Nextcloudpi automatic certificate renewal failed


#1

Hello,
I have been running NextCloudPi for at least 6 months without any trouble, but for a few days I haven't been able to access my cloud anymore because the Let's Encrypt certificate has not been renewed automatically, as it usually does. I get this error (in French):
thibmus.hopto.org uses an invalid security certificate. The certificate expired on 20 December 2018 at 12:26:11 UTC+1. The current date is 30 December 2018 at 10:20. Error code: SEC_ERROR_EXPIRED_CERTIFICATE

I don't understand why this error happened in the first place, and have no clue how to fix it.
Could someone please help me? I have little knowledge about Raspberry Pi, Apache server, Nextcloud, Linux etc., so if possible try to keep your answers simple. Thank you in advance.

My domain is:
thibmus.hopto.org
I ran this command:
No idea, it usually works automatically.

It produced this output:
thibmus.hopto.org uses an invalid security certificate. The certificate expired on 20 December 2018 at 12:26:11 UTC+1. The current date is 30 December 2018 at 10:20. Error code: SEC_ERROR_EXPIRED_CERTIFICATE

My web server is (include version):
nextcloudpi 14
The operating system my web server runs on is (include version):
raspberry pi 3 B+
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes but I don’t know what to do

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes but access broken


#2

How did you install the certificate in the first place? Has NextCloudPi some sort of automated and integrated feature for this?


#3

Yes, exactly, it comes fully packaged with the NextCloudPi distribution/server, and it worked like a charm, so I am only aware of Let's Encrypt because of this problem. I guess there is a way to do it manually as well.


#4

Do you have access to the NextCloudPi web-interface?


#5

No, because Firefox or Chrome won't let me connect to my Nextcloud, the connection being considered unsafe, but I can connect to the Raspberry Pi via SSH.


#6

When connecting via ssh, this is the message I get:
The authenticity of host ‘192.168.1.12 (192.168.1.12)’ can’t be established.
ECDSA key fingerprint is SHA256:2mxYXF2KUdQGPyDk8SXe5/yTeLx5x1eWJMMi4JyhPqQ.
Are you sure you want to continue connecting (yes/no)?


#7

That warning can be overridden without any trouble. Just click “Advanced” or some other button and make an exception.

It’s probably the first time you’re connecting to that host from that machine. If so, this is normal.


#8

In most cases when connecting to an unsafe website, the browser does show some other button (Advanced), but for some reason when I am trying to connect to my website thibmus.hopto.org this button doesn't show up; I suppose it is the same for you when you try.
Message (in French), as if my Nextcloud site were trying to steal some data from me:
Malicious individuals may be attempting to steal your personal information from the site thibmus.hopto.org (for example passwords, messages or credit card numbers).
NET::ERR_CERT_DATE_INVALID

As for SSH, it is not my first connection from this machine.

Subject: thibmus.hopto.org

Issuer: Let's Encrypt Authority X3
Expires on: 20 Dec 2018
Current date: 30 Dec 2018


#9

Thank you very much for your trying to guide me out of this problem ! really appreciate.


#10

Chrome can bypass the error:

This server could not prove that it is thibmus.hopto.org ; its security certificate expired 11 days ago. This may be caused by a misconfiguration or an attacker intercepting your connection. Your computer’s clock is currently set to Sunday, December 30, 2018. Does that look right? If not, you should correct your system’s clock and then refresh this page.

Proceed to thibmus.hopto.org (unsafe)

Anyway, I noticed your site isn’t reachable through port 80. I had to manually put https:// in front of it.

Was access through HTTP on port 80 possible earlier? Could it be NextCloudPi uses the http-01 challenge for the renewal and now port 80 is blocked, it can’t?


#11

Most likely you’ve set the HSTS header on your site. This header makes it so that any browser that’s visited your site once will always insist on a correct certificate in the future, and not let you click through warnings. Here’s an article on how to clear the settings in your browser: https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/


#12

Hi @verduron

did you add a firewall? An open port 80 is required, as @Osiris wrote. But your site doesn’t answer connecting port 80.

Or is it a home server, so your internet provider blocks port 80? Perhaps something new, added in the last few weeks?

PS: Your site sends a HSTS header and a preload directive:

Strict-Transport-Security: max-age=15768000; includeSubDomains; preload

You should add HSTS only if you always have a working certificate. hopto.org is a public suffix, so if you send preload, another user may add your site to the Google preload list. Then you can't create an exception if your certificate is invalid.
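The checks the last few replies point at (is the certificate already expired, does port 80 answer so the http-01 challenge can run, and does the HSTS header carry preload / includeSubDomains / a long max-age that removes the browser click-through once the certificate lapses), gathered into a small pre-flight script. This is an added example, not code from NextCloudPi, certbot, Let's Encrypt or any poster in this thread. The `notAfter` line, the HSTS header and the timestamp are constructed from the values quoted above; the hostname cloud.example.org and all function names are placeholders.

```python
"""Pre-flight checks for a Let's Encrypt http-01 renewal on a home server.

Added example (not NextCloudPi, certbot or Let's Encrypt code). It checks:
  1. how far the current certificate is from expiry (openssl -enddate output),
  2. whether port 80 answers, which the http-01 challenge needs,
  3. whether the Strict-Transport-Security header is risky for a host whose
     renewal can silently stop working (preload, includeSubDomains, long max-age).
"""
import socket
from datetime import datetime, timedelta, timezone

# Constructed sample input, matching the values quoted in the thread:
# `openssl x509 -noout -enddate` output for the expired certificate (the post
# gives 12:26:11 UTC+1, i.e. 11:26:11 UTC) and the HSTS header the site sent.
SAMPLE_ENDDATE = "notAfter=Dec 20 11:26:11 2018 GMT"
SAMPLE_HSTS = "max-age=15768000; includeSubDomains; preload"
# The moment the original poster looked at the error (10:20 UTC+1).
SAMPLE_NOW = datetime(2018, 12, 30, 9, 20, tzinfo=timezone.utc)

RENEW_WINDOW_DAYS = 30  # certbot renews once fewer than 30 days remain


def parse_enddate(line: str) -> datetime:
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    _, _, value = line.partition("=")
    value = value.strip()
    if not value.endswith(" GMT"):
        raise ValueError(f"unexpected enddate format: {line!r}")
    naive = datetime.strptime(value[: -len(" GMT")], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def days_until_expiry(enddate_line: str, now: datetime) -> float:
    """Negative when the certificate has already expired."""
    return (parse_enddate(enddate_line) - now) / timedelta(days=1)


def parse_hsts(header: str) -> dict:
    """Split an HSTS header into its three directives (RFC 6797 syntax)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: leave it as None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_risk(header: str) -> list:
    """Reasons this policy hurts when the certificate lapses. Empty list = fine."""
    p = parse_hsts(header)
    if p["max_age"] is None:
        return ["HSTS header has no valid max-age directive"]
    reasons = []
    if p["preload"]:
        reasons.append("preload: once on a browser preload list, no click-through is possible")
    if p["include_subdomains"]:
        reasons.append("includeSubDomains: every subdomain also loses click-through")
    if p["max_age"] > RENEW_WINDOW_DAYS * 86400:
        reasons.append(f"max-age {p['max_age']}s: browsers enforce the policy this long "
                       "after their last successful visit")
    return reasons


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect check; http-01 needs port 80 reachable from the internet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host: str, enddate_line: str, hsts_header: str,
              now: datetime, check_port: bool = True) -> list:
    """Collect findings; an empty list means renewal has a fair chance."""
    findings = []
    days = days_until_expiry(enddate_line, now)
    if days < 0:
        findings.append(f"certificate expired {-days:.1f} days ago")
    elif days < RENEW_WINDOW_DAYS:
        findings.append(f"certificate expires in {days:.1f} days; certbot should be renewing now")
    if check_port and not port_open(host, 80):
        findings.append("port 80 closed: the http-01 challenge cannot be answered")
    findings.extend(hsts_risk(hsts_header))
    return findings


if __name__ == "__main__":
    # cloud.example.org is a placeholder; the connect simply fails offline.
    for finding in preflight("cloud.example.org", SAMPLE_ENDDATE, SAMPLE_HSTS, SAMPLE_NOW):
        print("-", finding)
```

Run it on the box over SSH with the real hostname, feeding `parse_enddate` the output of `openssl x509 -noout -enddate -in /path/to/cert.pem` and `parse_hsts` the header from `curl -sI https://yourhost`; the port-80 test only means something when run from outside your LAN, since a provider or router block is exactly what it is meant to catch.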


split this topic #13

2 posts were split to a new topic: HSTS preloading


#15

OK, this Nextcloud is indeed a home server and I can't create an exception in the browser, so I will try to regain access thanks to @jsha's instructions and then try to renew the certificate from the server, and let you know.
Thank you so much for your help. It takes me quite a long time to understand all this and make the tests, so please be patient, but I'll get back to you.


#16

Thanks to @jsha's suggestion I was able to regain access to my server through the browser. I then re-ran the Let's Encrypt configuration script in NextCloudPi, and it worked!! For some reason the certificate has been renewed or a new one has been issued and the server is working fine. Thanks so much for your help @jurgenhaas @jsha and @Osiris!


closed #17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.