - network-bind
    restart-condition: always
```
I use a DNS from a VPN provider!! It gives a server in Australia. With IPLeak: DNS address - 1 server: 103.86.xx.xxx
The operating system my web server runs on is (include version): Ubuntu 18.04 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
I can't confirm that. But now I know that I can change that at the domain registration.
I have three IP addresses:
The local one from my computer
The external IP from my router
The IP of the DNS server in Australia, which I have got from my VPN provider. It is different from my internet provider's.
Which one should I enter for the domain name?
And which type should I use: A, AAAA, CNAME, MX, etc.?
I have the server installed on a computer inside my home.
The external IP of my router is 82.161.205.205. My computer, where the server is installed, has another internal IP.
On who.is I get: https://who.is/dns/onderwegnaarmorgen.com
At the domain registration I have put the two IPs under DNS, in the waarde (value) field (IP). The IP 103.86.96.100 is from my VPN provider.
When I try to get a certificate, I now get the following:
```
Attempting to obtain certificates… error running certbot:
Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Plugins selected: Authenticator nextcloud:webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.onderwegnaarmorgen.com
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.onderwegnaarmorgen.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.onderwegnaarmorgen.com/.well-known/acme-challenge/A-x4KEnAjRCQc99neE4JToXMIyYyTHo73hSszyzjf58: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
```
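The two certbot failures quoted in this thread carry different ACME error types, and that difference already points at the cause: `urn:acme:error:unauthorized` with a registrar "Reserved domain" page means port 80 answered, but on the registrar's host, so the A record was still wrong; `urn:acme:error:connection` with a connect timeout means the record now points somewhere, but nothing on port 80 at that address is reachable. The Python below is an added example, not code from the thread, from certbot or from the Nextcloud snap: it parses certbot's "Failed authorization procedure" line and maps the error type to the check to run next. The two outputs quoted in the thread are embedded as sample input; the function names and the wording of the diagnoses are my own.

```python
"""Classify a certbot http-01 failure from its console output.

Added example for this thread; it is not code from certbot, the Nextcloud
snap or the forum post. It reads the 'Failed authorization procedure' line
certbot printed and maps the ACME error type to the most likely cause, so
a wrong DNS record can be told apart from a blocked port 80 without
re-running the challenge.
"""
import re

# Sample input: the two certbot outputs quoted in the thread.
OUTPUT_UNAUTHORIZED = '''Failed authorization procedure. www.onderwegnaarmorgen.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.onderwegnaarmorgen.com/.well-known/acme-challenge/dLYMjFisZfioda3UtGbXyunwQRiUnOvHL_IU_fr16hc: "<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="ascii">
<title>TransIP - Reserved domain</title>
"'''

OUTPUT_CONNECTION = (
    'Failed authorization procedure. www.onderwegnaarmorgen.com (http-01): '
    'urn:acme:error:connection :: The server could not connect to the client '
    'to verify the domain :: Fetching http://www.onderwegnaarmorgen.com/'
    '.well-known/acme-challenge/A-x4KEnAjRCQc99neE4JToXMIyYyTHo73hSszyzjf58: '
    'Timeout during connect (likely firewall problem)'
)

# Shape of certbot's failure line: domain, challenge type, ACME error URN,
# a one-line summary and the free-form detail (which may span lines).
FAILURE_RE = re.compile(
    r'Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): '
    r'(?P<error>urn:acme:error:[A-Za-z]+) :: (?P<summary>.*?) :: (?P<detail>.*)',
    re.DOTALL,
)
TITLE_RE = re.compile(r'<title>(.*?)</title>', re.IGNORECASE | re.DOTALL)


def parse_failure(output):
    """Return a dict with domain, challenge, error, summary, detail and
    html_title (the <title> of any HTML the validator received), or None
    when the output contains no failure line."""
    m = FAILURE_RE.search(output)
    if not m:
        return None
    info = m.groupdict()
    t = TITLE_RE.search(info['detail'])
    info['html_title'] = t.group(1).strip() if t else None
    return info


def diagnose(info):
    """Map a parsed failure to (code, explanation)."""
    if info is None:
        return ('no-failure', 'No "Failed authorization procedure" line found.')
    if info['error'] == 'urn:acme:error:connection':
        return ('unreachable',
                'The validator could not open a TCP connection to port 80 at the '
                'address in the A/AAAA record. Check that the record holds the '
                'public (router) address, that the router forwards TCP 80 to the '
                'web server host, and that the host firewall allows port 80.')
    if info['error'] == 'urn:acme:error:unauthorized':
        if info['html_title'] and 'reserved domain' in info['html_title'].lower():
            return ('wrong-host',
                    'Port 80 answered, but with a registrar parking page (%s): the '
                    'A record still points at the registrar, not at your server.'
                    % info['html_title'])
        return ('wrong-content',
                'Port 80 answered, but not with the challenge token. Check that '
                'the web server at that address serves files from the webroot '
                'certbot writes to.')
    return ('other', '%s: %s' % (info['error'], info['summary']))


if __name__ == '__main__':
    for sample in (OUTPUT_UNAUTHORIZED, OUTPUT_CONNECTION):
        code, why = diagnose(parse_failure(sample))
        print(code, '-', why)
```

Run it as is to see the two diagnoses, or paste any other certbot output into `parse_failure()`; the `other` branch keeps the raw error URN and summary so an error type not handled here is still reported rather than hidden.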
So, after some trying, I have the right setup. https://who.is/dns/onderwegnaarmorgen.com
But I can't get a certificate. I think I must do port forwarding in my router to the computer with the server.
Also port 80 … forward to the (server) computer IP, which port?
port 443 … forward to the (server) computer IP, which port?
Is that correct?
How must I do this port forwarding? I
And does this forwarding have no consequences for other computers or programs?
Thanks for your answers!
I now only use my router IP. The other one is deleted.
Forwarding… That's a problem for me, I don't know how to do this in a safe way for ports 80 and 443. Which ports do I need for the internal server computer? And after the certification, can't I remove the port forwarding?
I have closed port 80. But I must forward port 443, also open it, and I must add a rule in ufw. This is to let Nextcloud function well as a server. This should be safe?
Hello JuergenAuer,
I see that the certificate expired on 25 November 2015. Must I renew it then? Or does that happen automatically?
What about the restriction: You can restrict your webserver, so that only /.well-known/acme-challenge/randomfilename is allowed via port 80.
How does this work? And what must I do?
And for the open port 443, can I also build in restrictions? To make it safer?
Check your crontab to see if Certbot has created a job. The certificates are renewed after 60 days. But you have 90 days to do that.
I don't know enough about Nextcloud. But it should be possible to create two rules:
http + /.well-known/acme-challenge/ -> load the file
other http -> go to Google
You don't need port 443 to create a Let's Encrypt certificate. If you have a redirect http -> https, remove that if the path is /.well-known/acme-challenge/.
Then Let's Encrypt loads the file via http / port 80 - job is done.
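The two rules in the answer above (serve `/.well-known/acme-challenge/` over plain HTTP, send every other HTTP request elsewhere) can be written down as a small routing policy. The Python below is an added example, not code from the thread, from Nextcloud or from certbot: `route()` decides per request, and a minimal `http.server` handler applies it. It assumes the webroot certbot reported in the thread (`/var/snap/nextcloud/current/certs/certbot`), redirects non-challenge requests to HTTPS on the same host instead of to Google, and only accepts a token that looks like a base64url ACME token, so a crafted request path cannot reach files outside the challenge directory. The function and class names are my own.

```python
"""Port-80 routing policy: serve ACME http-01 challenge files, redirect
everything else to HTTPS.

Added example for this thread; not code from Nextcloud, certbot or the
forum post. The webroot is the one certbot reported in the thread; the
function names and the redirect target are assumptions.
"""
import posixpath
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

CHALLENGE_PREFIX = '/.well-known/acme-challenge/'
# Webroot certbot used in the thread; certbot's webroot authenticator
# writes challenge files to <webroot>/.well-known/acme-challenge/<token>.
WEBROOT = '/var/snap/nextcloud/current/certs/certbot'
CHALLENGE_DIR = posixpath.join(WEBROOT, '.well-known', 'acme-challenge')
# ACME tokens are base64url strings; anything else ('..', '/', NUL, empty)
# is rejected before a filesystem path is built from it.
TOKEN_RE = re.compile(r'^[A-Za-z0-9_-]{1,128}$')


def route(host, raw_path):
    """Decide what a plain-HTTP request gets.

    ('serve', file_path)    well-formed challenge request (rule one)
    ('redirect', https_url) every other request (rule two)
    ('deny', reason)        challenge path with a malformed token
    """
    path = urlsplit(raw_path).path          # ignore any query string
    if path.startswith(CHALLENGE_PREFIX):
        token = path[len(CHALLENGE_PREFIX):]
        if not TOKEN_RE.match(token):
            return ('deny', 'not a valid ACME token')
        target = posixpath.normpath(posixpath.join(CHALLENGE_DIR, token))
        # The regex already excludes separators; this is a second check
        # that the resolved file still sits inside the challenge directory.
        if posixpath.dirname(target) != CHALLENGE_DIR:
            return ('deny', 'path escapes the challenge directory')
        return ('serve', target)
    return ('redirect', 'https://%s%s' % (host, raw_path))


class AcmeOnlyHandler(BaseHTTPRequestHandler):
    """Minimal handler applying route(); meant for the plain-HTTP listener."""

    def do_GET(self):
        # The Host header is client-supplied; in production pin it to your
        # own domain so the redirect cannot point at an arbitrary host.
        host = self.headers.get('Host', 'localhost').split(':')[0]
        action, arg = route(host, self.path)
        if action == 'serve':
            try:
                with open(arg, 'rb') as f:
                    body = f.read()
            except OSError:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header('Content-Type', 'text/plain')
            self.send_header('Content-Length', str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif action == 'redirect':
            self.send_response(301)
            self.send_header('Location', arg)
            self.end_headers()
        else:
            self.send_error(400, arg)


if __name__ == '__main__':
    # Binding port 80 needs root; 8080 lets you try the policy unprivileged.
    HTTPServer(('', 8080), AcmeOnlyHandler).serve_forever()
```

With this policy port 80 never exposes the Nextcloud application itself: the only file it will read is one certbot placed under the challenge directory, and every other request is answered with a redirect to HTTPS, which is the shape of the "two rules" above when written for a real web server such as Apache.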