Expired certificate on a virtual machine (Nextcloud) running on a TrueNas server

Hello!
I have had a problem for some time and I can't solve it ...
My certificate expired on March 4, 2022, I initially thought it would be automatically renewed, but it wasn't.
Even after this date, I did not manage to renew it.
My domain is: mycloudgg.go.ro

FreeBSD 12.2-RELEASE-p11 75566f060d4(HEAD) TRUENAS

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
root@NC:~ # certbot --version
certbot 1.22.0
root@NC:~ # certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mycloudgg.go.ro
    Serial Number: 34d5...
    Key Type: RSA
    Domains: mycloudgg.go.ro
    Expiry Date: 2022-04-04 09:12:28+00:00 (INVALID: EXPIRED)
    Certificate Path: /usr/local/etc/letsencrypt/live/mycloudgg.go.ro/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/mycloudgg.go.ro/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@NC:~ # certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/mycloudgg.go.ro.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate mycloudgg.go.ro with error: Requesting acme-v02.api.letsencrypt.org/directory: Name does not resolve

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /usr/local/etc/letsencrypt/live/mycloudgg.go.ro/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The first certificate was created (issued) more than 90 days ago, using the command:

certbot --nginx -d mycloudgg.go.ro

Thank you!

1 Like

This is the issue. The DNS resolver on that machine is somewhat broken. I don't know enough about FreeBSD but you should probably check the contents of /etc/resolv.conf

1 Like

resolv.conf contains:

Generated by resolvconf
search local
nameserver 192.168.1.1
nameserver 193.231.252.1
nameserver 213.154.124.1

that is, my router and DNS from the ISP

try if

curl -I -vvv https://acme-v02.api.letsencrypt.org/directory

actually works.

root@NC:/etc # url -I -vvv https://acme-v02.api.letsencrypt.org/directory
url: Command not found.

ping from Jails machine:

root@NC:/etc # ping acme-v02.api.letsencrypt.org
ping: cannot resolve acme-v02.api.letsencrypt.org: Host name lookup failure
root@NC:/etc # ping google.com
ping: cannot resolve google.com: Host name lookup failure
root@NC:/etc # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 192.168.1.92: icmp_seq=0 ttl=57 time=16.786 ms
64 bytes from 192.168.1.92: icmp_seq=1 ttl=57 time=17.368 ms
64 bytes from 192.168.1.92: icmp_seq=2 ttl=57 time=17.321 ms
64 bytes from 192.168.1.92: icmp_seq=3 ttl=57 time=16.871 ms

ping from the TrueNas server:

root@truenas2[~]# ping acme-v02.api.letsencrypt.org
PING acme-v02.api.letsencrypt.org (172.65.32.248): 56 data bytes
64 bytes from 172.65.32.248: icmp_seq=0 ttl=58 time=10.214 ms
64 bytes from 172.65.32.248: icmp_seq=1 ttl=58 time=10.452 ms
64 bytes from 172.65.32.248: icmp_seq=2 ttl=58 time=10.722 ms
64 bytes from 172.65.32.248: icmp_seq=3 ttl=58 time=10.820 ms
^C

the "resolv.conf" file on TrueNas and the one in the Nextcloud jail are identical

You have identified the issue.

I have no idea how to solve it, though.

This doesn't look right either. I don't know what it is, but there's something more than a little weird with networking in this jail.

3 Likes

Yeah!
Some weird NAT going on.

As for:

Let routers route and DNS servers do DNS.
[remove that line]

2 Likes
root@NC:~ # ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248): 56 data bytes
64 bytes from 172.65.32.248: icmp_seq=0 ttl=58 time=11.081 ms
64 bytes from 172.65.32.248: icmp_seq=1 ttl=58 time=10.676 ms
64 bytes from 172.65.32.248: icmp_seq=2 ttl=58 time=10.629 ms
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 10.629/10.795/11.081/0.203 ms
root@NC:~ # certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/mycloudgg.go.ro.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for mycloudgg.go.ro
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /usr/local/etc/letsencrypt/live/mycloudgg.go.ro/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thanks to everyone who answered me!
There were some inconsistent settings on the TrueNas server under "system / tunable" ...
Have a good day!

1 Like

Don't use this. It's not doing what you expect.

It means "renew even if the certificate isn't expiring", not "try harder" :smiley:

4 Likes

I understand!
Anyway, the operation was successful ... even with that parameter.

Thank you!

If a certificate needs to be renewed, that parameter does nothing.

But, if it has some lifetime left, it will be renewed regardless of it.

Just don't get in the habit of using that option. There are exceedingly few times when it's actually needed.

1 Like
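The two things this thread turned on, the jail's resolver not being able to look up the ACME directory host (the replies around resolv.conf and the ping tests) and what `--force-renewal` actually changes in `certbot renew`, as one added example. This is my own code, not certbot's and not from anyone in the thread: the function names (`acme_preflight`, `renewal_decision`, `parse_expiry`) are mine, the resolv.conf and "Expiry Date" inputs are constructed to match the shape of the output posted above, and the 30-day threshold is certbot's default renewal window as I understand it, stated here as an assumption. The resolver and TLS steps are injectable so the failure path can be exercised without network access.

```python
"""Pre-flight check plus the renewal decision behind `certbot renew`.

Added example, not code from certbot or from this thread. Function names are
my own; the 30-day threshold is assumed to be certbot's default renew window.
"""
import re
import socket
import ssl
from datetime import datetime, timedelta, timezone

ACME_DIRECTORY_HOST = "acme-v02.api.letsencrypt.org"
RENEW_BEFORE = timedelta(days=30)  # assumption: certbot renews when <30 days remain

# Constructed inputs, shaped like the output posted in the thread.
SAMPLE_RESOLV_CONF = """# Generated by resolvconf
search local
nameserver 192.168.1.1
nameserver 193.231.252.1
nameserver 213.154.124.1
"""
SAMPLE_EXPIRY_LINE = "    Expiry Date: 2022-04-04 09:12:28+00:00 (INVALID: EXPIRED)"


def utc(year, month, day, hour=0):
    """Small helper: an aware UTC datetime for 'now' in the decision function."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_resolv_conf(text):
    """Return (search_domains, nameservers); comments and blank lines are ignored."""
    search, nameservers = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "nameserver":
            nameservers.append(value.strip())
        elif key in ("search", "domain"):
            search.extend(value.split())
    return search, nameservers


def parse_expiry(line):
    """Parse the 'Expiry Date:' line of `certbot certificates` into an aware datetime."""
    m = re.search(r"Expiry Date:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})", line)
    if not m:
        raise ValueError("no expiry date in: %r" % line)
    return datetime.fromisoformat(m.group(1))


def failing_resolver(host):
    """Stand-in for the jail's broken resolver: fails the way gethostbyname does."""
    raise socket.gaierror(8, "hostname nor servname provided, or not known")


def _tls_handshake(host, ip, timeout):
    """Real check: TCP connect and TLS handshake; returns the negotiated version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def acme_preflight(host=ACME_DIRECTORY_HOST, resolve=socket.gethostbyname,
                   connect=_tls_handshake, timeout=5.0):
    """Check name resolution first, then TCP/TLS, stopping at the first failure.
    Returns a list of (check, status, detail). resolve() and connect() can be
    swapped for fakes, so the thread's failure mode is reproducible offline."""
    report = []
    try:
        ip = resolve(host)
    except socket.gaierror as exc:
        # Exactly what certbot reported: nothing after this step can succeed.
        report.append(("dns", "name does not resolve", str(exc)))
        return report
    report.append(("dns", "ok", ip))
    try:
        report.append(("tls", "ok", connect(host, ip, timeout)))
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        report.append(("tls", "failed", str(exc)))
    return report


def renewal_decision(not_after, now, force=False, renew_before=RENEW_BEFORE):
    """What `certbot renew` does with one certificate: (action, whole days left).
    --force-renewal only affects the 'not yet due' branch; a certificate that is
    expiring or already expired is renewed with or without it."""
    remaining = not_after - now
    if remaining <= renew_before:
        return "renew (expiring or expired)", remaining.days
    if force:
        return "renew (forced despite remaining lifetime)", remaining.days
    return "skip (not yet due)", remaining.days


if __name__ == "__main__":
    print(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    print(acme_preflight(resolve=failing_resolver))  # offline replay of the thread's error
    expiry = parse_expiry(SAMPLE_EXPIRY_LINE)
    for when in (utc(2022, 2, 1), utc(2022, 4, 10)):
        print(when.date(), renewal_decision(expiry, when), renewal_decision(expiry, when, force=True))
```

Run as a script it only replays the failing-resolver path; call `acme_preflight()` with no arguments on the host itself to do the real lookup and TLS handshake, which is the check worth putting in front of a `certbot renew -q` cron job so a resolver problem in the jail shows up before the certificate expires rather than after.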

I understand, it was enough:

"certbot renew"

Thank you very much for the explanations and for the time given!

2 Likes

Yes, and if you are testing config changes it is best to use:

certbot renew --dry-run

2 Likes

And more, if you put it in a crontab:

certbot renew -q

1 Like
