Too many certificates created and struggling to set up Certbot - NextCloud / SNAP

Hello everyone,

First of all, I'm a noob.

I use a server where my Nextcloud is installed on a domain like mynextcloud.fr

I installed Nextcloud with the snap command, and I enabled HTTPS through this command:
sudo nextcloud.enable-https lets-encrypt

It worked for the first 6 months, and two days ago, I received an email telling me that my certificate will expire on the 10th of October.

So I tried to set up Certbot following this tutorial: Certbot - Ubuntufocal Other
But I got stuck at step 7. As my server is running on this machine (server, I guess), I preferred to use the second way, where I need to keep my web server running on this machine, so I entered this command:
sudo certbot certonly --webroot

And it asks me for a webroot thingy... I didn't understand what this was, so I preferred to use the old method.

So the first question is : what is webroot ? And maybe there is a simpler way to setup Certbot.

As I said, as I didn't know how to configure Certbot, I finally used the command again:
sudo nextcloud.enable-https lets-encrypt

The thing is, it didn't work several times. I actually got a success message from my shell, but my website still wasn't in HTTPS. So I tried several times (up to 5 times), and now I get an error message telling me: you can't generate more than 5 certificates.

So the second question is : how to use one of those certificate ? and why it didn't work properly ?

Thanks a lot for your help guys,

Hi @PerfectJam and welcome to the LE community forum :slight_smile:
Where we serve users of all skill levels!
Thank you for being upfront with yours :wink:

The "web" "root" is the "root" directory where the "web" site is being served from.

As certbot is obviously already set up, I suspect that you mean to ask about "how to easily obtain a cert using certbot".
There are only three ways to obtain a cert using certbot.
I will order them in order of their usual complexity:

  1. using a plugin to authenticate and pass the challenge request:
    --apache [if you use Apache web server]
    --nginx [if you use nginx web server]
  2. using the webroot parameter to point certbot where to place the challenge response.
  3. using DNS authentication - which requires using a plugin that can manipulate your DNS zone entries via API [this requires that your DNS Service Provider (DSP) support updates via API - not all do]

So before we go down any of those paths...
And because I take nothing for granted...
And because you stated "First of all, I'm a noob."...
And because you seem to be basing your need to renew on this one thing:
"two days ago, I received an email telling me that my certificate will expire the 10th of October"

I must (go back and) begin at the beginning.
Is the cert in use actually expired now (today is after Oct 10)?
[If you provide the FQDN (domain name), we may be better able to help you (and quicker)]

1 Like
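
The webroot idea from the reply above, as an added example that is not part of the original posts: a webroot-based client writes the challenge file under `<webroot>/.well-known/acme-challenge/` and the CA fetches it over HTTP, so the directory given must be the one the web server actually serves. The helper names, the loopback server and the temporary directories are assumptions made for the demonstration.

```python
import http.server
import secrets
import tempfile
import threading
import urllib.request
from functools import partial
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # URL path the CA fetches (HTTP-01)
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy


def challenge_file(webroot: Path, token: str) -> Path:
    """File a webroot-based ACME client creates for `token`."""
    return webroot / CHALLENGE_DIR / token


def probe_webroot(webroot: Path, base_url: str) -> bool:
    """Write a random probe under `webroot`; True if `base_url` serves it back."""
    token, body = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    path = challenge_file(webroot, token)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    try:
        url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
        with _OPENER.open(url, timeout=5) as resp:
            return resp.status == 200 and resp.read().decode() == body
    except OSError:  # covers connection errors and HTTP 404 (HTTPError)
        return False
    finally:
        path.unlink(missing_ok=True)


def demo() -> tuple:
    """Constructed loopback demo: one temp dir is served, the other is not."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        handler = partial(http.server.SimpleHTTPRequestHandler, directory=served)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        try:
            return probe_webroot(Path(served), base), probe_webroot(Path(other), base)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print(demo())
```

On a real server, `probe_webroot` would be called with the candidate directory and the site's own `http://` URL before that directory is passed to `certbot certonly --webroot`.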

Hello @rg305 and thank you for your help !

I installed Nextcloud using snap command on my server (running on Ubuntu server 20.04).

The certificate expired on October 10 (I received an email from Let's Encrypt)
The domain name is : www.jamofara.fr

If you need more information, tell me ! :slight_smile:

Have a good day,

1 Like

Please show the LE logs file:
/var/log/letsencrypt/letsencrypt.log

And also the output of:
sudo apachectl -t -D DUMP_VHOSTS

Also, please remove the ":443" from the redirection:
[:443 is implied by HTTPS]

curl -Iki www.jamofara.fr
HTTP/1.1 301 Moved Permanently
Date: Wed, 13 Oct 2021 07:55:51 GMT
Server: Apache
Location: https://www.jamofara.fr:443/

There are multiple CAs involved here:
crt.sh | jamofara.fr

Which ACME clients are you using?
What renewal commands have you tried?

What does this say?:
certbot certificates

Hello there, thank you for replying so fast.

  • I have multiple letsencrypt.log files in this directory, 10 files to be precise. Here is a copy-paste of the first one; let me know if you need the others!

2021-10-13 03:09:40,585:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-10-13 03:09:41,661:DEBUG:certbot._internal.main:certbot version: 1.20.0
2021-10-13 03:09:41,662:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1514/bin/certbot
2021-10-13 03:09:41,662:DEBUG:certbot._internal.main:Arguments: ['-q', '--preconfigured-renewal']
2021-10-13 03:09:41,662:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-10-13 03:09:41,698:DEBUG:certbot._internal.log:Root logging level set at 40
2021-10-13 03:09:41,702:DEBUG:certbot._internal.display.obj:Notifying user:


2021-10-13 03:09:41,702:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2021-10-13 03:09:41,702:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-10-13 03:09:41,702:DEBUG:certbot._internal.renewal:no renewal failures

  • When I run the command
    sudo apachectl -t -D DUMP_VHOSTS
    I got this :
    apachectl: command not found

  • How can I remove the redirection ?

  • When you say multiple CAs, you mean multiple certificates (generated by Let's Encrypt), right?
    If yes, indeed, there are multiple: 5 for jamofara.com and 1 for www.jamofara.fr

  • How can I know my ACME client (I thought it was Let's Encrypt)

  • I tried multiple times (because I didn't have the https on my browser) :
    nextcloud.enable-https lets-encrypt

  • certbot certificates says :
    root@localhost:~# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certificates found.


Try:
sudo httpd -t -D DUMP_VHOSTS

You need to modify the http vhost config file (or an .htaccess file if done that way).

No, I mean multiple Certificate Authorities (CA).

It might be just that one - if you don't recall installing any other.
[but I haven't yet ruled out having multiple versions of certbot installed - that can happen]

Well that's not good... :frowning:

The site cert lacks the "www".
See: SSL Server Test: jamofara.fr (Powered by Qualys SSL Labs)
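
The "lacks the www" finding above, as an added example that is not part of the original posts: a certificate only covers the names listed in its subjectAltName, and a bare domain entry does not cover the `www` host. The function names are assumptions, and the sample text is constructed in the format printed by `openssl x509 -noout -ext subjectAltName`.

```python
import re

# Constructed samples in the format printed by
# `openssl x509 -noout -ext subjectAltName`; not captured from the real site.
BARE_ONLY = "X509v3 Subject Alternative Name: \n    DNS:jamofara.fr\n"
WILDCARD = "X509v3 Subject Alternative Name: \n    DNS:example.org, DNS:*.example.org\n"


def parse_dns_sans(ext_text: str) -> list:
    """Extract the DNS entries from subjectAltName text."""
    return [name.lower() for name in re.findall(r"DNS:([^\s,]+)", ext_text)]


def san_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*' standing in for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # 'example.org' never covers 'www.example.org'
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def uncovered(hosts, sans):
    """Hostnames a browser would reject for a certificate with these SANs."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    sans = parse_dns_sans(BARE_ONLY)
    print(uncovered(["jamofara.fr", "www.jamofara.fr"], sans))
```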

  • sudo httpd -t -D DUMP_VHOSTS
    it gives me :

root@localhost:~# sudo httpd -t -D DUMP_VHOSTS
sudo: httpd: command not found

I tried to install it but I get this :

root@localhost:~# sudo apt-get install httpd
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package httpd is a virtual package provided by:
nginx 1.21.3-1~focal
nginx-light 1.18.0-0ubuntu1.2
nginx-full 1.18.0-0ubuntu1.2
nginx-extras 1.18.0-0ubuntu1.2
lighttpd 1.4.55-1ubuntu1.20.04.1
nginx-core 1.18.0-0ubuntu1.2
apache2 2.4.41-4ubuntu3.6
yaws 2.0.7+dfsg-1
webfs 1.21+ds1-12
tntnet 2.2.1-4build1
ocsigenserver 2.16.0-2
mini-httpd 1.30-2
micro-httpd 20140814-2
You should explicitly select one to install.

  • I'll try to remove the redirection, but it will take some time :sweat_smile:

The thing is, when I installed Nextcloud, I simply followed this tutorial (in French, but the commands are understandable by themselves, I guess): Comment installer et configurer Nextcloud sur Ubuntu 20.04 | DigitalOcean

And I thought that just running this command again: nextcloud.enable-https lets-encrypt would renew my CA.

You should not have to install anything.

Please show the output of:
cat /snap/nextcloud/current/meta/snap.yaml

From the little I can understand, it should have.

Here is the output, sir:

root@localhost:~# cat /snap/nextcloud/current/meta/snap.yaml
name: nextcloud
version: 22.2.0snap2
summary: Nextcloud Server - A safe home for all your data
description: |
  Access, share and protect your files, calendars, contacts, communication and
  more at home and in your enterprise.
apps:
  apache:
    command: bin/run-httpd -k start -DFOREGROUND
    stop-command: bin/httpd-wrapper -k stop
    reload-command: bin/httpd-wrapper -k graceful
    daemon: simple
    restart-condition: always
    plugs:
    - network
    - network-bind
    - removable-media
    command-chain:
    - snap/command-chain/snapcraft-runner
  disable-https:
    command: bin/disable-https
    plugs:
    - network
    - network-bind
    command-chain:
    - snap/command-chain/snapcraft-runner
  enable-https:
    command: bin/enable-https
    plugs:
    - network
    - network-bind
    command-chain:
    - snap/command-chain/snapcraft-runner
  export:
    command: bin/export-data
    plugs:
    - network
    - network-bind
    - removable-media
    command-chain:
    - snap/command-chain/snapcraft-runner
  import:
    command: bin/import-data
    plugs:
    - network
    - network-bind
    - removable-media
    command-chain:
    - snap/command-chain/snapcraft-runner
  logrotate:
    command: bin/run-logrotate
    daemon: simple
    restart-condition: on-failure
    timer: 00:00
    command-chain:
    - snap/command-chain/snapcraft-runner
  manual-install:
    command: bin/manual-install
    plugs:
    - network
    - network-bind
    - removable-media
    command-chain:
    - snap/command-chain/snapcraft-runner
  mdns-publisher:
    command: bin/delay-on-failure mdns-publisher nextcloud
    daemon: simple
    restart-condition: always
    plugs:
    - network
    - network-bind
    command-chain:
    - snap/command-chain/snapcraft-runner
  mysql:
    command: bin/start_mysql
    stop-command: support-files/mysql.server stop
    reload-command: bin/reload-mysql
    daemon: simple
    restart-condition: always
    plugs:
    - network
    - network-bind
    command-chain:
    - snap/command-chain/snapcraft-runner
  mysql-client:
    command: bin/run-mysql
    plugs:
    - network
    - network-bind
    command-chain:
    - snap/command-chain/snapcraft-runner
  mysqldump:
    command: bin/run-mysqldump
    plugs:
    - network
    - network-bind
    command-chain:
    - snap/command-chain/snapcraft-runner
  nextcloud-cron:
    command: bin/nextcloud-cron
    daemon: simple
    restart-condition: on-failure
    plugs:
    - network
    - network-bind
    - removable-media
    command-chain:
    - snap/command-chain/snapcraft-runner
  nextcloud-fixer:
    command: bin/nextcloud-fixer
    daemon: simple
    restart-condition: on-failure
    plugs:
    - network
    - network-bind
    - removable-media
    command-chain:
    - snap/command-chain/snapcraft-runner
  occ:
    command: bin/occ
    plugs:
    - network
    - network-bind
    - removable-media
    command-chain:
    - snap/command-chain/snapcraft-runner
  php-fpm:
    command: bin/start-php-fpm
    reload-command: bin/reload-php
    daemon: simple
    restart-condition: always
    plugs:
    - network
    - network-bind
    - network-observe
    - removable-media
    command-chain:
    - snap/command-chain/snapcraft-runner
  redis-server:
    command: bin/start-redis-server
    daemon: simple
    restart-condition: always
    plugs:
    - network
    - network-bind
    command-chain:
    - snap/command-chain/snapcraft-runner
  renew-certs:
    command: bin/renew-certs
    daemon: simple
    restart-condition: always
    plugs:
    - network
    - network-bind
    command-chain:
    - snap/command-chain/snapcraft-runner
architectures:
- amd64
assumes:
- command-chain
base: core18
confinement: strict
grade: stable
hooks:
  configure:
    plugs:
    - network
    - network-bind
    - removable-media
  pre-refresh:
    plugs:
    - network
    - network-bind
    - removable-media

Ok, I'm not familiar with all of that (maybe some other reader can better advise).
But in the meantime...
Let's find this program "bin/httpd-wrapper", with:
sudo find / -name httpd-wrapper

Here we are :

root@localhost:~# sudo find / -name httpd-wrapper
/snap/nextcloud/28586/bin/httpd-wrapper
/snap/nextcloud/28575/bin/httpd-wrapper
find: ‘/proc/543438’: No such file or directory

Let's try:
/snap/nextcloud/28586/bin/httpd-wrapper -t -D DUMP_VHOSTS

If that fails, try:
/snap/nextcloud/28586/bin/httpd-wrapper -S

Omg, nothing works on my installation :rofl:

root@localhost:~# cd /snap/nextcloud/28586/bin/
root@localhost:/snap/nextcloud/28586/bin# httpd-wrapper -t -D DUMP_VHOSTS
httpd-wrapper: command not found
root@localhost:/snap/nextcloud/28586/bin# httpd-wrapper -S
httpd-wrapper: command not found

Ok, I'm out of my element here.
We'll have to wait for someone more experienced with this type of nextcloud installation.

Thanks a lot for your help !

Maybe I should start a fresh install of nextcloud. Everything looks a bit messy on my server...

Any tutorial to follow ?

1 Like

I would check on their site.
They should have some recommendations.

1 Like

You probably need to use ./httpd-wrapper instead of just httpd-wrapper. For that to work you need to be in the directory as you did before.

1 Like

Here we are :

root@localhost:~# cd /snap/nextcloud/28586/bin/
root@localhost:/snap/nextcloud/28586/bin# ./httpd-wrapper
./httpd-wrapper: 4: .: Can't open /utilities/common-utilities
root@localhost:/snap/nextcloud/28586/bin#

Hm, it's probably not supposed to be run from within the snap environment. I too have no clue about Nextcloud, so I don't have any ideas about this.

1 Like