Renewal of Letsencrypt certificates on NS8

frankn · April 29, 2025, 5:26pm

NethServer Version: 8
Module: Nextcloud

Hello all,

I checked the older mails regarding not auto-renewing Letsencrypt certificates… but I’m not sure, whether that helps. I have a DNS entry for nextcloud.mydomain.com, which works. I also installed a TLS certificate from Letsencrypt, which ended yesterday. Up to now it was automatically renewed, but now it’s not any more.

Two weeks ago I received an email from Letsencrypt that they stop the notification service via email… which did not bother me, because if the renewal itself works, the email is not that important for me.

But it seems that the update does not work any more. I thought that I maybe could delete the certificate and re–request ist… but there was an error message containing the three other certificates

<3>Timeout after about 30 seconds. Certificate not obtained for [‘mydomain.dyndns.biz’, ‘roundcube.mydomain.com’, ‘mail1.mydomain.com’, ‘host1.mydomain.com’].

The other domains and certificates are still valid… like roundcube.mydomain.com.

How can I renew the certificate? Any hints would be very welcome.

Thank you very much in advance and best regards,

Frank
<3>

mrmarkuz · April 29, 2025, 6:19pm

Is port 80/tcp open/forwarded correctly?

Maybe a firewall blocks connections to/from letsencrypt servers?

Are the dyndns IPs correct?

In NS8 Nextcloud app settings disable the cert, save, enable the cert and save again.

fasttech · April 29, 2025, 7:55pm

Confused, I thought you’d said 443 needed to be forwarded appropriately for certs now?

frankn · April 29, 2025, 8:00pm

Hello Markus,

thanks a lot for your fast answer.

Port 80/tcp was still forwarded to the very old server, I changed that. then I disabled and re-enabled the certificate in the Nextcloud app… this did not help right away… I’ll wait till tommorrow.

The Dyndns IPs are correct.

Thanks a lot!

Best regards,

Frank

mrmarkuz · April 29, 2025, 8:19pm

Sorry for confusion, where did I write it?

I just found this:

It should work immediately. Please try to hard refresh the browser or check using following command:

openssl s_client -connect sub.domain.com:443 | echo

frankn · April 29, 2025, 8:26pm

Hard reset of the browser did not help… the openssl command pointed me to the myfritz.net certificate

I have a different issue open… and ordered the Unifi Cloud Gateway which was recommended… to avoid the Fritz certificate. I think I’ll have to install that during the weekend… although it worked with the Letsencrypt certificate up to this morning, when that cert expired.

mrmarkuz · April 29, 2025, 8:44pm

Did you forward the HTTPS port 443 to the NS8?

Does it work when you try it from outside the LAN?

frankn · April 30, 2025, 8:48am

Yes

no

frankn · April 30, 2025, 8:50am

That was the solution, I’m quite sure, the renewed cert was created yesterday evening at 21:54h.

Thank you very much for the great help!

davidep · April 30, 2025, 3:12pm

If you want, follow the Release Notes instructions to switch to port 443-based challenge:

New TLS-ALPN-01 default ACME challenge format – Let’s Encrypt TLS certificates are now obtained using the TLS-ALPN-01 challenge type through TCP port 443. Port 80 is no longer used by new installations of NethServer 8 core. Existing systems retain the previous HTTP-01 challenge type and still require port 80 to be open. – Release notes — NS8 documentation

capote · May 4, 2025, 9:32am

How can I check which challenge my server is using?

mrmarkuz · May 4, 2025, 9:46am

You can check it by using get-acme-server:

[root@ns8rockytest ~]# api-cli run module/traefik1/get-acme-server
Warning: using user "cluster" credentials from the environment
{"url": "https://acme-v02.api.letsencrypt.org/directory", "email": "", "challenge": "HTTP-01"}