Create new certificate - error

Help
1

I have no idea what I do wrong. I like to install Nextcloud at a Raspberry Pi 3. I used the following HowTo:

https://canox.net/2016/06/die-eigene-cloud-mit-dem-raspberry-pi-und-nextcloud/

I tried to create a lets encrypt certificate and get an error:

sudo certbot certonly --webroot -w /var/www/nextcloud/ -d my.domaine.de -m mail@mail.de --agree-tos

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.domaine.de
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. my.domaine.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domaine.de/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxx-Pz9zQ: Connection refused

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: my.domaine.de
    Type: connection
    Detail: Fetching
    http://my.domaine.de/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxx-Pz9zQ:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I checked port 80 and 443:

Open Port Check Tool - Test Port Forwarding on Your Router

Both are closed

I have no idea where the fault is. I never had a error like that

2

Hi @Blaubart

an open port 80 is required if you want to use http-01 validation.

So Connection refused looks like a firewall or something else, that blocks.

Or it's a wrong port forwarding.

3

I used the port forwarding like I did it in the past. I have a Fritzbox 7490 and configured port 80 and 443 to the Raspberry. I tried to use nginx instead apache at the Raspberry, but nginx isn't running at the time. I also get an error because go ngnix. Thats why I installed and startet apache2. After the installation port 80 is open, but generating a certificate wasn't possible:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.domain.de
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. my.domain.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my.domain.de/.well-known/acme-challenge/xxxxxxxxxxxx_Kqc [xxx.xxx.150.232]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"

IMPORTANT NOTES:

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

4

Apache2 may have a completely different webroot, so you have to change your Certbot command.

5

OK, so the best way would be, to try getting Nginx working.
It seems Nginx dosen't running because letsencrypt is missing.

service Nginx status:

  • nginx.service - A high performance web server and a reverse proxy server
    Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
    Active: failed (Result: exit-code) since Thu 2019-05-16 23:23:17 CEST; 4min 3s ago
    Docs: man:nginx(8)
    Process: 4368 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)

Mai 16 23:23:11 systemd[1]: Starting A high performance web server and a reverse proxy server...
Mai 16 23:23:17 nginx[4368]: nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/my.domain.de/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(
Mai 16 23:23:17 nginx[4368]: nginx: configuration file /etc/nginx/nginx.conf test failed
Mai 16 23:23:17 systemd[1]: nginx.service: Control process exited, code=exited status=1
Mai 16 23:23:17 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Mai 16 23:23:17 systemd[1]: nginx.service: Unit entered failed state.
Mai 16 23:23:17 systemd[1]: nginx.service: Failed with result 'exit-code'.

6

Then use a self signed certificate instead.

7

now nginx is running and port 80 is open.

But I get the same Error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.domain.de
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. my.domain.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my.domain.de/.well-known/acme-challenge/xxxxx5ho [xxx.xxx.140.129]:

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: my.domain.de
    Type: unauthorized
    Detail: Invalid response from
    http://my.domain.de/.well-known/acme-challenge/xxxxx5ho
    [xxx.xxx.140.129]:

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

8

Then your webroot may be wrong. That's a non-standard webroot.

9

Thx!!

I changed to /var/www/html and it works!!

10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.