Let's Encrypt: nextcloud on a virtual host not working

NethServer Version: 7.9.2009

I have nextcloud on a virtual host running.
Letsencrypt fails on updating the cert.
Since Nextcloud runs on https only, how do I get a Certificate for it?

With what error? The logs are in /var/log/letsencrypt/.

@pnemenz

Hi

Your NethServer (Not necessarily Nextcloud) must be externally available on Port 80.
And you need a valid FQDN pointing to the external IP of your NethServer (Or Firewall with Port Forwarding).

My 2 cents
Andy

Nethserver is available on oport 80. I have some other virtual hosts with certs that work well. only the nexcloud isn’t working.

@pnemenz

Hi

You do need to set the LE SSL cert as “Standard”…
If you’re using a virtual host for your Nextcloud, you need a seperrate SSL cert for NC.
(eg: nextcloud.domain.tld).
If NOT using a vhost, Nextcloud uses the SSL cert from NethServer, if set as standard.

My 2 cents
Andy

My Home Nethserver, LE Certs in old Server-manager /NethGUI (Port 980):

Note: I’m NOT using a virtual host for Nethserver…

See for yourself:

:slight_smile:

So, again, what is the error message? It’s in the log files. Post the latest log showing an error getting the cert for your Nextcloud vhost.

No, you don’t; unfortunately Neth doesn’t support using a distinct SSL cert for this vhost–the vhost FQDN would have to part of the default cert.

@danb35

Hi Dan

I know there are other options like DNS-API for LE.
But helping people blind isn’t always easy! We do need some feedback from the guys here, to be able to help! :slight_smile:
Like how is it connected, etc.

With this level of Info, we do not even know if Nextcloud is running on NethServer, or a seperate VM…
We don’t even know if the “other virtual hosts with certs” are also running on NethServer - or on another VM / Container / Docker…
And as you know, “assumptions” are not really valid in court! Our Info basis should be as rock solid as an “iron clad case”, to be able to really help people.

I must admit, my remote mind reading capacity isn’t that good that I can read someone else’s thoughts! :slight_smile:

My 2 cents
Andy

Not relevant here. @pnemenz is saying “Letsencrypt fails on updating the cert.” If it’s failing, there’s an error message, even if Neth is awful at exposing those to the user (seriously, it’s worse than Apple). If (and only if) s/he will share that error message, we can make relevant suggestions and/or ask further relevant questions. But I do need to correct myself in one regard:

The above assumes (reasonably, I think, under the circumstances, but it hasn’t been stated) that Neth is installed on the Nethserver using the standard module. If it’s running on some other machine, or on the Neth box using a nonstandard installation, all bets are off–but once again, the error message from certbot (or whatever other client is being used) will at least let us know what the problem is.

So we should avoid giving incorrect information, right? Like that the Neth Nextcloud module requires a separate cert when used in a virtual host?

Like there is a standard “module” to install Neth on NethServer? :slight_smile:

We can only give information / tips / etc if we get the right Infos…

I had a client once, who kept repeating: “The Internet is not working”…
Note the capitalizations and tense… Not my Internet is not working, but “The Internet”, meaning Google, FB and Microsoft are all down!
(His Firewall was hooked to a “Power saving Multi Mains Adapter”).

But on what/how NethServer exposes LE errors, I fully agree!
Sometimes it’s enough, mostly you NEED to see the logs!

to make things clear:
Nextcloud is running on the Nethserver as are my other subdomains/virtual hosts.
The logfile is rather long, I’m not sure, what I’m supposed exactly to look for. but I guess this is the part of the log you’re looking for:

