Jeremy Davis

Reposted from account approval/welcome thread


I would like to use the TurnKey Nextcloud LXC on my webserver.

As my webserver can only serve domains with a public IPv6 address (no public IPv4 addresses available), I use the Cloudflare DNS proxy to get a valid public IPv4 address for my Nextcloud instance. This works great and I am able to run Nextcloud, get updates and install apps.

But I've come across one problem with renewing the certificates for my domain. For the first three months all was good, and Nextcloud was secured with a Cloudflare edge certificate, but this ran out today and I was not able to renew the certificate.

Confconsole shows me an error:

dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.

In short, I would like to get some help to solve this issue and learn how to get valid certificates while using Cloudflare's proxy DNS function.

If this forum could help me, that would be great!

derpuma

Thanks for approving me!
If you need some logfiles, please let me know how I can provide you with necessary information.

Jeremy Davis

Apologies I'm a bit slow getting back to your issue. I got sidetracked with some priority stuff.

Also FYI, if you sign in with your website account, you can post without needing me to approve it. So even if I'm a little slow, someone else might jump in to help you in the meantime. You'll also be able to start a new thread if you have a different issue in the future. ("Guest" users can only post comments on existing threads.)

Anyway, to your current issue...


I'm 99% sure that the issue is Cloudflare related. I'm pretty sure that they redirect http to https by default, so even if you have port 80 open, Let's Encrypt won't be able to connect to your server, so the challenge (domain validation) will fail. Although if that is the issue, it's weird that it worked the first time. Although perhaps that was before you configured Cloudflare? Or changed some settings in Cloudflare since?

Regardless, I know it can work as this site is running on a TurnKey server and also uses Cloudflare. Obviously HTTPS is working here. I do vaguely recall needing to adjust something in the Cloudflare settings to make it work though.

I'm pretty sure that the change needed does have implications, but I wouldn't expect it to have any impact on the IPv6 IP.

Unfortunately I can't log into Cloudflare at the moment so can't give you specifics. If you want to continue with HTTP-01 validation you'll need to have a poke around in the Cloudflare settings yourself. As I say, it should be something to do with disabling the HTTP to HTTPS redirection. If you can't find it, have a google for "lets encrypt cloudflare http-01 fails" or similar and you should get some helpful results - probably either on the Let's Encrypt or Cloudflare forums. If you go that way and find a solution, it'd be great if you could post back with the info to make it easier for other TurnKey users who might hit the same issue.


Alternatively, if your server is a relatively recent TurnKey server (which it sounds like it is) then you could use "DNS-01" validation instead. Make sure that your TurnKey server is v18.x like this:

turnkey-version

And look for 18.x in the line that returns. E.g. if it's v18.1 you'll get this:

turnkey-nextcloud-18.1-bookworm-amd64

So long as it's v18.x then make sure that you have the latest Confconsole version:

apt update
apt install -y confconsole

Then run confconsole:

confconsole

Select Advanced >> Get certificate >> DNS-01 and follow the prompts.

You will need to provide authentication details so your server can create (and destroy) the DNS records that are needed to validate your domain. IIRC there is some basic Cloudflare config included by default, but you will still need to check what is required for Cloudflare and enter the relevant details into Confconsole. If need be, you can check the Cloudflare docs too.

If I'm wrong and it doesn't already include some basic/example config, please let me know and I'll check it out myself and tell you exactly what you need to do - and include it in future releases of Confconsole.


Good luck and please let me know how it goes regardless.

derpuma

No apologies needed at all. I am glad that you take the time to help me to fix the issue.
How do I sign in with a website account, or how do I get one? The Nextcloud is not running on my own domain, so I can not easily share the domain name without permission.

I am on
turnkey-nextcloud-18.1-bookworm-amd64
confconsole is already the newest version (2.1.6+2+ge808780).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

As said, the domain on Proxmox is only hosted with a public IPv6 and an internal IPv4. Cloudflare's proxy option turns it into a public Cloudflare IPv6 plus public IPv4.

I will try to pause Cloudflare for 24h and see if that helps, and then try to reissue the DNS-01 certificate. Maybe it is Cloudflare that cached a previous certificate and needs some time to delete it and to accept a new one?

In Cloudflare I generated a DNS token and put it into the Confconsole settings, also the domain name plus a wildcard for the domain with *.
Looks like this works on other LXC TurnKey Nextcloud containers I use in combination with the domain also hosted on a Plesk server with Cloudflare's origin certificate there. There, only the DNS for the subdomain to the Nextcloud has an IPv6, like the domain mentioned above.

So do I need to take some steps to download and install the Cloudflare certificate into the TurnKey container if I'd like to use Cloudflare's origin certificate, which lasts for 15 years?

It would be nice if you could point me to a manual on how to do so, if this is possible.
Otherwise, if auto-renewing with Let's Encrypt would work, I do not have a problem authenticating the domain with this type of SSL.

I will report back if pausing Cloudflare does the trick.
Thanks so far. If you have any other input and ideas, please let me know!

Jeremy Davis

You have a website/forums account already and I just double checked and it is approved/activated already. :)

Log in using your email and the password you set when you signed up ~3 days ago. If you don't recall your password, then you can reset it. Please let me know if you have any issues.


Back to your cert issue. My initial thought was that something had changed on your end between you initially (successfully) getting the cert and renewal. As you may be aware, LE certs are only valid 90 days. Is there anything that you can think of that you (or someone else) have changed since you initially got the cert? In particular I'm thinking firewall config, networking & routing config, Cloudflare config, etc. Although please share any server and/or environment changes you can think of between the successful cert and the failure. Even if it doesn't seem relevant, who knows, perhaps it might be?

Regardless, rereading your posts and thinking about it a bit more, I wonder if there is some edge case bug/issue with Confconsole that for whatever reason we aren't seeing. TBH I'm fairly confident because as I mentioned we have a number of servers renewing certs fine - but perhaps?

Assuming that the IPv6 config has existed right from the start, I highly doubt that'd be a factor. If that has changed since you launched then perhaps?

Probably the first thing I should have asked for was the log file. I.e. the output of:

cat /var/log/confconsole/letsencrypt.log

And the contents of the Confconsole LE config:

cat /etc/dehydrated/confconsole.config

One final thing to check is the permissions of the cron job (what triggers the cert renewal). Given what you've reported (TurnKey server & confconsole versions) I expect it to be ok, but just in case...:

ls -l /etc/cron.daily/confconsole-dehydrated

Hopefully that will help us sort it out...

derpuma

Hi, basically the only thing that changed was that the certificate ran out after 90 days and renewing did not work. What I saw is that the site was served with a certificate from "google" while it was proxied. I checked the logs and all seems to be good, but pausing Cloudflare for 24h, disabling and enabling Cloudflare's SSL, nothing helped so far. Nevertheless, as soon as I turn on Cloudflare's proxy mode, I get an error:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I followed these steps here: https://developers.cloudflare.com/ssl/troubleshooting/version-cipher-mis... Not sure how I get out of this. When I unproxy the domain, Nextcloud loads with a valid Let's Encrypt certificate. But as said, I need the domain proxied, as then I also get a valid IPv4 from Cloudflare, which is mandatory for a fully functional Nextcloud regarding web updates and apps. Here are the results of the logs (anonymized):
Debian GNU/Linux 12 cloud-example.xy tty1

cloud-example.xy login: root
Password: 
Welcome to cloud-example.xy, TurnKey GNU/Linux 18.1 (Debian 12/Bookworm)

  System information for Fri Dec 20 10:52:30 2024 - CET (UTC+0100)
  
    System load:  2.72               Memory usage:  8.7%
    Processes:    29                 Swap usage:    0.0%
    Usage of /:   40.0% of 97.87GB   IP address for eth1: 192.168.0.10
  
  TKLBAM (Backup and Migration):  NOT INITIALIZED
  
    To initialize TKLBAM, run the "tklbam-init" command to link this
    system to your TurnKey Hub account. For details see the man page or
    go to:
  
        https://www.turnkeylinux.org/tklbam
  

    For Advanced commandline config run:    confconsole

  For more info see: https://www.turnkeylinux.org/docs/confconsole

Linux cloud-example.xy 6.8.12-2-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-2 (2024-09-05T10:03Z) x86_64
Last login: Fri Dec 20 10:43:57 CET 2024 on pts/1
You have mail.
root@cloud-example.xy ~# ping cloud-example.xy
PING cloud-example.xy(cloud-example.xy (XXXX:XXX:0:XX::XX)) 56 data bytes
64 bytes from cloud-example.xy (XXXX:XXX:0:XX::XX): icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from xy (XXXX:XXX:0:XX::XX): icmp_seq=2 ttl=64 time=0.024 ms
64 bytes from cloud-example.xy (XXXX:XXX:0:XX::XX): icmp_seq=3 ttl=64 time=0.030 ms
64 bytes from cloud-example.xy (XXXX:XXX:0:XX::XX): icmp_seq=4 ttl=64 time=0.032 ms
64 bytes from cloud-example.xy (XXXX:XXX:0:XX::XX): icmp_seq=5 ttl=64 time=0.027 ms
^X^C
--- cloud-example.xy ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4127ms
rtt min/avg/max/mdev = 0.018/0.026/0.032/0.005 ms
root@cloud-example.xy ~# cat /etc/dehydrated/confconsole.config
########################################################
# This is the config file for dehydrated when launched #
# via confconsole on TurnKey GNU/Linux.                #
#                                                      #
# It is loaded by the dehydrated-wrapper script.       #
#                                                      #
# For more information about the confconsole Let's     #
# Encrypt plugin and/or the dehydrated-wrapper please  #
# see:                                                 #
# /usr/share/doc/confconsole/docs/Lets_Encrypt.rst     #
# or:                                                  #
# https://www.turnkeylinux.org/docs/letsencrypt        #
#                                                      #
# For more comprehensive example conf, see             #
#  /usr/share/doc/dehydrated/examples/config           #
########################################################

BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges"
DOMAINS_TXT="/etc/dehydrated/confconsole.domains.txt"
HOOK="/etc/dehydrated/confconsole.hook.sh"
CHALLENGETYPE="http-01"

# required for DNS-01 only - ignored by HTTP-01 challenge
PROVIDER="cloudflare"
LEXICON_CONFIG_DIR='/etc/dehydrated'

# staging server for testing - leave commented for production
#CA="https://acme-staging-v02.api.letsencrypt.org/directory"




root@cloud-example.xy ~# ls -l /etc/cron.daily/confconsole-dehydrated
-rwxr-xr-x 1 root root 889 Sep 18 10:49 /etc/cron.daily/confconsole-dehydrated
root@cloud-example.xy ~# #
root@cloud-example.xy ~# cat /var/log/confconsole/letsencrypt.log
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: stopping apache2
[2024-12-17 10:08:17] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy with alternative names: *.cloud-example.xy 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy
ERROR: Validating this certificate is not possible using http-01. Possible validation methods are: dns-01 
[2024-12-17 10:08:20] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-17 10:08:20] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: attempting to kill add-water server
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-17 10:08:22] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy with alternative names: *.cloud-example.xy 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy
 + Handling authorization for cloud-example.xy
 + 2 pending challenge(s)
 + Deploying challenge tokens...
[2024-12-20 09:32:52] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.
[2024-12-20 09:32:52] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
[2024-12-20 09:33:26] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.
[2024-12-20 09:33:26] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
 + Responding to challenge for cloud-example.xy authorization...
[2024-12-20 09:34:30] confconsole.hook.sh: FATAL: Challenge response for *.cloud-example.xy failed: ["type"]     "dns-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/1953129806/446179525055/mITcAg"
["status"]      "invalid"
["validated"]   "2024-12-20T08:33:58Z"
["error","type"]        "urn:ietf:params:acme:error:dns"
["error","detail"]      "DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy","status":400}
["token"]       "6PKWRNaaXCgd-cLWnlCdpB7dnJrT9a70Pk40eweXey8".
ERROR: invalid_challenge hook returned with non-zero exit code
[2024-12-20 09:34:30] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-20 09:34:30] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:34:30] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:34:32] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:34:35] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:55:45] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:55:46] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:55:46] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:55:47] confconsole.hook.sh: INFO: cert for cloud-example.xy is unchanged - nothing to do
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:55:49] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:56:37] confconsole.hook.sh: INFO: cert for cloud-example.xy is unchanged - nothing to do
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:56:40] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:58:48] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:58:49] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:58:49] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:58:50] confconsole.hook.sh: INFO: cert for cloud-example.xy is unchanged - nothing to do
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:58:51] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 10:36:25] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 10:36:26] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 10:36:26] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 10:36:27] confconsole.hook.sh: INFO: cert for cloud-example.xy is unchanged - nothing to do
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 10:36:28] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 10:36:30] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 10:39:45] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: stopping apache2
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 10:39:47] confconsole.hook.sh: INFO: cert for cloud-example.xy is unchanged - nothing to do
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 10:39:47] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: attempting to kill add-water server
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 10:39:48] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
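The dns-01 failure in the log above is the CA reporting that its lookup of the _acme-challenge TXT record timed out, i.e. the record Confconsole created (the step described in the DNS-01 instructions earlier in the thread) was not answerable when the CA asked for it. A pre-flight check that queries the zone's authoritative nameserver directly and waits until the expected value is visible before validation is requested is a useful way to narrow that down. This is an added example, not code from Confconsole, dehydrated or this thread; the zone name is the thread's anonymized one, and the token value and nameserver are placeholders.

```python
# Pre-flight check for an ACME dns-01 challenge: query the zone's authoritative
# nameserver for the _acme-challenge TXT record and wait until it is visible.
import random
import socket
import struct
import time
from typing import List, Optional, Tuple

QTYPE_TXT = 16
QCLASS_IN = 1


def build_query(name: str, txid: int, qtype: int = QTYPE_TXT) -> bytes:
    """Encode a standard, recursion-desired DNS query for name/qtype."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels: List[str] = []
    end: Optional[int] = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_txt_response(msg: bytes, txid: int) -> List[str]:
    """Return the TXT strings in the answer section; [] if the name is absent."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    rcode = flags & 0x000F
    if rcode == 3:                                # NXDOMAIN: not published yet
        return []
    if rcode != 0:
        raise ValueError(f"nameserver returned rcode {rcode}")
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    txts: List[str] = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != QTYPE_TXT:
            continue
        chunks, p = [], 0                         # TXT rdata: <len><chars>...
        while p < len(rdata):
            n = rdata[p]
            chunks.append(rdata[p + 1:p + 1 + n])
            p += 1 + n
        txts.append(b"".join(chunks).decode("utf-8", "replace"))
    return txts


def query_txt(name: str, nameserver: str, timeout: float = 3.0) -> List[str]:
    """One UDP TXT query; nameserver may be an IPv4/IPv6 address or hostname."""
    family, _, _, _, addr = socket.getaddrinfo(nameserver, 53, type=socket.SOCK_DGRAM)[0]
    txid = random.randrange(0, 0x10000)
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), addr)
        data, _ = sock.recvfrom(4096)
    return parse_txt_response(data, txid)


def wait_for_txt(name: str, expected: str, nameserver: str,
                 attempts: int = 12, delay: float = 5.0) -> bool:
    """Poll until `expected` appears among the TXT values, or give up."""
    for _ in range(attempts):
        try:
            if expected in query_txt(name, nameserver):
                return True
        except (OSError, ValueError):             # timeout, SERVFAIL, etc.: retry
            pass
        time.sleep(delay)
    return False


if __name__ == "__main__":
    # Placeholders: the thread's anonymized zone, a made-up token value and a
    # stand-in for the zone's authoritative nameserver (assumptions, not real).
    visible = wait_for_txt("_acme-challenge.cloud-example.xy",
                           "TOKEN-VALUE-PLACEHOLDER", "ns-placeholder.example")
    print("TXT record visible" if visible else "TXT record NOT visible; dns-01 will fail")
```

If the record is visible at the authoritative server but the CA still times out, the problem lies between the CA's resolvers and that server rather than in the record itself.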
derpuma

If I use the dns-01 challenge with the domain proxied and a Cloudflare token, I get this log:
root@cloud-example.xy ~# cat /var/log/confconsole/letsencrypt.log
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: stopping apache2
[2024-12-17 10:08:17] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de with alternative names: *.cloud-example.xy.de 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy.de
ERROR: Validating this certificate is not possible using http-01. Possible validation methods are: dns-01 
[2024-12-17 10:08:20] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-17 10:08:20] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: attempting to kill add-water server
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-17 10:08:22] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de with alternative names: *.cloud-example.xy.de 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy.de
 + Handling authorization for cloud-example.xy.de
 + 2 pending challenge(s)
 + Deploying challenge tokens...
[2024-12-20 09:32:52] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.de.
[2024-12-20 09:32:52] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
[2024-12-20 09:33:26] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.de.
[2024-12-20 09:33:26] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
 + Responding to challenge for cloud-example.xy.de authorization...
[2024-12-20 09:34:30] confconsole.hook.sh: FATAL: Challenge response for *.cloud-example.xy.de failed: ["type"]     "dns-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/1953129806/446179525055/mITcAg"
["status"]      "invalid"
["validated"]   "2024-12-20T08:33:58Z"
["error","type"]        "urn:ietf:params:acme:error:dns"
["error","detail"]      "DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy.de"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy.de","status":400}
["token"]       "6PKWR***************************************Xey8".
ERROR: invalid_challenge hook returned with non-zero exit code
[2024-12-20 09:34:30] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-20 09:34:30] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:34:30] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:34:32] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:34:35] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:55:45] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:55:46] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:55:46] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:55:47] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:55:49] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:56:37] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:56:40] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:58:48] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:58:49] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:58:49] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:58:50] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:58:51] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 10:36:25] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 10:36:26] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 10:36:26] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 10:36:27] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 10:36:28] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 10:36:30] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 10:39:45] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: stopping apache2
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 10:39:47] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 10:39:47] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: attempting to kill add-water server
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 10:39:48] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 11:14:46] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 11:14:46] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 11:14:46] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 11:14:47] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 11:14:47] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 11:14:47] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 11:14:47] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 11:14:47] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 11:14:50] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 11:41:55] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 11:41:56] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 11:41:56] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de with alternative names: *.cloud-example.xy.de 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy.de
 + Handling authorization for cloud-example.xy.de
 + 2 pending challenge(s)
 + Deploying challenge tokens...
[2024-12-20 11:42:00] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.de.
[2024-12-20 11:42:00] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
[2024-12-20 11:42:34] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.de.
[2024-12-20 11:42:34] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
 + Responding to challenge for cloud-example.xy.de authorization...
[2024-12-20 11:43:39] confconsole.hook.sh: FATAL: Challenge response for *.cloud-example.xy.de failed: ["type"]     "dns-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/1953129806/446179525065/g-1fBA"
["status"]      "invalid"
["validated"]   "2024-12-20T10:43:07Z"
["error","type"]        "urn:ietf:params:acme:error:dns"
["error","detail"]      "DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy.de"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy.de","status":400}
["token"]       "6_ECdp1***********************************8Gjhe8".
ERROR: invalid_challenge hook returned with non-zero exit code
[2024-12-20 11:43:39] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-20 11:43:39] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 11:43:39] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 11:43:39] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 11:43:41] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 11:44:49] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 11:44:49] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 11:44:49] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de with alternative names: *.cloud-example.xy.de 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy.de
 + Handling authorization for cloud-example.xy.de
 + 2 pending challenge(s)
 + Deploying challenge tokens...
[2024-12-20 11:44:54] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.de.
[2024-12-20 11:44:54] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
Traceback (most recent call last):
  File "/usr/local/src/venv/lexicon/bin/lexicon", line 8, in 
    sys.exit(main())
             ^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/_private/cli.py", line 135, in main
    results = client.execute()
              ^^^^^^^^^^^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/client.py", line 217, in execute
    return executor.create_record(rtype, name, content)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/client.py", line 36, in create_record
    return self.provider.create_record(rtype, name, content)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/_private/providers/cloudflare.py", line 94, in create_record
    payload = self._post(f"/zones/{self.domain_id}/dns_records", data)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/interfaces.py", line 171, in _post
    return self._request("POST", url, data=data, query_params=query_params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/_private/providers/cloudflare.py", line 218, in _request
    response.raise_for_status()
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/requests/models.py", line 1024, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api.cloudflare.com/client/v4/zones/0c55471829c4b9c5736f1d2e4770623e/dns_records
ERROR: deploy_challenge hook returned with non-zero exit code
[2024-12-20 11:44:56] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-20 11:44:56] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 11:44:56] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 11:44:56] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 11:44:58] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
Jeremy Davis's picture

I'm sorry (again) for my slow reply. Unfortunately your post came just after I left for some time off over Christmas/New Year. I'm back this week but I've only just noticed your post now... :(

Anyway, the first thing I noticed is that the base domain appears to have a valid certificate!? So the current cert should work ok as is. Here's the relevant log output:

Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!

However it looks like it's also trying to generate a certificate for a wildcard domain: *.cloud-example.xy - which is failing

Processing cloud-example.xy with alternative names: *.cloud-example.xy 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy
ERROR: Validating this certificate is not possible using http-01. Possible validation methods are: dns-01 

Certificates for wildcard domains can't be renewed via an HTTP-01 challenge. So even though it appears that you have a valid cert for the "main" domain, it is failing on the wildcard one. IIRC the way that the TurnKey Let's Encrypt plugin works is that it won't consider the process successful unless all domains configured are updated successfully. It still doesn't explain why it stopped working though; it should have never worked! I can only assume that initially it wasn't configured to get a wildcard cert and sometime within the 90 days while it was working, someone added the wildcard domain.

A wildcard domain is possible via DNS-01 validation. However there is something wrong with the DNS-01 Cloudflare config. The DNS record is not being created, so the Let's Encrypt validation fails. It looks like for some reason when Confconsole tries to create the required DNS record accessing Cloudflare fails.

Either there is something wrong with your Cloudflare credentials or other Confconsole DNS-01 config; or there is a bug in Confconsole. It's working fine for me, but I use AWS Route53. I do have a Cloudflare account though, so if you remain stuck, then when I get a chance, I'll test it out.

Regardless, I suggest that you delete all the config files starting with 'confconsole' in /etc/dehydrated, then start again via Confconsole. If you don't need a wildcard domain, then getting a cert via HTTP-01 should work fine - so long as you have "Always Use HTTPS" disabled in Cloudflare (SSL/TLS >> Edge Certificates). If you need/want the wildcard domain then you'll need to persevere with the DNS-01 config. I suggest deleting the API key you generated (assuming that it's not used for anything else) and generate a new one.

Let me know if you have any joy...

derpuma's picture

No worries at all! Maybe it had something to do with a couple of the reasons you mentioned!

What I did was create a new container and transfer the database and data to the new Nextcloud.

Then certification worked out of the box with the HTTP-01 challenge.

And yes, I tried several times with and without wildcard; maybe that was a source of error too. But maybe also that in the new instance of the container all files in /etc/dehydrated from the old installation were gone.

I will observe now how it looks in about three months, when the renewal starts again.

For now I am good. I will get back and report, and I really appreciate your help and the time you put into your answers!

Jeremy Davis's picture

Glad to hear that you are back up and running. Why it stopped working is still something of a mystery, but at least you found a workaround.

Hopefully it will just keep working this time. But please feel free to post back if you have issues again.

Please also feel free to start another thread(s) if you have any new/different issues, general questions, suggestions for us or any other Turnkey Linux feedback (good or bad).

Metron6's picture

I also get this message: [2025-01-13 01:15:50] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
cat /var/log/confconsole/letsencrypt.log
[2025-01-13 01:19:33] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2025-01-13 01:19:34] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2025-01-13 01:19:34] dehydrated-wrapper: INFO: stopping apache2
[2025-01-13 01:19:34] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing nextcloud.solidarit.gr
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for nextcloud.solidarit.gr
 + 1 pending challenge(s)
 + Deploying challenge tokens...
[2025-01-13 01:19:39] confconsole.hook.sh: INFO: Deploying challenge for nextcloud.solidarit.gr
[2025-01-13 01:19:39] confconsole.hook.sh: INFO: Serving /var/lib/dehydrated/acme-challenges/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY on http://nextcloud.solidarit.gr/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY
 + Responding to challenge for nextcloud.solidarit.gr authorization...
 + Cleaning challenge tokens...
[2025-01-13 01:19:43] confconsole.hook.sh: INFO: Clean challenge for nextcloud.solidarit.gr
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/2160407515/459756646175/6V_BTw"
["status"]      "invalid"
["validated"]   "2025-01-12T23:19:39Z"
["error","type"]        "urn:ietf:params:acme:error:unauthorized"
["error","detail"]      "178.63.130.142: Invalid response from https://nextcloud.solidarit.gr/index.php/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY: 502"
["error","status"]      403
["error"]       {"type":"urn:ietf:params:acme:error:unauthorized","detail":"178.63.130.142: Invalid response from https://nextcloud.solidarit.gr/index.php/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY: 502","status":403}
["token"]       "-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY"
["validationRecord",0,"url"]    "http://nextcloud.solidarit.gr/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY"
["validationRecord",0,"hostname"]       "nextcloud.solidarit.gr"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "178.63.130.142"
["validationRecord",0,"addressesResolved"]      ["178.63.130.142"]
["validationRecord",0,"addressUsed"]    "178.63.130.142"
["validationRecord",0]  {"url":"http://nextcloud.solidarit.gr/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY","hostname":"nextcloud.solidarit.gr","port":"80","addressesResolved":["178.63.130.142"],"addressUsed":"178.63.130.142"}
["validationRecord",1,"url"]    "https://nextcloud.solidarit.gr/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY"
["validationRecord",1,"hostname"]       "nextcloud.solidarit.gr"
["validationRecord",1,"port"]   "443"
["validationRecord",1,"addressesResolved",0]    "178.63.130.142"
["validationRecord",1,"addressesResolved"]      ["178.63.130.142"]
["validationRecord",1,"addressUsed"]    "178.63.130.142"
["validationRecord",1]  {"url":"https://nextcloud.solidarit.gr/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY","hostname":"nextcloud.solidarit.gr","port":"443","addressesResolved":["178.63.130.142"],"addressUsed":"178.63.130.142"}
["validationRecord",2,"url"]    "https://nextcloud.solidarit.gr/index.php/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY"
["validationRecord",2,"hostname"]       "nextcloud.solidarit.gr"
["validationRecord",2,"port"]   "443"
["validationRecord",2,"addressesResolved",0]    "178.63.130.142"
["validationRecord",2,"addressesResolved"]      ["178.63.130.142"]
["validationRecord",2,"addressUsed"]    "178.63.130.142"
["validationRecord",2]  {"url":"https://nextcloud.solidarit.gr/index.php/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY","hostname":"nextcloud.solidarit.gr","port":"443","addressesResolved":["178.63.130.142"],"addressUsed":"178.63.130.142"}
["validationRecord"]    [{"url":"http://nextcloud.solidarit.gr/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY","hostname":"nextcloud.solidarit.gr","port":"80","addressesResolved":["178.63.130.142"],"addressUsed":"178.63.130.142"},{"url":"https://nextcloud.solidarit.gr/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY","hostname":"nextcloud.solidarit.gr","port":"443","addressesResolved":["178.63.130.142"],"addressUsed":"178.63.130.142"},{"url":"https://nextcloud.solidarit.gr/index.php/.well-known/acme-challenge/-c-ReulHjRCtvakcv19ABt4wHJJEZPwucPHa4p7LtlY","hostname":"nextcloud.solidarit.gr","port":"443","addressesResolved":["178.63.130.142"],"addressUsed":"178.63.130.142"}])
[2025-01-13 01:19:43] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2025-01-13 01:19:44] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2025-01-13 01:19:44] dehydrated-wrapper: INFO: attempting to kill add-water server
[2025-01-13 01:19:44] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2025-01-13 01:19:44] dehydrated-wrapper: INFO: (Re)starting apache2
[2025-01-13 01:19:44] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2025-01-13 01:19:46] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.

cat /etc/dehydrated/confconsole.config
########################################################
# This is the config file for dehydrated when launched #
# via confconsole on TurnKey GNU/Linux.                #
#                                                      #
# It is loaded by the dehydrated-wrapper script.       #
#                                                      #
# For more information about the confconsole Let's     #
# Encrypt plugin and/or the dehydrated-wrapper please  #
# see:                                                 #
# /usr/share/doc/confconsole/docs/Lets_Encrypt.rst     #
# or:                                                  #
# https://www.turnkeylinux.org/docs/letsencrypt        #
#                                                      #
# For more comprehensive example conf, see             #
#  /usr/share/doc/dehydrated/examples/config           #
########################################################

BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges"
DOMAINS_TXT="/etc/dehydrated/confconsole.domains.txt"
HOOK="/etc/dehydrated/confconsole.hook.sh"
CHALLENGETYPE="http-01"

# required for DNS-01 only - ignored by HTTP-01 challenge
PROVIDER='auto'
LEXICON_CONFIG_DIR='/etc/dehydrated'

# staging server for testing - leave commented for production
#CA="https://acme-staging-v02.api.letsencrypt.org/directory"


ls -l /etc/cron.daily/confconsole-dehydrated
-rwxr-xr-x 1 root root 889 Jan  9 16:38 /etc/cron.daily/confconsole-dehydrated

I hope you can help me..

Maybe I should post my nginx conf?
server {
  server_name nextcloud.solidarit.gr cloud.solidarit.gr;
  access_log /var/log/nginx/solidarit_cloud_access.log;
  error_log /var/log/nginx/solidarit_cloud_error.log;
  client_max_body_size 10G;
  client_body_buffer_size 400M;

  location / {
    proxy_pass https://10.107.91.105;
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 128;
  }

  location /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
  }

  location /.well-known/caldav {
    return 301 $scheme://$host/remote.php/dav;
  }

  location ^~ /.well-known {
    return 301 $scheme://$host/index.php$uri;
  }
}

Jeremy Davis's picture

Great thinking to also post your nginx.conf! Thanks for that, I can now see exactly what is going on. And perhaps that was even the problem before and I just missed it?

Anyway, looking at your confconsole LE log output, Let's Encrypt is expecting the challenge to be served from this URL: http://nextcloud.solidarit.gr/.well-known/acme-challenge/

But your Nginx config is redirecting https://nextcloud.solidarit.gr/.well-known to https://nextcloud.solidarit.gr/index.php/.well-known (note the 'index.php' in there). This bit of your nginx.conf:

location ^~ /.well-known {
    return 301 $scheme://$host/index.php$uri;
}

Nextcloud isn't running while the challenge is being served. That means that the url your Nginx proxy is trying to redirect to is not available so Nginx returns a 502 (Bad Gateway - proxy can't connect to the backend).

Even if that URL returned the correct challenge and gave a 200 (ok) I'm fairly sure it would still fail, because LE only works on http URLs; it will fail with an https URL, and IIRC their docs note that there should be no redirect regardless.

Having said that, I am unfamiliar with how NC uses those urls for the web dav functionality. I have a suspicion that you probably want that redirect for Nextcloud (although I could be wrong). If that's the case then you still want to redirect /.well-known while NC is running - but not while your server should be serving a LE challenge.

So I see a few options:

  • Just remove that redirect in nginx conf and cross your fingers; maybe it will stop web dav working, maybe not?
  • Change the nginx proxy redirect so it only redirects https - not http; anything trying to connect to NC via /.well-known via http other than the LE challenges will fail.
  • Move that redirect to the Apache config of your Turnkey NC server.

I think that the last is the best solution. Because the Apache server in the NC appliance won't be running when the challenge is served there will be no redirect, but when the webserver in your NC server is running, the redirect will occur just like it does now.

Actually, just looking at the NC docs it appears that the NC .htaccess file should already include this:


  RewriteEngine on
  RewriteRule ^/\.well-known/carddav /nextcloud/remote.php/dav [R=301,L]
  RewriteRule ^/\.well-known/caldav /nextcloud/remote.php/dav [R=301,L]
  RewriteRule ^/\.well-known/webfinger /nextcloud/index.php/.well-known/webfinger [R=301,L]
  RewriteRule ^/\.well-known/nodeinfo /nextcloud/index.php/.well-known/nodeinfo [R=301,L]

That should redirect those NC urls already. But when I was testing our appliance before I noticed that NC was complaining about those urls not redirecting as they should. TBH I'm not sure why, because the config we ship looks right - it should process the NC .htaccess file and so already do those redirects?!

Anyway, that doesn't seem to be the case, so I suggest removing the redirects from Nginx (at least that last one) and update the NC apache config on your NC server to include the code snippet from the NC docs.

Put it in the 443 virtual server block in /etc/apache2/sites-available/nextcloud.conf - i.e. between these 2 lines.

Then restart your Nginx proxy (to apply the updated proxy config) and for good measure, also restart Apache on your Nextcloud server. Clear your cache and cookies (at least for your NC url) and then double check that all works as it should with NC. Assuming it does, then try again to get a cert. I would expect it to "just work".

Fingers crossed...
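As an added example (not code from confconsole, dehydrated or TurnKey), here is a small Python triage script that parses the `["path"] value` challenge dump dehydrated writes into these logs and classifies the failure the way the diagnosis above does: an HTTP-01 validation chain that leaves plain http or lands on /index.php/, a DNS-01 TXT record the CA could not resolve, or a deploy_challenge hook that crashed before the CA was asked. The domains, IP and zone id in the embedded samples are constructed placeholders.

```python
"""Triage helper for confconsole/dehydrated Let's Encrypt logs (added example,
not part of confconsole, dehydrated or TurnKey). The sample excerpts below
are constructed to mirror the three failure shapes seen in this thread."""
import json
import re

# dehydrated prints the failed ACME challenge object one field per line as
# `["json","path"]  <json value>`; the first line may carry a log prefix and
# the last a trailing '.' or ')'. A timestamp like `[2025-01-13 ...]` never
# matches because a path always starts with a quoted string.
_FIELD = re.compile(r'(\["[^\]]*\])\s+(\S.*)$')

def parse_challenge(log_text):
    """Return {json_path_tuple: value} for every challenge field found."""
    fields = {}
    for line in log_text.splitlines():
        m = _FIELD.search(line)
        if m:
            try:
                path = tuple(json.loads(m.group(1)))
                fields[path] = json.loads(m.group(2).rstrip().rstrip(".)"))
            except ValueError:
                pass  # not a well-formed field line; skip it
    return fields

def triage(log_text):
    """Classify why a run failed; returns (cause, evidence)."""
    if "deploy_challenge hook returned with non-zero exit code" in log_text:
        # The hook crashed before the CA validated anything, so the fault is
        # local (DNS-provider API call or credentials), not the challenge.
        api = re.search(r"HTTPError: \d{3} [^\n]*", log_text)
        return "hook-failed", api.group(0) if api else "see traceback"
    f = parse_challenge(log_text)
    if f.get(("status",)) != "invalid":
        return "no-invalid-challenge", ""
    ctype, detail = f.get(("type",)), f.get(("error", "detail"), "")
    if ctype == "http-01":
        # Follow the CA's validationRecord chain in order: HTTP-01 must be
        # answered on plain http://<host>/.well-known/acme-challenge/<token>.
        urls = {k[1]: v for k, v in f.items()
                if len(k) == 3 and k[0] == "validationRecord" and k[2] == "url"}
        hops = [urls[i] for i in sorted(urls)]
        if any(h.startswith("https://") or "/index.php/" in h for h in hops):
            return "http01-redirected", " -> ".join(hops)
        return "http01-bad-response", detail
    if ctype == "dns-01":
        if "timed out" in detail or f.get(("error", "type"), "").endswith(":dns"):
            return "dns01-txt-not-resolvable", detail
        return "dns01-wrong-txt", detail
    return "unknown", detail

# Constructed sample: HTTP-01 bounced http -> https -> /index.php/ and got 502.
SAMPLE_HTTP01 = """\
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["status"]      "invalid"
["error","type"]        "urn:ietf:params:acme:error:unauthorized"
["error","detail"]      "192.0.2.10: Invalid response from https://cloud.example.test/index.php/.well-known/acme-challenge/TOKEN: 502"
["validationRecord",0,"url"]    "http://cloud.example.test/.well-known/acme-challenge/TOKEN"
["validationRecord",1,"url"]    "https://cloud.example.test/.well-known/acme-challenge/TOKEN"
["validationRecord",2,"url"]    "https://cloud.example.test/index.php/.well-known/acme-challenge/TOKEN"
"""
# Constructed sample: DNS-01 where the CA could not resolve the TXT record.
SAMPLE_DNS01 = """\
[2024-12-20 11:43:39] confconsole.hook.sh: FATAL: Challenge response for *.cloud.example.test failed: ["type"]     "dns-01"
["status"]      "invalid"
["error","type"]        "urn:ietf:params:acme:error:dns"
["error","detail"]      "DNS problem: query timed out looking up TXT for _acme-challenge.cloud.example.test"
["token"]       "TOKEN".
"""
# Constructed sample: the lexicon hook crashed while creating the TXT record.
SAMPLE_HOOK = """\
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api.cloudflare.com/client/v4/zones/ZONE_ID_PLACEHOLDER/dns_records
ERROR: deploy_challenge hook returned with non-zero exit code
"""
```

Run `triage(open("/var/log/confconsole/letsencrypt.log").read())` on the tail of a failed run; for the nginx case above it returns the redirect chain ending in the `/index.php/` URL that answered 502.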
