Nextcloud and Letsencrypt

Having issues with your DietPi installation, or, found a bug? Post it here.
carltonb
Posts: 6
Joined: Mon Oct 17, 2016 9:57 pm

Nextcloud and Letsencrypt

Post by carltonb »

Every few months my Nextcloud installation crashes.
I have created a bunch of instructions to reinstall it and it has always worked fine up until today.
I am on a Odroid C2
I go through the basic setup of Dietpi.
I install Nextcloud, which installs lightpd.
I install NoIP.
I install Certbot.
At this point my site works fine.
Today I go to install Letsencrypt. I complete the dialog and install it.
Now my site is dead. Can not access it at all.

Has anything changed? Am I missing a step?
Thanks
carltonb
User avatar
Fourdee
Site Admin
Posts: 2788
Joined: Tue Feb 06, 2007 1:36 pm

Re: Nextcloud and Letsencrypt

Post by Fourdee »

Hi,

Officially, NextCloud does not support Lighttpd (although it seems "fine" in our tests). So it may be worth selecting Apache2/Nginx for webserver choice, before installation:
https://docs.nextcloud.com/server/9/adm ... hp-modules
Today I go to install Letsencrypt. I complete the dialog and install it.
Now my site is dead. Can not access it at all.

Has anything changed? Am I missing a step?
Nothing has changed our end, however, Cerbot may have. If you get the same results with Apache2/Nginx, let me know and i'll create a ticket to investigate.
If you find our project or support useful, then we’d really appreciate it if you’d consider contributing to the project however you can.
Donating is the easiest – you can use PayPal or become a DietPi patron.
carltonb
Posts: 6
Joined: Mon Oct 17, 2016 9:57 pm

Re: Nextcloud and Letsencrypt

Post by carltonb »

Though I am still having problems, possibly you could provide me with a few more details.
I load on to my emcc card the latest c2 image.
Set up my config files. Create static IP, change localization files. Activate NOIP
I then go and install Apache w/maria. Reboot.
Then change so that Apache is prefered Webserver. Reboot.
Landing page works for apache.
Install Nextcloud. Reboot.
IP address /nextcloud brings up nextcloud.
Install Certbot. Reboot.
IP address /nextcloud still works.
Install dietpi-letsencrypt. Add my NOIP domain, email address, enable refer, enable cron.
I get a pop up message about my certificate, then at end of install of letsencrypt I get errors.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for brookscloud.noip.me
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: brookscloud.noip.me
Please see the logfiles in /var/log/letsencrypt for more details.
Shut down droid, then restart.

At this point I go to browser and put in IP address /nextcloud. Comes up telling me that the site is not secure.
I go to my domaine address and it tells me the site can not be reached.
I also check the log files at /var/log/letsencrypt they are empty.

Where am I going wrong.
I appreciate any help you could provide.
carltonb
dinesh88
Posts: 13
Joined: Thu Dec 14, 2017 4:59 pm

Re: Nextcloud and Letsencrypt

Post by dinesh88 »

HI,

I am also having the same problem, if you have found a fix then please share.

Thank you
User avatar
MichaIng
Site Admin
Posts: 2294
Joined: Sat Nov 18, 2017 6:21 pm

Re: Nextcloud and Letsencrypt

Post by MichaIng »

Hi dinesh88,

meanwhile our Nextcloud and LetsEncrypt (CertBot) implementations have vastly changed. We do support Lighttpd for both. Installing Nextcloud (with any webstack) + CertBot and running "dietpi-letsencrypt" should work.

If you face any issue, please give some more information about exact error messages, in case related log entries and service status.
shredderwoods
Posts: 3
Joined: Mon Apr 23, 2018 4:27 am

Re: Nextcloud and Letsencrypt

Post by shredderwoods »

MichaIng,

I have a similar issue. Installed dietpi and then installed NextCloud and CertBot and proceeded to run dietpi-letsencrypt. Everything went well until I got the following message in the terminal

Code: Select all

Requested name xxx.xxx.xxx.xxx is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address. 
I had used a local IP address assigned by my router, and had left the email field NULL.

Now, even the web server does not work (site cannot be reached), https does not work ofcourse, and running Letsencrypt again says

Code: Select all

Error:  No compatible and/or active webserver was found. Aborting.
Don't know how to roll it back because uninstall fails too. I have flashed my SDcard twice now and tried to replace the IP to my domain name with Google/Hostgator - to no avail.

