Nextcloud with Swag in OMV

  • Hey all


    Have OMV 7.6 running on an old AMD desktop. Runs fine and I have a Jellyfin instance running in docker with no issues. Trying to get Nextcloud running in a docker file along with Swag and Mariadb. From what I can tell from the logs, the containers seem to be running fine. No errors. Swag is getting the ssl for my duckdns domain, I have the config files adjusted to how it is suggested on linuxserver.io. I've looked at several forums for suggestions and I believe I have it all running right. I can even see that Nextcloud has created folders where it is supposed to but I can't access the web gui. I keep getting ssl errors, specifically:


    Error code: SSL_ERROR_UNRECOGNIZED_NAME_ALERT


    This happens when I type in nextcloud.***.duckdns.org. The funny thing is that for maybe 5 minutes, it did work. Had the Nextcloud welcome screen up and when I clicked "install" it disappeared and I haven't seen it since.

    I'll paste my config here. I feel like I'm only a step away from getting this to work.




    Additionally, I have Home Assistant running on a different machine for which port 443 is forwarded to. I believe I got around that with different port forwarding on my router and port 444 being specified in the config. I believe it's working because I'm getting my certs but again I'm missing some step somewhere. I can post my logs if needed.

    Thanks in advance for the help!!

  • I'll paste my config here

    Don't use pastebin when you can post CODE boxes.

  • Hey sorry. I've been posting in reddit lately and the only reliable way to paste code is through pastebin.


  • Some mistakes on the YML (it also makes no sense to mask the UUID of the drives or the TZ, no one will hack you with them)


    SUBDOMAINS=

    use wildcard to be able to use SWAG certificates with ALL subdomains you need, not just nextcloud


    CERTPROVIDER=zerossl

    Do you have a zerossl account to use this? If not, then just comment/delete it completely



    SWAG ports

    Comment out port 80 since with duckdns validation you don't need it; it's one less port required to be opened on the router and it will prevent clashes with OMV (unless you run it on a different port)


    now, post the output of:


    docker logs swag (mask sensitive data: email, subdomain, password, etc)

    docker logs nextcloud

    docker logs mariadb

  • I had had wildcard set in the domains but figured I would try something more specific since it was throwing errors. I do have a ZeroSSL account but I'll try letsencrypt to see if it works. I'll make the changes when I get home from work and post again. Thank you so far!

  • This is the error from Swag. I changed over to letsencrypt and I verified that the token is correct both in the file and the config file. ZeroSSL seemed to get past this point and had no errors but didn't work regardless. I also looked at the zerossl account and no certs had been generated either.

  • - DNSPLUGIN=duckdns

    Please, remove this line from the YML (or comment it)


    Did you make the port forward on the router from WAN 443 to LAN_IP 444?


    The error from SWAG is about the DNSPLUGIN but with VALIDATION=duckdns && DUCKDNSTOKEN= you don't need to use the above.

    swag | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/duckdns.ini file.

    Also, confirm that the TOKEN on that file matches your TOKEN from duckdns:

    cat /PATH-TO-SWAG-CONFIG/dns-conf/duckdns.ini

  • Yep, re-verified the token. It's all ok. Got rid of the dnsplugin line as well. I double checked my ports. Destination port is 444 from 443 on the router.

    Also noticing this in the nextcloud log:

    Code
    nextcloud  | using keys found in /config/keys
    nextcloud  | Initializing nextcloud 30.0.5.1 (this can take a while) ...
    nextcloud  | Setting permissions
    nextcloud  | Initializing finished
    nextcloud  | [custom-init] No custom files found, skipping...
    nextcloud  | [ls.io-init] done.

    Does nextcloud generate its own certs? Can that conflict with Swag?

    The other thing is that I do have HA running on a different machine with port 443 forwarded to it. I thought the workaround was to specify a different port (444) in my docker config.

  • Also noticing this in the nextcloud log:

    Nextcloud will use the certificate from SWAG.

    No need to concern with it.

    It is swag that needs to be sorted.



    The other thing is that I do have HA running on a different machine with port 443 forwarded to it

    Do you mean from WAN to LAN?

    If yes, then no, it won't work.

    You can't have the same external port (443) forward to different apps/devices/ips

  • So with that in mind, if I forward router port 444 to 444 on OMV that should work right? That's what I had set up initially.

    No.

    In order for https to work, and swag get the certificate, wan comm is done on port 443.

    There's no other way.

  • sorry to jump into this thread - not hijacking - but I have similar challenges and have solved most so I might be able to help the OP a bit...


    OMV is on port 80 - not using ssl

    I use duckdns with a couple of wildcard domains (e.g. *.domain1.duckdns.org and *.domain2.duckdns.org)

    I have swag running on two OMV servers as i need to be able to reverse proxy to services on both servers

    On one server/container the host port is 443 and on the other 444

    on my router, I have 2 port forwards one for 443 to server1 and 444 to server2

    services on server1 are reached using https://service.domain1.duckdns.org

    services on server2 are reached using https://service.domain2.duckdns.org:444


    This all works but it's not ideal. I am working on a better solution with a single reverse proxy but I can't get it to work yet...


    I have tried service.server.domain.duckdns.org (e.g. https://ha.server1.domain1.duckdns.org) but it doesn't seem to work


    I am thinking duckdns wildcard only allows/handles *.domain and not *.server.domain


    Can anyone confirm?

  • I have to say, you're over complicating it.


    You only need (can have) 1 SWAG (or other reverse-proxy) instance running on the LAN.


    I can give you a rundown in a few hours.

    I'm just leaving to work, ATM

  • I use duckdns with a couple of wildcard domains (e.g. *.domain1.duckdns.org and *.domain2.duckdns.org)

    Your duckdns account can have up to 5 subdomains pointing to the same IP but for simplicity's sake, let's just use 1

    Let's call it

    jata1


    Run SWAG on the device with IP 192.x.y.100 (with port 444:443) with wildcard

    Portforward on the router WAN:443 to LAN-192.x.y.100:444


    Now, all sub.jata1.duckdns.org are running on https.


    Now, on all YML running on the same host, bind the network to the one that is SWAG.

    For eg:


    YML of SWAG snippet:

    Code
    #  This section creates a custom docker bridge network called swagnet. 
    #  The driver line makes sure it is a bridge that can be used by other containers
    networks:
      default:
        name: swagnet
        driver: bridge


    YML of other services:

    Code
    #This section attaches the container to the custom network created by the SWAG container.
    networks:
      default:
        name: swagnet
        external: true

    With the above, every service running on the HOST can use the subdomain reverse-proxy conf from SWAG as is. No need to edit anything on them.


    For the services that run on another device IP:

    In your case, homeassistant is running on another IP (192.u.v.200 for eg)


    Edit the SWAG subdomain conf on the IP 100 and change ALL instances where it says set $upstream_app homeassistant; to set $upstream_app 192.u.v.200;


    Restart SWAG and you will have https access to homeassistant.jata1.duckdns.org without any hassle.

    The https protocol is coming from WAN, portforwarded to SWAG LAN_IP 100 and reverse-proxied to LAN_IP 200 where the homeassistant is running.


    Easy.

    Only con is, you will need to edit it every time there's an update to the reverse-proxy conf.sample of the ones used on LAN_IP 200


    Hope this helps, ;)
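The layout described in this post, written out as two compose files. This is an added example for the thread, not the OP's YML nor linuxserver's own templates; the domain jata1.duckdns.org, the host paths under /srv/docker, the placeholder secrets, the TZ and the PUID/PGID values are assumptions. The first file runs SWAG with a wildcard cert obtained through duckdns DNS validation and creates the swagnet bridge; the second attaches Nextcloud and MariaDB to that network by name, publishes no ports of its own, and so is reachable only through SWAG:

```yaml
# --- /srv/docker/swag/docker-compose.yml (assumed path) ---
# Router: forward WAN 443 -> 192.168.1.100:444 (assumed LAN IP).
# Port 80 is not published: duckdns DNS validation does not need it.
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Lisbon
      - URL=jata1.duckdns.org
      - SUBDOMAINS=wildcard          # one cert for *.jata1.duckdns.org
      - VALIDATION=duckdns           # DNS challenge through the duckdns API
      - DUCKDNSTOKEN=REPLACE-WITH-DUCKDNS-TOKEN
      # no CERTPROVIDER line -> Let's Encrypt; no DNSPLUGIN line needed
    volumes:
      - /srv/docker/swag/config:/config
    ports:
      - 444:443                      # host 444 -> container 443
    restart: unless-stopped

networks:
  default:
    name: swagnet                    # bridge the other stacks join by name
    driver: bridge

---
# --- /srv/docker/nextcloud/docker-compose.yml (assumed path) ---
services:
  nextcloud:
    image: lscr.io/linuxserver/nextcloud:latest
    container_name: nextcloud        # must equal $upstream_app in the proxy conf
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Lisbon
    volumes:
      - /srv/docker/nextcloud/config:/config
      - /srv/docker/nextcloud/data:/data
    depends_on:
      - mariadb
    restart: unless-stopped          # no "ports:" block: only SWAG can reach it

  mariadb:
    image: lscr.io/linuxserver/mariadb:latest
    container_name: mariadb
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Lisbon
      - MYSQL_ROOT_PASSWORD=REPLACE-ME
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=REPLACE-ME
    volumes:
      - /srv/docker/mariadb/config:/config
    restart: unless-stopped

networks:
  default:
    name: swagnet
    external: true                   # created by the SWAG stack above
```

Bring up the SWAG stack first so the swagnet network exists, then copy /srv/docker/swag/config/nginx/proxy-confs/nextcloud.subdomain.conf.sample to nextcloud.subdomain.conf and restart swag; because the container is named nextcloud on the same network, the sample's set $upstream_app nextcloud; resolves without edits. For a service on another box, change that line to the LAN IP as the post describes, and keep the Nextcloud side's trusted_domains in sync with the subdomain you use.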

  • Thanks Soma for the help and detailed explanation. That is exactly how I have each docker/swag host setup so I'm happy that I have got the base setup correctly and working well. But...


    I still have not found a way to:

    • use one SWAG reverse proxy AND
    • be able to resolve internally and externally using the same URL AND
    • have services running on two servers in the lan


    I think the tricky part is the internal (lan) side of things as I need some subdomains to point to 192.x.y.100 and some to 192.x.y.200 internally. I have this working but I need to have swag on each server using different subdomains to achieve it.


    I use overrides (redirection) on my router so that *.jata1.duckdns.org points to 192.x.y.100 and *.jata2.duckdns.org points to 192.x.y.200


    I have been able to config my router so that *.server1.jata1.duckdns.org points to 192.x.y.100 and *.server2.jata1.duckdns.org points to 192.x.y.200 but I don't think duckdns supports sub subdomains - duckdns does not recognise sub.server1.jata1.duckdns.org


    I am thinking cloudflare + a $10 per year hosted domain name might be the way forward (and more secure too)...
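The wildcard question raised in this and the earlier post can be checked locally. The following is an added example, not code from the OMV forum, SWAG, duckdns or Nextcloud; the names jata1.duckdns.org, 192.168.1.100 and port 444 are constructed. It implements the single-label wildcard rule that public CAs apply (a `*.` covers exactly one label, so `*.jata1.duckdns.org` covers `ha.jata1.duckdns.org` but not `ha.server1.jata1.duckdns.org`), and includes an optional live check that sends a chosen SNI name to the SWAG port and turns the server's unrecognized_name alert, which Firefox shows as SSL_ERROR_UNRECOGNIZED_NAME_ALERT, into a readable message:

```python
"""Certificate name coverage check for a wildcard duckdns setup.

Added example for this thread; host names, IP and port are constructed.
"""
import socket
import ssl
from typing import Iterable, List, Optional


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate DNS name (exact or '*.' wildcard) covers hostname.

    The wildcard may only be the whole leftmost label and stands for exactly
    one label: '*.jata1.duckdns.org' covers 'ha.jata1.duckdns.org' but not
    'ha.server1.jata1.duckdns.org' (one label too many) nor the bare
    'jata1.duckdns.org' (no label at all).
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    wild, _, cert_tail = cert_name.partition(".")
    if wild != "*" or not cert_tail:
        return False  # partial wildcards such as 'ha*.example' are not accepted
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and "*" not in host_head and host_tail == cert_tail


def covered_by(san_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry that covers hostname, or None."""
    for name in san_names:
        if name_matches(name, hostname):
            return name
    return None


def explain(san_names: Iterable[str], hostname: str) -> str:
    """One-line verdict for a hostname against a list of certificate names."""
    names = list(san_names)
    hit = covered_by(names, hostname)
    if hit:
        return f"{hostname}: covered by {hit}"
    return (f"{hostname}: NOT covered by {names}; a wildcard spans one label "
            "only, so nested 'a.b.domain' names need their own certificate name")


def fetch_sans(address: str, port: int, server_name: str) -> List[str]:
    """Connect to address:port, send server_name as SNI, return the DNS SANs.

    Hostname checking is off so the SANs can be read even when the name does
    not match; the CA chain is still verified. If the proxy answers the SNI
    with an unrecognized_name alert (no server block for that name), the
    ssl.SSLError is re-raised with a hint instead of a bare traceback.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((address, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
    except ssl.SSLError as err:
        if "UNRECOGNIZED_NAME" in str(err):
            raise ssl.SSLError(
                f"{address}:{port} rejected SNI {server_name!r}: no server "
                "block or certificate for that name on the proxy") from err
        raise
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN list, as SWAG obtains with SUBDOMAINS=wildcard.
    sans = ["jata1.duckdns.org", "*.jata1.duckdns.org"]
    for host in ("nextcloud.jata1.duckdns.org",
                 "ha.server1.jata1.duckdns.org",
                 "jata1.duckdns.org"):
        print(explain(sans, host))
    # Live check against the SWAG host (assumed LAN address and port):
    # print(fetch_sans("192.168.1.100", 444, "nextcloud.jata1.duckdns.org"))
```

Run it as-is for the offline verdicts; uncomment the last line to query a running SWAG instance. A nested name like ha.server1.jata1.duckdns.org will always come back as not covered by a *.jata1.duckdns.org certificate, which is why the single-proxy layout with one label per service is the one that works.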

  • OMG - I am an idiot and I think I have overcomplicated this... There is no need to run swag on each server!


    Just need redirect *.jata1.duckdns.org to 192.x.y.100 running swag and use reverse proxy configs to redirect subdomains to either server1 or server2.


    I have no idea why I didn't set it up like this in the first place - probably because I didn't fully understand how it all works.


    So thanks again Soma for the help.
