LetsEncrypt Auto Renewal Failing - Nextcloud Snap Install

My Domain: loft-nextcloud.loft.aero
Command: None, it is running it automatically via SNAP
Service: Apache
OS: Ubuntu 18.04 LTS

I am running letsencrypt with nextcloud snap. The initial install and certs went fine then I received an error email saying that it needed to be renewed. When I look in the logs, this is what I am seeing:

  2019-05-15 03:56:35,790:DEBUG:certbot.storage:Writing new private key to 
/var/snap/nextcloud/current/certs/certbot/config/archive/loft-nextcloud.loft.aero/privkey3.pem.
2019-05-15 03:56:35,791:WARNING:certbot.renewal:Attempting to renew cert (loft-nextcloud.loft.aero) 
from /var/snap/nextcloud/current/certs/certbot/config/renewal/loft-nextcloud.loft.aero.conf produced an  
unexpected error: [Errno 1] Operation not permitted: 
'/var/snap/nextcloud/current/certs/certbot/config/archive/loft-nextcloud.loft.aero/privkey3.pem'. Skipping.
2019-05-15 03:56:35,793:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/snap/nextcloud/13144/lib/python2.7/site-packages/certbot/renewal.py", line 450, in 
handle_renewal_request
main.renew_cert(lineage ._config, plugins, renewal_candidate)
  File "/snap/nextcloud/13144/lib/python2.7/site-packages/certbot/main.py", line 1192, in renew_cert
  renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/snap/nextcloud/13144/lib/python2.7/site-packages/certbot/main.py", line 115, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
  File "/snap/nextcloud/13144/lib/python2.7/site-packages/certbot/renewal.py", line 315, in renew_cert
lineage.save_successor(prior_version, new_cert, new_key.pem, new_chain, config)
  File "/snap/nextcloud/13144/lib/python2.7/site-packages/certbot/storage.py", line 1111, in save_successor
os.chown(target["privkey"], -1, os.stat(old_privkey).st_gid)
OSError: [Errno 1] Operation not permitted: '/var/snap/nextcloud/current/certs/certbot/config/archive/loft-nextcloud.loft.aero/privkey3.pem'

2019-05-15 03:56:35,793:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-05-15 03:56:35,794:ERROR:certbot.renewal:  /var/snap/nextcloud/current/certs/certbot/config/live/loft-nextcloud.loft.aero/fullchain.pem (failure)

Hi @rjsears

today you have created two new certificates ( https://check-your-website.server-daten.de/?q=loft-nextcloud.loft.aero ):

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
912547604 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-15 02:56:33 2019-08-13 02:56:33 loft-nextcloud.loft.aero
1 entries duplicate nr. 2
912534440 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-15 02:44:33 2019-08-13 02:44:33 loft-nextcloud.loft.aero
1 entries duplicate nr. 1
793612357 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-03-04 23:46:53 2019-06-02 23:46:53 loft-nextcloud.loft.aero
1 entries

But you don’t use it.

CN=loft-nextcloud.loft.aero
	05.03.2019
	03.06.2019
expires in 19 days	loft-nextcloud.loft.aero - 1 entry

Looks like the file

/var/snap/nextcloud/current/certs/certbot/config/archive/loft-nextcloud.loft.aero/privkey3.pem

is blocked.

Did you change something there?

Hi @JuergenAuer -

Thank you for the information. The system actually check for the new certificate automatically, I am not doing anything at all. So the two certificates in question were were not created by me per se but by the system when it went to renew.

I have made zero changes to the system since installation and issuance of the initial certificate and I am running the snap version of both nextcloud and letsencrypt.

So when you say this file is blocked:

/var/snap/nextcloud/current/certs/certbot/config/archive/loft-nextcloud.loft.aero/privkey3.pem

I have no idea what you mean or how to fix it since it is all done behind the scenes.

I have no idea what hat SNAP is doing.

Looks like a bug of that tool, so you should check the documentation of that tool.

But you have two new certificates, so that part works.

Are these certificates somewhere listed? Is there a menu to install one of these certificates?

I already checked the SNAP, but it looks like it is actually the letsencrypt that is throwing the error, not SNAP. The error is being thrown by storage.py which is provided by certbot (or as close as I can tell).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.