Forcing Docker Nextcloud install to use Letsencrypt cert?

jackster · 31. August 2019

OMV: version 4.1.23-1

First of all I'm a complete noob when it comes to Docker. I have done a fresh install of OMV and on my previous install I had installed Nextcloud and Letsencrypt natively but now I wanted to try it the Docker way. I have both Letsencrypt and Nextcloud installed (followed the TDL youtube videos) in Docker and they both work but I have no idea how to force the Nextcloud install to use the Letsencrypt certificate?

Right now Nextcloud is using a self-signed certificate, which prevents me from opening Nextcloud due to HSTS. This is the error I get when I try to go to the Nextcloud site "Firefox does not trust this site because it uses a certificate that is not valid for [mydomain]:444.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT".

Morlan · 31. August 2019

This is the most up to date guide regarding nextcloud and letsencrypt on omv: https://forum.openmediavault.o…g-OMV-and-docker-compose/ (but it requires a reinstall of nextcloud and letsencrypt)

This official guide by Linuxserver is also great: https://blog.linuxserver.io/20…rypt-nginx-starter-guide/

jackster · 31. August 2019

Zitat von Morlan

This is the most up to date guide regarding nextcloud and letsencrypt on omv: https://forum.openmediavault.o…g-OMV-and-docker-compose/ (but it requires a reinstall of nextcloud and letsencrypt)

This official guide by Linuxserver is also great: https://blog.linuxserver.io/20…rypt-nginx-starter-guide/

Thanks for the reply, I deleted all the Docker containers created by following TDL's videos and recreated them by following the instructions in that first link. However it did not work, the certificate is still self-signed and therefore I can't access Nextcloud due to HSTS.

Letsencrypt does work as I did receive the "Congratulations! Your certificate and chain have been saved at" -message but something is apparently broken with the proxy? I'm using no-ip.org as my DDNS. Here is the contents of my /srv/dev-disk-by-label-disk/appdata/nextcloud/config/www/nextcloud/config/config.php:

PHP

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'ocwqcj7tkba9',


 'trusted_proxies' =>
  array (
    0 => 'letsencrypt',
  ),
  'overwritewebroot' => '/nextcloud',
  'overwrite.cli.url' => 'https://[mydomain].no-ip.org/nextcloud',
  'trusted_domains' =>
  array (
    0 => '[mydomain].no-ip.org:443',
  ),
);

Alles anzeigen

macom · 31. August 2019

Have you enabled the proxy configuration for nextcloud in letsencrypt? First two steps of "Configuration of proxy".

cd /srv/dev-disk-by-label-disk1/appdata/letsencrypt/nginx/proxy-confs /srv/dev-disk-by-label-disk1 has to be adjusted
cp nextcloud.subfolder.conf.sample nextcloud.subfolder.conf this will copy the sample configuration file for nextcloud and removes the .sample so that the file will become active

And restarted the container after modifications?

jackster · 31. August 2019

@macom: Yes I did those steps as well, this is what my /srv/dev-disk-by-label-disk/appdata/letsencrypt/nginx/proxy-confs/nextcloud.subfolder.conf looks like:

Code

# Assuming this container is called "letsencrypt", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => ['letsencrypt'],
#  'overwritewebroot' => '/nextcloud',
#  'overwrite.cli.url' => 'https://your-domain.com/nextcloud',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#    1 => 'your-domain.com',
#  ),


# Redirects for DAV clients
location = /.well-known/carddav {
    return 301 $scheme://$host/nextcloud/remote.php/dav;
}


location = /.well-known/caldav {
    return 301 $scheme://$host/nextcloud/remote.php/dav;
}


location /nextcloud {
    return 301 $scheme://$host/nextcloud/;
}


location ^~ /nextcloud/ {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_nextcloud nextcloud;
    rewrite /nextcloud(.*) $1 break;
    proxy_pass https://$upstream_nextcloud:443;


    proxy_max_temp_file_size 2048m;


    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header Connection $http_connection;
    proxy_redirect off;
    proxy_ssl_session_reuse off;
}

Alles anzeigen

Morlan · 31. August 2019

How do your router port forwards look like?

macom · 31. August 2019

Have you checked the logs of nextcloud container?

macom · 31. August 2019

Zitat von macom

And restarted the container after modifications?

I added this later, so you may have missed it. Have you restarted?

jackster · 31. August 2019

Here are the router port forwards:

jackster · 31. August 2019

Yes I have restarted both the letsencrypt and nextcloud containers. And here is the nextcloud docker log, it has some errors:

Code

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...


