NextCloudPi LetsEncrypt - no certificate

screetch0r · June 22, 2020, 1:46pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: stall-cloud.heart-and-soul.net

I ran this command: NextCloudPi letsencrypt application

It produced this output:
[ letsencrypt ] (Mon Jun 22 13:18:59 UTC 2020)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for stall-cloud.heart-and-soul.net
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. stall-cloud.heart-and-soul.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://stall-cloud.heart-and-soul.net/index.php/login [2001:8d8:1801:833a::1]: "\n<html class=“ng-csp” data-placeholder-focus=“false” lang=“en” data-locale=“en” >\n\t<head\n data-requesttoken=“YXM0”
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: stall-cloud.heart-and-soul.net
Type: unauthorized
Detail: Invalid response from
https://stall-cloud.heart-and-soul.net/index.php/login
[2001:8d8:1801:833a::1]: "\n<html class=“ng-csp”
data-placeholder-focus=“false” lang=“en” data-locale=“en”
>\n\t<head\n data-requesttoken=“YXM0”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

=====

Hi guys,

I am trying to get a Letsencrypt for my site stall-cloud.heart-and-soul.net which points to my local NextCloud-Server behind my Router via a vServer (217.160.250.94 which is the CNAME for stall-cloud.heart-and-soul.net and which is autossh-ing into my local machine as I am behind a DSL-lite).

It seems like evrything is working. I can access my NextCloud via either http://stall-cloud.heart-and-soul.net or https://stall-cloud.heart-and-soul.net. However I cannot get the certificate for the above mentioned reason upon applying for the certificate in the NextCloudPi Web GUI.

Your help is much appreciated.

Thanks Marc

rg305 · June 22, 2020, 2:10pm

It would seem that there is a redirection that is causing the problem.

screetch0r · June 22, 2020, 2:21pm

Hi rg305,

thanks for the response. Both http://stall-cloud.heart-and-soul.net and https://stall-cloud.heart-and-soul.net redirect to my local NextCloud.

In a frist step my Domain stall-cloud.heart-and-soul.net CNAMEs my vServer at 217.160.250.94. and that vServer redirect via autossh to my local NextCloud through port 443.

I am new to this material. Is there any way to gauge the potential areas which may cause the problem?

rg305 · June 22, 2020, 2:23pm

The LE authentication request would look something like:
http://stall-cloud.heart-and-soul.net/.well-known/acme-challenge/random-letters-and-numbers

that HTTP connection can’t be redirected to your login page.

Do you know your way around Apache web server?

screetch0r · June 22, 2020, 2:58pm

Thank you.

No, I am not into the details of Apache. Will certainly have a look. Anything specific you find worth pointing me to?

and by the way: A Happy Birthday To You!

rg305 · June 22, 2020, 3:16pm

I’d start with:
apachectl -S

That will show which file covers which names.
Within the correct file you should find the redirection.
Feel free to post and ask for help, if needed.

screetch0r · June 22, 2020, 3:49pm

this outputs:

root@localhost:/etc/apache2/sites-enabled# apachectl -S
VirtualHost configuration:
*:80 localhost.localdomain (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

rg305 · June 22, 2020, 3:51pm

There is only the default.
Doesn’t look much configured…

Let’s have a look at the one file:
/etc/apache2/sites-enabled/000-default.conf

screetch0r · June 22, 2020, 4:05pm

right... thats basically unconfigured. The only things I added refer to the lines "Rewrite" for the HTTP to HTTPS rerouting.

Sorry, please let us know if this is too much of hastle for you because I am trying to deal with things which are out of my knowlegde.

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME} [R,L]

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

screetch0r · June 22, 2020, 9:09pm

Instead of using the NextCloudPi WebGUI to apply for the letsencrypt certificate, I tried the command

sudo certbot --apache

This apparently proper configured my apache to obtain the certificate for my domain stall-cloud.heart-and-soul.net.

However, and I guess that is completely correct, apache now listens on ports :80 and :443. In my setup I am required to listen on port :443 for my autossh-tunnel to my local NextCloud NAS server. Which however, can no longer, get on top of port :443 as it is preoccupied by apache.

So this sounds like: I can only get apache properly up and running to get my LE certificate or I can use port :443 to autossh-tunnel to my local NAS.

Are there any ideas how to get both to working?

Again, I wish to have the following:
Domain (stall-cloud.heart-and-soul.net) --> via CNAME --> vServer (217.160.150.94 - this one is running the apache and obtains the LE certificate) --> via autossh --> local NextCloud-Server (behind my router)

thanks all!