NOTE: I have a domain name with Google and my shared webhosting is at hostgator but I do not want to use that to set up SSL on my home Nextcloud, partly because I thought that that would be an even more difficult task. By the way, letsencrypt was unable to communicate with my personal domain too.

Kindly help. If there is a detailed guide for Odroid C2 - DietPi - NextCloud - Lighttpd - Certbot from recent times, please let me know.
User avatar
MichaIng
Site Admin
Posts: 2294
Joined: Sat Nov 18, 2017 6:21 pm

Re: Nextcloud and Letsencrypt

Post by MichaIng »

@shredderwoods
It appears that dietpi-letsencrypt precedes with adjusting the webserver config or does some before calling certbot. You can check the code to see adjustments and revert them manually. I will do myself later this evening: https://github.com/Fourdee/DietPi/blob/ ... crypt#L128

Will implement check on valid domain entry and break script if some error occurred during certbot execution. Also all adjustments should be done after certbot execution went fine.
shredderwoods
Posts: 3
Joined: Mon Apr 23, 2018 4:27 am

Re: Nextcloud and Letsencrypt

Post by shredderwoods »

Thank you @MichaIng,

Will wait for you to look into the problem. I can read the file you referenced, but am not versed enough to fix the problem myself.

I reinstalled from fresh and currently have a working installation of plexserver + samba share (external network drive) working. Next I wish to enable SSL (for https) and use it for Nextcloud (as well as for Plex Media Server). I am afraid that I will break my current plex server and samba share if I start experimenting with letsencrypt again. I'll make an image of the SD card tonight.

Some noob questions, if you (or someone else) can answer -
1) Do I need to have a domain name on the world wide web (internet), like http://abcd.com, to be able to use letsencrypt? Or can it be used for local (intranet) servers like http://192.168.1.10 as well?
2) If letsencrypt can be used for local (intranet) servers too, do I need to use No-Ip to attach a domain name (say mylocalserver.ddns.net) to 192.168.1.10 (through router's port-forwarding)? I ask this because I remember letsencrypt throwing an error like 'cannot do it for IP addresses, need a domain name' or something like that the last time I ran into the problem.

In the light of 1) and 2) above, all I wish to do is the enable https (or SSL) for 192.168.1.10 - which is the same machine on which diet-pi is installed. And then I wish for both plex media server and nextcloud to be able to use it. Is there something fundamentally wrong in my goals?

Thanks a bunch
User avatar
MichaIng
Site Admin
Posts: 2294
Joined: Sat Nov 18, 2017 6:21 pm

Re: Nextcloud and Letsencrypt

Post by MichaIng »

@shredderwoods
Sorry for the later reply.
  1. Yes, LetsEncrypt just accepts domains, no raw IP addresses, as also CertBot mentioned with error message.
  2. LetsEncrypt cannot be used for local/intranet-only servers. For the authentication process it need to be reached from outside of local network, thus via direct internet access or forwarded ports 80+443.
Of course you could just enable internet access to the server to get the certificate and then use it just with the local network, but you would need to enable internet access at least every 90 days to renew the certificates life time.

If you just want to enable HTTPS within your local network, then maybe some self-signed certificate would be enough and easier to handle, as it does not depend on www access:
openssl req -x509 -sha256 -newkey rsa:2048 -nodes -keyout privkey.pem -out cert.pem -days 365
  • For a 2048 bit RSA cert with 365 days life time.
  • Only your clients/browsers need to be able to allow self-signed certs/import oneself as trusted CA, to hide warnings. Some browsers are quite strict with this nowadays ;).
About how to revert changes made, when DietPi-LetsEncrypt fails (Odroids/Jessie + Lighttpd):
rm /etc/cron.weekly/dietpi-letsencrypt
rm /etc/lighttpd/conf-enabled/letsencrypt.conf
rm /etc/lighttpd/conf-enabled/redirect.conf
lighttpd-disable-mod dietpi-hsts
rm /etc/lighttpd/conf-available/99-dietpi-hsts.conf
/etc/init.d/lighttpd force-reload
User avatar
MichaIng
Site Admin
Posts: 2294
Joined: Sat Nov 18, 2017 6:21 pm

Re: Nextcloud and Letsencrypt

Post by MichaIng »

Made some rework on DietPi-LetsEncrypt to include error handling of CertBot execution and prevent webserver config adjustments if error was found: https://github.com/Fourdee/DietPi/pull/1738

Testing of this branch is welcome, as there are much versions/combinations of certbot/webservers. But I will test through all I can imagine as well 8).
Post Reply