SSL certs stopped working for self hosted Nextcloud installation

Yes, that is something I'd like to be able to do.


Then the first thing you need to do is to update the DNS zone from:

Name:    cloud.aslanfrench.work
Address: 192.168.1.202

To:

Name:    cloud.aslanfrench.work
Address: 136.49.246.64

[and if that new IP can change, then you may need use a DDNS client to keep that IP updated]


A DDNS is a dedicated DNS, right? It's so that the IP doesn't change a bunch. I'm lucky and have Google Fiber and it doesn't actually change IP that often.

I have changed the DNS to point to the right IP. I didn't do that already because I thought: "why isn't 136.49.246.64 but the internal IP is?"

But I have just now remembered that my nginx sorts incoming traffic by the subdomain used through a reverse proxy config, so maybe now that my DNS is pointing cloud.aslanfrench.work to the correct location, it will work. We'll see. I have told the DNS to refresh and I'll check back in an hour or two once it's propagated.

EDIT:

DNS says it's already propagated. Going to cloud. gives the SSL cert error. I run the certbot command and I get the following:

└─➤ sudo certbot --nginx
[sudo] password for aslan: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: cloud.aslanfrench.work
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for cloud.aslanfrench.work

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: cloud.aslanfrench.work
  Type:   connection
  Detail: Fetching http://cloud.aslanfrench.work/.well-known/acme-challenge/UymF3R66cj_t6qFv8buIW19xkX5muMYSg-ER0xGOn74: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

is it safe to share the log contents here? I checked them yesterday and it appears to contain my entire nginx config within the log.

The "D" in front of DNS is for Dynamic.

If it can change at all, you should use a DDNS client which can keep the IP updated.

Generally yes, although using the --nginx plugin will alter the nginx config and that can be reflected in the log files.
I don't really think we need to see that log file to understand what has gone wrong in this case:
http://cloud.aslanfrench.work/ fails to reach your nginx server.

I get:

curl -Ii http://cloud.aslanfrench.work/
curl: (56) Recv failure: Connection reset by peer

Sorry, what does that mean? I'm googling it but finding a lot of different stuff. Does this mean my router port isn't open and it's being refused or something like that?


There is no way for anyone here to know exactly why it doesn't work.


You'll probably also need to forward port 80 on the router to port 80 on your web server, and port 443 on the router to port 443 on your web server.


I would assume what I have is valid since it was previously valid and can still be accessed locally using the internal ip right?

I guess I should take this to the nextcloud forum since this isn't a letsencrypt issue. Thank you for the help.


I double checked and I still have my port forwarding settings on my router. Thanks for the help. I'll check in with nextcloud people for the rest. Have a nice day!


I double checked my ports again and I noticed that the port forwarding was only set up for my server via a wired connection, whereas my server is now connected by wifi in my new apartment due to the ISP hook up being in the bathroom for some reason.

So I updated the port forwarding for the router to point to the wifi and it appears to have worked. Or at least when I go to https://cloud.aslanfrench.work I get a SSL cert error instead of a refused connection, which matches what happened when I had the DNS pointing to the internal IP.

So now it works except for the broken SSL.

With that in mind I ran certbot again and get the following response:


blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for cloud.aslanfrench.work

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: cloud.aslanfrench.work
  Type:   connection
  Detail: Fetching http://cloud.aslanfrench.work/.well-known/acme-challenge/ChvbUe1FL8m9brA2C7rwtJr3cziVTD3gjZqfaWP2sQ0: Connection refused

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

You should check your port 80 forwarding. I can see your site with https but I cannot see your site with http. The msg about expired cert could not occur without at least seeing your site. The http never gets to your site.

My tests:

curl -I cloud.aslanfrench.work
curl: (7) Failed to connect to cloud.aslanfrench.work port 80: Connection refused

curl -I https://cloud.aslanfrench.work
curl: (60) SSL certificate problem: certificate has expired

Hopefully this is not your ISP blocking port 80 (some do).

Also see:
https://decoder.link/sslchecker/cloud.aslanfrench.work/443


That website is really useful!

And your post was very helpful.

I double checked again and while I properly moved over the 8080 port forwarding I missed the 80 port.

I have corrected this but when I use the namecheap tool it still says handshake failed.

I have my nginx set up with a reverse proxy that forwards all port 80 traffic to https.

nextcloud.conf looks like this:

server {
	listen 80;
	listen [::]:80;
	server_name cloud.aslanfrench.work;

	# Serve ACME HTTP-01 tokens from disk. With "root" the full request
	# path is appended, so the files must live under
	# /var/www/letsencrypt/.well-known/acme-challenge/<token>.
	location /.well-known/acme-challenge {
		root /var/www/letsencrypt;
		default_type "text/plain";
		try_files $uri =404;
	}

	# Everything else is redirected to HTTPS. This form drops the
	# original path; https://$host$request_uri would preserve it.
	location / {
		return 301 https://$server_name:443;
	}
}

As you can see with the Location it forwards everything to 443. So is the issue here something to do with that?


It works as written; But the forwarding doesn't need the ":443".
Instead try using:
return 301 https://$host$request_uri;

What is the pending "issue" exactly?
What "handshake"?


This is what it shows me:

https://decoder.link/sslchecker/cloud.aslanfrench.work/80

It says

Handshake failed, we haven't received any certificates from the requested server.

I don't know what that means. I would assume it means that they tried to grab the certs, and then didn't get them. Makes sense it couldn't get certs because certbot hasn't made them. But then why isn't certbot working when I run it? Earlier it appeared to be a connection issue but now I've set up the port forwarding correctly.

I tried running curl on the connection myself but I get no response from CLI. Not even an error response.


Try port 443. That is for https. Port 80 is used for http which has no certificate


443 works fine:

But when I run certbot it gives me this error:


Then you either:

  • block certain geolocations/countries

OR

  • have a problem in the HTTP vhost config

And again:

I see:

curl -Ii cloud.aslanfrench.work
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 11 Nov 2021 05:29:13 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://cloud.aslanfrench.work:443

I don't think it's this, since I haven't changed anything when I moved to a new apartment.

I'm using nginx. I thought vhost stuff was just for apache?

Also, like I said, I haven't changed anything with my server configs from my last apartment, so I don't know how this could be the source of the issue.


Virtual hosts (vhosts) are for all modern web servers.

Let's have a look at the output of:
nginx -T
and place a test file in the expected challenge location, like:
echo "test1234" > /var/www/letsencrypt/Test_File-1234

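The checks suggested in the reply above (DNS pointing at the public IP, port 80 reachable, a test file served from the challenge location), as an added example script that is not part of the thread and not Certbot's or nginx's own code. It assumes the hostname and the nginx `root` directory from the posted config (`/var/www/letsencrypt`), and uses OpenDNS's `myip.opendns.com` lookup as an assumed way to learn the public address. It also shows the root-versus-alias point: with `root`, nginx appends the whole request path, so the test file has to sit under `<root>/.well-known/acme-challenge/`, not directly in `<root>`.

```shell
#!/bin/sh
# Added example (not from the thread): local checks for a failing HTTP-01
# challenge. Assumed inputs: the hostname and the nginx "root" of the
# /.well-known/acme-challenge location. Requires curl and dig.

# Public A record the CA will use (must be the WAN address, not the LAN one).
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9.]+$' | head -n 1
}

# Public address of this connection, via OpenDNS (assumed helper service).
public_ip() {
    dig +short myip.opendns.com @resolver1.opendns.com
}

# Write a test token where an nginx "root" directive maps the challenge URL.
# "root /var/www/letsencrypt;" appends the full URL path, so the file goes in
# <root>/.well-known/acme-challenge/<token> (an "alias" would drop the prefix).
# Prints the path written.
place_token() {
    webroot=$1; token=$2
    mkdir -p "$webroot/.well-known/acme-challenge"
    printf '%s\n' "$token" > "$webroot/.well-known/acme-challenge/$token"
    printf '%s\n' "$webroot/.well-known/acme-challenge/$token"
}

# Fetch the token over plain HTTP on port 80, the way the CA does.
# Prints "<curl exit code> <http status>" (status is 000 if nothing connected).
fetch_token() {
    host=$1; token=$2
    status=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' \
        "http://$host/.well-known/acme-challenge/$token")
    printf '%s %s\n' "$?" "$status"
}

# Map the (curl exit code, HTTP status) pair to the likely cause, using the
# curl exit codes that appeared in this thread (7, 56, 60) plus a timeout.
interpret_result() {
    code=$1; status=$2
    case "$code" in
        0)
            case "$status" in
                200) echo "ok: challenge path is served on port 80" ;;
                301|302) echo "redirect: the catch-all redirect is swallowing /.well-known/acme-challenge" ;;
                404) echo "reached nginx but wrong root/alias or file path" ;;
                *) echo "reached nginx, unexpected status $status" ;;
            esac ;;
        7)  echo "connection refused: port 80 not forwarded or nothing listening" ;;
        28) echo "timeout: port 80 filtered (router firewall or ISP block)" ;;
        56) echo "connection reset: something answered then closed port 80" ;;
        *)  echo "curl exit $code: see curl(1)" ;;
    esac
}

# End-to-end run: DNS vs public IP, then a real fetch of a throwaway token.
diagnose() {
    host=$1; webroot=$2
    a=$(resolve_a "$host"); pub=$(public_ip)
    echo "DNS A record: $a   public IP here: $pub"
    [ "$a" = "$pub" ] || echo "mismatch: update the zone (or run a DDNS client)"
    token="test-$(date +%s)"
    path=$(place_token "$webroot" "$token")
    result=$(fetch_token "$host" "$token")
    interpret_result $result
    rm -f "$path"
}

# Usage: sh acme-check.sh cloud.example.org [/var/www/letsencrypt]
if [ -n "${1:-}" ]; then
    diagnose "$1" "${2:-/var/www/letsencrypt}"
fi
```

Run it from outside the LAN if possible (a phone hotspot, or a VPS): many consumer routers do not hairpin NAT, so a fetch from inside the network can succeed or fail for reasons that have nothing to do with the port forward the CA depends on.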
