Problem with Letsencrypt and Collabora for Nextcloud

I’m trying to follow this guide https://help.nextcloud.com/t/start-to-finish-nextcloud-collabora-step-by-step-guide/10602 from Nextcloud to connect it with collabora.

My domain is: office.nextcloud.com

I ran this command: sudo letsencrypt --apache --agree-tos --email my@mail.de -d office.nextcloud.com

It produced this output:

Failed authorization procedure. office.nextcloud.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://office.nextcloud.com/.well-known/acme-challenge/b0jjiuhiES4J0iuptu9_fp23mXbZjB4QGHAAPdZ3aRo [2a01:4f8:130:32f1::49]: 404

IMPORTANT NOTES:

My web server is (include version): Server version: Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version): Debian 9 Stretch

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): bash shell

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Hi @HaloElite

you have IPv4 and IPv6 addresses ( https://check-your-website.server-daten.de/?q=office.nextcloud.com ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| office.nextcloud.com | A | 176.9.217.49 | yes | 1 | 0 |
| | AAAA | 2a01:4f8:130:32f1::49 | yes | | |
| www.office.nextcloud.com | A | 176.9.217.49 | yes | 1 | 0 |
| | AAAA | 2a01:4f8:130:32f1::49 | yes | | |

Checking a file in /.well-known/acme-challenge answers with the expected http status 404 - Not Found, so it's not the typical ipv4/ipv6 mismatch.

So the apache plugin doesn't understand your configuration.

Switch to webroot as authenticator. Find your DocumentRoot and use it:

certbot run -a webroot -i apache -w yourDocumentRoot -d office.nextcloud.com

@JuergenAuer How do I check where the documentroot is in my case?
(Not in /var/www/html)

If you have a non-standard configuration: I don't know.

Check your vHosts with

apachectl -S

to see where your port 80 vHost with that domain name is defined. Then check that config file.

@JuergenAuer The problem is, I’m defining a virtual host at /etc/apache2/sites-available like:

<VirtualHost *:80>
ServerName office.nextcloud.com
</VirtualHost>

If I run:

sudo certbot run -a webroot -i apache -w /etc/apache2/sites-enabled/ -d office.nextcloud.com

I get the same error.

That's not your DocumentRoot.

Add a DocumentRoot to your vHost and use that.

@JuergenAuer Okay, I added:

<VirtualHost *:80>
    ServerName office.nextcloud.com
    DocumentRoot /var/www/html/collab/
</VirtualHost>

I created the document folder and tried to run the command again. Still nothing.

Then this vHost isn't used. Again: what does apachectl -S say?

It says:

VirtualHost configuration:
*:443                  143.93.44.83 (/etc/apache2/sites-enabled/default-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server myDigitalHome.umwelt-campus.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost myDigitalHome.umwelt-campus.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost office.nextcloud.com (/etc/apache2/sites-enabled/office.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

But no DocumentRoot is defined in “/etc/apache2/sites-enabled/office.conf”. If I define one, I still get the same error.

Then create one and put a file there. Then check whether you can load that file with your browser, to see if that vHost is really used.
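
The lookup described in the replies above (find the port-80 vHost with apachectl -S, then read its DocumentRoot), as an added example that is not part of the original thread. The function names `vhost_for` and `docroot_of` are hypothetical; the sample input is copied from the output and configs quoted in the posts.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find the webroot certbot's -w option needs.

# Sample input: the vHost lines of the `apachectl -S` output quoted in the thread.
SAMPLE_VHOSTS='*:443                  143.93.44.83 (/etc/apache2/sites-enabled/default-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server myDigitalHome.umwelt-campus.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost myDigitalHome.umwelt-campus.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost office.nextcloud.com (/etc/apache2/sites-enabled/office.conf:1)'

# Sample input: the two office.conf variants posted in the thread.
CONF_NO_ROOT='<VirtualHost *:80>
ServerName office.nextcloud.com
</VirtualHost>'
CONF_WITH_ROOT='<VirtualHost *:80>
    ServerName office.nextcloud.com
    DocumentRoot /var/www/html/collab/
</VirtualHost>'

# vhost_for NAME: reads `apachectl -S` output on stdin and prints file:line of the
# port-80 vHost that answers for NAME (ServerName or alias). If no vHost matches,
# Apache uses the default server, so that location is printed with a "default:" prefix.
vhost_for() {
  awk -v d="$1" '
    BEGIN { d = tolower(d) }
    $1 ~ /:[0-9]+$/ { port = $1; sub(/.*:/, "", port); cur = "" }   # "*:80 ..." starts a block
    port != "80" { next }                                           # HTTP-01 arrives on port 80
    $1 == "default" && $2 == "server" { def = $4 }
    $1 == "port" && $3 == "namevhost" { cur = $5; if (tolower($4) == d) hit = cur }
    $1 == "alias" && tolower($2) == d && cur != "" { hit = cur }
    END {
      loc = (hit != "") ? hit : def
      if (loc == "") exit 1
      gsub(/[()]/, "", loc)
      pre = (hit != "") ? "" : "default:"
      print pre loc
    }'
}

# docroot_of NAME: reads a vHost config on stdin and prints the DocumentRoot of the
# <VirtualHost> block whose ServerName is NAME. Returns 1 when that block sets none,
# in which case the vHost inherits the "Main DocumentRoot" shown by apachectl -S.
docroot_of() {
  awk -v d="$1" '
    BEGIN { d = tolower(d) }
    tolower($1) ~ /^<virtualhost/           { inside = 1; name = ""; root = ""; next }
    inside && tolower($1) == "servername"   { name = tolower($2) }
    inside && tolower($1) == "documentroot" { root = $2 }
    tolower($1) ~ /^<\/virtualhost/ {
      if (name == d && root != "") { gsub(/"/, "", root); print root; found = 1 }
      inside = 0
    }
    END { exit found ? 0 : 1 }'
}
```

On a live host the same functions take `apachectl -S` output and the config file named in its result as their input.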

Are you sure?

$ curl -I http://office.nextcloud.com/
HTTP/1.1 302 Found
Date: Mon, 20 May 2019 20:27:22 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://nextcloud.at
Content-Type: text/html; charset=iso-8859-1

Do you really control the domain office.nextcloud.com in the worldwide public DNS?

@jmorahan To be honest: I’m not sure. I just created the vHost with that domain name.
I’m totally new to vHosts and stuff like that…

You can only create certificates with domain names you control. These must be worldwide unique.

Is office.nextcloud.com your domain name?

office.nextcloud.com uses INWX as nameservers:

| Domain | Nameserver | NS-IP |
|---|---|---|
| www.office.nextcloud.com | ns.inwx.de / reg-fra1 | |
| office.nextcloud.com | ns.inwx.de / reg-fra1 | 192.174.68.104, 2001:67c:1bc::104 |
| nextcloud.com | ns.inwx.de / reg-fra1 | |

Do you use INWX?

No. I just renamed the domain in the vHost conf file to office.mynextcloud.com and can’t reach it. Guess I did something wrong in creating it?

That can't work. You need your own, worldwide unique domain name.

So I just checked a free domain name and used that. Still telling me “the page is not accessible”…

That can't work. You have to register a domain name, then create a DNS A entry yourdomain -> yourip; the IP address must be worldwide visible, so that Letsencrypt can validate your domain ownership.

Start with the basics:

Okay, I got a subdomain of my university.

<VirtualHost *:80>
   ServerAdmin my@email.de
   ServerName other-40.umwelt-campus.de
   ...

But running

sudo certbot --apache -d other-40.umwelt-campus.de
or
sudo certbot run -a webroot -i apache -w /var/www/html/collab/ -d other-40.umwelt-campus.de

Still gets me:

Failed authorization procedure. other-40.umwelt-campus.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://other-40.umwelt-campus.de/.well-known/acme-challenge/iK5FafFe9xPfSI4v47k1SaBi76FTYRAnN7SiqYsPmOg: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: other-40.umwelt-campus.de
   Type:   connection
   Detail: Fetching
   http://other-40.umwelt-campus.de/.well-known/acme-challenge/iK5FafFe9xPfSI4v47k1SaBi76FTYRAnN7SiqYsPmOg:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Your domain isn't visible ( https://check-your-website.server-daten.de/?q=other-40.umwelt-campus.de ):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://other-40.umwelt-campus.de/ 143.93.46.40 | -14 | | 10.023 | T |
| Timeout - The operation has timed out | | | | |
| https://other-40.umwelt-campus.de/ 143.93.46.40 | -14 | | 10.027 | T |
| Timeout - The operation has timed out | | | | |
| http://other-40.umwelt-campus.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 143.93.46.40 | -14 | | 10.027 | T |
| Timeout - The operation has timed out | | | | |

Only timeouts. Looks like a firewall. An open port 80 is required.

You may switch to dns-01 validation. But that requires a dns entry. I don't think you have dns access.
