Nextcloud Plugin - Certbot renewal webroot challenge fails

DonGui (Cadet; joined Feb 26, 2019; 3 messages)
Hi all,

I'm kind of stuck getting the certificate from letsencrypt to renew on my nextcloud (official plugin) install.

I'm using the certbot webroot method to do so. The command I'm using (to test):

Code:
certbot certonly -d mydomain


After which I choose the webroot option and input the webroot of my nextcloud install: /usr/local/www/nextcloud

The error I get from certbot is the following:

Code:
Domain: cloud.mydomain.com
Type:   connection
Detail: Fetching http://cloud.mydomain.com/.well-known/acme-challenge/Mj1vxrbQl1J6UVxGQGwYeIUh3Q_eO0EPrTitZqL-Lxs: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.


Thing is, I can access the webroot from a web browser without any issue. To double check this, I started the certbot script with the above command, but stopped its execution before it could reach the timeout. Checking on the command line, there was indeed a challenge file that had appeared at:

Code:
/usr/local/www/nextcloud/.well-known/acme-challenge/Mj1vxrbQl1J6UVxGQGwYeIUh3Q_eO0EPrTitZqL-Lxs


So I just pointed my web browser at the URL:

Code:
cloud.mydomain.com/.well-known/acme-challenge/Mj1vxrbQl1J6UVxGQGwYeIUh3Q_eO0EPrTitZqL-Lxs


...and it did serve me the file, I was able to download it.

So why does the letsencrypt CA server have trouble fetching the challenge from my nextcloud server? Does anyone have any clues to possible explanations?

All the best,
Guillaume
 

danb35 (Hall of Famer; joined Aug 16, 2011; 15,462 messages)

Quoting DonGui: "Thing is, I can access the webroot from a web browser without any issue."
Can you do that outside your network? Because that's the most likely problem.
 

DonGui (Cadet; joined Feb 26, 2019; 3 messages)

Yes, I can. I have OpenVPN installed on a separate jail, and I've been working on getting this certificate renewal remotely through OpenVPN. After executing the certbot renewal command and stopping it, I then disabled the VPN to get back to my regular internet connection, and accessed the "cloud.mydomain.com/.well-known/acme-challenge/xxx" on my server with a web browser.
 

Jailer (Not strong, but bad; joined Sep 12, 2014; 4,975 messages)

Quoting DonGui: "So why does the letsencrypt CA server have trouble fetching the challenge from my nextcloud server?"

Check your certbot logs and see what it says: /var/log/letsencrypt
 

danb35 (Hall of Famer; joined Aug 16, 2011; 15,462 messages)

Quoting DonGui: "I then disabled the VPN to get back to my regular internet connection, and accessed the "cloud.mydomain.com/.well-known/acme-challenge/xxx" on my server with a web browser."
I'm not sure why you'd be using a VPN here--is your FreeNAS server remote to you?
 

DonGui (Cadet; joined Feb 26, 2019; 3 messages)

@Jailer

Here is the content of the log after I try renewing the certificate:

Code:
2019-08-27 12:26:10,141:DEBUG:acme.client:Storing nonce: 0001PEBS_XBJOQojy9CsckYsfGktwL4y_V-tCOjqmlhhxvY
2019-08-27 12:26:10,141:WARNING:certbot.auth_handler:Challenge failed for domain cloud.mydomain.com
2019-08-27 12:26:10,141:INFO:certbot.auth_handler:http-01 challenge for cloud.mydomain.com
2019-08-27 12:26:10,141:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: cloud.mydomain.com
Type:   connection
Detail: Fetching http://cloud.mydomain.com/.well-known/acme-challenge/TFxfQNQuyMy-IXQHhqX0fwigRbeDRfvl182Ty-lDZTk: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2019-08-27 12:26:10,142:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2019-08-27 12:26:10,142:DEBUG:certbot.error_handler:Calling registered functions
2019-08-27 12:26:10,142:INFO:certbot.auth_handler:Cleaning up challenges
2019-08-27 12:26:10,142:DEBUG:certbot.plugins.webroot:Removing /usr/local/www/nextcloud/.well-known/acme-challenge/TFxfQNQuyMy-IXQHhqX0fwigRbeDRfvl182Ty-lDZTk
2019-08-27 12:26:10,142:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2019-08-27 12:26:10,142:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.35.1', 'console_scripts', 'certbot')()
  File "/usr/local/lib/python3.6/site-packages/certbot/main.py", line 1379, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.6/site-packages/certbot/main.py", line 1262, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.6/site-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python3.6/site-packages/certbot/renewal.py", line 307, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/local/lib/python3.6/site-packages/certbot/client.py", line 349, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.6/site-packages/certbot/client.py", line 385, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.


@danb35 Yes, the reason I'm using VPN to do these tests is because I'm not currently in the same location as the FreeNAS.

Thank you both!
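The two things the thread keeps circling back to are the failure report in /var/log/letsencrypt and the question of whether the token file is really being served from the webroot. The script below is an added example, not code from the posts and not part of certbot: it parses the "errors were reported by the server" block in the format quoted above, maps the URL the CA tried to fetch back to the file certbot must have written under <webroot>/.well-known/acme-challenge/, and checks the on-box side (directories searchable, file readable, token name sane). When the type is "connection" and nothing is wrong on disk, it says so, because that combination means the CA never completed a TCP connect to port 80 and the fault is outside the webroot. SAMPLE_LOG is constructed from the report in the thread, a temporary directory stands in for /usr/local/www/nextcloud, and the check assumes the web server runs as a user other than the owner of the files.

```python
"""Triage a certbot webroot (http-01) failure like the one in the thread.
Added example, neither certbot's code nor code from the posts. It parses the
"errors were reported by the server" block from /var/log/letsencrypt/letsencrypt.log
and checks on the server itself that the token file the CA tried to fetch is inside
the webroot and readable. SAMPLE_LOG is constructed; a temp dir stands in for the webroot.
"""
from __future__ import annotations
import os
import re
import tempfile
from collections import namedtuple
from urllib.parse import urlparse

ACME_URL_PREFIX = "/.well-known/acme-challenge/"
ACME_DIR = os.path.join(".well-known", "acme-challenge")
# http-01 tokens are base64url; rejecting anything else ('/', '.', ...) is what keeps
# token_path() from being steered outside the webroot by a crafted log line.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

SAMPLE_LOG = """\
Domain: cloud.mydomain.com
Type:   connection
Detail: Fetching http://cloud.mydomain.com/.well-known/acme-challenge/TFxfQNQuyMy-IXQHhqX0fwigRbeDRfvl182Ty-lDZTk: Timeout during connect (likely firewall problem)
"""
_REPORT_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n\s*Type:\s*(?P<kind>\S+)\s*\n\s*Detail:\s*(?P<detail>[^\n]+)")
# kind is certbot's "Type:" field (connection, unauthorized, dns, ...); url is what the CA fetched.
FailedChallenge = namedtuple("FailedChallenge", "domain kind detail url")

def parse_certbot_report(log_text: str) -> list[FailedChallenge]:
    """Pull every Domain/Type/Detail triple out of certbot's failure report."""
    found = []
    for m in _REPORT_RE.finditer(log_text):
        detail = m.group("detail").strip()
        url_m = re.search(r"https?://\S+", detail)
        url = url_m.group(0).rstrip(":") if url_m else ""   # drop the ':' before the reason
        found.append(FailedChallenge(m.group("domain"), m.group("kind"), detail, url))
    return found

def token_path(webroot: str, url: str) -> str:
    """Map the URL the CA fetched to the file certbot must have written."""
    path = urlparse(url).path
    if not path.startswith(ACME_URL_PREFIX):
        raise ValueError(f"not an acme-challenge URL: {url}")
    token = path[len(ACME_URL_PREFIX):]
    if not TOKEN_RE.match(token):
        raise ValueError(f"refusing suspicious token {token!r}")
    return os.path.join(webroot, ACME_DIR, token)

def stage_token(webroot: str, token: str, body: str) -> str:
    """Write a token the way the webroot plugin does: 0755 directories, 0644 file."""
    path = token_path(webroot, ACME_URL_PREFIX + token)   # validates the token as well
    for d in (os.path.join(webroot, ".well-known"), os.path.join(webroot, ACME_DIR)):
        os.makedirs(d, exist_ok=True)
        os.chmod(d, 0o755)          # explicit, so the caller's umask cannot hide the dir
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o644)
    return path

def local_problems(webroot: str, url: str) -> list[str]:
    """On-box checks; assumes the web server runs as a user other than the file owner."""
    try:
        path = token_path(webroot, url)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for d in (webroot, os.path.join(webroot, ".well-known"), os.path.join(webroot, ACME_DIR)):
        if not os.path.isdir(d):
            return problems + [f"missing directory {d}"]
        if not os.stat(d).st_mode & 0o001:                 # o+x: the server can enter it
            problems.append(f"{d} is not world-searchable (o+x)")
    if not os.path.isfile(path):
        problems.append(f"token file missing: {path} (certbot deletes it after a failed "
                        "attempt; 'certbot --debug-challenges' pauses before validation)")
    elif not os.stat(path).st_mode & 0o004:                # o+r: the server can read it
        problems.append(f"{path} is not world-readable (o+r)")
    return problems

def diagnose(log_text: str, webroot: str) -> list[tuple[str, str, list[str]]]:
    """For each failed challenge: (domain, type, what to look at next)."""
    report = []
    for ch in parse_certbot_report(log_text):
        findings = local_problems(webroot, ch.url) if ch.url else []
        if ch.kind == "connection" and not findings:
            # Nothing wrong on disk: the CA never completed a TCP connect to port 80.
            findings.append("file staged correctly; test port 80 from outside the LAN over "
                            "IPv4 and, if the name has an AAAA record, IPv6 (port forward, "
                            "packet filter, jail NAT)")
        report.append((ch.domain, ch.kind, findings))
    return report

def demo_webroot() -> str:
    root = tempfile.mkdtemp(prefix="webroot-")   # constructed stand-in for the real webroot
    os.chmod(root, 0o755)           # mkdtemp gives 0700, which a web server user cannot enter
    return root

if __name__ == "__main__":
    root = demo_webroot()
    stage_token(root, "TFxfQNQuyMy-IXQHhqX0fwigRbeDRfvl182Ty-lDZTk", "constructed-key-authz")
    print(diagnose(SAMPLE_LOG, root))
```

Run against the real log with `diagnose(open("/var/log/letsencrypt/letsencrypt.log").read(), "/usr/local/www/nextcloud")`. The on-box checks only say whether the server could serve the file if a request arrived; for a "connection" failure they come back clean, which is exactly the thread's situation, and the remaining question is reachability of port 80 from the public internet, including over IPv6 if the name has an AAAA record. Testing through the VPN does not answer that, because the VPN path ends inside the LAN.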
 