-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/




Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------


User uid:    1002
User gid:    100
-------------------------------------


[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 40-config: executing...
[cont-init.d] 40-config: exited 0.
[cont-init.d] 50-install: executing...
[cont-init.d] 50-install: exited 0.
[cont-init.d] 60-memcache: executing...
[cont-init.d] 60-memcache: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
{"reqId":"nPksvVCT7YY0DgivNVQ8","level":3,"time":"2019-08-31T06:45:00+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"\/nextcloud\/cron.php","message":{"Exception":"Exception","Message":"Not installed","Code":0,"Trace":[{"file":"\/config\/www\/nextcloud\/lib\/base.php","line":646,"function":"checkInstalled","class":"OC","type":"::","args":[]},{"file":"\/config\/www\/nextcloud\/lib\/base.php","line":1056,"function":"init","class":"OC","type":"::","args":[]},{"file":"\/config\/www\/nextcloud\/cron.php","line":41,"args":["\/config\/www\/nextcloud\/lib\/base.php"],"function":"require_once"}],"File":"\/config\/www\/nextcloud\/lib\/base.php","Line":277,"CustomMessage":"--"},"userAgent":"--","version":""}

Alles anzeigen

Morlan · 31. August 2019

please change your router forward from external 443 to internal 444 and delete the other rule with 444

jackster · 31. August 2019

Zitat von Morlan

please change your router forward from external 443 to internal 444 and delete the other rule with 444

Thanks a lot for the help, that was the problem! I fixed the port forwards and I can now access the Nextcloud setup page. I had to also activate Pure NAT for NAT reflection in my pfSense advanced settings in order to access the site from within the LAN.

One more question; what should I set as the "Database host" in the Nextcloud setup page? I have tried localhost:3306 but I just get this error message when trying to finish the setup:

Error while trying to create admin user: Failed to connect to the database: An exception occurred in driver: SQLSTATE[HY000] [2002] No such file or directory

If i try 127.0.0.1:3306 I get this error message:

Error while trying to create admin user: Failed to connect to the database: An exception occurred in driver: SQLSTATE[HY000] [2002] Connection refused

jackster · 31. August 2019

Zitat von Morlan

please change your router forward from external 443 to internal 444 and delete the other rule with 444

Thanks a lot for the help, that was the problem! I fixed the port forwards and I can now access the Nextcloud setup page. I had to also activate Pure NAT for NAT reflection in my pfSense advanced settings in order to access the site from within the LAN.

One more question; what should I set as the "Database host" in the Nextcloud setup page? I have tried localhost:3306 but I just get this error message when trying to finish the setup:

Error while trying to create admin user: Failed to connect to the database: An exception occurred in driver: SQLSTATE[HY000] [2002] No such file or directory

If i try 127.0.0.1:3306 I get this error message:

Error while trying to create admin user: Failed to connect to the database: An exception occurred in driver: SQLSTATE[HY000] [2002] Connection refused

macom · 31. August 2019

Zitat von jackster

what should I set as the "Database host" in the Nextcloud setup page?

If you used the docker-compose file: nextclouddb

from the guide:
select MySQL/MariaDB

Database user --> "root"
Database password --> password which has been specified in the docker-compose file with MYSQL_ROOT_PASSWORD
Database name --> "nextcloud"
localhost host --> "nextclouddb"

ANYmal · 29. Januar 2020

I have same problem - Nextcloud don't use letsencrypt certificate, but reason is - router. It's can't NAT'ing ports to other value, just 443-443 etc.
Qwestion is can I use additional software to solve this problem, or should I buy a new router?

Morlan · 29. Januar 2020

if your omv gui does not use ssl, port 443 should be free to use.
And you can change omv http port to something other than 80. Or use a verification method which does not need port 80, e.g. Cloudflare or duckdns

ANYmal · 29. Januar 2020

I'm sorry for misunderstanding. Let's make it clear.
I want to be able to connect to my Nextcloud from Internet. OMV-GUI available only from innerspace.

-----------------case1------------------------
NAT rules on router 443-443, 80-80.

Docker network rules for:

letsencrypt 443-443, 80-80

nextcloud 444-443, 8080-80

VERIFICATION = http
------------------------------------------------

Letsencrypt can verifying, but NC on 444 port and don't answer from outerspace.

-----------------case2------------------------
NAT rules on router 443-443, 80-80.

Docker network rules for:

letsencrypt 443-443, 90-80

nextcloud 444-443, 8080-80

VERIFICATION = dns
------------------------------------------------

443 port still belongs to LE =(

Maybe virtual host is the answer (nextcloud.domain.ru)? But it will be redirects on 444 port that wil be closed. Yes, I can open it on my router, but I don't want more holes outside. Paranoia detected =)

I have own IP&domain. CNAME record is required for this.

Morlan · 29. Januar 2020

choose case 1. The connection will be routed through the reverse proxy inside the letsencrypt docker. You have to configure the letsencrypt docker to connect to your nextcloud. Like in the guide metioned above.

ANYmal · 30. Januar 2020

You where right, Morlan.
Thanx alot for help.

If you don't mind, one more question.
Can I use letsencrypt reverse proxy for many containers? I've activate one config - nextcloud.subfolder.conf. What if I do it with other conf's?

Morlan · 30. Januar 2020

Yes. You can connect other containers. You have to activate the other .conf files. If you are using subdomains you have to include them in your ssl Certificate by adding them to the SUBDOMAINS variable (comma-Separated without spaces) and rebuild the container.

Jetzt mitmachen!