Nextcloud with Letsencrypt using OMV and docker-compose - Q&A

Installed Nextcloud / swag ...

All working fine.

When I am trying to access the url (duckdns one) , I have this error in Chrome.

Any ideas ?

Zitat von rtibby

When I am trying to access the url (duckdns one) , I have this error in Chrome.

Any ideas ?

Can you post your stack here (use the code symbol on the editing box </> )?

Again, hide password, website, email, etc

[EDIT]

If I try it in a incognito tab, this is showing:

Stack for swag is :

---

version: "2.1"

services:

swag:

image: ghcr.io/linuxserver/swag

container_name: swag

cap_add:

- NET_ADMIN

environment:

- PUID=1000

- PGID=100

- TZ=Europe/London

- URL=******.duckdns.org

- SUBDOMAINS=wildcard

- VALIDATION=duckdns

- DUCKDNSTOKEN=***********************************

volumes:

- /home/aptalca/appdata/swag:/config

ports:

- 443:443

- 80:80

restart: unless-stopped

Log for swag is:

Brought to you by linuxserver.io,

-------------------------------------,

,

To support the app dev(s) visit:,

Certbot: https://supporters.eff.org/donate/support-work-on-certbot,

,

To support LSIO projects visit:,

https://www.linuxserver.io/donate/,

-------------------------------------,

GID/UID,

-------------------------------------,

,

User uid: 1000,

User gid: 100,

-------------------------------------,

,

[cont-init.d] 10-adduser: exited 0.,

[cont-init.d] 20-config: executing... ,

[cont-init.d] 20-config: exited 0.,

[cont-init.d] 30-keygen: executing... ,

using keys found in /config/keys,

[cont-init.d] 30-keygen: exited 0.,

[cont-init.d] 50-config: executing... ,

Variables set:,,

0,

PGID=100,

TZ=Europe/London,

URL=myurl.duckdns.org,

SUBDOMAINS=wildcard,

EXTRA_DOMAINS=,

ONLY_SUBDOMAINS=false,

VALIDATION=duckdns,

CERTPROVIDER=,

DNSPLUGIN=,

EMAIL=,

STAGING=,

,

Using Let's Encrypt as the cert provider,

SUBDOMAINS entered, processing,

Wildcard cert for myurl.duckdns.org will be requested,

No e-mail address entered or address invalid,

duckdns validation is selected,

the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use http://www.subdomain.duckdns.org,

Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created,

Generating new certificate,

Saving debug log to /var/log/letsencrypt/letsencrypt.log,

Account registered.,

Requesting a certificate for *.myurl.duckdns.org,

Hook '--manual-auth-hook' for myurl.duckdns.org ran with output:,

OKsleeping 60,

Hook '--manual-auth-hook' for rtibby.duckdns.org ran with error output:,

% Total % Received % Xferd Average Speed Time Time Time Current,

Dload Upload Total Spent Left Speed,

,

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0,

100 2 0 2 0 0 4 0 --:--:-- --:--:-- --:--:-- 4,

,

Successfully received certificate.,

Certificate is saved at: /etc/letsencrypt/live/myurl.duckdns.org/fullchain.pem,

Key is saved at: /etc/letsencrypt/live/myurl.duckdns.org/privkey.pem,

This certificate expires on 2022-01-21.,

These files will be updated when the certificate renews.,

NEXT STEPS:,

- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.,

,

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -,

If you like Certbot, please consider supporting our work by:,

* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate,

* Donating to EFF: https://eff.org/donate-le,

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -,

New certificate generated; starting nginx,

Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,,

and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.,

[cont-init.d] 50-config: exited 0.,

[cont-init.d] 60-renew: executing... ,

The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).,

[cont-init.d] 60-renew: exited 0.,

[cont-init.d] 70-templates: executing... ,

[cont-init.d] 70-templates: exited 0.,

[cont-init.d] 90-custom-folders: executing... ,

[cont-init.d] 90-custom-folders: exited 0.,

[cont-init.d] 99-custom-files: executing... ,

[custom-init] no custom files found exiting...,

[cont-init.d] 99-custom-files: exited 0.,

[cont-init.d] done.,

[services.d] starting services,

[services.d] done.,

Server ready

Zitat von rtibby

[EDIT]

If I try it in a incognito tab, this is showing:

Your cache need to be cleared (Ctrl+F5 while opening the website)

Have you done all the edits on the files from the guide?

Since it's showing the parking SWAG page with the URL http://xxxxxxxxx.duckdns.org/nextcloud , it means the redirect isn't beeing made

[EDIT]

---

version: "2.1"
services:
swag:
image: ghcr.io/linuxserver/swag
container_name: swag
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=100
- TZ=Europe/London
- URL=******.duckdns.org
- SUBDOMAINS=wildcard
- VALIDATION=duckdns
- DUCKDNSTOKEN=***********************************
volumes:
- /home/aptalca/appdata/swag:/config
ports:
- 443:443
- 80:80
restart: unless-stopped

This stack doesn't came from the guide,

Done this from the guide:

and my config.php looks like this:

The swag stack does not come from the guide indeed , because thew stack from the guide was NOT generating a certificate, giving an error

The swag Stack is coming from here:

[EDIT]

If you insist on using the stacks straigth from linuxserver, them use this one which is the example for NC, MariaDB and SWAG:

Edit what needs to be edited:

SOURCE

---
version: "2.1"
services:
  nextcloud:
    image: ghcr.io/linuxserver/nextcloud
    container_name: nextcloud
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
    volumes:
      - /home/aptalca/appdata/nextcloud/config:/config
      - /home/aptalca/appdata/nextcloud/data:/data
    depends_on:
      - mariadb
    restart: unless-stopped
  mariadb:
    image: ghcr.io/linuxserver/mariadb
    container_name: mariadb
    environment:
      - PUID=1000
      - PGID=1000
      - MYSQL_ROOT_PASSWORD=mariadbpassword
      - TZ=Europe/London
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=ncuser
      - MYSQL_PASSWORD=ncpassword
    volumes:
      - /home/aptalca/appdata/mariadb:/config
    restart: unless-stopped
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - URL=linuxserver-test.duckdns.org
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - DUCKDNSTOKEN=97654867496t0877648659765854
    volumes:
      - /home/aptalca/appdata/swag:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped

[/EDIT]

Zitat von rtibby

The swag stack does not come from the guide indeed , because thew stack from the guide was NOT generating a certificate, giving an error

Zitat

The swag Stack is coming from here:

I know where you get it from,
The volume gave it away, which means that NOW, you have a folder named "aptalca..." inside your "HOME" folder

If you keep mixing things, it will be really hard to fix it and help you.

The way you used that STACK (with wildcard and DUCKDNS validation), for you to have https access (so SWAG can use the certificate), you need to use "https://<something.due.to.wildcard>.<yourduckdns>.duckdns.org/nextcloud"

Also, since I can only assume from seeing that the stack is just for SWAG, that you have separated stacks to launch the containers.

Unless you added them all (MariaDB, Nextcloud and SWAG) to the same network, it won't work.

Ok .

Tried with the original stack from the guide, giving up of using duckdns.

I do have a domain of my own xxxxx.com

So, container now all start, BUT swag fails to issue a certificate for my domain (log of swag container screenshot):

forum.openmediavault.org/wsc/index.php?attachment/21027/

My domain DNS looks like this:

config.php now looks like this:

Just a remark (and reminder, especially for those that run WatchTower or any other updater):

SWAG latest (Release 1.20.0-ls94) comes with an important safety update.

If you only update the image, the file in question (proxy.conf) won't be updated.

In order to update the file, you'll have to delete the old one and redeploy SWAG to download the latest version of it.

More Info Here...

Howto update configs.

Zitat

• If you have NOT modified a file with noted changes in the changelog:
  1. Delete the config file with listed updates, restart the container

You'll find the file in:

...<path.to.swag.config.folder>/nginx/proxy.conf

Zitat von Soma

Just a remark (and reminder, especially for those that run WatchTower or any other updater):

SWAG latest (Release 1.20.0-ls94) comes with an important safety update.

If you only update the image, the file in question (proxy.conf) won't be updated.

In order to update the file, you'll have to delete the old one and redeploy SWAG to download the latest version of it.

More Info Here...

Howto update configs.

You'll find the file in:

...<path.to.swag.config.folder>/nginx/proxy.conf

Alles anzeigen

I do not get that if you get the new generic proxy_confs how do you modify the changes to yours old custom proxy confs?

Zitat von Nefertiti

I do not get that if you get the new generic proxy_confs how do you modify the changes to yours old custom proxy confs?

The file that is mentioned is "proxy.conf" that is inside the folder "nginx.

I didn't said anything about the generic "..sub...proxy.confs"

Done it it was confusing between proxy.conf and proxy.confs

Thanks

Well after checking got error

Zitat von Soma

The file that is mentioned is "proxy.conf" that is inside the folder "nginx.

I didn't said anything about the generic "..sub...proxy.confs"

nginx: [emerg] unknown "connection_upgrade" variable

Zitat von Nefertiti

Well after checking got error

Code

nginx: [emerg] unknown "connection_upgrade" variable

Where did this you saw this?

Go to portainer and access to the console of SWAG.

Run inside the console: nginx -t

Post the output here. Should be something like this:

root@f7e64b421b3c:/# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Funny thing is, it has nothing to do with the "proxy.conf" file that was changed before.

[EDIT]

Also, still inside the console of SWAG, run and post the output of:

cat /etc/nginx/nginx.conf

And, for sake of mind:

cat /etc/nginx/proxy.conf The correct path is cat /config/nginx/proxy.conf

[/EDIT]

The funny thing is

cat: /etc/nginx/proxy.conf: No such file or directory
root@OMV-MSI:~#

but the file is there

Zitat von Nefertiti

C

root@fc9b4c690308:/#nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

root@fc9b4c690308:/#
root@fc9b4c690308:/#cat /etc/nginx/nginx.conf
# /etc/nginx/nginx.conf
user nginx;
# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;
# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;
# Configures default error logger.
error_log /var/log/nginx/error.log warn;
# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;
# Uncomment to include files with config snippets into the root context.
# NOTE: This will be enabled by default in Alpine 3.15.
#include /etc/nginx/conf.d/*.conf;
events { # The maximum number of simultaneous connections that can be opened by # a worker process. worker_connections 1024; }
http { # Includes mapping of file name extensions to MIME types of responses # and defines the default type. 
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Name servers used to resolve names of upstream servers into addresses.
# It's also needed when using tcpsocket and udpsocket in Lua modules.
#resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
# Don't tell nginx version to the clients. Default is 'on'. server_tokens off;
# Specifies the maximum accepted body size of a client request, as
# indicated by the request header Content-Length. If the stated content
# length is greater than this size, then the client receives the HTTP
# error code 413. Set to 0 to disable. Default is '1m'.
client_max_body_size 1m;
# Sendfile copies data between one FD and other from within the kernel,
# which is more efficient than read() + write(). Default is off.
sendfile on;
# Causes nginx to attempt to send its HTTP response head in one packet,
# instead of using partial frames. Default is 'off'.
tcp_nopush on;
# Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
# TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Path of the file with Diffie-Hellman parameters for EDH ciphers.
# TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
#ssl_dhparam /etc/ssl/nginx/dh2048.pem;
# Specifies that our cipher suits should be preferred over client ciphers.
# Default is 'off'.
ssl_prefer_server_ciphers on;
# Enables a shared SSL cache with size that can hold around 8000 sessions.
# Default is 'none'.
ssl_session_cache shared:SSL:2m;
# Specifies a time during which a client may reuse the session parameters.
# Default is '5m'.
ssl_session_timeout 1h;
# Disable TLS session tickets (they are insecure). Default is 'on'.
ssl_session_tickets off;
# Enable gzipping of responses.
#gzip on;
# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
gzip_vary on;
# Helper variable for proxying websockets.
map $http_upgrade $connection_upgrade { default upgrade; '' close; }
# Specifies the main log format.
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
# Sets the path, format, and configuration for a buffered log write.
access_log /var/log/nginx/access.log main;
# Includes virtual hosts configs.
include /etc/nginx/http.d/*.conf; }
# TIP: Uncomment if you use stream module.
#include /etc/nginx/stream.conf;
root@fc9b4c690308:/#

Alles anzeigen

Jesus, what a mess,

After trying to make some sense out of this, and putting some paragraphs, it looks ok.

The output should be this:

root@f7e64b421b3c:/# cat /etc/nginx/nginx.conf 
# /etc/nginx/nginx.conf

user nginx;

# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

# Configures default error logger.
error_log /var/log/nginx/error.log warn;

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;

# Uncomment to include files with config snippets into the root context.
# NOTE: This will be enabled by default in Alpine 3.15.
#include /etc/nginx/conf.d/*.conf;

events {
        # The maximum number of simultaneous connections that can be opened by
        # a worker process.
        worker_connections 1024;
}

http {
        # Includes mapping of file name extensions to MIME types of responses
        # and defines the default type.
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # Name servers used to resolve names of upstream servers into addresses.
        # It's also needed when using tcpsocket and udpsocket in Lua modules.
        #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;

        # Don't tell nginx version to the clients. Default is 'on'.
        server_tokens off;

        # Specifies the maximum accepted body size of a client request, as
        # indicated by the request header Content-Length. If the stated content
        # length is greater than this size, then the client receives the HTTP
        # error code 413. Set to 0 to disable. Default is '1m'.
        client_max_body_size 1m;

        # Sendfile copies data between one FD and other from within the kernel,
        # which is more efficient than read() + write(). Default is off.
        sendfile on;

        # Causes nginx to attempt to send its HTTP response head in one packet,
        # instead of using partial frames. Default is 'off'.
        tcp_nopush on;


        # Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
        # TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

        # Path of the file with Diffie-Hellman parameters for EDH ciphers.
        # TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
        #ssl_dhparam /etc/ssl/nginx/dh2048.pem;

        # Specifies that our cipher suits should be preferred over client ciphers.
        # Default is 'off'.
        ssl_prefer_server_ciphers on;

        # Enables a shared SSL cache with size that can hold around 8000 sessions.
        # Default is 'none'.
        ssl_session_cache shared:SSL:2m;

        # Specifies a time during which a client may reuse the session parameters.
        # Default is '5m'.
        ssl_session_timeout 1h;

        # Disable TLS session tickets (they are insecure). Default is 'on'.
        ssl_session_tickets off;


        # Enable gzipping of responses.
        #gzip on;

        # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
        gzip_vary on;


        # Helper variable for proxying websockets.
        map $http_upgrade $connection_upgrade {
                default upgrade;
                '' close;
        }


        # Specifies the main log format.
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        # Sets the path, format, and configuration for a buffered log write.
        access_log /var/log/nginx/access.log main;


        # Includes virtual hosts configs.
        include /etc/nginx/http.d/*.conf;
}

# TIP: Uncomment if you use stream module.
#include /etc/nginx/stream.conf;
root@f7e64b421b3c:/# 

And for the proxy.conf: EDIT- On the previous post, I made an error: The path to proxy.conf is /config/nginx/proxy.conf

root@f7e64b421b3c:/# cat /config/nginx/proxy.conf
## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect  http://  $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Real-IP $remote_addr;
root@f7e64b421b3c:/#

Your "proxy.conf" (the zip I downloaded)

## Version 2020/10/04 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf

The new "proxy.conf"

## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf

You didn't delete the file prior to restart SWAG.

Bash again to the console of SWAG (via portainer or CLI)

cp -a /config/nginx/proxy.conf /config/nginx/proxy.conf.bak

rm -f /config/nginx/proxy.conf

exit

Restart SWAG