Nextcloud with Letsencrypt using OMV and docker-compose - Q&A

So just out of curiosity, I just checked my log and it seems to confirm what chente said.... from the looks of the log, certbot automatically runs at certain intervals, so if certs meet the renewal criteria, they are renewed. It looks like this is handled with a cron script inside the container.

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for my-domain.xyz will be requested
E-mail address entered: my-email@aol.com
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).

Zitat von olduser

Does swag auto renew with zerossl or do you have to log in to their web interface every year?

Another possible advantage with zerossl is that you can validate via e-mail. Might be handy for people who can't use port 80 and/or don't want to use TLS; https://zerossl.com/documentation/api/verify-domains/

Yes, if you set your certprovider to use ZEROSSL, both are managed by certbot. So I'm not sure why he thinks this is an advantage. The main advantage I've found with Zero.. is when helping new users who have had multiple failed attemps to get swag installed. LetsEncrypt, only lets you have X amount of failed attempts in a certain time period(I think it's 8)... then it locks you out from getting a cert for 72hrs. ZeroSSL has no such restriction... So I've had to put new users on it many times in order to pull a cert. If you really want to use LE instead.. once you have a ZeroSSL cert.. wait a week or two, then comment it out of your compose and redeploy, and it will pull a LE cert, as that is the default for swag.

https://docs.linuxserver.io/general/swag

Zitat

Cert Provider (Let's Encrypt vs ZeroSSL)

As of January 2021, SWAG supports getting certs validated by either Let's Encrypt or ZeroSSL. Both services use the ACME protocol as the underlying method to validate ownership. Our Certbot client in the SWAG image is ACME compliant and therefore supports both services.

Although very similar, ZeroSSL does (at the time of writing) have a couple of advantages over Let's Encrypt:

• ZeroSSL provides unlimited certs via ACME and has no rate limits or throttling (it's quite common for new users to get throttled by Let's Encrypt due to multiple unsuccessful attempts to validate)
• ZeroSSL provides a web interface that allows users to list and manage the certs they have received

SWAG currently defaults to Let's Encrypt as the cert provider so as not to break existing installs, however users can override that behavior by setting the environment variable CERTPROVIDER=zerossl to retrieve a cert from ZeroSSL instead. The only gotcha is that ZeroSSL requires the EMAIL env var to be set so the certs can be tied to a ZeroSSL account for management over their web interface.

Another very useful variable I've found, is PROPAGATION. swag, by default, gives your domain around 10sec to respond to it's request for a cert. If it is slower than that, then it will just reject it and swag will fail to pull a cert. I've had this issue with cloudflare many times. By setting a value on PROPAGATION, you force swag to wait longer (in seconds). This doesn't seem to be an issue for duckdns users, which I know a lot of folks here use.

I've used the below compose to help a ton of people with cloudflare and swag propagation issues and it has yet to let me down.. If they get the "failed attempts limit" error from LE, I just have them uncomment the CERTPROVIDER variable

---
version: "2.1"
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000  #ADJUST
      - PGID=100   #ADJUST
      - URL=your-domain.tld  #ADJUST
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=cloudflare
      - PROPAGATION=30
      #- CERTPROVIDER=zerossl
      - EMAIL=email@domain.com
      - DOCKER_MODS=linuxserver/mods:swag-dashboard
    volumes:
      - /path/to/swag:/config  #ADJUST
    ports:
      - 444:443
      - 82:80
      - 81:81
    restart: unless-stopped

FYI to you guys that regularly help with NC ( Soma  macom  chente ) and those of you who are perpetually lost ( Nick0 ). Nextcloud has changed how you must update Nextcloud. This change was basically done to accomodate a bunch of Unraid users who didn't know how to keep their system up to date (funny thing is, I bet this over complicates the matter and they still don't update.. but we'll see)

To put it simply, rather than tagging nextcloud "latest" in your stack/compose file.. You'll now how to have the image version tagged with the version of NC. This of course means you'll have to actually verify that linuxserver has actually released a new image with the new tag. So you can no longer use just "nextcloud:latest" as your image tag.

Announcement link: https://info.linuxserver.io/issues/2023-06-25-nextcloud/

Here's a discussion on the matter..

Updating nextcloud

I’ve used Nextcloud for quite a while and updated it more times than I can count, but never had this issue. Got a notification yesterday there’s an update,…

discourse.linuxserver.io

Edit: Upon reading and thinking about this further, I think you can still use the latest tag. The problem is, as you can see from the pic.. the web updater would check your apps and make sure they were all compatible with the new install. If you're using this new method tagged latest, no such check is done, as the update is now in the image update

This could cause an issue for those using watchtower, if all their apps are not ready for the new version, etc.

I think version tags might be a better way to go because of this, since the web updater has been removed.

Zitat von olduser

What does nexcloud do besides put a filebrowser in a webrowser?

Well, it doesn't really do that. It does pretty much anything Google Drive can do... it's just self hosted.

Just yesterday I decided to try to update Nextcloud from version 26 to version 27. Result = Problems... as always...

So I got fed up with linuxserver and installed Nextcloud AIO, at the same time I switched to Nginx Proxy Manager and also got rid of Swag. We'll see how it works. So far the installation has been relatively easy and I hope the maintenance will be easier too. Theoretically it is a system inspired by Portainer. It is a container that installs/updates other containers from a web interface at the push of a button. It's the official version of Nextcloud so I hope everything works a little better, it even installed Collabora for me in the same package.

The only thing I didn't like is that it didn't let me use a specific user for the container, I have to look into that some more.

Zitat von olduser

What does nexcloud do besides put a filebrowser in a webrowser?

Nextcloud has a built-in universe of plugins that do many other things besides that.

Zitat von Soma

After v27.0.1 is running with the new update system, there's no more issues.

Yes, I saw that thread a while ago. I just waited until yesterday to try to dodge potential teething problems. The procedure I followed is the recommended one. Once updated to 27 it started but with errors. I couldn't say what the errors were, I don't remember in detail. Some database problems and something else. I guess I could have solved it the same way as other times, searching for information and running some commands. But I'm already tired of that. Every update is: "cross your fingers that everything goes well"

Zitat von Soma

Linuxserver mentioned the proper way to do it when they decided to make that change.

macom made a thread giving that info.

Its basic stuff but need to be done correct.

After v27.0.1 is running with the new update system, there's no more issues.

Alles anzeigen

Ah I didn't see that thread. I keep NC up to date pretty religiously, so I was already on 27.0.1 anyway. I have upgraded NC every version since like 18 I do believe, and I don't recall ever having a significant problem upgrading.

I tagged my image yesterday 27.0.1 and repulled it.

Everything went just fine and NC is operating as expected.

Now I'll just have to wait for them to release the 27.0.2 to retag the image and repull it... Still seems kind of a pain, but.. is what it is I guess. I understanding writing for "the lowest common denominator"

Zitat von BlueCoffee

I use it to backup my windows PC folders.

Are you sure it is a backup and not a sync?