replay-nonce: 0003zKCiURDAiJQ-nNHDo57duW0isDN76U0-cJRfRPM2xfc

{
“identifier”: {
“type”: “dns”,
“value”: “nextcloud.(domain removed for this post)”
},
“status”: “invalid”,
“expires”: “2021-03-29T05:44:35Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: "Invalid response from https://nextcloud.(domain removed for this post)/index.php/login [xxx.xxx.xxx.xxx]: “\u003c!DOCTYPE html\u003e\n\u003chtml class=\“ng-csp\” data-placeholder-focus=\“false\” lang=\“en\” data-locale=\“en\” \u003e\n\t\u003chead\n data-requesttoken=\“sAnq””,
“status”: 403
},
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/13015177/0yI-Q",
“token”: "4lnLcFl
-2yFZ9U-h-u5BB3KwfVMOaos215LY-TwWpE”,
“validationRecord”: [
{
“url”: “http://nextcloud.(domain removed for this post)/.well-known/acme-challenge/4lnLcFl_-2yFZ9U-h-u5BB3KwfVMOaos215LY-TwWpE”,
“hostname”: “nextcloud.(domain removed for this post)”,
“port”: “80”,
“addressesResolved”: [
“xxx.xxx.xxx.xxx”
],
“addressUsed”: “xxx.xxx.xxx.xxx”
},
{
“url”: “https://nextcloud.(domain removed for this post)/.well-known/acme-challenge/4lnLcFl_-2yFZ9U-h-u5BB3KwfVMOaos215LY-TwWpE”,
“hostname”: “nextcloud.(domain removed for this post)”,
“port”: “443”,
“addressesResolved”: [
“xxx.xxx.xxx.xxx”
],
“addressUsed”: “xxx.xxx.xxx.xxx”
},
{
“url”: “https://nextcloud.(domain removed for this post)/index.php/login”,
“hostname”: “nextcloud.(domain removed for this post)”,
“port”: “443”,
“addressesResolved”: [
“xxx.xxx.xxx.xxx”
],
“addressUsed”: “xxx.xxx.xxx.xxx”
}
],
“validated”: “2021-03-22T05:44:39Z”
}
]
}
2021-03-22 06:44:45,765:DEBUG:acme.client:Storing nonce: 0003zKCiURDAiJQ-nNHDo57duW0isDN76U0-cJRfRPM2xfc
2021-03-22 06:44:45,765:WARNING:certbot._internal.auth_handler:Challenge failed for domain nextcloud.(domain removed for this post)
2021-03-22 06:44:45,765:INFO:certbot._internal.auth_handler:http-01 challenge for nextcloud.(domain removed for this post)
2021-03-22 06:44:45,766:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: nextcloud.(domain removed for this post)
Type: unauthorized
Detail: Invalid response from https://nextcloud.(domain removed for this post)/index.php/login [xxx.xxx.xxx.xxx]: "\n<html class=“ng-csp” data-placeholder-focus=“false” lang=“en” data-locale=“en” >\n\t<head\n data-requesttoken=“sAnq”

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2021-03-22 06:44:45,766:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

Hi

Pls don’t take the above as critics, but we’ve had people here eg asking about Roundcube - and the were not even using Nethserver, but rather some hosted webserver with a Plesk interface…

Does the nethserver.domain.tld resolve correctly internally and externally?

No worry. I know sometimes ppl asking for help just ask anywhere :slight_smile:

Yes the domain resolve correctly. I even can access the cloud with an security exeption.

LetsEncrypt is specifically complaining about the nextcloud domain, the others seem OK, including NethServer itself…

Where did you enter in the Domains for LetsEncrypt? In the Cockpit Dashboard?

yes exactly as the otherones

Did you test if Nextcloud is available from external?

If you PM the domain / IP, I can test for you…

yes it is, but you can test it, if you like

This shows that the Nextcloud virtual host isn’t responding properly; it’s giving a 403 (Unauthorized) error when asked for the challenge. It shouldn’t be doing that, of course, but it’s unclear why it’s doing it. What’s the output of config show nextcloud?

nextcloud=configuration
HonorAdStartTls=disabled
TrustedDomains=nextcloud.(domain removed for this post)
VirtualHost=nextcloud.(domain removed for this post)
Wellknown=disabled

Nothing looks out of the ordinary there. What about the virtual host config file? It’s /etc/httpd/conf.d/zz_nextcloud.conf

1 # ================= DO NOT MODIFY THIS FILE =================
2 #
3 # Manual changes will be lost when this file is regenerated.
4 #
5 # Please read the developer’s guide, which is available
6 # at NethServer official site: https://www.nethserver.org
7 #
8 #
9 <VirtualHost :80>
10 ServerName nextcloud.(domain removed for this post)
11 Redirect / https://nextcloud.(domain removed for this post)/
12
13
14 <VirtualHost :443>
15 ServerName nextcloud.(domain removed for this post)
16 SSLEngine on
17 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
18 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
19 SSLCertificateChainFile /etc/letsencrypt/live/(domain removed for this post)-0004/chain.pem
20 SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
21
22 RewriteCond %{HTTPS} !=on
23 RewriteRule (.
) https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
24
25 Alias / “/usr/share/nextcloud/”
26 <Directory “/usr/share/nextcloud”>
27 Options +FollowSymLinks
28 AllowOverride All
29 Require all granted
30
31
32 Dav off
33
34
35 <FilesMatch .php$>
36 SetHandler “proxy:fcgi://127.0.0.1:9002”
37
38
39 SetEnv HOME /usr/share/nextcloud
40 SetEnv HTTP_HOME /usr/share/nextcloud
41 SetEnvIf Authorization "(.
)" HTTP_AUTHORIZATION=$1
42
43
44 <Directory “/usr/share/nextcloud/data/”>
45 # just in case if .htaccess gets disabled
46 Require all denied
47
48