Renew Certificate Error

Hey guys,
I'm running Nextcloud on my Raspberry Pi and it worked fine just until a few days ago, when the Let's Encrypt certificate expired. I'm not able to reach my cloud in a browser; Firefox gives me the following error code: SEC_ERROR_EXPIRED_CERTIFICATE. But I can reach my cloud with the desktop and smartphone app, so it's still working.
If I'm trying to renew the certificate on my Raspberry it gives me this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/powercloud.spdns.de.conf

Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for powercloud.spdns.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (powercloud.spdns.de) from /etc/letsencrypt/renewal/powercloud.spdns.de.conf produced an unexpected error: Failed authorization procedure. powercloud.spdns.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://powercloud.spdns.de/.well-known/acme-challenge/yIjjuFB_pGIMY2mMh8DFnWpTLlc3t32ujH0742ONUMA [31.16.75.132]: "\r\n403 Forbidden\r\n<body bgcolor="white">\r\n403 Forbidden\r\n". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/powercloud.spdns.de/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/powercloud.spdns.de/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

I have no idea what to do, the IP address is correct.
I hope you can help me :slight_smile:

Hi @MadUnicorn

Checking your domain - yep, there is a 403 - https://check-your-website.server-daten.de/?q=powercloud.spdns.de

Domainname Http-Status redirect Sec. G
http://powercloud.spdns.de/
31.16.75.132 301 https://powercloud.spdns.de/ 0.163 A
https://powercloud.spdns.de/
31.16.75.132 302 https://powercloud.spdns.de/login 2.773 N
Certificate error: RemoteCertificateChainErrors
https://powercloud.spdns.de/login 200 2.640 N
Certificate error: RemoteCertificateChainErrors
small content:
http://powercloud.spdns.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
31.16.75.132 301 https://powercloud.spdns.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.084 A
Visible Content: 301 Moved Permanently nginx/1.10.3
https://powercloud.spdns.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 403 2.233 N
Forbidden
Certificate error: RemoteCertificateChainErrors
Visible Content: 403 Forbidden nginx/1.10.3

But it's not the http, it's your https configuration. Expected is an http status 404 - Not Found, not 403.

So first step: Check your config file in

/etc/letsencrypt/renewal

to see which webroot you use.

Then check if this is the correct webroot and if the permissions are correct.

Create the two subdirectories

yourwebroot/.well-known/acme-challenge

and there a file (file name 1234), then try to load that file via

 https://powercloud.spdns.de/.well-known/acme-challenge/1234

or use the online tool to check that URL.

That must work.

Okay so my config file (powercloud.spdns.de.conf) says the following:

renew_before_expiry = 30 days

version = 0.28.0
archive_dir = /etc/letsencrypt/archive/powercloud.spdns.de
cert = /etc/letsencrypt/live/powercloud.spdns.de/cert.pem
privkey = /etc/letsencrypt/live/powercloud.spdns.de/privkey.pem
chain = /etc/letsencrypt/live/powercloud.spdns.de/chain.pem
fullchain = /etc/letsencrypt/live/powercloud.spdns.de/fullchain.pem

Options used in the renewal process

[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
webroot_path = /var/www/html,
account = 5ae9462977b08629b1d672976d1c31da
[[webroot_map]]
powercloud.spdns.de = /var/www/html

Seems about right to me but I'm not quite sure. How do I check if the permissions are correct, and where exactly do I place the file 1234 to be able to access it online? And just to understand, what do I gain by creating the file? To check if I can reach my cloud?
Thanks for your help

There

is your webroot_path. I'm curious about the , (comma) at the end; perhaps remove that, perhaps that's the problem.

Then create the two subdirectories

/var/www/html/.well-known/acme-challenge

and there a file, then test it. This directory needs the correct permissions (if it is correct).

To check if your webroot path is correct and has the correct permissions.
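The webroot check described in the two replies above (read webroot_path from the renewal conf, create .well-known/acme-challenge under it, drop a test file, fetch it as Let's Encrypt would), as an added script that is not part of the thread. It assumes curl is installed and that the domain and renewal conf path are passed as arguments; the sample conf at the bottom is constructed to mirror the one posted, including the trailing comma.

```shell
# Added example, not from the thread: check that the webroot named in a certbot
# renewal conf really serves a test file on the .well-known/acme-challenge path.
# Assumes: curl is installed; domain and conf path are given as arguments.

# Read webroot_path from the renewal conf and drop a trailing comma, so the
# stray "," seen in the posted conf does not become part of the directory.
parse_webroot() {
    sed -n 's/^webroot_path *= *//p' "$1" | head -n 1 | sed 's/,[[:space:]]*$//'
}

# HTTP status of a URL. -L follows the http->https 301; -k tolerates the
# expired certificate, which is exactly the state you are trying to fix.
fetch_status() {
    curl -skL -o /dev/null -w '%{http_code}' "$1"
}

# Place a token file in <webroot>/.well-known/acme-challenge, fetch it the way
# the ACME validator would, and report 200-with-content versus 403/404.
check_challenge_path() {
    domain="$1"; conf="$2"
    webroot=$(parse_webroot "$conf")
    [ -n "$webroot" ] || { echo "no webroot_path in $conf"; return 1; }
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="test-$(date +%s)"
    printf 'hello-acme\n' > "$dir/$token"
    url="http://$domain/.well-known/acme-challenge/$token"
    status=$(fetch_status "$url")
    body=$(curl -skL "$url")
    rm -f "$dir/$token"
    if [ "$status" = "200" ] && [ "$body" = "hello-acme" ]; then
        echo "OK: $url served from $dir"; return 0
    fi
    echo "FAIL: $url returned $status, expected 200 with the file content"
    echo "      inspect ownership/permissions of $dir and the server's /.well-known/ rules"
    return 1
}

# Constructed sample conf mirroring the posted one (including the trailing comma).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
powercloud.spdns.de = /var/www/html
EOF
echo "webroot from sample conf: $(parse_webroot "$SAMPLE_CONF")"   # /var/www/html
# Real check against your own server: sh check.sh <domain> <renewal-conf>
if [ "$#" -ge 2 ]; then check_challenge_path "$1" "$2"; fi
```

Run it on the Pi itself with the domain and the conf path from /etc/letsencrypt/renewal; a 403 here means the webserver, not certbot, is refusing the challenge directory.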

Okay, thanks for your answer.
I removed the comma, but that didn't change a thing. Then I created the file "1234", which I can't reach in my browser due to a possible security problem, as Firefox tells me. I get the same screen when I want to reach my cloud normally, saying that there's a certificate missing: "SEC_ERROR_EXPIRED_CERTIFICATE".
I'm just curious why I simply can't renew my certificate; the cloud just worked fine before it expired.

Create an exception in your browser.

Then you see the problem:

https://powercloud.spdns.de/.well-known/acme-challenge/1234

There is an http status 403 - Forbidden.

So there is a wrong configuration. You must see the content of your test file; an http status 200 is required.

Sorry I'm writing late, I was on vacation.
So there is a wrong configuration but what can i do to fix it?
Is there a way to see where exactly the error is located and what caused it?

It might help us to know what webserver software you are using.

Would you like to share your webserver configuration here please?

Okay so I experimented a bit, updated my Raspberry and suddenly I was able to renew the certificate. I don't know what exactly the problem was, but after restarting nginx everything just worked fine. So thanks for your answers and your help guys! :smiley:
