Problem with Letsencrypt and Collabora for Nextcloud

I’m trying to follow this guide from Nextcloud to connect it with collabora.

My domain is:

I ran this command: sudo letsencrypt --apache --agree-tos --email -d

It produced this output:

Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from [2a01:4f8:130:32f1::49]: 404


My web server is (include version): Server version: Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version): Debian 9 Stretch

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): bash shell

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Hi @HaloElite

you have ipv4- and ipv6 addresses ( ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout A yes 1 0
AAAA 2a01:4f8:130:32f1::49 yes A yes 1 0
AAAA 2a01:4f8:130:32f1::49 yes

Checking a file in /.well-known/acme-challenge answers with the expected http status 404 - Not Found, so it's not the typical ipv4/ipv6 mismatch.

So the apache plugin doesn't understand your configuration.

Switch to webroot as authenticator. Find your DocumentRoot and use it:

certbot run -a webroot -i apache -w yourDocumentRoot -d

@JuergenAuer How do I check where the documentroot is in my case?
(Not in /var/www/html)

If you have a non-standard configuration: I don't know.

Check your vHosts with

apachectl -S

to see, where your port 80 vHost with that domain name is defined. Then check that config file.

@JuergenAuer The problem is, I’m defining a virtual host at /etc/apache2/sites-available like:

<VirtualHost *:80>

If I run:

sudo certbot run -a webroot -i apache -w /etc/apache2/sites-enabled/ -d

I get the same error.

That's not your DocumentRoot.

Add a DocumentRoot to your vHost and use that.

@JuergenAuer Okay, I added:

<VirtualHost *:80>
    DocumentRoot /var/www/html/collab/

Created the document Folder and tried to run the command again. Still nothing.

Then this vHost isn't used. Again: What says apachectl -S

It says:

VirtualHost configuration:
*:443         (/etc/apache2/sites-enabled/default-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/office.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/"
User: name="www-data" id=33
Group: name="www-data" id=33

But in “/etc/apache2/sites-enabled/office.conf” is no DocumentRoot defined. If I do so still the same error.

Then create one, there a file. Then check if you can load that file with your browser to see, if that vHost is really used.

Are you sure?

$ curl -I
HTTP/1.1 302 Found
Date: Mon, 20 May 2019 20:27:22 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

Do you really control the domain in the worldwide public DNS?

@jmorahan To be honest: I’m not sure. I just created the vHost with that domain name.
I’m totally new to vHosts and stuff like that…

You can only create certificates with domain names you control. These must be worldwide unique.

Is your domain name? uses INWX as nameservers:

Domain	Nameserver	NS-IP
	• / reg-fra1
	• / reg-fra1	•

	2001:67c:1bc::104	•
	• / reg-fra1

Do you use INWX?

No. I just renamed the domain in the vHost conf file in and can’t reach it. Guess I did something wrong in creating it?

That can't work. You need an own, worldwide unique domain name you have to use.

So I just checked a free domain name and used that. Still telling me “the page is not accessible”…

That can't work. You have to register a domain name, then create a DNS A entry yourdomain -> yourip, the ip address must be worldwide visible. So Letsencrypt can validate your domain ownership.

Start with the basics:

1 Like

Okay, I got a subdomain of my university.

<VirtualHost *:80>

But running

sudo certbot --apache -d
sudo certbot run -a webroot -i apache -w /var/www/html/collab/ -d

Still gets me:

Failed authorization procedure. (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Timeout during connect (likely firewall problem)

 - The following errors were reported by the server:

   Type:   connection
   Detail: Fetching
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Your domain isn't visible ( ):

Domainname Http-Status redirect Sec. G -14 10.023 T
Timeout - The operation has timed out -14 10.027 T
Timeout - The operation has timed out -14 10.027 T
Timeout - The operation has timed out
Visible Content:

Only timeouts. Looks like a firewall. An open port 80 is required.

You may switch to dns-01 validation. But that requires a dns entry. I don't think you have dns access.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.