Problem to renew certificate

mh23 · June 13, 2022, 6:16pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot renew

It produced this output:
IMPORTANT NOTES:

The following errors were reported by the server:

Domain: midgard.crabdance.com
Type: unauthorized
Detail: 79.203.102.46: Invalid response from
Nextcloud "\n<html class="ng-csp" data-placeholder-focus="false"
lang="en" data-locale="en" >\n\t<head\n
data-requesttoken="brGT"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Output 'sudo apachectl-S':
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost midgard.crabdance.com (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
*:80 midgard.crabdance.com (/etc/apache2/sites-enabled/nextcloud.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

rg305 · June 13, 2022, 6:22pm

Hi @mh23, and welcome to the LE community forum

It seems that something changed in March:

As the regular renewal cycle was broken.

And now the renewal is failing...
We should have a look at the file:
/etc/apache2/sites-enabled/nextcloud.conf
[which is where we should be handling the challenge requests]

mh23 · June 13, 2022, 7:41pm

In March I moved my nextcloud from a pi (OS was nextcloudpi) to a pc (OS is now ubuntu with a new nextcloud installation) with the same domain.

Here is the nextcloud.conf:

<VirtualHost *:80>
   DocumentRoot /var/www/nextcloud/
   ServerName midgard.crabdance.com
   #ServerAlias www.yourdomain.com
   #Redirect permanent / https://midgard.crabdance.com/
<Directory /var/www/nextcloud/>
   Options +FollowSymlinks
   AllowOverride All
   Require all granted
<IfModule mod_dav.c>
   Dav off
</IfModule>
   SetEnv HOME /var/www/nextcloud
   SetEnv HTTP_HOME /var/www/nextcloud
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =midgard.crabdance.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

MikeMcQ · June 13, 2022, 9:42pm

Your Apache VirtualHost for port 80 is redirecting all requests to HTTPS and your HTTPS VirtualHost redirects the acme-challenge request to your login page. You need the server to respond with the acme challenge token value instead. There are many ways to correct this. One is to update your rewrite rules by adding this line immediately after RewriteEngine on

RewriteRule ^/\.well-known/.+ - [END]

This will prevent the /.well-known/acme-challenge/TokenValue request from being redirected to your https server.

As long as your DocumentRoot for the http VirtualHost is correct the cert renewal should be fine.

rg305 · June 13, 2022, 10:32pm

If that doesn't do the trick, try this line above the RewriteRule:
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]

mh23 · June 14, 2022, 6:23pm

I tested both suggestions one after the other but it didn´t work.

I checked the DocumentRoot. In the files 000-default.conf and default-ssl.conf it was '/var/www/html'. I changed the path in '/var/www/nextcloud' and tried again both suggestions.
I get again the same error message

Domain: midgard.crabdance.com
Type: unauthorized
Detail: 79.203.102.46: Invalid response from
Nextcloud "\n<html class="ng-csp" data-placeholder-focus="false"
lang="en" data-locale="en" >\n\t<head\n
data-requesttoken="B3iQ"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

Any further ideas?

rg305 · June 14, 2022, 6:48pm

More of the same.
Try each of those (again); But this time create a test text file in the expected challenge location.
And see if it can be accessed directly from the Internet.
mkdir -p /var/www/nextcloud/.well-known/acme-challenge
echo "test" > /var/www/nextcloud/.well-known/acme-challenge/Test_File-1234
http://midgard.crabdance.com/.well-known/acme-challenge/Test_File-1234

mh23 · June 14, 2022, 8:54pm

I can access the file.

rg305 · June 14, 2022, 9:21pm

hmm...
Then can you get a cert now?

mh23 · June 15, 2022, 4:06pm

no, same error again

rg305 · June 15, 2022, 4:10pm

Try:

sudo certbot certonly --webroot -w /var/www/nextcloud -d midgard.crabdance.com --dry-run

mh23 · June 15, 2022, 4:20pm

It works

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for midgard.crabdance.com
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

The dry run was successful.

But why does it only work with those additionally parameters?

rg305 · June 15, 2022, 4:33pm

Ok, now get the cert:

sudo certbot certonly --webroot -w /var/www/nextcloud -d midgard.crabdance.com

It seems that certbot is unable to handle the syntax of the configuration file.
I suspect the unblanced:

has thrown it off its' game.

So, we overcame that by explicitly telling certbot where to place the challenge file.

system · July 15, 2022, 4:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.