FYI: Outputs are now as follows

$ apachectl -S
VirtualHost configuration:
*:443 stall-cloud.heart-and-soul.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 localhost.localdomain (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME} [R,L]

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
RewriteCond %{SERVER_NAME} =stall-cloud.heart-and-soul.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

000-default-le-ssl.conf

<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    RewriteEngine On

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
ServerName stall-cloud.heart-and-soul.net
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/stall-cloud.heart-and-soul.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/stall-cloud.heart-and-soul.net/privkey.pem

rg305 · June 22, 2020, 10:11pm

We need to exclude the authentication requests from the forwarding/redirection.
To the file: 000-default.conf
Please adjust as follows:
[note: there is a new line and added text to the last line]

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

screetch0r · June 23, 2020, 11:44am

hmm... nothing changed. I amended 000-default.conf as suggested (added the new line plus the extra text). When trying to open the ssh-tunnel to my NextCloud I get the following message:

Warning: remote port forwarding failed for listen port 443

000-default.conf prints now:

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
RewriteCond %{SERVER_NAME} =stall-cloud.heart-and-soul.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

'# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

And $ apachectl -S looks like follows:

VirtualHost configuration:
*:443 stall-cloud.heart-and-soul.net (/etc/apache2/sites-enable d/000-default-le-ssl.conf:2)
*:80 localhost.localdomain (/etc/apache2/sites-enabled/000-def ault.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

rg305 · June 23, 2020, 9:53pm

Back up a few steps...

Were you able to get a certificate?

screetch0r · June 24, 2020, 8:49am

yes, a certificate was issued on Jun 22. at least this is what my browser tells me when entering stall-cloud.heart-and-soul.net. It says something like: this connection is secure and I have a vaild certificate for this URL issued by Let’s Encrypt Authority X3.

rg305 · June 24, 2020, 2:35pm

OK.
So what remains?
Is anything still failing?

screetch0r · June 24, 2020, 2:40pm

Hey, yes. My point was:

However, and I guess that is completely correct, apache now listens on ports :80 and :443. In my setup I am required to listen on port :443 for my autossh-tunnel to my local NextCloud NAS server. Which however, can no longer get on top of port :443 as it is preoccupied by apache.
So this sounds like: I can only get apache properly up and running to get my LE certificate or I can use port :443 to autossh-tunnel to my local NAS.
Are there any ideas how to get both to working?

I.e. can I get the LE certificate for my vServer through 443 and also can access port 443 to autossh down to my local NextCloud-NAS?

Thanks

rg305 · June 24, 2020, 10:09pm

You could do both if the system that terminates the HTTPS connection can then “proxy” any “other” HTTPS requests to the other system.
This is typically known as a “reverse proxy”.
Most, if not all, web servers support this.
Not 100% sure if “autossh-tunnel” can be proxied by all web servers.
I guess that is the real question here…

screetch0r · June 25, 2020, 10:25am

PERFECT… thank you. that helped massively. After searching for “SSL reverse proxy Apache2” I figured it out, amended the conf and it’s up and running.

Thanks so much for your dedicated support here!

domyssl · June 26, 2020, 9:27am

hallo

screetch0r the schema you configuration ??

autossh tunnel ? or revery proxy apache…

ip public (server or dns ??) -> ??? how to work you system ???

tanks advance for info

screetch0r · June 26, 2020, 9:45am

Hi domyssl,

I have a Domain sub-domain (stall-cloud.heart-and-soul.net) which forwards via DNS (CNAME) to my virtual Server with static ipv4 (217.160.250.94).
This vServer runs apache2 listening on ports :80 and :443 any incoming traffic from my sub-domain. All incoming with be forwarded to https (i.e. :443). In addition, apache proxies incoming 443 to 8080.

My local NAS on my PC here (running NextCloud) is auto-ssh’ing upon reboot to my vServer and brings all requests from 8080 to my local port 443, i.e. my NextCloud.

Hope this does make sense. please let us know if you need further clarification.
Thanks Marc

Topic		Replies	Views
Can't get letsencrypt certificate for my nextcloud Help	18	9584	December 7, 2021
Renew letsencrypt in server with nextcloud Ayuda (en Español)	8	3078	February 19, 2022
Nextcloud letsencrypt cert unable to create Help	9	1997	September 30, 2021
Unable to create Lets encrypt certificte Help	12	1240	May 5, 2021
Verification with letsencrypt not ok Help	4	437	March 12, 2023

NextCloudPi LetsEncrypt - no certificate

Related topics