Problem with Letsencrypt on a nextcloudpi server


#1

Hello,

I’m using nextcloudpi hosted on a Raspberry Pi at home. I am not an experienced user, so please, bear with me. My server was running smoothly until the certificate was not renewed; it was concomitant with a nextcloudpi update that did not succeed. The update problem is now fixed, but I can’t renew my certificate. I think it may not be related to the update anymore, as I had this same problem about 2 years ago, which resolved by itself a few months later. But it is quite annoying to have this issue and not know how to deal with it. I believe it’s related to IPv6, but I have zero knowledge on that.

My domain is: vercingeto.freeboxos.fr

I ran this command: Running letsencrypt from the TUI of nextcloudpi leads to:

Running letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vercingeto.freeboxos.fr
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. vercingeto.freeboxos.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://vercingeto.freeboxos.fr/.well-known/acme-challenge/kQGybT3-8Do6Lpz2ERf8MOz6MUfhGs7V79awHy7Bvhs: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: vercingeto.freeboxos.fr
   Type:   connection
   Detail: Fetching
   https://vercingeto.freeboxos.fr/.well-known/acme-challenge/kQGybT3-8Do6Lpz2ERf8MOz6MUfhGs7V79awHy7Bvhs:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Here is the letsdebug output: https://letsdebug.net/vercingeto.freeboxos.fr/30867

Here are the info of the server:

NextCloudPi version  v1.10.7
NextCloudPi image    NextCloudPi_10-05-18
distribution         Raspbian GNU/Linux 9 \n \l
automount            yes
USB devices          sda 
datadir              /media/USBdrive/ncdata
data in SD           no
data filesystem      btrfs
data disk usage      730G/932G
rootfs usage         2.4G/15G
swapfile             /var/swap
dbdir                /var/lib/mysql
Nextcloud check      ok
Nextcloud version    15.0.5.3
HTTPD service        up
PHP service          up
MariaDB service      up
Redis service        up
Postfix service      up
internet check       ok
port check 80        open
port check 443       open
interface            eth0
certificates         vercingeto.freeboxos.fr
NAT loopback         yes
uptime               23:05

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0 (not sure if nextcloudpi is using the same)

What should I do?

Thanks


#2

Hi @jean2

you have ipv4 and ipv6 addresses ( https://check-your-website.server-daten.de/?q=vercingeto.freeboxos.fr ):

Host                         T     IP-Address              is auth.  ∑ Queries  ∑ Timeout
vercingeto.freeboxos.fr      A     88.190.248.159          yes       1          0
vercingeto.freeboxos.fr      AAAA  2a01:e35:8bef:89f0::1   yes
www.vercingeto.freeboxos.fr  Name Error                    yes       1          0

But your ipv6 doesn’t work, there is only a timeout.

Your certificate is expired

CN=vercingeto.freeboxos.fr, valid from 24.12.2018 to 24.03.2019, 4 days expired, vercingeto.freeboxos.fr - 1 entry

Perhaps remove the ipv6, renew your certificate, then fix your ipv6 configuration.
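The diagnosis in this post (an AAAA record is published but nothing answers over IPv6, so an http-01 validator that tries the IPv6 address times out) can be reproduced from the client side before asking for a certificate. The script below is an added example, not from the original thread or from nextcloudpi: it resolves A and AAAA records, attempts a TCP connection to each over its own address family, and maps the outcome to the likely failure mode. The record list in SAMPLE_RECORDS is constructed to mirror the thread and is used only for offline runs; `lookup` does a live resolution.

```python
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample input mirroring the records quoted in post #2 (no live lookup).
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("A", "88.190.248.159"),
    ("AAAA", "2a01:e35:8bef:89f0::1"),
]


def lookup(host: str) -> List[Tuple[str, str]]:
    """Resolve host to ("A" | "AAAA", address) pairs via the system resolver."""
    records: List[Tuple[str, str]] = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP):
        label = "A" if fam == socket.AF_INET else "AAAA"
        if (label, sockaddr[0]) not in records:
            records.append((label, sockaddr[0]))
    return records


def probe(addr: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP handshake to addr:port completes within timeout, else False."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable network, or timeout: all count as "no answer"
        return False


def diagnose(results: Dict[str, Optional[bool]]) -> str:
    """Map per-record-type reachability to the http-01 failure it implies."""
    v4, v6 = results.get("A"), results.get("AAAA")
    if v6 is False:
        # A validator that prefers the AAAA record will hit this timeout first.
        return "AAAA published but IPv6 unreachable: remove the AAAA record or make the web server listen on [::]"
    if v4 is False:
        return "A record unreachable on this port: check NAT/port forwarding and firewall"
    if v4 is None and v6 is None:
        return "no address records found"
    return "all published addresses reachable"


def check(host: str, port: int = 80, timeout: float = 5.0,
          records: Optional[List[Tuple[str, str]]] = None):
    """Probe every published address of host on port; returns (results, verdict)."""
    records = lookup(host) if records is None else records
    results: Dict[str, Optional[bool]] = {}
    for label, addr in records:
        # A record type counts as reachable only if every address of that type answers.
        results[label] = results.get(label, True) and probe(addr, port, timeout)
    return results, diagnose(results)


if __name__ == "__main__":
    print(check("vercingeto.freeboxos.fr", 80))
```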


#3

Hello,

Yes my certificate is expired, but the automatic renewal failed while it used to work, hence my question.

What does it mean to remove ipv6? I tried to deactivate it from my box or from my internet provider’s website, but the problem remains, so I’m not sure what I’m doing. But again, what’s weird is that it used to work.

Thanks


#4

Check your domain management (DNS). There is an AAAA record with the value 2a01:e35:8bef:89f0::1.

Remove that value.

Later you can add this entry again.


#5

Hello,

From what I understood, the DNS is handled by my internet provider (a French one, “Free”), which gives the possibility to create a subdomain under their domain freeboxos.fr. So I don’t know if I have full access.

All I got from my webpanel of the box is:


where it says “Activate IPv6” and the other part is “prefix delegation”, which I don’t know what it does, but the address you mentioned appears here and is grayed out.
There is also a button on the account on their website which says “IPv6 support -> Yes/No”, so I chose No and restarted everything, but I got the same error.

I’ve just seen this article: https://www.freenews.fr/freenews-edition-nationale-299/freebox-9/il-ne-sera-bientot-plus-possible-de-desactiver-ipv6-sur-freebox
It says that it won’t be possible anymore to deactivate ipv6 on the box.


#6

Is this your domain management? Looks more like your internet connection management.

If you can’t change that, you have to configure your Apache so that ipv6 is used.

Something like

Listen [::]:80
Listen [::]:443

in your config file.


#7

Where do I find this config file?


#8

Your server answers as Apache:

Server: Apache

Perhaps in

/etc/apache2/

But I don’t use a Raspberry.


#9

There are various dirs and various files in there.
Would you have any idea what the entire file looks like, so I might find it?


#10

@JuergenAuer, I modified my port.conf file, which looks like this now:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80
Listen [::]:80

<IfModule ssl_module>
	Listen 443
	Listen [::]:443
</IfModule>

<IfModule mod_gnutls.c>
	Listen 443
	Listen [::]:443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

but it still doesn’t work. (I ran service apache2 restart and rebooted the Raspberry before trying again.)