Not able to issue certificate using acme.sh

I am new to creating certificates and would like some step-by-step guidance. I have installed acme.sh through PuTTY and would like to create a certificate for my Nextcloud on my own private TrueNAS server. I have some errors; the details are below.

My domain is: maskookt.duckdns.org

I ran this command:

acme.sh --issue -d maskookt.duckdns.org -w /usr/local/www/nextcloud/

It produced this output:

My web server is (include version):
nextcloud 12.1-RELEASE-p12

The operating system my web server runs on is (include version):
TrueNAS-12.0-U1

The version of my client License is GPLv3

I have shared my nginx config file below:

load_module /usr/local/libexec/nginx/ngx_http_uploadprogress_module.so;

user www www;
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Types to enable gzip compression on
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    # reserve 1MB under the name 'proxied' to track uploads
    upload_progress proxied 1m;

    sendfile        on;
    #tcp_nopush     on;
    client_max_body_size 1000m;

    #keepalive_timeout  0; 

    keepalive_timeout  65;

    # Disable tokens for security (#23684)
    server_tokens off;

    gzip  on;
    #upload_store /var/tmp/firmware;
    client_body_temp_path /var/tmp/firmware;

    error_log syslog:server=unix:/var/run/log,nohostname;
    access_log syslog:server=unix:/var/run/log,nohostname;

    server {
        server_name  localhost;
        listen                 0.0.0.0:443 default_server ssl http2;
        listen                 [::]:443 default_server ssl http2;

        ssl_certificate        "/etc/certificates/freenas_default.crt";
        ssl_certificate_key    "/etc/certificates/freenas_default.key";
        ssl_dhparam "/data/dhparam.pem";

        ssl_session_timeout    120m;
        ssl_session_cache      shared:ssl:16m;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SH>
        add_header Strict-Transport-Security max-age=0;

        #ssl_stapling on;
        #ssl_stapling_verify on;
        #resolver ;
        #ssl_trusted_certificate ;

        listen       0.0.0.0:80;
        listen       [::]:80;

     # Security Headers
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1";

        location / {
            rewrite ^.* $scheme://$http_host/ui/ redirect;
        }

        location /progress {
            # report uploads tracked in the 'proxied' zone
            report_uploads proxied;
        }

        location /api/docs {
            proxy_pass http://127.0.0.1:6000/api/docs;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Script-Name /api/docs;
        }

        location /api/docs/restful/static {
            alias /usr/local/www/swagger-ui/node_modules/swagger-ui-dist;
        }

        location /ui {
            if ( $request_method ~ ^POST$ ) {
                proxy_pass http://127.0.0.1:6000;
            }
            try_files $uri $uri/ /index.html =404;
            alias /usr/local/www/webui;
            add_header Cache-Control "must-revalidate";
            add_header Etag "TrueNAS-12.0-U1";
        }

        location /websocket {
            proxy_pass http://127.0.0.1:6000/websocket;
            proxy_http_version 1.1;
            proxy_set_header X-Real-Remote-Addr $remote_addr;
            proxy_set_header X-Real-Remote-Port $remote_port;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location /websocket/shell {
            proxy_pass http://127.0.0.1:6000/_shell;
            proxy_http_version 1.1;
            proxy_set_header X-Real-Remote-Addr $remote_addr;
            proxy_set_header X-Real-Remote-Port $remote_port;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_send_timeout 7d;
            proxy_read_timeout 7d;
        }

        location /api/v2.0 {
            # do not add the path to proxy_pass because of automatic url decoding
            # e.g. /api/v2.0/pool/dataset/id/tank%2Ffoo/ would become
            #      /api/v2.0/pool/dataset/id/tank/foo/
            proxy_pass http://127.0.0.1:6000;
            proxy_http_version 1.1;
            proxy_set_header X-Real-Remote-Addr $remote_addr;
            proxy_set_header X-Real-Remote-Port $remote_port;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        location /_download {
            proxy_pass http://127.0.0.1:6000;
            proxy_http_version 1.1;
            proxy_set_header X-Real-Remote-Addr $remote_addr;
            proxy_set_header X-Real-Remote-Port $remote_port;
            proxy_read_timeout 10m;
        }

        location /_upload {
            # Allow uploads of any size. Its middlewared job to handle size.
            client_max_body_size 0;
            proxy_pass http://127.0.0.1:6000;
            # make sure nginx does not buffer the upload and pass directly to middlewared
            proxy_request_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Real-Remote-Addr $remote_addr;
            proxy_set_header X-Real-Remote-Port $remote_port;
        }

        location /images {
            alias /var/db/system/webui/images;
        }

        location /_plugins {
            proxy_pass http://127.0.0.1:6000/_plugins;
            proxy_http_version 1.1;
            proxy_set_header X-Real-Remote-Addr $remote_addr;
            proxy_set_header X-Real-Remote-Port $remote_port;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }

    }

}

Hope someone able to help me out.

Thanks

1 Like

It doesn't look like your nginx config serves files from /usr/local/www/nextcloud/.

You might need to add something like:

location /.well-known/acme-challenge/ {
    root /usr/local/www/nextcloud/;
}

... then reload nginx, and try again.

1 Like

I am not good at tracking files and posting them; I hope I have posted the correct file.

/usr/local/www/nextcloud/ => inside, there is a folder .well-known/acme-challenge/ with OWtqIhU1BKQLAStkOc2g9xnjDtKsp3BFJaMouKSCxTs in it. I am not sure what that script or file is. What does this folder do anyway?

For the nginx config, the file I shared is located at /usr/local/etc/nginx/nginx.conf.
Is this the correct file?

location /.well-known/acme-challenge/ {
    root /usr/local/www/nextcloud/;
}

Where should I put these two lines?

By the way, how do I restart nginx? Is it the command below?

# service nginx restart

I have read some documentation and am still not able to solve it. I hope you can assist further. Thanks.

1 Like

To prove that you control your domain, Let's Encrypt asks you to create a file and make it accessible at e.g. http://example.com/.well-known/acme-challenge/xxxxxxx.

When you tell acme.sh to use a certain webroot (-w /usr/local/www/nextcloud/), the expectation is that a file in /usr/local/www/nextcloud/.well-known/acme-challenge/xyz will be downloadable from http://example.com/.well-known/acme-challenge/xyz.

So we just need to make sure that nginx is configured to do that.

You could put it just above:

Yep.

Before you do that, you can check that your modification did not break anything with:

sudo nginx -t
1 Like
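The webroot mechanism described in this answer (and the location block suggested earlier in the thread), as an added example that is not part of the original posts, of acme.sh or of TrueNAS: a POSIX shell pre-flight script that writes a constructed token under the webroot, prints the URL the CA will request, checks whether nginx.conf already carries a location for /.well-known/acme-challenge/, and then fetches the token over plain HTTP exactly the way Let's Encrypt does. The webroot, domain and nginx.conf path are taken from the thread and are assumed defaults you can override with environment variables; it also assumes `curl` is installed and that the nginx answering port 80 for the domain is the one whose config you edit.

```shell
#!/bin/sh
# Added example for this thread, not code from acme.sh or TrueNAS.
# Pre-flight checks for an acme.sh http-01 webroot issuance:
#   1. write a constructed token under <webroot>/.well-known/acme-challenge/
#   2. print the URL the CA will request for it
#   3. check whether nginx.conf already has an acme-challenge location
#   4. fetch the token over plain HTTP and compare it with what was written
# Assumptions: the defaults below are placeholders from the thread; the nginx
# serving port 80 for the domain is the one whose config you edit.
set -eu

WEBROOT="${WEBROOT:-/usr/local/www/nextcloud}"
DOMAIN="${DOMAIN:-maskookt.duckdns.org}"
NGINX_CONF="${NGINX_CONF:-/usr/local/etc/nginx/nginx.conf}"

# URL Let's Encrypt fetches for a token placed in the webroot.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a token file into the challenge directory; print its path.
write_test_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$2" > "$dir/$2"
    printf '%s\n' "$dir/$2"
}

# Exit 0 if the config already has a location for the challenge path.
config_has_acme_location() {
    grep -Eq '^[[:space:]]*location[[:space:]]+(\^~[[:space:]]+)?/\.well-known/acme-challenge/?' "$1"
}

# Location block to add inside the server { } that listens on port 80.
# ^~ makes it win over any regex location, so nothing else can swallow it.
acme_location_snippet() {
    cat <<'EOF'
        location ^~ /.well-known/acme-challenge/ {
            root /usr/local/www/nextcloud;
            default_type text/plain;
        }
EOF
}

# Request the token the way the CA does; succeed only if the body matches.
verify_token_served() {
    body="$(curl -fsS --max-time 10 "$(challenge_url "$1" "$2")")" || return 1
    [ "$body" = "$2" ]
}

main() {
    token="precheck-$(date +%s)"
    path="$(write_test_token "$WEBROOT" "$token")"
    echo "wrote $path"
    echo "expected at: $(challenge_url "$DOMAIN" "$token")"
    if config_has_acme_location "$NGINX_CONF"; then
        echo "$NGINX_CONF already has an acme-challenge location"
    else
        echo "no acme-challenge location in $NGINX_CONF; add this to the :80 server block,"
        echo "then run 'nginx -t' and 'service nginx reload':"
        acme_location_snippet
    fi
    if verify_token_served "$DOMAIN" "$token"; then
        echo "OK: token served over HTTP; acme.sh --issue should pass the challenge"
    else
        echo "FAIL: token not reachable (404/timeout); check DNS, port-80 forwarding, nginx location" >&2
    fi
    rm -f "$path"
}

# Run the checks only when invoked as: sh acme_precheck.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Save it as acme_precheck.sh on the server and run `sh acme_precheck.sh run`. A 404 at this step means the same thing it means for acme.sh: the nginx that answers port 80 for the name is not mapping the challenge path onto the webroot, so fix the location, run `nginx -t`, reload, and re-run the script before retrying `acme.sh --issue`.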

It's an orthogonal suggestion to be sure, but there's a much simpler way to handle TLS certs for your Nextcloud installation:

1 Like

I have followed the steps and here is the screenshot

reload nginx

and I tried to issue the certificate again...

It did not work, but based on the verification error:
the website is still showing a 404 Not Found error from nginx

but at the IP, I am able to open the link to my Nextcloud

Does this mean the error is not in the link between the DNS and my server? Basically, like what you mentioned about creating a file and being able to access it from both sides.

Did I miss any steps or anything I have not configured?

Sorry, I do need more help.

Thanks, I do need to research this, and thanks for your suggestion.
