NethServer Version: 7.9.2009
I have nextcloud on a virtual host running.
Letsencrypt fails on updating the cert.
Since Nextcloud runs on https only, how do I get a Certificate for it?
With what error? The logs are in /var/log/letsencrypt/.
Hi
Your NethServer (Not necessarily Nextcloud) must be externally available on Port 80.
And you need a valid FQDN pointing to the external IP of your NethServer (Or Firewall with Port Forwarding).
My 2 cents
Andy
NethServer is available on port 80. I have some other virtual hosts with certs that work well. Only the Nextcloud one isn't working.
Hi
You do need to set the LE SSL cert as "Standard"...
If you're using a virtual host for your Nextcloud, you need a separate SSL cert for NC.
(eg: nextcloud.domain.tld).
If NOT using a vhost, Nextcloud uses the SSL cert from NethServer, if set as standard.
My 2 cents
Andy
My Home Nethserver, LE Certs in old Server-manager /NethGUI (Port 980):
Note: I'm NOT using a virtual host for NethServer...
See for yourself:
So, again, what is the error message? It's in the log files. Post the latest log showing an error getting the cert for your Nextcloud vhost.
No, you don't; unfortunately Neth doesn't support using a distinct SSL cert for this vhost; the vhost FQDN would have to be part of the default cert.
Hi Dan
I know there are other options like DNS-API for LE.
But helping people blind isn't always easy! We do need some feedback from the guys here, to be able to help!
Like how is it connected, etc.
With this level of info, we do not even know if Nextcloud is running on NethServer, or a separate VM...
We don't even know if the "other virtual hosts with certs" are also running on NethServer, or on another VM / Container / Docker...
And as you know, "assumptions" are not really valid in court! Our info basis should be as rock solid as an "iron clad case", to be able to really help people.
I must admit, my remote mind reading capacity isn't that good that I can read someone else's thoughts!
My 2 cents
Andy
Not relevant here. @pnemenz is saying "Letsencrypt fails on updating the cert." If it's failing, there's an error message, even if Neth is awful at exposing those to the user (seriously, it's worse than Apple). If (and only if) s/he will share that error message, we can make relevant suggestions and/or ask further relevant questions. But I do need to correct myself in one regard:
The above assumes (reasonably, I think, under the circumstances, but it hasn't been stated) that Neth is installed on the NethServer using the standard module. If it's running on some other machine, or on the Neth box using a nonstandard installation, all bets are off; but once again, the error message from certbot (or whatever other client is being used) will at least let us know what the problem is.
So we should avoid giving incorrect information, right? Like that the Neth Nextcloud module requires a separate cert when used in a virtual host?
Like there is a standard "module" to install Neth on NethServer?
We can only give information / tips / etc. if we get the right infos...
I had a client once, who kept repeating: "The Internet is not working"...
Note the capitalizations and tense... Not "my Internet is not working", but "The Internet", meaning Google, FB and Microsoft are all down!
(His firewall was hooked to a "Power saving Multi Mains Adapter".)
But on what/how NethServer exposes LE errors, I fully agree!
Sometimes it's enough, mostly you NEED to see the logs!
To make things clear:
Nextcloud is running on the Nethserver as are my other subdomains/virtual hosts.
The logfile is rather long, and I'm not sure what exactly I'm supposed to look for, but I guess this is the part of the log you're looking for:
replay-nonce: 0003zKCiURDAiJQ-nNHDo57duW0isDN76U0-cJRfRPM2xfc
{
  "identifier": {
    "type": "dns",
    "value": "nextcloud.(domain removed for this post)"
  },
  "status": "invalid",
  "expires": "2021-03-29T05:44:35Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from https://nextcloud.(domain removed for this post)/index.php/login [xxx.xxx.xxx.xxx]: \"\u003c!DOCTYPE html\u003e\n\u003chtml class=\"ng-csp\" data-placeholder-focus=\"false\" lang=\"en\" data-locale=\"en\" \u003e\n\t\u003chead\n data-requesttoken=\"sAnq\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/13015177/0yI-_Q",
      "token": "4lnLcFl_-2yFZ9U-h-u5BB3KwfVMOaos215LY-TwWpE",
      "validationRecord": [
        {
          "url": "http://nextcloud.(domain removed for this post)/.well-known/acme-challenge/4lnLcFl_-2yFZ9U-h-u5BB3KwfVMOaos215LY-TwWpE",
          "hostname": "nextcloud.(domain removed for this post)",
          "port": "80",
          "addressesResolved": [
            "xxx.xxx.xxx.xxx"
          ],
          "addressUsed": "xxx.xxx.xxx.xxx"
        },
        {
          "url": "https://nextcloud.(domain removed for this post)/.well-known/acme-challenge/4lnLcFl_-2yFZ9U-h-u5BB3KwfVMOaos215LY-TwWpE",
          "hostname": "nextcloud.(domain removed for this post)",
          "port": "443",
          "addressesResolved": [
            "xxx.xxx.xxx.xxx"
          ],
          "addressUsed": "xxx.xxx.xxx.xxx"
        },
        {
          "url": "https://nextcloud.(domain removed for this post)/index.php/login",
          "hostname": "nextcloud.(domain removed for this post)",
          "port": "443",
          "addressesResolved": [
            "xxx.xxx.xxx.xxx"
          ],
          "addressUsed": "xxx.xxx.xxx.xxx"
        }
      ],
      "validated": "2021-03-22T05:44:39Z"
    }
  ]
}
2021-03-22 06:44:45,765:DEBUG:acme.client:Storing nonce: 0003zKCiURDAiJQ-nNHDo57duW0isDN76U0-cJRfRPM2xfc
2021-03-22 06:44:45,765:WARNING:certbot._internal.auth_handler:Challenge failed for domain nextcloud.(domain removed for this post)
2021-03-22 06:44:45,765:INFO:certbot._internal.auth_handler:http-01 challenge for nextcloud.(domain removed for this post)
2021-03-22 06:44:45,766:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:
Domain: nextcloud.(domain removed for this post)
Type: unauthorized
Detail: Invalid response from https://nextcloud.(domain removed for this post)/index.php/login [xxx.xxx.xxx.xxx]: "<!DOCTYPE html>\n<html class="ng-csp" data-placeholder-focus="false" lang="en" data-locale="en" >\n\t<head\n data-requesttoken="sAnq"
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2021-03-22 06:44:45,766:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
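The validationRecord above is the useful part of that log: the validator started at the plain-HTTP challenge URL, was redirected to HTTPS, then redirected again to /index.php/login and got a 403 there, so the challenge path is being swallowed by the application rather than served as a file. As an added example (not code from this thread, from NethServer or from certbot), here is a small pre-flight probe that requests http://host/.well-known/acme-challenge/token the way Let's Encrypt does, follows the redirects hop by hop and reports where the chain ends. The hostname and token are placeholders passed by the caller, and the fetch function is pluggable so the logic can be exercised offline against a constructed server.

```python
"""Pre-flight probe for an ACME HTTP-01 challenge path.

Added example; not code from the forum thread, from NethServer or from certbot.
It follows the same chain the Let's Encrypt validator follows (plain HTTP first,
redirects resolved hop by hop) and classifies where the chain ends, so a
redirect into an application's login page is visible before certbot is run.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_REDIRECTS = 10  # Let's Encrypt stops following after 10 redirects


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to auto-follow redirects so every hop is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Real fetch: returns (status, Location header or None, first 512 bytes of body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(512).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return err.code, err.headers.get("Location"), err.read(512).decode("utf-8", "replace")


def probe_challenge(hostname, token, fetch=http_fetch):
    """Follow the chain from the HTTP challenge URL; return the hops and a verdict."""
    url = f"http://{hostname}{CHALLENGE_PREFIX}{token}"
    hops = []
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = fetch(url)
        hops.append({"url": url, "status": status, "body": body})
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # relative Location values resolve like a browser would
            continue
        break
    return {"hops": hops, "verdict": _verdict(hops, token)}


def _verdict(hops, token):
    final = hops[-1]
    if final["status"] in REDIRECT_CODES:
        return "too-many-redirects"
    if CHALLENGE_PREFIX + token not in final["url"]:
        # The request left the challenge path: a catch-all rewrite (an application
        # front controller, for instance) took it over. This is the pattern in the
        # certbot log above, where the chain ends at /index.php/login.
        return "redirected-off-challenge-path"
    if final["status"] == 404:
        # Healthy before certbot runs: the path is served from a directory that
        # simply does not hold this token yet.
        return "reachable-no-file"
    if final["status"] != 200:
        return f"http-{final['status']}"
    if not final["body"].strip().startswith(token + "."):
        # A valid key authorization is "<token>.<account key thumbprint>".
        return "wrong-body"
    return "ok"


def render(result):
    """Human-readable summary of a probe result."""
    lines = [f"{i + 1}. {hop['status']} {hop['url']}" for i, hop in enumerate(result["hops"])]
    lines.append(f"verdict: {result['verdict']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder hostname; pass the real vhost name as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "nextcloud.example.invalid"
    print(render(probe_challenge(host, "preflight-probe-token")))
```

Run it from outside the network, since that is where the validator sits. A verdict of reachable-no-file is the healthy result before certbot has written anything; redirected-off-challenge-path is what the log above would produce, and it means the web server is handing the challenge directory to the application instead of serving it as plain files, which has to change before the webroot method can succeed for that vhost.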
Hi
Pls don't take the above as criticism, but we've had people here e.g. asking about Roundcube, and they were not even using NethServer, but rather some hosted webserver with a Plesk interface...
Does the nethserver.domain.tld resolve correctly internally and externally?
No worry. I know sometimes ppl asking for help just ask anywhere
Yes, the domain resolves correctly. I can even access the cloud with a security exception.
LetsEncrypt is specifically complaining about the Nextcloud domain; the others seem OK, including NethServer itself...
Where did you enter in the Domains for LetsEncrypt? In the Cockpit Dashboard?
Yes, exactly as the other ones.
Did you test if Nextcloud is available from external?
If you PM the domain / IP, I can test for you...
Yes it is, but you can test it, if you like.
This shows that the Nextcloud virtual host isn't responding properly; it's giving a 403 (Unauthorized) error when asked for the challenge. It shouldn't be doing that, of course, but it's unclear why it's doing it. What's the output of config show nextcloud?
nextcloud=configuration
HonorAdStartTls=disabled
TrustedDomains=nextcloud.(domain removed for this post)
VirtualHost=nextcloud.(domain removed for this post)
Wellknown=disabled
Nothing looks out of the ordinary there. What about the virtual host config file? It's /etc/httpd/conf.d/zz_nextcloud.conf
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#
<VirtualHost *:80>
    ServerName nextcloud.(domain removed for this post)
    Redirect / https://nextcloud.(domain removed for this post)/
</VirtualHost>

<VirtualHost *:443>
    ServerName nextcloud.(domain removed for this post)
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SSLCertificateChainFile /etc/letsencrypt/live/(domain removed for this post)-0004/chain.pem
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

    Alias / "/usr/share/nextcloud/"
    <Directory "/usr/share/nextcloud">
        Options +FollowSymLinks
        AllowOverride All
        Require all granted

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        <FilesMatch \.php$>
            SetHandler "proxy:fcgi://127.0.0.1:9002"
        </FilesMatch>

        SetEnv HOME /usr/share/nextcloud
        SetEnv HTTP_HOME /usr/share/nextcloud
        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

    </Directory>
    <Directory "/usr/share/nextcloud/data/">
        # just in case if .htaccess gets disabled
        Require all denied
    </Directory>
