Nextcloud with Letsencrypt using OMV and docker-compose - Q&A


      OMV 4.x| HP Microserver | 256GB Samsung 830 SSD for system | 4x 2TB in a RAID5
      OMV 4.x| Odroid XU4 | 5TB Data drive | 500GB Backup drive
      OMV 5.x| Raspberry Pi 4 | 6TB Data drive | 500GB SSD drive

      The post was edited 1 time, last by WastlJ.

    • Question: How do I use the subdomain method to access Nextcloud via the Letsencrypt docker?


      Answer:

      • Slight change in the docker-compose.yml - nano docker-compose.yml under environment: in the letsencrypt section

          - SUBDOMAINS=www,nextcloud
      • save via CTRL+x and confirm with y
      • rebuild containers docker-compose up -d
      • cd /srv/dev-disk-by-label-disk1/appdata/letsencrypt/nginx/proxy-confs (/srv/dev-disk-by-label-disk1 has to be adjusted)
      • cp nextcloud.subdomain.conf.sample nextcloud.subdomain.conf this copies the sample configuration file for nextcloud and removes the .sample suffix so that the file becomes active
      • docker restart letsencrypt
      • cd /srv/dev-disk-by-label-disk1/appdata/nextcloud/config/www/nextcloud/config
      • nano config.php
      • change following:
        • add your domain to the trusted domains:

          'trusted_domains' =>
          array (
            0 => 'your.ip:445',
            1 => 'nextcloud.your.url',
          ),
      • delete the line:

          'overwritewebroot' => '/nextcloud',
      • change/add following lines:

          'overwrite.cli.url' => 'https://nextcloud.your.url',
          'overwritehost' => 'nextcloud.your.url',
          'overwriteprotocol' => 'https',
      • save via CTRL+x and confirm with y
      • docker restart nextcloud
      • Now your Nextcloud should be accessible via https://nextcloud.your.url

      The post was edited 9 times, last by Morlan.
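      As an added example (not code from this thread or from Nextcloud), a small Python check that a config.php body contains the settings the answer above ends up with for the subdomain method. Both config snippets are constructed; the subdomain name is whatever you pass in.

```python
import re

# Constructed sample: the config.php entries the answer above ends up with
# for the subdomain method (not a file from the thread).
AFTER_CONFIG = """\
$CONFIG = array (
  'trusted_domains' =>
  array (
    0 => 'your.ip:445',
    1 => 'nextcloud.your.url',
  ),
  'overwrite.cli.url' => 'https://nextcloud.your.url',
  'overwritehost' => 'nextcloud.your.url',
  'overwriteprotocol' => 'https',
);
"""

# Constructed "before" state: only the IP is trusted and the old
# /nextcloud sub-path settings are still present.
BEFORE_CONFIG = """\
$CONFIG = array (
  'trusted_domains' =>
  array (
    0 => 'your.ip:445',
  ),
  'overwritewebroot' => '/nextcloud',
  'overwrite.cli.url' => 'https://your.ip:445/nextcloud',
);
"""

def parse_config(text):
    """Return (string settings, trusted_domains list) from a config.php body."""
    settings = dict(re.findall(r"'([\w.]+)'\s*=>\s*'([^']*)'", text))
    m = re.search(r"'trusted_domains'\s*=>\s*array\s*\((.*?)\)", text, re.S)
    domains = re.findall(r"\d+\s*=>\s*'([^']*)'", m.group(1)) if m else []
    return settings, domains

def check_subdomain_config(text, subdomain):
    """List what still deviates from the guide; [] means the config matches."""
    settings, domains = parse_config(text)
    problems = []
    if subdomain not in domains:
        problems.append(f"{subdomain} missing from trusted_domains")
    if "overwritewebroot" in settings:
        problems.append("overwritewebroot must be deleted (no /nextcloud sub-path)")
    if settings.get("overwritehost") != subdomain:
        problems.append(f"overwritehost must be '{subdomain}'")
    if settings.get("overwriteprotocol") != "https":
        problems.append("overwriteprotocol must be 'https'")
    if settings.get("overwrite.cli.url") != f"https://{subdomain}":
        problems.append(f"overwrite.cli.url must be 'https://{subdomain}'")
    return problems
```

      Run check_subdomain_config on your own config.php body with your subdomain; an empty list means every setting from the answer is in place.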

    • To be able to use the subdomain variant you must make sure to have a CNAME for "nextcloud" set up at your DNS provider, pointing to the A record that points to your server IP.

      For DuckDNS, you do not need to create CNAMES, as all sub-subdomains automatically point to the same IP as your custom subdomain, but you must make sure that it is pointing to the IP address of your server.
      Odroid HC2 - armbian - OMV4.x | Asrock Q1900DC-ITX - Intenso SSD 120GB - OMV4.x
      Backup - Solutions to common problems - OMV setup videos - OMV4 Documentation - user guide
    • @Morlan am I getting it right that the line above isn't correct?

      cd /srv/dev-disk-by-label-disk1/appdata/nextcloud/www/nextcloud/config

      It should be:

      cd /srv/dev-disk-by-label-disk1/appdata/nextcloud/config/www/nextcloud/config


      Another thing is to change the letsencrypt configuration in the docker-compose.yml which @macom has made, when you use only a subdomain for your NC.
      Simply include the ONLY_SUBDOMAINS parameter under environment:


        environment:
          - PUID=1000 #change PUID if needed
          - PGID=100 #change PGID if needed
          - TZ=Europe/Berlin # change Time Zone if needed
          - URL=xxxx.de #insert your domain name - yourdomain.url
          - SUBDOMAINS=yoursubdomain #needs to be adjusted
          - ONLY_SUBDOMAINS=true
          - VALIDATION=http
          - EMAIL=xxx.yyy@provider.com # define email; required to renew certificate
        volumes:
          - /srv/dev-disk-by-label-disk1/appdata/letsencrypt:/config #/srv/dev-disk-by-label-disk1 needs to be adjusted
        ports:
          - 444:443
          - 81:80


      Sorry admin for editing this thread so much, but I did not want to mess it up with some self-made mistakes.


      Tom

      The post was edited 21 times, last by tomspatz.

    • Firstly, I have to say this is an excellent guide. Thanks very much for putting it all together and posting it. I'm impressed and grateful.

      I followed the guide with the following modifications:
      • The URL for letsencrypt was changed to cloud.mydomain.com. I added no subdomains. This is because mydomain.com is hosted by my ISP.
      • I added the internal IP of my server to the config.php file so that I could get to nextcloud internally via xxx.xxx.xxx.xxx:445. This works okay.
      • I used the modifications in post 4 above to use the cloud.mydomain.com subdomain.
      I can now access nextcloud via the internal IP: xxx.xxx.xxx.xxx:445.
      I cannot access nextcloud via cloud.mydomain.com. This returns ERR_CONNECTION_REFUSED.
      I can ping to cloud.mydomain.com and it returns the correct IP. Ports are forwarded as described in the guide.

      If I clear the letsencrypt docker container log and restart the letsencrypt docker I get:

        [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
        [s6-init] ensuring user provided files have correct perms...exited 0.
        [fix-attrs.d] applying ownership & permissions fixes...
        [fix-attrs.d] done.
        [cont-init.d] executing container initialization scripts...
        [cont-init.d] 10-adduser: executing...
        -------------------------------------
        Brought to you by linuxserver.io
        We gratefully accept donations at:
        https://www.linuxserver.io/donate/
        -------------------------------------
        GID/UID
        -------------------------------------
        User uid: 1000
        User gid: 100
        -------------------------------------
        [cont-init.d] 10-adduser: exited 0.
        [cont-init.d] 20-config: executing...
        [cont-init.d] 20-config: exited 0.
        [cont-init.d] 30-keygen: executing...
        using keys found in /config/keys
        [cont-init.d] 30-keygen: exited 0.
        [cont-init.d] 50-config: executing...
        Variables set:
        PUID=1000
        PGID=100
        TZ=Australia/Melbourne
        URL=cloud.mydomain.com
        SUBDOMAINS=
        EXTRA_DOMAINS=
        ONLY_SUBDOMAINS=false
        DHLEVEL=2048
        VALIDATION=http
        DNSPLUGIN=
        EMAIL=me@myserver.com
        STAGING=
        2048 bit DH parameters present
        No subdomains defined
        E-mail address entered: me@mydomain.com
        http validation is selected
        Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
        Generating new certificate
        Saving debug log to /var/log/letsencrypt/letsencrypt.log
        Plugins selected: Authenticator standalone, Installer None
        Obtaining a new certificate
        Performing the following challenges:
        http-01 challenge for cloud.mydomain.com
        Waiting for verification...
        Challenge failed for domain cloud.mydomain.com
        http-01 challenge for cloud.mydomain.com
        Cleaning up challenges
        Some challenges have failed.
        IMPORTANT NOTES:
        - The following errors were reported by the server:
          Domain: cloud.mydomain.com
          Type: connection
          Detail: Fetching
          http://cloud.mydomain.com/.well-known/acme-challenge/5YcXjtOUq5VT5bmw5uCPV9RqXIalDkEx6H1G_u_qA3o:
          Connection refused
          To fix these errors, please make sure that your domain name was
          entered correctly and the DNS A/AAAA record(s) for that domain
          contain(s) the right IP address. Additionally, please check that
          your computer has a publicly routable IP address and that no
          firewalls are preventing the server from communicating with the
          client. If you're using the webroot plugin, you should also verify
          that you are serving files from the webroot path you provided.
        - Your account credentials have been saved in your Certbot
          configuration directory at /etc/letsencrypt. You should make a
          secure backup of this folder now. This configuration directory will
          also contain certificates and private keys obtained by Certbot so
          making regular backups of this folder is ideal.
        ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
      Is there anything obvious I'm doing wrong?

      The post was edited 1 time, last by Kritta.

    • tomspatz wrote:

      @Morlan am I getting it right that the line above isn't correct?

      cd /srv/dev-disk-by-label-disk1/appdata/nextcloud/www/nextcloud/config

      It should be:

      cd /srv/dev-disk-by-label-disk1/appdata/nextcloud/config/www/nextcloud/config
      Yes you are right, thanks for pointing it out. Changed it in the guide.

      tomspatz wrote:


      Another thing is to change the letsencrypt configuration in the docker-compose.yml which @macom has made, when you use only a subdomain for your NC.
      Simply include the ONLY_SUBDOMAINS parameter under environment:
      It is not necessary to add this parameter and it should only be added if you exclusively want to exclude the main domain from your cert.

      The official documentation states for this parameter: If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to true



      Kritta wrote:

      Firstly, I have to say this is an excellent guide. Thanks very much for putting it all together and posting it. I'm impressed and grateful.

      I followed the guide with the following modifications:
      • The URL for letsencrypt was changed to cloud.mydomain.com. I added no subdomains. This is because mydomain.com is hosted by my ISP.
      • I added the internal IP of my server to the config.php file so that I could get to nextcloud internally via xxx.xxx.xxx.xxx:445. This works okay.
      • I used the modifications in post 4 above to use the cloud.mydomain.com subdomain.
      I can now access nextcloud via the internal IP: xxx.xxx.xxx.xxx:445.
      I cannot access nextcloud via cloud.mydomain.com. This returns ERR_CONNECTION_REFUSED.
      I can ping to cloud.mydomain.com and it returns the correct IP. Ports are forwarded as described in the guide.

      Is there anything obvious I'm doing wrong?
      The letsencrypt container fails to get your cert either because your port forwardings don't work or your DNS service is not correctly configured. As @macom stated:

      macom wrote:

      To be able to use the subdomain variant you must make sure to have a CNAME for "nextcloud" set up at your DNS provider, pointing to the A record that points to your server IP.
      The changes provided by @tomspatz might not be necessary depending on your DNS host.
    • If you're using a subdomain other than "nextcloud" then you will also need to:

      Edit nextcloud.subdomain.conf which is found in /srv/dev-disk-by-label-disk1/appdata/letsencrypt/nginx/proxy-confs (Change 'disk1' in the path to match your disk name.)

      Change server_name nextcloud.*; to server_name yoursubdomain.*; where "yoursubdomain" is whatever subdomain you've chosen.

      For example, I wanted NextCloud to be accessible at cloud.mysite.com, so I changed the line to become server_name cloud.*;. You can use whatever subdomain you like as long as you have the appropriate CNAME set up on your DNS records and you edit the server_name property in the file as mentioned above.

      I also had to comment-out proxy_max_temp_file_size 2048m; in the above-mentioned file. Prior to doing that I was seeing nginx: [emerg] "proxy_max_temp_file_size" directive invalid value in /config/nginx/proxy-confs/nextcloud.subdomain.conf:29 appear repeatedly in the letsencrypt docker log file. I don't know why this is.
    • one Question

      As I understand it, and as in my system, the generated Letsencrypt cert is only for connections from outside your network:
      Internet -> provider A record for my subdomain to IP -> router port 443 to port 444 Letsencrypt/Nginx proxy -> NC

      Inside my network a Windows Server does a forward lookup zone for my subdomain, so it is not possible to reach the Letsencrypt cert.

      Am I right, and is this how this configuration has to work?


      Tom
    • Sorry for noob question

      My appdata is in

      /sharedfolders/appdata$

      on disk

      /dev/sdb1

      disk is labeled

      omvdisk1

      What do I have to change here:

      - /srv/dev-disk-by-label-disk1/appdata/nextcloud/config:/config #/srv/dev-disk-by-label-disk1 needs to be adjusted

      - /srv/dev-disk-by-label-disk1/appdata/nextcloud/data:/data #/srv/dev-disk-by-label-disk1 needs to be adjusted
    • New problem:

      after

      sudo docker-compose up -d

      I receive error

      ERROR: for nextcloud Cannot start service nextcloud: driver failed programming external connectivity on endpoint nextcloud (26f5d205bceee9057b87724716c00a94a68c489fcda224810001c0046d7bad38): Error starting userland proxy: listen tcp 0.0.0.0:445: bind: address already in use
      ERROR: Encountered errors while bringing up the project.

      Port 443 is forwarded to 445

      EDIT> I tried with port 443 forwarded to 444, same error.
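      Added here as an example that is not from any post in this thread: a Python triage of the two failure logs seen above, the failed http-01 challenge that Morlan traces to DNS or port forwarding, and the "address already in use" error from docker-compose up. Both log excerpts are constructed from the posts, with the challenge token and endpoint id replaced by placeholders; the port 81 hint refers to the 81:80 mapping in the compose file posted earlier.

```python
import re

# Constructed excerpt of the letsencrypt container log, modelled on the
# failed http-01 challenge reported in this thread (token replaced).
CERTBOT_LOG = """\
[cont-init.d] 50-config: executing...
Variables set:
URL=cloud.mydomain.com
SUBDOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=http
http-01 challenge for cloud.mydomain.com
Challenge failed for domain cloud.mydomain.com
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: cloud.mydomain.com
   Type:   connection
   Detail: Fetching
   http://cloud.mydomain.com/.well-known/acme-challenge/EXAMPLE-TOKEN:
   Connection refused
ERROR: Cert does not exist! Please see the validation error above.
"""

# Constructed docker-compose failure, modelled on the last post above.
COMPOSE_LOG = ("ERROR: for nextcloud Cannot start service nextcloud: driver failed "
               "programming external connectivity on endpoint nextcloud (0000): Error "
               "starting userland proxy: listen tcp 0.0.0.0:445: bind: address already in use")

def parse_variables(log):
    """Collect the KEY=VALUE lines the container prints after 'Variables set:'."""
    _, _, block = log.partition("Variables set:")
    return dict(re.findall(r"^([A-Z_]+)=(.*)$", block, re.M))

def diagnose(log):
    """Map a letsencrypt container log or compose error to a (status, hint) pair."""
    m = re.search(r"listen tcp \S*:(\d+): bind: address already in use", log)
    if m:
        return ("port_in_use",
                f"host port {m.group(1)} is already bound by another service on the OMV host; "
                "use a free host port in docker-compose.yml (and forward the router to it) "
                "or stop the service holding it")
    if "ERROR: Cert does not exist" not in log:
        return ("ok", "no certificate error in this log")
    v = parse_variables(log)
    if re.search(r"Type:\s*connection", log) and "Connection refused" in log:
        return ("unreachable",
                f"Let's Encrypt got 'connection refused' from {v.get('URL')}: with "
                f"VALIDATION={v.get('VALIDATION')} external port 80 must reach the container "
                "(host port 81 in the compose file above) and the A record must hold your public IP")
    return ("cert_failed", "read the IMPORTANT NOTES block; DNS or port forwarding is the usual cause")
```

      Feed it the output of docker logs letsencrypt or the error printed by docker-compose up; the status string tells you which of the two problems from this thread you are looking at.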