Difficulty changing LetsEncrypt certificate domains #406
Comments
Actually, it really should have updated automatically. Running
|
Possibly related I found that the log file
|
renewal config
This is the (censored) content of
|
I found the culprit. The logfile Previously I had two domains that I used (let's call them
Solution
Make sure that all domains for the cert point to your server. Also, check the logs before asking questions.
|
Wow, quick investigation! Thank you for sharing the solution here. Indeed, this sounds exactly correct. The snap actually makes some pretty bad assumptions if you want to change the domain and get a new cert, so I'm going to leave this issue open to track the fix for that. Until I fix it, I suggest you toast the cert that's currently there and get a new one. Specifically: First of all, disable HTTPS (this just removes a symlink, it doesn’t remove any certs):
Then blow away any certs that are there (this includes self-signed certs, Let’s Encrypt certs, everything). Make sure you get this command right, you don’t want to delete anything else in the current/ dir:
Then pretend you’re enabling HTTPS for the first time, using only the domains you want:
|
For future reference, you can see helpful logs from the renew-certs service:
|
Ah, great input! Thank you, I will try this.
I'll leave the issue open for you to close when you see fit. |
Just a bump, how does this correlate with the recent revoke of TLS-SNI validation? |
Also curious about the revocation of that validation -- I've been having similar timeouts trying to get a Let's Encrypt cert as the couple other recent reports, been beating my head against a wall for a couple days trying to find something wrong with my router/forwarding/DNS as that seems to be the fix for most people with similar issues, but everything seems fine. Disabling https and connection on port 80 is good, self-signed cert works fine otherwise. I've cleared out the certs and started fresh several times, even removed the snap and reinstalled. Wondering if maybe certbot is configured for the wrong challenge at this point? Does this recent change affect the Let's Encrypt function for the snap? |
@grantwinship You can find the solution here |
I just tried it on a fresh snap install, and it works for me. This change does not seem to affect the snap. |
yeah, tried testing the version @imatasic linked as well as installing the current version outside the snap and running the webroot style auth and got some similar errors, so back to thinking it must be something with my DNS/router/forwarding situation 🤔 -- thought I had it there for a minute! I appreciate the confirmation on that @kyrofa , at least I can narrow it down to my setup now! |
ISP blocking the whole time 😭 --- fixed that and worked like a charm. At least I learned a lot of new stuff about networking trying to troubleshoot 😸 |
Hi I have problem with nextcloud 12 snap 5132 on Ubuntu Server 16.04.3. AH02155: getpwuid: couldn't determine user name from uid 4294967295, you probably need to modify the User directive Solution should be to set User and/or Group directives in apache configuration, probably needed by unixd apache module (chrooting apache), but I do not know how to do this. I tried to create configuration file: Thank you in advance, |
@fdemassis that isn't related to this issue, please log a new one. Note that |
@kyrofa It's complaining on me again. Would you kindly assist in figuring out why? I get emails from LetsEncrypt saying that my cert will expire in 9 days. The logs at my server say:
over and over again. Where do I begin? |
Hello, I have similar problems, my cert did not renew automatically. My ip has changed to different one during this 90 day certificate. I've changed my domain to point into my new ip.
but it gives me this error:
Logfile contains same error message:
Running
Any ideas what to do? |
@Nubzori please log a new issue, that seems completely unrelated. Please include the output of |
Thank you @kyrofa your solution worked for me. |
Hi. I had this issue again, and tried to
|
After deleting the Perhaps I should have read to the bottom of the thread before copy-pasting commands into terminal... |
Try creating an empty directory there, does it change anything? |
for me this now gives me:
|
@ElijahHW that sounds legitimate, you're sure you typed it right/registered it properly? Can you ping that domain name? Any chance you feel like shooting me an email containing the domain so I can make sure it looks okay from here? |
this happens after creating an empty the log:
removing the whole dir was the wrong idea.. |
Finally @home I just setup a fresh install (pi3 with SD is so much slower than a pi4 with an SSD.. -> why did I even bother to update it..) finally I just copied over the removed dir -> worked. |
Ran into the same issue after trying to renew my server url after the old one got purged from afraid.org. (mistake: I created a new cert before disabling https) As @theoneandonly-vector, I stole the folder from a fresh vm install and copied it into my server which fixed it again. New url is running without throwing cert-errors in browsers |
Deleting the folder was indeed useful, but restoring the certbot files is just 3 lines of cli: #install certbot# #create the new certbot folder# #copy certbot files to nextcloud snap# #uninstall certbot snap | optional # I hope you will find this reply useful |
The certbot snap is not required and indeed not useful in this context. |
You are right, but there is a valid reason: for instance if someone unlucky deletes the folder and needs a quick way to recover it this is a valid solution and solved my problem. I started my nextcloud vm with 2 A records (example1.ex.ex; example2.ex.ex) and 2 public ips, everything was behind a dedicated firewall. Then I decided only to use one A record so I disabled https and enabled again with letsencrypt with only one name and disabled the rule for that ip in the firewall. The problem was that the acme client still tried to get a certificate for the second domain. I followed several guides but with no results. I came across this post and deleted the certbot folder. After copying a fresh copy from the snap version and it worked flawlessly again. I don't know if this is a universal fix, I hope this can help someone. |
@codygamer666 Thank You! I must say I don't understand the problem fully, if only the directories are missing or certbots actual files are needed but this fixed it for me. @kyrofa You might want to edit your initial response, to include a warning that deleting may cause problems. I am very thankful though, I scoured the web for 3 hours until I found your fix :) EDIT: |
I'll edit my comment right now to include the folder creation step, thanks for your feedback |
This wasn't intuitive to me. Was surprised that my certificates didn't update automatically, because one of my two domains with certificates wasn't in use anymore. |
Yes, this is simply how Let's Encrypt works. If you have a single cert valid for multiple domains, it has to re-validate all of those domains in order to renew that certificate. The only thing different they could have done was to say "oh, domain A didn't validate. Well, I guess we'll just issue a new cert and strip that domain off." I think they made the right call, there-- an error is definitely better. |
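Added example (not from the thread or from the nextcloud-snap project): a pre-renewal check that lists which domains on a multi-domain cert no longer resolve to this server, since every one of them has to re-validate. It assumes a webroot-style certbot renewal config with a `[[webroot_map]]` section; the sample config, domain names and addresses are constructed.

```python
import socket

# Constructed sample. The layout (a [[webroot_map]] subsection with one
# "domain = path" line per name) is an assumption about the renewal config.
SAMPLE_RENEWAL_CONF = """\
version = 0.14.0
[renewalparams]
authenticator = webroot
[[webroot_map]]
cloud.example.org = /var/www/acme
old.example.org = /var/www/acme
"""

def domains_from_renewal_conf(text):
    """Return the domain names listed under [[webroot_map]]."""
    domains, in_map = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # Any other section header ends the webroot_map block.
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            domains.append(line.split("=", 1)[0].strip())
    return domains

def system_resolver(name):
    """Resolve a name to its set of addresses using the OS resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, 80)}
    except socket.gaierror:
        return set()

def renewal_blockers(conf_text, server_ips, resolve=system_resolver):
    """Map each domain that does not resolve to this server to what it resolved to."""
    blockers = {}
    for domain in domains_from_renewal_conf(conf_text):
        addrs = resolve(domain)
        if not addrs & set(server_ips):
            blockers[domain] = sorted(addrs)
    return blockers

if __name__ == "__main__":
    # Constructed resolver data (documentation address ranges) so this runs offline.
    fake_dns = {"cloud.example.org": {"203.0.113.10"}, "old.example.org": {"198.51.100.7"}}
    print(renewal_blockers(SAMPLE_RENEWAL_CONF, {"203.0.113.10"},
                           resolve=lambda d: fake_dns.get(d, set())))
```

A domain that passes this check can still fail validation if inbound traffic never reaches the server, as the ISP-blocking report earlier in the thread shows.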
I see the logic behind the implementation of |
Yeah I think ideally the whole process of setting up HTTPS certs would be a Nextcloud app. That requires more time than I have, but we might be able to simply surface the error through the existing notification functionality. |
Three months ago, I ran
sudo nextcloud.enable-https lets-encrypt
and went through the prompts and was very conveniently served a signed cert for my domain. But I thought it would renew automatically, so I just let it be. Two days ago it expired.
Yesterday, tried to run
sudo nextcloud.enable-https lets-encrypt
again, and it seemed to succeed (please see output below). But I was not served with a new cert. I still got the old one. I thought that it maybe was cached, but I've waited more than 12 hours now so I thought I'd get the valid one by now.
First of all I would like to understand how I update the certificate, and secondly I would like to know how I get it to automatically renew. I really thought that lets-encrypt did so by default.
I'm running nextcloud snap on Ubuntu 16.10 server.
May or may not be related to #401.