TrueNAS Nextcloud failing HTTP challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:certbot --version

It produced this output: unexpected error occurred:
pkg_resources. ContextualVersionConflict: (google-api-core 2.2.2 (/usr/local/lib/

My web server is (include version): nginx

The operating system my web server runs on is (include version): TrueNAS 13.0

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): can't know this

Hi @evanmac, and welcome to the LE community forum :slight_smile:

I'd try updating the TrueNAS to their latest version.


Thanks for welcome, the TrueNAS version is

1 Like

I made the certbot working, but it throws me another error:

Certbot failed to authenticate some domains (authenticator: webroot). The Certif
icate Authority reported these problems:
Type: connection
Detail: Fetching
e/xxxxxxxxxxxxx: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to down load the temporary challenge files
created by Certbot. Ensure that the listed domains serve their content from the
provided--webroot-path/-w and that files created there can be downloaded from
the internet.
Some challenges have failed.

The HTTP-01 authentication challenge request must reach the file via HTTP.
Check the firewall.
Make sure the site is accessible via HTTP.


I had redirect from http to https, so I disabled it in nginx conf, but now the let's encrypt server asnwer me that I reached the limit of failed verification.

How can I install the certificate, then?

The logs show no such redirection:

[still HTTP]

Wait one hour and try again.
Use the staging/testing environment until you get it right.


Or, try using Let's Debug test site until you get it right (it uses LE staging system for one of its tests)


I used the test site and here is the answer:


Error has an A (IPv4) record ( but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with Get "": dial tcp i/o timeout

@0ms: Making a request to (using initial IP
@0ms: Dialing
@10001ms: Experienced error: dial tcp i/o timeout

Yeah, I know, I used that site before I suggested it to you :slight_smile:

You need a valid HTTP connection to process an HTTP Challenge from the Let's Encrypt servers. You could also use a cell phone with wifi off to use your provider's public internet to test too. It won't work now. You have to get that working.


that's why I'm asking help: I'm in a dead way...

This isn't a forum to help with such general config problems. Our work usually starts once you have http working (for http challenges). Maybe some volunteer who knows TrueNAS might choose to advise.

But, the best option is to try a TrueNAS forum.

If this helps, I see these ports available right now (so, not 80 or 443)

nmap -Pn
Not shown: 995 filtered ports
20/tcp   closed ftp-data
21/tcp   closed ftp
22/tcp   open   ssh
5900/tcp open   vnc
8080/tcp open   http-proxy

Might be a NAT portmap issue.



The f***ing router doesn't accept the 80 redirection; I have to solve this!

Many thanks for your help!

1 Like

and, lo and behold:

Test result for using http-01 (Rerun test)
All OK! OK
No issues were found with If you are having problems with creating an SSL certificate, please visit the Let's Community forums and post a question there.

Now I have to deal with another problem:

T'ype: unauthorized
Detail: Invalid response from "<! doct
ype html>\n<html lang="en">\n\n ‹meta charset=\ "utf-8">\n ‹meta http
equiv=" Pragma" content=\ "no-cache">\n ‹meta http-eq
Hint: The Certificate Authority failed to download the temporary challenge files
created by Certbot. Ensure that the listed domains serve their content from the
provided--webroot-path/-w and that files created there can be downloaded from
the internet.
Some challenges have failed.

But I leave it for tomorrow :smiley:

OK, but, that looks easier :slight_smile:

You are redirecting the http challenge request which look like this to the /ui/ URI:

curl -i
HTTP/1.1 302 Moved Temporarily
Server: nginx

You need to return the contents of the challenge file instead. What you see in the response is your "/ui/" page contents

Do you configure the nginx server blocks yourself?


The TrueNAS login

No, it's a nextcloud install in a TrueNAS Jail

I think that it's because the nextcloud works on a port, say, 3200, and TrueNAS answer on port 80.

I could try to "cross switch" the ports: the ext 80 to 3200 (the nextcloud instance, which I'd like to secure with cert), and the 3200 to 80 (the TrueNAS login)

Yeah, I don't know TrueNAS / NextCloud well enough to say. I've changed the title to reflect the current problem. Maybe that will draw in other volunteers or members to help.

You might also try a TrueNAS or nextcloud forum

An HTTP Challenge will need a proper response. The Let's Debug test site is helpful for new sites. There is a DNS Challenge too but that is often more difficult and I don't think that will help your fundamental routing problems for not only port 80 but also 443.


Using plugins in TrueNAS CORE will only bring you pain. See:

The relevant problem in this case is that beginning in TrueNAS 12, plugins use NAT which gives them weird port numbers. I don't know of a good way to get a cert with the plugin, but I also don't use the plugin. The best way I know of (in my admittedly-biased opinion) to install Nextcloud in a TrueNAS jail is this script: