Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: diesnatalislaetitia.ddns.net/nextcloud
I ran this command:
acme.sh --issue -d diesnatalislaetitia.ddns.net --keylength 4096 -w /var/www/letsencrypt \
  --key-file /etc/letsencrypt/diesnatalislaetitia.ddns.net/key.pem \
  --ca-file /etc/letsencrypt/diesnatalislaetitia.ddns.net/ca.pem \
  --cert-file /etc/letsencrypt/diesnatalislaetitia.ddns.net/cert.pem \
  --fullchain-file /etc/letsencrypt/diesnatalislaetitia.ddns.net/fullchain.pem \
  --reloadcmd "systemctl reload nginx.service"
It produced this output: Timeout during connect (likely firewall problem)
My web server is (include version): nginx
The operating system my web server runs on is (include version): Ubuntu LTS 16.04 (not sure)
My hosting provider, if applicable, is: myself?
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
I’ve set up a LEMP Nextcloud service for myself a while ago (last week of June), then I went on a business trip and more trips, and in August the certificate ran out.
So as I arrived home I tried to renew the certificate using the command shown above.
I’m very new to this stuff and only doing it as a hobby.
I used this tutorial to set up my Nextcloud server. Even though it’s in German, you can see the commands.
root /var/www;
location ^~ /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_redirect off;
}
location / {
# Enforce HTTPS
# Use this if you always want to redirect to the DynDNS address (no local access).
return 301 https://$server_name$request_uri;
# Use this if you also want to access the server by local IP:
#return 301 https://$server_addr$request_uri;
}
# Certificates used
ssl_certificate /etc/letsencrypt/diesnatalislaetitia.ddns.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/diesnatalislaetitia.ddns.net/key.pem;
# Not using TLSv1 will break:
# Android <= 4.4.40
# IE <= 10
# IE mobile <=10
# Removing TLSv1.1 breaks nothing else!
# TLSv1.3 is not supported by most clients, but it should be enabled.
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suite from https://cipherli.st/
# Max. security, but lower compatibility
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AE$
# Cipher suite from https://wiki.mozilla.org/Security/Server_Side_TLS
#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECD$
# (Modern) cipher suite from https://mozilla.github.io/server-side-tls/ssl-config-generator/
#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECD$
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
# Use multiple curves.
# secp521r1: Not supported by Chrome
# secp384r1: Not supported by Android (DAVdroid)
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
# Server should determine the ciphers, not the client
ssl_prefer_server_ciphers on;
# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# This should be ca.pem
# See here: https://certbot.eff.org/docs/using.html
ssl_trusted_certificate /etc/letsencrypt/diesnatalislaetitia.ddns.net/ca.pem;
# This is the local DNS server (e.g. the IP of the Router if it is used as DNS server in the local networ$
resolver 192.168.178.71;
# SSL session handling
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
#
# Add headers to serve security related headers
#
# HSTS (ngx_http_headers_module is required)
# In order to be recognized by SSL test, there must be an index.html in the server's root
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag none always;
add_header X-Download-Options noopen always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header Referrer-Policy no-referrer always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location = / {
# Disable access to the web root, otherwise nginx will show the default site here.
# deny all;
}
#
# Nextcloud
#
location ^~ /nextcloud/ {
# Set max. size of a request (important for uploads to Nextcloud)
client_max_body_size 10G;
# Besides the timeout values have to be raised in nginx' Nextcloud config, these values have to b$
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
send_timeout 3600;
proxy_buffering off;
proxy_request_buffering off;
proxy_max_temp_file_size 10240m;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:82;
proxy_redirect off;
}
# These two location blocks are needed, otherwise you'll get warnings in the Nextcloud admin UI later on
location = /.well-known/carddav {
return 301 $scheme://$host/nextcloud/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/nextcloud/remote.php/dav;
}
# Well-known URL for Webfinger
# Regardless of this rule, you'll get a warning in the admin UI when the social app is not installed
location = /.well-known/webfinger {
return 301 $scheme://$host/nextcloud/public.php?service=webfinger;
}
location ~ /(ocm-provider|ocs-provider)/ {
return 301 $scheme://$host/nextcloud/$1/;
}
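As an added example (not code from acme.sh, from the tutorial, or from this post): a small Python self-test that models what the CA's HTTP-01 validation does against the challenge path, so that the failure classes behind an error like "Timeout during connect" can be told apart. It runs entirely against a throwaway local server in a temporary directory; the token, the body and the directory names are constructed for the test. To probe a real setup, place the token under /var/www/letsencrypt and point check_challenge at the public name over plain HTTP (http://diesnatalislaetitia.ddns.net): "unreachable" points at port 80 not being forwarded to the box or being filtered on the way in, "http-404" at the webroot or the acme-challenge location (here proxied to 127.0.0.1:81) not serving that directory.

```python
"""Local self-test of an HTTP-01 challenge path (added example, not acme.sh code).

The CA fetches http://<host>/.well-known/acme-challenge/<token> over plain
HTTP on port 80 and compares the body with what the client published.
check_challenge() does the same fetch and classifies the outcome:
  "unreachable" - connect timeout/refused (port 80 filtered or not forwarded)
  "http-NNN"    - server answered, but not with the file (webroot/location mismatch)
  "mismatch"    - file served, but its content differs
  "ok"          - what the CA needs to see
self_test() reproduces all four outcomes against a throwaway local server.
"""
import http.server
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"

# Proxy settings from the environment are ignored so the fetch goes direct.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def write_token(webroot, token, body):
    """Publish a challenge file the way a webroot-mode client would."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    file_path = os.path.join(path, token)
    with open(file_path, "w") as f:
        f.write(body)
    return file_path


def check_challenge(base_url, token, expected_body, timeout=3.0):
    """Fetch the challenge URL and classify the result (see module docstring)."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with _opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # server reached, wrong answer
        return f"http-{e.code}"
    except (urllib.error.URLError, OSError):     # refused, timed out, no route
        return "unreachable"
    return "ok" if body.strip() == expected_body else "mismatch"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server for the test webroot, without request logging."""
    def log_message(self, fmt, *args):
        pass


def serve_dir(directory):
    """Serve `directory` on a random loopback port; returns (server, base_url)."""
    handler = partial(_QuietHandler, directory=directory)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}"


def _free_port():
    """A loopback port with nothing listening, to model a filtered port 80."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def self_test():
    """Run the four scenarios and return {scenario: classification}."""
    webroot = tempfile.mkdtemp(prefix="acme-selftest-")   # stand-in for /var/www/letsencrypt
    token = "selftest-token"                                # constructed, not a real ACME token
    body = "selftest-token.constructed-key-authorization"  # constructed sample body
    httpd, base_url = serve_dir(webroot)
    try:
        write_token(webroot, token, body)
        results = {
            "served": check_challenge(base_url, token, body),
            "missing_file": check_challenge(base_url, "no-such-token", body),
            "wrong_body": check_challenge(base_url, token, "some-other-body"),
        }
    finally:
        httpd.shutdown()
        httpd.server_close()
    results["closed_port"] = check_challenge(
        f"http://127.0.0.1:{_free_port()}", token, body, timeout=1.0)
    return results


if __name__ == "__main__":
    for scenario, outcome in self_test().items():
        print(f"{scenario:>13}: {outcome}")
```

The check deliberately uses plain HTTP and never follows a redirect to HTTPS as the only path: Let's Encrypt's validator does follow redirects, but a `return 301 https://...` in the port-80 server block that also catches `/.well-known/acme-challenge/` is a common reason for a 404 on the challenge, so the `location ^~ /.well-known/acme-challenge` block above must keep matching before the catch-all `location /`.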