Failure with Let's Encrypt using NextCloud guide


#1

Hi everybody!,
I’m installing a NextCloud server on my laptop (Ubuntu 16.04) using the following guide. I can install Let’s Encrypt

add-apt-repository ppa:certbot/certbot -y && apt update && apt install letsencrypt -y
letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt --rsa-key-size 4096 -d myid.oduckdns.org

and configure the permissions.sh file, but it seems Let’s Encrypt doesn’t create these files. Does anyone know why?

root@server:/root# chmod +x /root/permissions.sh && /root/permissions.sh
chmod: cannot access ‘/etc/letsencrypt/live/myid.duckdns.org/fullchain.pem’: No such file or directory
chmod: cannot access ‘/etc/letsencrypt/live/myid.duckdns.org/privkey.pem’: No such file or directory
chmod: cannot access ‘/etc/letsencrypt/live/myid.duckdns.org/chain.pem’: No such file or directory
chmod: cannot access ‘/etc/letsencrypt/live/angus.duckdns.org/cert.pem’: No such file or directory

Thanks a lot!


#2

If that domain name you may have forgotten to change on the last line is the real one, then it looks like no certificate was issued (you can search on https://crt.sh/)

Did the letsencrypt command produce any error message?


#3

Is “oduckdns.org” a typo in the command you actually ran, or only in the edited version you posted?


#4

After using your link, I couldn’t find any certificate for my URL.

After running the Let’s Encrypt command I see the output below

root@server:/root# add-apt-repository ppa:certbot/certbot -y && apt update && apt install letsencrypt -y letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt --rsa-key-size 4096 -d myid.duckdns.org
gpg: keyring `/tmp/tmp94jmwk_x/secring.gpg' created
gpg: keyring `/tmp/tmp94jmwk_x/pubring.gpg' created
gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp94jmwk_x/trustdb.gpg: trustdb created
gpg: key 75BCA694: public key “Launchpad PPA for certbot” imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK
Hit:1 http://ubuntu.cica.es/ubuntu xenial InRelease
Hit:2 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial InRelease
Hit:3 http://ubuntu.cica.es/ubuntu xenial-updates InRelease
Hit:4 http://ppa.launchpad.net/ondrej/php/ubuntu xenial InRelease
Hit:5 http://ubuntu.cica.es/ubuntu xenial-backports InRelease
Hit:6 http://ubuntu.cica.es/ubuntu xenial-security InRelease
Hit:7 https://download.docker.com/linux/ubuntu xenial InRelease
Hit:8 http://nginx.org/packages/mainline/ubuntu xenial InRelease
Reading package lists… Done
Building dependency tree
Reading state information… Done
27 packages can be upgraded. Run ‘apt list --upgradable’ to see them.
W: Target Packages (nginx/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target Packages (nginx/binary-i386/Packages) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target Packages (nginx/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target Translations (nginx/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target Translations (nginx/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target DEP-11 (nginx/dep11/Components-amd64.yml) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target DEP-11-icons (nginx/dep11/icons-64x64.tar) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target Packages (nginx/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target Packages (nginx/binary-i386/Packages) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target Packages (nginx/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target Translations (nginx/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target Translations (nginx/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target DEP-11 (nginx/dep11/Components-amd64.yml) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
W: Target DEP-11-icons (nginx/dep11/icons-64x64.tar) is configured multiple times in /etc/apt/sources.list:54 and /etc/apt/sources.list:55
E: Command line option ‘a’ [from -a] is not understood in combination with the other options.

But the problem is when I try to launch

root@server:/root# chmod +x /root/permissions.sh && /root/permissions.sh


#5

it was a mistake, it’s duckdns.org


#6

Did you run all this as a single command? The two lines should have been two separate commands.

First:

add-apt-repository ppa:certbot/certbot -y && apt update && apt install letsencrypt -y

Then:

letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt --rsa-key-size 4096 -d myid.duckdns.org


#7

Sorry jomahan,
I was out of my country for work. Yes, I have tried with separate commands, but we have the same problem.


#8

Are you sure it’s exactly the same problem? You don’t get even a slightly different error message?


#9

Well, when I try to use these commands I see these errors

IMPORTANT NOTES:

aiting for verification…
Cleaning up challenges
Failed authorization procedure. myid.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://myid.duckdns.org/.well-known/acme-challenge/EBrtu5hv44u2y79oDDGcThW3WzzEhkSIikU9B3CCytU: "

but if I try to run the first command I see the same error

chmod +x /root/permissions.sh && /root/permissions.sh

chmod: cannot access ‘/etc/letsencrypt/live/myid.duckdns.org/fullchain.pem’: No such file or directory
chmod: cannot access ‘/etc/letsencrypt/live/myid.duckdns.org/privkey.pem’: No such file or directory
chmod: cannot access ‘/etc/letsencrypt/live/myid.duckdns.org/chain.pem’: No such file or directory
chmod: cannot access ‘/etc/letsencrypt/live/angus.duckdns.org/cert.pem’: No such file or directory


#10

Are you still following the guide you posted originally? Including the location ^~ /.well-known/acme-challenge { proxy_pass http://127.0.0.1:81; and letsencrypt.conf bits?

If not, you might try using /var/www or /var/www/nextcloud or whatever your webroot directory actually is, instead of /var/www/letsencrypt


#11

Yes, I have followed this guide, but I don’t know why my error continues. Also, I have tried it using your paths (/var/www or /var/www/nextcloud) but nothing changed.


#12

ok, can you share the contents of your nginx.conf, nextcloud.conf, letsencrypt.conf and ssl.conf files please?


#13

Sure!!

nginx.conf file

user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
    multi_accept on;
    use epoll;
}
http {
    server_names_hash_bucket_size 64;
    upstream php-handler {
        server unix:/run/php/php7.2-fpm.sock;
    }
    include /etc/nginx/mime.types;
    include /etc/nginx/proxy.conf;
    include /etc/nginx/ssl.conf;
    include /etc/nginx/header.conf;
    include /etc/nginx/optimization.conf;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '"$host" sn="$server_name" '
                    'rt=$request_time '
                    'ua="$upstream_addr" us="$upstream_status" '
                    'ut="$upstream_response_time" ul="$upstream_response_length" '
                    'cs=$upstream_cache_status' ;
    access_log /var/log/nginx/access.log main;
    sendfile on;
    send_timeout 3600;
    tcp_nopush on;
    tcp_nodelay on;
    open_file_cache max=500 inactive=10m;
    open_file_cache_errors on;
    keepalive_timeout 65;
    reset_timedout_connection on;
    server_tokens off;
    resolver 192.168.1.1;
    # resolver IP is your Router-IP (e.g. your FritzBox)
    resolver_timeout 10s;
    include /etc/nginx/conf.d/*.conf;
}

nextcloud.conf file

server {
    listen 80 default_server;
    server_name myid.duckdns.org;
    # Your DDNS address (e.g. from desec.io or no-ip.com)
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl http2 default_server;
    server_name myid.duckdns.org;
    root /var/www/nextcloud/;
    access_log /var/log/nginx/nextcloud.access.log main;
    error_log /var/log/nginx/nextcloud.error.log warn;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    client_max_body_size 10240M;
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ \.(?:flv|mp4|mov|m4a)$ {
        mp4;
        mp4_buffer_size 5m;
        mp4_max_buffer_size 10m;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        include php_optimization.conf;
        fastcgi_pass php-handler;
        fastcgi_param HTTPS on;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        include php_optimization.conf;
        fastcgi_pass php-handler;
        fastcgi_param HTTPS on;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff|svg|gif|png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        access_log off;
        expires 30d;
    }
}

letsencrypt.conf

server {
    listen 127.0.0.1:81 default_server;
    server_name 127.0.0.1;
    charset utf-8;
    access_log /var/log/nginx/le.access.log main;
    error_log /var/log/nginx/le.error.log warn;
    location ^~ /.well-known/acme-challenge {
        default_type text/plain;
        root /var/www/letsencrypt;
    }
}

ssl.conf

ssl_certificate /etc/letsencrypt/live/myid.duckdns.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myid.duckdns.org/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/myid.duckdns.org/fullchain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_stapling on;
ssl_stapling_verify on;

#14

Hi @SimonLoe,

It would be great if you shared the real domain.

Is your domain using IPv4, IPv6, or both?

In your ssl.conf you have this:

ssl_certificate /etc/letsencrypt/live/myid.duckdns.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myid.duckdns.org/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/myid.duckdns.org/fullchain.pem;

but if you didn’t issue any cert for your domain, nginx will refuse to start because those files don’t exist. Are you sure you didn’t issue any cert?

Please, show the unedited output of this command:

letsencrypt certificates

Note: I’ve tested the guide and it is working fine for me (at least using IPv4, if you use IPv6 you need to add 2 listen directives to your conf files).

Cheers,
sahsanu


#15

Hi sahsanu,
I’m using IPv4.

I don’t have any certificate. In which step should it be created?

xarl@server:~$ sudo letsencrypt certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certs found.

xarl@server~$


#16

Hi @SimonLoe,

The first thing is to test that LE can reach the webroot for your domain:

mkdir -p /var/www/letsencrypt/.well-known/acme-challenge/
echo "this is a test" > /var/www/letsencrypt/.well-known/acme-challenge/test

Now try to reach that file with your browser or command line (preferably from outside your network):

http://myid.duckdns.com/.well-known/acme-challenge/test

or from command line:

curl -ikL http://myid.duckdns.com/.well-known/acme-challenge/test

If you get the text “this is a test” you should be ready to issue the certificate.

letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt --rsa-key-size 4096 -d myid.duckdns.org

Cheers,
sahsanu


#17

I just encountered this bug today while setting up SSL certificates for electrumx servers.

The problem was very simple and stupid. For some reason the live and archive folders in the /etc/letsencrypt tree had no execute permissions.

ElectrumX was unable to read its certificates, of course. This was on both Arch linux and Ubuntu 16.04.

For some reason it is not well known by many people at all that the execute permissions on directories influence the cd command. If you have a user level permission file inside another folder that lacks the X permission on the enclosing folder, you cannot access the file even though the file itself has read/write/execute permissions granted relevant to the user trying to access it.

/
|
folder root rwx------
|            |
|        file user rwxrwxrwx

If this is what the permissions look like, even though the file is permissioned to allow unlimited access, only the user who owns the folder can enter the directory, or read the file.
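As an added example (not from any post in this thread), a POSIX sh function that walks the ancestor directories of a certificate path and reports those lacking the search (execute) bit for "other" users, which is the condition described in the post above. The certificate path and permission bits used in the test are constructed; that the service user is "other" with respect to these directories is an assumption.

```shell
#!/bin/sh
# Report ancestor directories of a file that lack the "other" search bit.
# A user who is neither owner nor group member cannot traverse such a
# directory, so every file beneath it is unreachable no matter how open
# the file's own mode is (the situation drawn in the post above).
# Usage: find_untraversable /etc/letsencrypt/live/example.org/fullchain.pem
# Prints "<mode> <dir>" per offending directory; returns 1 if any were found.
# Assumption: symlinks are not resolved, so for certbot's live/ symlinks run
# it a second time against the archive/ target they point to.
find_untraversable() {
    path=$1
    found=0
    dir=$(dirname "$path")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        # First 10 characters of "ls -ld", e.g. "drwx------"; character 10
        # is the "other" execute slot ('x' or 't' means traversable).
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $mode in
            *[xt]) ;;
            *) printf '%s %s\n' "$mode" "$dir"; found=1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return $found
}
```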


#18

Hi, I have tried to use your test, and I can’t get it to work. I investigated all week but found nothing.

What is this command for? Do I need to run it if I can’t see the test?
letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt --rsa-key-size 4096 -d myid.duckdns.org

mmm


#19

So I could create these files as root (as I did to install the whole letsencrypt folder), but nothing; I always get the same error


#20

Hi @SimonLoe,

How did you test it? What errors did you get?

Let’s see which ports nginx is using:

netstat -ptan | grep LISTEN | grep nginx

or

ss -pln | grep nginx

Also, try to reach the test file directly on port 81 from your server:

curl -ikL http://127.0.0.1:81/.well-known/acme-challenge/test

Also, try to reach the test file from outside your network:

http://myid.duckdns.org/.well-known/acme-challenge/test

And after that, use below commands and show us the output:

grep 'acme-challenge' /var/log/nginx/le.*.log
grep 'acme-challenge' /var/log/nginx/nextcloud.*.log

That command is to issue the certificate, so no, you should not use it until you can reach the test file from outside your network.

Cheers,
sahsanu
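As an added example that is not part of sahsanu's reply, a sh/awk function that triages an nginx access log written in the `main` log_format from the nginx.conf posted earlier in this thread: it lists acme-challenge requests that did not answer 200, together with the upstream address (ua=) and upstream status (us=), which is what the two grep commands above are meant to surface. The log lines are constructed samples with documentation addresses and placeholder tokens.

```shell
#!/bin/sh
# Triage acme-challenge requests in an nginx access log written with the
# "main" log_format from the nginx.conf in this thread. For every request to
# /.well-known/acme-challenge/ that did not answer 200 it prints the path,
# status, upstream address (ua=) and upstream status (us=). Returns 1 if any
# such failure was found, 0 otherwise. Usage: acme_failures /var/log/nginx/nextcloud.access.log
acme_failures() {
    awk '
        # With the request logged as "METHOD path PROTO", $7 is the path and $9 the status.
        $7 ~ /^\/\.well-known\/acme-challenge\// && $9 != 200 {
            ua = "-"; us = "-"
            if (match($0, /ua="[^"]*"/)) ua = substr($0, RSTART + 4, RLENGTH - 5)
            if (match($0, /us="[^"]*"/)) us = substr($0, RSTART + 4, RLENGTH - 5)
            printf "%s status=%s upstream=%s upstream_status=%s\n", $7, $9, ua, us
            failures++
        }
        END { exit failures ? 1 : 0 }' "$1"
}

# Constructed sample log (not real traffic): one validation request served by
# the port-81 backend, one 404 from that backend (token file missing from the
# webroot), one 301 where the acme location never matched and the HTTPS
# redirect answered instead, and one unrelated Nextcloud page load.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [10/May/2018:12:00:01 +0000] "GET /.well-known/acme-challenge/TOKEN1 HTTP/1.1" 200 87 "-" "ACME-validator (constructed)" "-" "myid.duckdns.org" sn="myid.duckdns.org" rt=0.003 ua="127.0.0.1:81" us="200" ut="0.003" ul="87" cs=-
192.0.2.10 - - [10/May/2018:12:00:02 +0000] "GET /.well-known/acme-challenge/TOKEN2 HTTP/1.1" 404 162 "-" "ACME-validator (constructed)" "-" "myid.duckdns.org" sn="myid.duckdns.org" rt=0.002 ua="127.0.0.1:81" us="404" ut="0.002" ul="162" cs=-
192.0.2.10 - - [10/May/2018:12:00:03 +0000] "GET /.well-known/acme-challenge/TOKEN3 HTTP/1.1" 301 194 "-" "ACME-validator (constructed)" "-" "myid.duckdns.org" sn="myid.duckdns.org" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
198.51.100.7 - - [10/May/2018:12:00:04 +0000] "GET /index.php/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)" "-" "myid.duckdns.org" sn="myid.duckdns.org" rt=0.120 ua="unix:/run/php/php7.2-fpm.sock" us="200" ut="0.118" ul="5120" cs=-
EOF
}
```

A 301 with an empty upstream means the request never reached the port-81 server block, while a 404 from 127.0.0.1:81 means it did and the token file was not under /var/www/letsencrypt.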