Certificate renewal fails, UI also fails


the renewal of certificates wont work, maybe someone help.
the automatice renewal didn’t work. Disabling (alt-text of the button says it deletes the certificate which is not true)/Enabling just deactivates TLS - after enabling i will be back with old certificate - so UI is useless as well.

I tried manual renewal via ssh cli and the command certbot --config-dir /srv/letsencrypt renew

it fails because validation data cannot be fetched:
Type: connection Detail: Fetching https://xxx.yy/.well-known/acme-challenge/pp19aOxX9D5QnS_GTkT_t7cNLyzKoZMlgDEjHLJbbxk: Error getting validation data

i cannot get the data via local browser call either - what is wrong here?

Please prove me wrong that you abondend your product …


Hey @6Sheep,

would be great if you could include some more details what kind of of dynamic DNS method you use. Mainly because the mechanisms differ in the way they verify the domain against let’s encrypt. The guided approach works via a DNS zone entry, while the others are reachability-based.

The latter usually only fail if the port forwarding does not work properly, can you confirm that your NextBox is reachable from the outside? Then typically acquiring the certificate should also work. Assuming you are using the “static Domain” approach, the certbot command your issued is quite similar to what is executed through the UI - which means if both don’t work for you it is quite likely that your NextBox is not reachable from the internet, so I would suggest to verify this first.

i cannot get the data via local browser call either - what is wrong here?

This will by definition not work so far I know, because the challenge is only available shortly during the process and it will be deleted after this process.

Moreover, has this been working before? Did you do any changes using the ssh access in between ?

So, can you be so kind and provide more details, then we happily try to help you.


1 Like

Hi daringer,

i use desec.io as a provider. i think the nextbox itself updates the ip, at least the fritzbox is not doing the job. The nextbox is reachable from outside (if you accept the invalid certificate), the ports 80 and 443 (http and https) are forwarded. i am unsure (and probably unaware) of what information would help you further, so i think i need your help asking mre questions. it worked before (until the certificate runs out) - i am not aware of changes made - i know that i had this update-deadloop-issue which you remotely patched, i further have ssh activated (and working).


Hey @6Sheep ,

so you are using “Guided Dynamic DNS” then? Or do you say you are using desec.io together with the “static domain” configuration? Can you please be more precise? For now I am assuming now that you are using “Guided Dynamic DNS”.

You always have the option to download logs inside “NextBox → System” and send them to us (to support (at) nitrokey (dot) com), but please don’t post them here - they may contain private information.

Generally all what I write here might be flawed, as you obviously did changes via ssh - and you may have read the warning that for obvious reasons we cannot really ensure proper support if you do changes to the system using the ssh access. But let’s try…

As mentioned before the “Guided Dynamic DNS” configuration is using a DNS-zone based verification. This means, during the communication with let’s encrypt the NextBox will also communicate with desec.io and set up a TXT entry inside your dynamic domain - then let’s encrypt will check for this entry using default DNS requests - if this contains the expected contents you have verified this domain and let’s encrypt will issue you a certificate.

If this is not working as expected this typically means the NextBox can for some reason not communicate with desec.io - which usually boils down to authentication, more precisely the desec.io token.

So this would be the first thing to try out:

  • visit desec.io and ensure you can access your account (likely you have to use forget my password with your e-mail you’ve been using for guided dynamic dns)
  • create new token for you through the desec.io user interface
  • now disable TLS inside your nextbox (Nextbox → Remote Access → HTTPS/TLS)
  • now disable the “guided dynamic DNS” configuration, ensure the domain and e-mail is correct
  • now proceed to the next step by pressing the button on the right side “Next (without register)”
  • put in your newly acquired token finish this configuration
  • try to enable HTTPS/TLS

Hope this works, no guarantee thou as I cannot know what other changes you did through ssh - especially certbot might be in a weird state, because renewing the certificate like you described in your recent post is neither a recommended nor the right way to renew the certificate for a “guided dynamic DNS” configuration.



i dunno why configuring ssh is a problem - especially after you guys explicitly explained ssh configuration will be necessary to ensure access after that deadloop-thingy #shrug
i haven’t altered the system before this issue occured - if the usage of certbot can be named “altering process” at all. But i understand, that it might can interfere, point taken.

nevertheless, now i understand your answer - i am definitly not on the static domain path, i think i used guided - out of the ui i cannot gather how it was configured though, only that is is active.

i went through your steps - it wasnt helping /o
It is keeping the old certificate - as i wrote in my original start message even before me manually talk to certbot the UI button disabling tls did not help … and was not doing what it is intended to do in the description.

the log files did not change, same issue still.

Yes, the fact that the old certificate will be brought up again is intended, this is build like that to avoid hitting the let’s encrypt rate limiting - which could easily kick in if a new certificate would be acquired every time disable/enable TLS would be used.

So if you are sure that your desec.io token is valid, please wait 24h for the automatic renewal job to run.

If the error still persist, there is a let’s encrypt log inside the log package you can download via “NextBox → System” - there the reason why the last renewal failed should be logged, this then would be the next thing to investigate.


Hello @daringer ,

it works, thanks for your patience. The certificate starts from October 31st on, so something needed quiet some time to get stuff done - nevertheless the certificate is right now up-2-date and i hope the renewal process will work accordingly.


hey @6Sheep ,

great to hear, happy to help :smiley: