Nextcloud with Letsencrypt using OMV and docker-compose - Q&A

    • Official post

    Anyone managed to get access to nextcloud through its LAN IP?

    Have you tried to map a port in the nextcloud container?

    In the guide there is this comment:

    Quote
    Code
    #    ports: # uncomment this and the next line if you want to bypass the proxy
    #      - 450:443
  • I configured the system according to the guide, then I ran into two problems.


    The system is OMV5, with the docker containers letsencrypt, nextcloud and mariadb installed.


    Problem 1: when I access the domain without the wildcard, like http://www.xxxx.duckdns.org, the browser reports that the site is not safe, which means letsencrypt is not working. But if I add the wildcard, the browser reports that the system refused the connection.


    Problem 2: I added the domain to config.php, but it reports that the site is not in the trusted domains after I finished the initial nextcloud installation.



    Could someone give me some help with it? Thanks!


    Below is the configuration of docker-compose.yml and config.php; the system does not report any error.



    docker-compose.yml:

    Code
    version: "2"
    services:
      nextcloud:
        image: linuxserver/nextcloud
        container_name: nextcloud
        environment:
          - PUID=1001 #change PUID if needed
          - PGID=1001 #change PGID if needed
          - TZ=Asia/xxxxx #change Time Zone if needed
        volumes:
          - /srv/dev-disk-by-label-xxxxx/appdata/nextcloud/config:/config #/srv/dev-disk-by-label-disk1 needs to be adjusted
          - /srv/dev-disk-by-label-xxxxx/appdata/nextcloud/data:/data #/srv/dev-disk-by-label-disk1 needs to be adjusted
        depends_on:
          - mariadb
        # ports: # uncomment this and the next line if you want to bypass the proxy
        #   - 450:443
        restart: unless-stopped
      mariadb:
        image: linuxserver/mariadb
        container_name: nextclouddb
        environment:
          - PUID=1001 #change PUID if needed
          - PGID=1001 #change PGID if needed
          - MYSQL_ROOT_PASSWORD=xxxxxx #change password
          - TZ=Asia/xxxxx #Change Time Zone if needed
        volumes:
          - /srv/dev-disk-by-label-xxxxx/appdata/nextclouddb:/config #/srv/dev-disk-by-label-disk1 needs to be adjusted
        restart: unless-stopped
      letsencrypt:
        image: linuxserver/letsencrypt
        container_name: letsencrypt
        cap_add:
          - NET_ADMIN
        environment:
          - PUID=1001 #change PUID if needed
          - PGID=1001 #change PGID if needed
          - TZ=Asia/xxxxx # change Time Zone if needed
          - URL=xxxxx.duckdns.org #insert your domain name - yourdomain.url
          - SUBDOMAINS=wildcard
          - VALIDATION=duckdns
          - DUCKDNSTOKEN=xxxxxx
          - EMAIL=xxxxxx.com # define email; required to renew certificate
          # - ONLY_SUBDOMAINS=true #If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to true
        volumes:
          - /srv/dev-disk-by-label-xxxx/appdata/letsencrypt:/config #/srv/dev-disk-by-label-disk1 needs to be adjusted
        ports:
          - 43xx:443
          - 81:80
        restart: unless-stopped





    config.php:

    Code
    <?php
    $CONFIG = array (
      'memcache.local' => '\\OC\\Memcache\\APCu',
      'datadirectory' => '/data',
      'trusted_proxies' =>
      array (
        0 => 'letsencrypt',
      ),
      'overwritewebroot' => '/nextcloud',
      'overwrite.cli.url' => 'xxxx.duckdns.org/nextcloud',
      'trusted_domains' =>
      array (
        0 => 'xxxx.duckdns.org:43xx',
      ),
      'instanceid' => 'xxxx',
      'passwordsalt' => 'xxxxx',
      'secret' => 'xxxx',
      'dbtype' => 'mysql',
      'version' => '19.0.0.12',
      'dbname' => 'nextcloud',
      'dbhost' => 'nextclouddb',
      'dbport' => '',
      'dbtableprefix' => 'oc_',
      'mysql.utf8mb4' => true,
      'dbuser' => 'oc_xxx',
      'dbpassword' => 'xxxx',
      'installed' => true,
    );

    • Official post

    Quote
    Code
    - PUID=1001 #change PUID if needed
    - PGID=1001 #change PGID if needed

    PGID should be something like 100. Find your user's values on the command line; my user is wayne. Yours will probably be different.

    Code
    wayne@m4:~$ id wayne
    uid=1000(wayne) gid=100(users) groups=100(users),27(sudo),112(ssh),1000(wayne),995(docker)


    I stopped looking at your yml file when I saw that. There may be other things wrong.

  • From the documentation of the letsencrypt container:

    Quote

    For duckdns validation, either leave the SUBDOMAINS variable empty or set it to wildcard, and set the DUCKDNSTOKEN variable with your duckdns token. Due to a limitation of duckdns, the resulting cert will only cover either the main subdomain (ie. yoursubdomain.duckdns.org) or the sub-subdomains (ie. *.yoursubdomain.duckdns.org), but not both at the same time.

    So for the subfolder method you need to leave SUBDOMAINS blank, or you use the subdomain method.

    Also in your config.php I think you have to change

    Code
    'trusted_domains' =>
    array (
    0 => 'xxxx.duckdns.org:43xx',
    ),

    to

    Code
    'trusted_domains' =>
    array (
    0 => 'xxxx.duckdns.org:443',
    ),
  • PGID should be something like 100. Find your user's values on the command line; my user is wayne. Yours will probably be different.

    Code
    wayne@m4:~$ id wayne
    uid=1000(wayne) gid=100(users) groups=100(users),27(sudo),112(ssh),1000(wayne),995(docker)


    I stopped looking at your yml file when I saw that. There may be other things wrong.

    Thanks for your feedback!

    I checked the PGID and it looks like below:


    @home:~# id docker1

    uid=1001(docker1) gid=1001(docker1) groups=1001(docker1)

  • From the documentation of the letsencrypt container:

    So for the subfolder method you need to leave SUBDOMAINS blank, or you use the subdomain method.

    Also in your config.php I think you have to change

    Code
    'trusted_domains' =>
    array (
    0 => 'xxxx.duckdns.org:43xx',
    ),

    to

    Code
    'trusted_domains' =>
    array (
    0 => 'xxxx.duckdns.org:443',
    ),

    Thanks for your reply!


    You mean I should change the port of the trusted domains?


    I'm confused about your sample. Could you help clarify it? Thanks!

    • Official post

    I checked the PGID and it looks like below:


    @home:~# id docker1

    uid=1001(docker1) gid=1001(docker1) groups=1001(docker1)

    Well...okay. :sleeping:

  • Yes

    After I implemented the configuration according to your advice, today I tried refreshing the browser about 3 times, then the browser (Edge) could display the login window. But after entering the password and clicking log in, the system halted again and I had to refresh the browser again. It looks like it finished logging in, but first the address jumps to https://xxx.duckdns.org/nextcloud/apps/files/, and since that address is without the special port it displays "server refused". I have to manually add the port number, like https://xxx.duckdns.org:43xx/nextcloud/apps/files/, and then it displays the nextcloud files window.



    At the same time I ran into another issue: the domain xxx.duckdns.org can be reached, I tried ping and nslookup and it looks OK, but when I tried to access it via xxx.duckdns.org:43xx the domain looks unreachable. I tried nc xxx.duckdns.org:43xx and it reported "no address associated with hostname". Here I had to add the domain to my local DNS server to finish the above test, but I did not find out what the issue is.

  • When you set up letsencrypt according to the guide only port 443 and 80 should be open. Naturally you can’t use your custom port on your duckdns address. And you should not have to, because if configured correctly the reverse proxy will guide the traffic to the container without the need for additional port inserts.

  • When you set up letsencrypt according to the guide only port 443 and 80 should be open. Naturally you can’t use your custom port on your duckdns address. And you should not have to, because if configured correctly the reverse proxy will guide the traffic to the container without the need for additional port inserts.

    Hi, Morlan,


    Thanks for your explanation!


    I checked the guide again; it does not use the default ports 443 and 80 for the letsencrypt proxy, it uses ports 444 and 81 for outside access, if I understand it correctly.





    You said:

    Quote
    When you set up letsencrypt according to the guide only port 443 and 80 should be open. Naturally you can’t use your custom port on your duckdns address. And you should not have to, because if configured correctly the reverse proxy will guide the traffic to the container without the need for additional port inserts.


    I'm not sure I understand it correctly.


    I drew a flow map of the whole process as I understand it. Please help clarify how I should configure it for my network conditions. Thanks for your patience!


    Note:

    The ISP blocks ports 443 and 80; I use DDNS to update my home network IP at duckdns.

  • Finally, today I searched online and found a solution in an old forum thread.


    https://help.nextcloud.com/t/s…loud-to-nextcloud/4076/14


    Code
    /**
     * The automatic hostname detection of Nextcloud can fail in certain reverse
     * proxy and CLI/cron situations. This option allows you to manually override
     * the automatic detection; for example ``http://www.example.com``, or specify the port
     * ``http://www.example.com:8080``.
     */
    'overwritehost' => 'www.test00.duckdns.org:4444',



    They mentioned that the lines above need to be added to the config.php of nextcloud.


    After I added it to my system it works, and the link in the browser no longer jumps to https://www.test00.duckdns.org/nextcloud/login; it keeps the port every time the link redirects.


    It seems to work well!


    Thanks everybody for your help!


    I hope my finding helps someone who runs into the same issue!


  • thksd Sorry I didn't see your previous message. The drawing looks correct. Only a small detail: when the containers are connected in a user-defined bridge network (which they are automatically when in the same docker-compose file), the containers find each other by container name thanks to the internal DNS service in the docker network.

    The crucial information I was not aware of was that you are not able to open ports 443 and 80 on your router due to ISP restrictions.

    I'm glad you found a solution.

  • Thank you for bringing this up. That exactly solved my problem of changing the nextcloud port to a custom port.

    Maybe I should mention here a bit more precisely how to do it:


    1. Add this to your config.php of nextcloud:

    Code
    'overwritehost' => 'yourDynHost:444',


    Where 444 is the https port of your letsencrypt docker container. In the original howto this is the port you forward external traffic on 443 to

    (443 -> 444).


    2. Add a rule in your router config to forward 444 external (WAN) to 444 internal (LAN).

    Of course you do not need the 443 to 444 rule anymore afterwards.


    This is how I got it running here now.
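To make the config.php checks from this thread repeatable, here is an added Python script that is not from the original posts, from the OMV guide, or from Nextcloud itself. It parses the relevant keys out of a config.php in the flat quoted-string/array() form pasted in the first post and reports the reverse-proxy settings this thread ended up correcting: a missing overwritehost (the cause of the redirect losing the custom port), an overwritehost with no matching trusted_domains entry, and an overwrite.cli.url without a scheme. It additionally checks overwriteprotocol, which the thread does not mention but which Nextcloud uses to force https in generated links behind a TLS-terminating proxy. The sample configs are constructed from the first post with placeholders kept as posted; port 444 and the corrected values are assumptions, and the tiny parser handles only the subset of PHP that config.php is written in.

```python
import re

# Constructed sample: the config.php pasted in the first post, trimmed to the keys that
# matter for the reverse-proxy setup (placeholder values kept exactly as posted).
AS_POSTED = r"""<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'trusted_proxies' =>
  array (
    0 => 'letsencrypt',
  ),
  'overwritewebroot' => '/nextcloud',
  'overwrite.cli.url' => 'xxxx.duckdns.org/nextcloud',
  'trusted_domains' =>
  array (
    0 => 'xxxx.duckdns.org:43xx',
  ),
  'installed' => true,
);
"""

# Same file with the fix from this thread applied (overwritehost on the proxy's https
# port, assumed to be 444) plus a scheme on overwrite.cli.url and overwriteprotocol.
FIXED = AS_POSTED.replace(
    "'overwrite.cli.url' => 'xxxx.duckdns.org/nextcloud',",
    "'overwrite.cli.url' => 'https://xxxx.duckdns.org:444/nextcloud',\n"
    "  'overwritehost' => 'xxxx.duckdns.org:444',\n"
    "  'overwriteprotocol' => 'https',",
).replace("'xxxx.duckdns.org:43xx'", "'xxxx.duckdns.org:443'")

# Only the PHP subset config.php is written in: quoted strings, integer keys, booleans, array()
TOKEN = re.compile(r"""'((?:[^'\\]|\\.)*)'  # single-quoted string
                     | (\d+)                 # integer array index
                     | \b(true|false)\b      # boolean literal
                     | \b(array)\b           # array keyword
                     | (=>|[(),])            # punctuation
                     """, re.VERBOSE)
KINDS = ("STR", "NUM", "BOOL", "KW", "P")


def tokenize(src):
    """Return (kind, text) tokens; comments, '<?php', '$CONFIG =' and ';' are skipped."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return [(KINDS[m.lastindex - 1], m.group(m.lastindex)) for m in TOKEN.finditer(src)]


def parse_value(tokens, pos):
    kind, text = tokens[pos]
    if kind == "KW":
        return parse_array(tokens, pos + 1)
    if kind == "STR":   # undo PHP single-quote escaping
        return text.replace("\\\\", "\\").replace("\\'", "'"), pos + 1
    if kind == "NUM":
        return int(text), pos + 1
    if kind == "BOOL":
        return text == "true", pos + 1
    raise ValueError(f"unexpected token {text!r} at {pos}")


def parse_array(tokens, pos):
    """Parse '( key => value, ... )' starting at the opening parenthesis."""
    if tokens[pos] != ("P", "("):
        raise ValueError("expected '(' after array")
    pos, items = pos + 1, {}
    while tokens[pos] != ("P", ")"):
        key, pos = parse_value(tokens, pos)
        if tokens[pos] != ("P", "=>"):
            raise ValueError(f"expected '=>' after key {key!r}")
        items[key], pos = parse_value(tokens, pos + 1)
        if tokens[pos] == ("P", ","):
            pos += 1
    if items and all(isinstance(k, int) for k in items):   # PHP list -> Python list
        return [items[k] for k in sorted(items)], pos + 1
    return items, pos + 1


def parse_config(src):
    tokens = tokenize(src)
    start = next(i for i, t in enumerate(tokens) if t == ("KW", "array"))
    return parse_value(tokens, start)[0]


def without_port(host):
    return host.rsplit(":", 1)[0]   # not IPv6-literal aware


def lint_proxy_config(src):
    """Findings about the reverse-proxy related keys; an empty list means all checks passed."""
    cfg, findings = parse_config(src), []
    if not cfg.get("trusted_proxies"):
        findings.append("trusted_proxies is empty: forwarded headers from the proxy are not trusted")
    host, domains = cfg.get("overwritehost"), cfg.get("trusted_domains") or []
    if host is None:
        findings.append("overwritehost not set: redirects use the host the proxy forwards, "
                        "so a non-standard external port is lost")
    elif without_port(host) not in {without_port(d) for d in domains}:
        findings.append(f"overwritehost {host!r} has no matching entry in trusted_domains")
    cli = cfg.get("overwrite.cli.url", "")
    if not cli.startswith(("http://", "https://")):
        findings.append(f"overwrite.cli.url {cli!r} should be a full URL including the scheme")
    webroot = cfg.get("overwritewebroot", "").rstrip("/")
    if webroot and not cli.rstrip("/").endswith(webroot):
        findings.append("overwrite.cli.url path does not end with overwritewebroot")
    if cfg.get("overwriteprotocol") != "https":
        findings.append("overwriteprotocol is not 'https': links may be generated with http "
                        "when the proxy terminates TLS")
    return findings


if __name__ == "__main__":
    for label, src in (("as posted", AS_POSTED), ("with fix", FIXED)):
        print(label, "->", lint_proxy_config(src) or ["no findings"])
```

Run it against your own file with `lint_proxy_config(open("/path/to/config.php").read())`; the as-posted sample yields three findings and the fixed sample none. The hostname comparison deliberately ignores the port, because the thread's working setup has overwritehost on the external port and the trusted_domains entry on 443.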

  • When I open "photos" I don't see any of my pictures under "my photos".
    I can navigate from there to "your albums" and then manually open the subfolder with my photos. I can then see and open the photos.
    But they don't show up as expected under "my photos" as thumbnails.


    I can't find anything related in the logs. Anyone have an idea what the issue is here?

  • It's a bug on the tracker related to the new photos app. Quite nasty, since in shares photos won't open at all.

    It was supposed to be fixed with 19, but it's still there. I wait day by day for a new release.

    Chaos is found in greatest abundance wherever order is being sought.
    It always defeats order, because it is better organized.
    Terry Pratchett

  • Well I can view the photos by navigating there manually inside the photo app. But they are not thumbnailed under "my photos". The photos are not on a share but come from an "external storage" of the type "local" (that's the nextcloud naming). So in fact from one of the drives of this machine.


    So you think that is caused by this bug? I asked this question on the nextcloud forum and got no answer. X/

  • Do you have redis in use and preview-generation active in config?



  • I have Redis in use but did not set up any preview-generation.

    I just added the preview generation as suggested to the config.php and restarted nextcloud.

    Did not help. Nothing changed.
