Nextcloud with Letsencrypt using OMV and docker-compose - Q&A
-
- OMV 5.x
- WastlJ
-
When I try to access the URL (the duckdns one), I get this error in Chrome.
Any ideas?
Can you post your stack here (use the code symbol </> in the editing box)?
Again, hide passwords, website, email, etc.
-
Stack for swag is:
---
version: "2.1"
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/London
      - URL=******.duckdns.org
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - DUCKDNSTOKEN=***********************************
    volumes:
      - /home/aptalca/appdata/swag:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
Log for swag is:
Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 1000
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
0
PGID=100
TZ=Europe/London
URL=myurl.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=duckdns
CERTPROVIDER=
DNSPLUGIN=
EMAIL=
STAGING=

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for myurl.duckdns.org will be requested
No e-mail address entered or address invalid
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use http://www.subdomain.duckdns.org
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for *.myurl.duckdns.org
Hook '--manual-auth-hook' for myurl.duckdns.org ran with output:
OKsleeping 60
Hook '--manual-auth-hook' for rtibby.duckdns.org ran with error output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100     2    0     2    0     0      4      0 --:--:-- --:--:-- --:--:--     4

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/myurl.duckdns.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/myurl.duckdns.org/privkey.pem
This certificate expires on 2022-01-21.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New certificate generated; starting nginx
Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 70-templates: executing...
[cont-init.d] 70-templates: exited 0.
[cont-init.d] 90-custom-folders: executing...
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
-
Your cache needs to be cleared (Ctrl+F5 while opening the website).
Have you done all the edits on the files from the guide? Since it's showing the parking SWAG page with the URL http://xxxxxxxxx.duckdns.org/nextcloud, it means the redirect isn't being made.
[EDIT]
Code
---
version: "2.1"
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/London
      - URL=******.duckdns.org
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - DUCKDNSTOKEN=***********************************
    volumes:
      - /home/aptalca/appdata/swag:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
This stack doesn't come from the guide.
-
[EDIT]
If you insist on using the stacks straight from linuxserver, then use this one, which is the example for NC, MariaDB and SWAG:
Edit what needs to be edited:
Code
---
version: "2.1"
services:
  nextcloud:
    image: ghcr.io/linuxserver/nextcloud
    container_name: nextcloud
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
    volumes:
      - /home/aptalca/appdata/nextcloud/config:/config
      - /home/aptalca/appdata/nextcloud/data:/data
    depends_on:
      - mariadb
    restart: unless-stopped
  mariadb:
    image: ghcr.io/linuxserver/mariadb
    container_name: mariadb
    environment:
      - PUID=1000
      - PGID=1000
      - MYSQL_ROOT_PASSWORD=mariadbpassword
      - TZ=Europe/London
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=ncuser
      - MYSQL_PASSWORD=ncpassword
    volumes:
      - /home/aptalca/appdata/mariadb:/config
    restart: unless-stopped
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - URL=linuxserver-test.duckdns.org
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - DUCKDNSTOKEN=97654867496t0877648659765854
    volumes:
      - /home/aptalca/appdata/swag:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
[/EDIT]
The swag stack does not come from the guide indeed, because the stack from the guide was NOT generating a certificate, giving an error.
Quote
The swag stack is coming from here:
I know where you got it from.
The volume gave it away, which means that NOW you have a folder named "aptalca..." inside your "HOME" folder. If you keep mixing things, it will be really hard to fix it and help you.
The way you used that STACK (with wildcard and DUCKDNS validation), for you to have https access (so SWAG can use the certificate) you need to use "https://<something.due.to.wildcard>.<yourduckdns>.duckdns.org/nextcloud".
Also, since the stack is just for SWAG, I can only assume that you have separate stacks to launch the containers.
Unless you added them all (MariaDB, Nextcloud and SWAG) to the same network, it won't work.
-
Ok.
Tried with the original stack from the guide, giving up on using duckdns.
I do have a domain of my own, xxxxx.com.
So, the containers now all start, BUT swag fails to issue a certificate for my domain (log of swag container screenshot):
forum.openmediavault.org/wsc/index.php?attachment/21027/
My domain DNS looks like this:
config.php now looks like this:
-
Never mind, I see you're using subfolder... I always say subdomain.
I will say though (I don't think it's your problem, however): according to the first pic, in the swag setup you have 2 commas after www in SUBDOMAINS.
-
Just a remark (and reminder, especially for those that run WatchTower or any other updater):
SWAG latest (Release 1.20.0-ls94) comes with an important safety update.
If you only update the image, the file in question (proxy.conf) won't be updated.
In order to update the file, you'll have to delete the old one and redeploy SWAG to download the latest version of it.
Quote
- If you have NOT modified a file with noted changes in the changelog:
- Delete the config file with listed updates, restart the container
You'll find the file in:
...<path.to.swag.config.folder>/nginx/proxy.conf
-
I do not get that. If you get the new generic proxy_confs, how do you apply the changes to your old custom proxy confs?
-
The file that is mentioned is "proxy.conf", which is inside the folder "nginx".
I didn't say anything about the generic "..sub...proxy.confs".
-
Done it; it was confusing between proxy.conf and proxy.confs.
Thanks
-
Well, after checking I got an error.
-
Where did you see this?
Go to portainer and access the console of SWAG.
Run inside the console: nginx -t
Post the output here. It should be something like this:
Code
root@f7e64b421b3c:/# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Funny thing is, it has nothing to do with the "proxy.conf" file that was changed before.
[EDIT]
Also, still inside the console of SWAG, run and post the output of:
cat /etc/nginx/nginx.conf
And, for peace of mind:
cat /etc/nginx/proxy.conf
The correct path is: cat /config/nginx/proxy.conf
[/EDIT]
-
Code
root@fc9b4c690308:/# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@fc9b4c690308:/#
root@fc9b4c690308:/# cat /etc/nginx/nginx.conf
# /etc/nginx/nginx.conf

user nginx;

# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

# Configures default error logger.
error_log /var/log/nginx/error.log warn;

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;

# Uncomment to include files with config snippets into the root context.
# NOTE: This will be enabled by default in Alpine 3.15.
#include /etc/nginx/conf.d/*.conf;

events {
    # The maximum number of simultaneous connections that can be opened by
    # a worker process.
    worker_connections 1024;
}

http {
    # Includes mapping of file name extensions to MIME types of responses
    # and defines the default type.
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Name servers used to resolve names of upstream servers into addresses.
    # It's also needed when using tcpsocket and udpsocket in Lua modules.
    #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;

    # Don't tell nginx version to the clients. Default is 'on'.
    server_tokens off;

    # Specifies the maximum accepted body size of a client request, as
    # indicated by the request header Content-Length. If the stated content
    # length is greater than this size, then the client receives the HTTP
    # error code 413. Set to 0 to disable. Default is '1m'.
    client_max_body_size 1m;

    # Sendfile copies data between one FD and other from within the kernel,
    # which is more efficient than read() + write(). Default is off.
    sendfile on;

    # Causes nginx to attempt to send its HTTP response head in one packet,
    # instead of using partial frames. Default is 'off'.
    tcp_nopush on;

    # Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
    # TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

    # Path of the file with Diffie-Hellman parameters for EDH ciphers.
    # TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
    #ssl_dhparam /etc/ssl/nginx/dh2048.pem;

    # Specifies that our cipher suits should be preferred over client ciphers.
    # Default is 'off'.
    ssl_prefer_server_ciphers on;

    # Enables a shared SSL cache with size that can hold around 8000 sessions.
    # Default is 'none'.
    ssl_session_cache shared:SSL:2m;

    # Specifies a time during which a client may reuse the session parameters.
    # Default is '5m'.
    ssl_session_timeout 1h;

    # Disable TLS session tickets (they are insecure). Default is 'on'.
    ssl_session_tickets off;

    # Enable gzipping of responses.
    #gzip on;

    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
    gzip_vary on;

    # Helper variable for proxying websockets.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # Specifies the main log format.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Sets the path, format, and configuration for a buffered log write.
    access_log /var/log/nginx/access.log main;

    # Includes virtual hosts configs.
    include /etc/nginx/http.d/*.conf;
}

# TIP: Uncomment if you use stream module.
#include /etc/nginx/stream.conf;
root@fc9b4c690308:/#
-
Jesus, what a mess.
After trying to make some sense out of this and putting in some paragraphs, it looks ok.
The output should be this:
Code
root@f7e64b421b3c:/# cat /etc/nginx/nginx.conf
# /etc/nginx/nginx.conf

user nginx;

# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

# Configures default error logger.
error_log /var/log/nginx/error.log warn;

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;

# Uncomment to include files with config snippets into the root context.
# NOTE: This will be enabled by default in Alpine 3.15.
#include /etc/nginx/conf.d/*.conf;

events {
    # The maximum number of simultaneous connections that can be opened by
    # a worker process.
    worker_connections 1024;
}

http {
    # Includes mapping of file name extensions to MIME types of responses
    # and defines the default type.
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Name servers used to resolve names of upstream servers into addresses.
    # It's also needed when using tcpsocket and udpsocket in Lua modules.
    #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;

    # Don't tell nginx version to the clients. Default is 'on'.
    server_tokens off;

    # Specifies the maximum accepted body size of a client request, as
    # indicated by the request header Content-Length. If the stated content
    # length is greater than this size, then the client receives the HTTP
    # error code 413. Set to 0 to disable. Default is '1m'.
    client_max_body_size 1m;

    # Sendfile copies data between one FD and other from within the kernel,
    # which is more efficient than read() + write(). Default is off.
    sendfile on;

    # Causes nginx to attempt to send its HTTP response head in one packet,
    # instead of using partial frames. Default is 'off'.
    tcp_nopush on;

    # Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
    # TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

    # Path of the file with Diffie-Hellman parameters for EDH ciphers.
    # TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
    #ssl_dhparam /etc/ssl/nginx/dh2048.pem;

    # Specifies that our cipher suits should be preferred over client ciphers.
    # Default is 'off'.
    ssl_prefer_server_ciphers on;

    # Enables a shared SSL cache with size that can hold around 8000 sessions.
    # Default is 'none'.
    ssl_session_cache shared:SSL:2m;

    # Specifies a time during which a client may reuse the session parameters.
    # Default is '5m'.
    ssl_session_timeout 1h;

    # Disable TLS session tickets (they are insecure). Default is 'on'.
    ssl_session_tickets off;

    # Enable gzipping of responses.
    #gzip on;

    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
    gzip_vary on;

    # Helper variable for proxying websockets.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # Specifies the main log format.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Sets the path, format, and configuration for a buffered log write.
    access_log /var/log/nginx/access.log main;

    # Includes virtual hosts configs.
    include /etc/nginx/http.d/*.conf;
}

# TIP: Uncomment if you use stream module.
#include /etc/nginx/stream.conf;
root@f7e64b421b3c:/#
And for the proxy.conf (EDIT: in the previous post I made an error; the path to proxy.conf is /config/nginx/proxy.conf):
Code
root@f7e64b421b3c:/# cat /config/nginx/proxy.conf
## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect http:// $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Real-IP $remote_addr;
root@f7e64b421b3c:/#
-
Your "proxy.conf" (the zip I downloaded):
Code
## Version 2020/10/04 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
The new "proxy.conf":
Code
## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
You didn't delete the file prior to restarting SWAG.
Bash again into the console of SWAG (via portainer or CLI):
cp -a /config/nginx/proxy.conf /config/nginx/proxy.conf.bak
rm -f /config/nginx/proxy.conf
exit
Restart SWAG
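The check-back-up-delete routine described in the two posts above, written out as a script; this is an added example, not code from the thread or from linuxserver, and it assumes only that proxy.conf starts with the "## Version YYYY/MM/DD" header shown in the quoted output (the default path /config/nginx/proxy.conf is the one named in the posts).

```shell
#!/bin/sh
# Added example (not from the thread or from linuxserver): decide whether a SWAG
# proxy.conf is older than the one shipped with the image and, if so, back it up
# and delete it so the container recreates the default on the next start.
# Assumption: the file starts with the "## Version YYYY/MM/DD" header quoted in
# the thread; /config/nginx/proxy.conf is the path named in the posts.

# Print the header date of a proxy.conf as YYYYMMDD ("00000000" if no header).
proxy_conf_version() {
    _v=$(sed -n 's|^## Version \([0-9]\{4\}\)/\([0-9]\{2\}\)/\([0-9]\{2\}\).*|\1\2\3|p' "$1" | head -n 1)
    if [ -z "$_v" ]; then
        echo "00000000"
    else
        echo "$_v"
    fi
}

# Succeed (exit 0) when FILE's header date is before REF (YYYY/MM/DD from the changelog).
proxy_conf_is_stale() {
    _ref=$(printf '%s' "$2" | tr -d '/')
    _cur=$(proxy_conf_version "$1")
    [ "$_cur" -lt "$_ref" ]
}

# Back up and remove FILE when it is stale. Prints "missing", "replaced" or "current".
refresh_proxy_conf() {
    if [ ! -f "$1" ]; then
        echo "missing"
        return 0
    fi
    if proxy_conf_is_stale "$1" "$2"; then
        cp -a "$1" "$1.bak"   # keep the old file so custom edits can be re-applied
        rm -f "$1"            # SWAG writes the current default here on next start
        echo "replaced"
    else
        echo "current"
    fi
}

# Stand-alone demo on a constructed file carrying the old header from the thread.
demo_dir=$(mktemp -d)
printf '## Version 2020/10/04 - Changelog: (constructed sample)\nproxy_buffers 32 4k;\n' \
    > "$demo_dir/proxy.conf"
echo "old header: $(proxy_conf_version "$demo_dir/proxy.conf")"
echo "action:     $(refresh_proxy_conf "$demo_dir/proxy.conf" 2021/10/26)"
rm -rf "$demo_dir"
```

Inside the SWAG console the real call is `refresh_proxy_conf /config/nginx/proxy.conf 2021/10/26`, followed by a container restart; the .bak copy is what you diff against to carry custom edits over.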