TrueNAS Nextcloud failing HTTP challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: t42.dyndns.org

I ran this command: certbot --version

It produced this output: unexpected error occurred:
pkg_resources.ContextualVersionConflict: (google-api-core 2.2.2 (/usr/local/lib/python3.9/site-packages), Requirement.parse('google-api-core<2dev,>=1.21.0'), {'google-api-python-client'})

My web server is (include version): nginx

The operating system my web server runs on is (include version): TrueNAS 13.0

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): can't know this

Hi @evanmac, and welcome to the LE community forum :slight_smile:

I'd try updating the TrueNAS to their latest version.

3 Likes

Thanks for welcome, the TrueNAS version is
TrueNAS-13.0-U3

1 Like

I made the certbot working, but it throws me another error:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: xxx.xxx.TLD
Type: connection
Detail: xxx.xxx.xxx.xxx: Fetching http://xxx.xxx.TLD/.well-known/acme-challenge/xxxxxxxxxxxxx: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.

The HTTP-01 authentication challenge request must reach the file via HTTP.
Check the firewall.
Make sure the site is accessible via HTTP.

2 Likes

I had a redirect from http to https, so I disabled it in the nginx conf, but now the Let's Encrypt server answers me that I reached the limit of failed verifications.

How can I install the certificate, then?

The logs show no such redirection:

[still HTTP]

Wait one hour and try again.
OR
Use the staging/testing environment until you get it right.

4 Likes

Or, try using Let's Debug test site until you get it right (it uses LE staging system for one of its tests)

3 Likes

I used the test site and here is the answer:

ANotWorking

Error

t42.dyndns.org has an A (IPv4) record (78.30.56.133) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with t42.dyndns.org/78.30.56.133: Get "http://t42.dyndns.org/.well-known/acme-challenge/letsdebug-test": dial tcp 78.30.56.133:80: i/o timeout

Trace:
@0ms: Making a request to http://t42.dyndns.org/.well-known/acme-challenge/letsdebug-test (using initial IP 78.30.56.133)
@0ms: Dialing 78.30.56.133
@10001ms: Experienced error: dial tcp 78.30.56.133:80: i/o timeout

Yeah, I know, I used that site before I suggested it to you :slight_smile:

You need a valid HTTP connection to process an HTTP Challenge from the Let's Encrypt servers. You could also use a cell phone with wifi off to use your provider's public internet to test http://t42.dyndns.org too. It won't work now. You have to get that working.

3 Likes

that's why I'm asking for help: I'm at a dead end...

This isn't a forum to help with such general config problems. Our work usually starts once you have http working (for http challenges). Maybe some volunteer who knows TrueNAS might choose to advise.

But, the best option is to try a TrueNAS forum.

If this helps, I see these ports available right now (so, not 80 or 443)

nmap t42.dyndns.org -Pn
Not shown: 995 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   closed ftp
22/tcp   open   ssh
5900/tcp open   vnc
8080/tcp open   http-proxy

3 Likes

Might be a NAT portmap issue.

4 Likes

THIS!

The f***ing router doesn't accept the 80 redirection; I have to solve this!

Many thanks for your help!

1 Like

and, lo and behold:

Test result for t42.dyndns.org using http-01 (Rerun test)
All OK! OK
No issues were found with t42.dyndns.org. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

Now I have to deal with another problem:

Domain: t42.dyndns.org
Type: unauthorized
Detail: 78.30.56.133: Invalid response from http://t42.dyndns.org/ui/: "<!doctype html>\n<html lang=\"en\">\n\n<meta charset=\"utf-8\">\n<meta http-equiv=\"Pragma\" content=\"no-cache\">\n<meta http-eq
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.

But I leave it for tomorrow :smiley:

OK, but, that looks easier :slight_smile:

You are redirecting the http challenge request, which looks like this, to the /ui/ URI:

curl -i t42.dyndns.org/.well-known/acme-challenge/SampleChallengeToken
HTTP/1.1 302 Moved Temporarily
Server: nginx
Location: http://t42.dyndns.org/ui/

You need to return the contents of the challenge file instead. What you see in the response is your "/ui/" page contents

Do you configure the nginx server blocks yourself?

3 Likes
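As an added illustration (not a config from this thread, from TrueNAS or from Nextcloud), here is the port-80 nginx pattern that produces the 302 above beside a corrected block that serves the challenge file first and redirects everything else; the webroot path /usr/local/www/letsencrypt is an assumed placeholder and must match the directory given to certbot as --webroot-path / -w.

```nginx
# BEFORE (breaks HTTP-01): every request on port 80 is redirected, so the
# CA's fetch of /.well-known/acme-challenge/<token> receives a 302 and a
# page body instead of the token file.
server {
    listen 80;
    server_name t42.dyndns.org;
    return 302 https://$host$request_uri;
}

# AFTER: answer the challenge path from the webroot, then redirect the rest.
server {
    listen 80;
    server_name t42.dyndns.org;

    # "^~" makes this prefix match win over any regex locations, so the
    # challenge path is never caught by a redirect rule elsewhere.
    # The directory is an assumed placeholder; use the same path as certbot -w.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else may still be redirected to HTTPS or to /ui/.
    location / {
        return 302 https://$host$request_uri;
    }
}
```

After reloading nginx, the curl check shown above against a test file placed under .well-known/acme-challenge/ should return HTTP/1.1 200 with the file contents rather than a 302 with a Location header.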

The TrueNAS login

No, it's a nextcloud install in a TrueNAS Jail

I think that it's because the nextcloud works on a port, say, 3200, and TrueNAS answers on port 80.

I could try to "cross switch" the ports: the ext 80 to 3200 (the nextcloud instance, which I'd like to secure with cert), and the 3200 to 80 (the TrueNAS login)

Yeah, I don't know TrueNAS / NextCloud well enough to say. I've changed the title to reflect the current problem. Maybe that will draw in other volunteers or members to help.

You might also try a TrueNAS or nextcloud forum

An HTTP Challenge will need a proper response. The Let's Debug test site is helpful for new sites. There is a DNS Challenge too but that is often more difficult and I don't think that will help your fundamental routing problems for not only port 80 but also 443.

3 Likes

Using plugins in TrueNAS CORE will only bring you pain. See:

The relevant problem in this case is that beginning in TrueNAS 12, plugins use NAT which gives them weird port numbers. I don't know of a good way to get a cert with the plugin, but I also don't use the plugin. The best way I know of (in my admittedly-biased opinion) to install Nextcloud in a TrueNAS jail is this script:

4 Likes