Expired certificate on a virtual machine (Nextcloud) running on a TrueNas server

Geogicanu · April 17, 2022, 7:08pm

Hello!
I have had a problem for some time and I can't solve it ...
My certificate expired on March 4, 2022, I initially thought it would be automatically renewed, but it wasn't.
Even after this date, I did not manage to renew it.
My domain is: mycloudgg.go.ro

FreeBSD 12.2-RELEASE-p11 75566f060d4(HEAD) TRUENAS

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
root@NC:~ # certbot --version
certbot 1.22.0
root@NC:~ # certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mycloudgg.go.ro
    Serial Number: 34d5...
    Key Type: RSA
    Domains: mycloudgg.go.ro
    Expiry Date: 2022-04-04 09:12:28+00:00 (INVALID: EXPIRED)
    Certificate Path: /usr/local/etc/letsencrypt/live/mycloudgg.go.ro/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/mycloudgg.go.ro/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@NC:~ # certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/mycloudgg.go.ro.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate mycloudgg.go.ro with error: Requesting acme-v02.api.letsencrypt.org/directory: Name does not resolve

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /usr/local/etc/letsencrypt/live/mycloudgg.go.ro/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The first certificate was created (issued) more than 90 days ago, using the command:

certbot --nginx -d mycloudgg.go.ro

Thank you!

9peppe · April 17, 2022, 7:11pm

This is the issue. The DNS resolver on that machine is somewhat broken. I don't know enough about FreeBSD but you should probably check the contents of /etc/resolv.conf

Geogicanu · April 17, 2022, 7:21pm

resolv.conf contain:

Generated by resolvconf
search local
nameserver 192.168.1.1
nameserver 193.231.252.1
nameserver 213.154.124.1

that is, my router and DNS from the ISP

9peppe · April 17, 2022, 7:43pm

try if

curl -I -vvv https://acme-v02.api.letsencrypt.org/directory

actually works.

Geogicanu · April 17, 2022, 7:51pm

root@NC:/etc # url -I -vvv https://acme-v02.api.letsencrypt.org/directory
url: Command not found.

Geogicanu · April 17, 2022, 7:59pm

ping from Jails machine:

root@NC:/etc # ping acme-v02.api.letsencrypt.org
ping: cannot resolve acme-v02.api.letsencrypt.org: Host name lookup failure
root@NC:/etc # ping google.com
ping: cannot resolve google.com: Host name lookup failure
root@NC:/etc # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 192.168.1.92: icmp_seq=0 ttl=57 time=16.786 ms
64 bytes from 192.168.1.92: icmp_seq=1 ttl=57 time=17.368 ms
64 bytes from 192.168.1.92: icmp_seq=2 ttl=57 time=17.321 ms
64 bytes from 192.168.1.92: icmp_seq=3 ttl=57 time=16.871 ms

ping from the TrueNas server:

root@truenas2[~]# ping acme-v02.api.letsencrypt.org
PING acme-v02.api.letsencrypt.org (172.65.32.248): 56 data bytes
64 bytes from 172.65.32.248: icmp_seq=0 ttl=58 time=10.214 ms
64 bytes from 172.65.32.248: icmp_seq=1 ttl=58 time=10.452 ms
64 bytes from 172.65.32.248: icmp_seq=2 ttl=58 time=10.722 ms
64 bytes from 172.65.32.248: icmp_seq=3 ttl=58 time=10.820 ms
^C

the "resolv.conf" files on TrueNas and the one in Nextcloud jail are identical

9peppe · April 17, 2022, 8:15pm

You have identified the issue.

I have no idea how to solve it, tho.

danb35 · April 17, 2022, 10:29pm

This doesn't look right either. I don't know what it is, but there's something more than a little weird with networking in this jail.

rg305 · April 18, 2022, 3:52am

Yeah!
Some weird NAT going on.

As for:

Let routers route and DNS servers do DNS.
[remove that line]

Geogicanu · April 18, 2022, 12:41pm

root@NC:~ # ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248): 56 data bytes
64 bytes from 172.65.32.248: icmp_seq=0 ttl=58 time=11.081 ms
64 bytes from 172.65.32.248: icmp_seq=1 ttl=58 time=10.676 ms
64 bytes from 172.65.32.248: icmp_seq=2 ttl=58 time=10.629 ms
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 10.629/10.795/11.081/0.203 ms
root@NC:~ # certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/mycloudgg.go.ro.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for mycloudgg.go.ro
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /usr/local/etc/letsencrypt/live/mycloudgg.go.ro/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thanks to everyone who answered me!
There were some inconsistent settings on the TrueNas server under "system / tunable" ...
Have a good day!

9peppe · April 18, 2022, 12:44pm

Don't use this. It's not doing what you expect.

It means "renew even if the certificate isn't expiring", not "try harder"

Geogicanu · April 18, 2022, 1:02pm

I understand!
Anyway, the operation was successful ... even with that parameter.

Thank you!

9peppe · April 18, 2022, 1:05pm

If a certificate needs to be renewed, that parameter does nothing.

But, if it has some lifetime left, it will be renewed regardless of it.

Just don't get in the habit of using that option. There are exceedingly few times when it's actually needed.

Geogicanu · April 18, 2022, 1:25pm

I understand, it was enough:

"certbot renew"

Thank you very much for the explanations and for the time given!

MikeMcQ · April 18, 2022, 1:45pm

Yes, and if you are testing config changes it is best to use:

certbot renew --dry-run

9peppe · April 18, 2022, 1:51pm

And more, if you put it in a crontab:

certbot renew -q

rg305 · April 22, 2022, 1:38pm

A post was split to a new topic: Useless post - nothing to see here