Nextcloud Snap not encrypting

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: garrettsbodywork.fairuse.org (through FreeDNS)

I ran this command: sudo nextcloud.enable-https lets-encrypt

It produced this output: accepted terms and entered email address just fine, then got this after entering my domain.
Attempting to obtain certificates... error running certbot:

Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for garretsbodywork.fairuse.org
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain garrettsbodywork.fairuse.org
http-01 challenge for garrettsbodywork.fairuse.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

My web server is (include version): Nextcloud Snap (current)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: None. Using own server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

My Nextcloud is working through my IP address and through http right now, but I can't seem to figure out adding encryption.

1 Like

Welcome to the Let's Encrypt Community

An HTTP-01 challenge starts from a domain name on port 80 (http) then follows up to 10 redirects to domain names on either port 80 (http) or port 443 (https). IPv6 addresses (DNS AAAA records) are given priority over IPv4 addresses (DNS A records) for challenge requests. Since satisfaction of an HTTP-01 challenge requires Let's Encrypt be able to reach the server corresponding to the IP address, the IP address cannot be private.

https://toolbox.googleapps.com/apps/dig/#A/

2 Likes

Hi @grinquest, welcome to the LE community forum

You must use a real Internet IP.
The site needs to be fully functional (from the Internet) before you can try to secure it (via HTTP authentication).

Name:    garrettsbodywork.fairuse.org
Address: 10.0.0.135

RFC 1918 IPs are not routable over the Internet.

1 Like
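A pre-flight check for the failure diagnosed above, as an added example that is not part of the original thread: it classifies a name's A and AAAA records and reports whether the address tried first (AAAA before A, as stated earlier in the thread) is publicly routable. The function names `classify`, `resolve` and `http01_preflight` are hypothetical; the sample record is the `10.0.0.135` answer quoted above.

```python
import ipaddress
import socket

def classify(addr):
    """Return 'public', or the reason the address cannot be reached from the Internet."""
    ip = ipaddress.ip_address(addr)
    if ip.is_global:
        return "public"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:          # RFC 1918 for IPv4, unique-local (fc00::/7) for IPv6
        return "private"
    return "not globally routable"   # e.g. carrier-grade NAT space 100.64.0.0/10

def resolve(host):
    """Look up A and AAAA records with the local resolver.
    Note: a split-horizon resolver may answer differently from public DNS."""
    a, aaaa = set(), set()
    for family, *_rest, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET:
            a.add(sockaddr[0])
        elif family == socket.AF_INET6:
            aaaa.add(sockaddr[0])
    return sorted(a), sorted(aaaa)

def http01_preflight(a_records, aaaa_records):
    """Report every record's verdict and whether the first-tried address is public."""
    ordered = [("AAAA", r) for r in aaaa_records] + [("A", r) for r in a_records]
    findings = [(rtype, addr, classify(addr)) for rtype, addr in ordered]
    if not findings:
        return {"ok": False, "target": None, "reason": "no A or AAAA records", "records": []}
    rtype, addr, verdict = findings[0]
    return {"ok": verdict == "public", "target": addr, "type": rtype,
            "reason": verdict, "records": findings}

if __name__ == "__main__":
    # Constructed input: the single A record shown in the thread, no AAAA record.
    result = http01_preflight(["10.0.0.135"], [])
    print(result["target"], "->", result["reason"])
    if not result["ok"]:
        print("HTTP-01 cannot succeed until the name points at a public address; "
              "DNS-01 is the alternative.")
```

To check a live name instead of the embedded sample, pass the output of `resolve(host)` to `http01_preflight`.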

Thanks y'all,
I'm very new to the server environment. I didn't realize that I needed to have a public IP. In my further research, I realized that I would probably need to pay for a public IPv4 address. Is there a way around this? Can I use just an IPv6 address? If so, can someone point me in the right direction? Barring that, is there a free (and preferably private) way around it? I'm not looking to spend much money here. I'm doing this mostly as a DIY project for proof of concept and my own learning at this point.

2 Likes

Instead of satisfying an HTTP-01 challenge, you could satisfy a DNS-01 challenge. It is even possible to manually create the DNS TXT record for _acme-challenge.garrettsbodywork.fairuse.org if necessary.

Per @JamesLE's excellent observation below, if you can get a free, public IPv6 address, you could use it to satisfy an HTTP-01 challenge.

2 Likes

An IPv6 address would also be fine.

3 Likes

Yes; but then only IPv6 enabled* clients will be able to reach you.
[* there are also IPv4 to IPv6 services available to those that don't have IPv6]

1 Like
