Unable To Obtain Certificate/Nextcloud on RPi

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wiredwrx.ddns.net

I ran this command: using nextcloudpi - trying to get a certificate

It produced this output:
[ letsencrypt ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for wiredwrx.ddns.net
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. wiredwrx.ddns.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://104.0.131.80:8080/.well-known/acme-challenge/zL9gAsTL_2vonp-3ashj_wJXNqGNLQ6itVmjht0R6t4: Invalid port in redirect target. Only ports 80 and 443 are supported, not 8080
IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: wiredwrx.ddns.net
Type: connection
Detail: Fetching
http://104.0.131.80:8080/.well-known/acme-challenge/zL9gAsTL_2vonp-3ashj_wJXNqGNLQ6itVmjht0R6t4:
Invalid port in redirect target. Only ports 80 and 443 are
supported, not 8080

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version): Apache

The operating system my web server runs on is (include version): Raspbian Buster

My hosting provider, if applicable, is: at home, my ISP is AT&T U-verse

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): using nextcloudpi 1.23.1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Don’t think so

I am trying to set up Nextcloud at home. My internet and network are as follows:
AT&T U-verse modem (Arris NVG-599) -> TP-Link AP (which handles DHCP for the home network) -> unmanaged Linksys switch -> wired computers, including the Raspberry Pi.

I am following the instructions from a video by Techno Dad Life entitled Easiest Nextcloud Installation with Docker, to install Nextcloud on my RPi running Open Media Vault. All has gone well until I try to set up/get a certificate from Let’s Encrypt in the nextcloudpi “control panel”. I have checked my DDNSs in the panel, and they start without error. But when trying letsencrypt, I get the error above.

I first turned off the firewall on the AT&T modem to see if that resolved the issue, and it did not. I also tried port forwarding on the AP with the firewall turned off, with no luck. The AT&T modem does not have a port forwarding option, but it does have NAT tables, which I have tried, also with no luck. There are also options for “IP Passthrough” and “Public Subnet Hosts” and some others. I have read the help files, with no luck.

Any help is greatly appreciated. I am not necessarily a newb at this stuff, but I am certainly no expert or professional, so thanks for bearing with me.

Kindly,
Michael


You need to handle the HTTP authentication requests via port 80.
That means: Exclude them from the redirection.

If you need help with that, please show the current port 80 section for wiredwrx.ddns.net.


Thanks for the response, but not sure what you mean.

The DDNS is pointing to my ATT Uverse external IP address. I don’t understand what you mean by “exclude them from the redirection” since I am not currently aware of any redirection of ports. Also, how do I “handle the HTTP authentication requests via port 80” when I have not set up the authentication requests to be anywhere other than port 80.

Thanks,
Michael


Something (Apache) is redirecting the HTTP requests to port 8080:

curl -Iki http://wiredwrx.ddns.net/
HTTP/1.1 302 Found
Date: Wed, 18 Mar 2020 01:31:02 GMT
Server: Apache
Location: http://104.0.131.80:8080
Content-Type: text/html

FYI: The hardcoded IP doesn’t even match the current IP for your name…
I’m thinking your router has been hacked.
or
That was a previously used IP and just OLD/forgotten coding.

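One way to do what the first reply asks for (keep the redirect but let the http-01 challenge be answered on port 80) is shown below. This is an added example for this thread, not the poster's configuration and not nextcloudpi's own generated config. The webroot /var/www/nextcloud and the redirect target http://104.0.131.80:8080 are the ones that appear in the thread; the port-80 virtual host itself, and the assumption that the redirect is done by a rule in that vhost, are mine.

```apache
# Added example, not from the thread or from nextcloudpi.
# Assumption: the port-80 vhost for wiredwrx.ddns.net is a file under
# /etc/apache2/sites-enabled/ (on Debian/Raspbian, Apache lives under
# /etc/apache2, which is why /etc/httpd/conf/httpd.conf is not on the Pi).
# Needs mod_rewrite: sudo a2enmod rewrite

<VirtualHost *:80>
    ServerName wiredwrx.ddns.net
    DocumentRoot /var/www/nextcloud

    # Before: a blanket redirect such as the one below sends the ACME
    # validator to port 8080 too, which Let's Encrypt rejects with
    # "Only ports 80 and 443 are supported, not 8080".
    #
    #   RewriteEngine On
    #   RewriteRule ^ http://104.0.131.80:8080 [R=302,L]

    # After, step 1: serve the challenge directory straight from the
    # webroot certbot writes into. AllowOverride None stops any
    # .htaccess in /var/www/nextcloud from rewriting these requests.
    Alias /.well-known/acme-challenge/ /var/www/nextcloud/.well-known/acme-challenge/
    <Directory /var/www/nextcloud/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # After, step 2: redirect everything except the challenge path.
    # The RewriteCond excludes /.well-known/acme-challenge/ from the rule.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ http://104.0.131.80:8080%{REQUEST_URI} [R=302,L]
</VirtualHost>
```

After `sudo apachectl configtest` and `sudo systemctl reload apache2`, check it the same way the reply above did: `curl -I http://wiredwrx.ddns.net/.well-known/acme-challenge/test` should now return a 404 from Apache instead of a 302 to port 8080, while `curl -I http://wiredwrx.ddns.net/` still shows the redirect. Two caveats: the DDNS name has to resolve to the AT&T address for this to matter at all (the next reply covers that), and because nextcloudpi manages the Apache configuration from its panel, re-check that the exclusion survived after any change made through the panel.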

OR
The current IP for wiredwrx.ddns.net (“34.199.8.144”) is incorrect.

You say you have ATTUverse.
But that doesn’t match the IP in use:

Name:    ec2-34-199-8-144.compute-1.amazonaws.com
Address:  34.199.8.144

Please confirm your Internet IP:
curl ifconfig.me

And update your DDNS IP.


IP 104.0.131.80

pi@raspberrypi:~ $ curl ifconfig.me
104.0.131.80pi@raspberrypi:~ $

I updated my DNS in their control panel to point to port 80, and the IP in their control panel matches the output from curl ifconfig.me, but I still get the same error. I also did a DNS lookup, and noticed that the wrong IP address is returned for that name.

I also have wiredwrx.duckdns.org available to me, and a DNS lookup shows the correct IP for that hostname, so I changed the settings for letsencrypt, but I still get the same error. I also tried port forwarding in my AP, with no change. I wonder if the inbound traffic is getting stopped at the modem?

Is there a way to alter the “Location: http://104.0.131.80:8080” listed in Apache? I tried to alter/inspect “/etc/httpd/conf/httpd.conf” but can’t even find it on my Pi. I’ll continue looking.

Thanks again for the help


You know this works fine, do you? :smiley:

Tell us why you’re redirecting to a raw IP address, please. (You will need a certificate for the raw IP, and Let’s Encrypt doesn’t support this yet.)

(I am not surprised at all that duckdns works better than ddns.)