Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

thethe

Hi danb35, great script. I’m having a curious problem. Whenever I try to use it with a certificate (Using no certificate gives no error), I get a “Too many redirects” error. Now I’ve attempted the fix outlined here, however, I don’t have the
Code:
usr/local/share/nextcloud/fix-apps_paths.json
file. Not really sure where to go from here.
 

jchamie

Thank you danb35!! Really appreciate your fab script. It saved the day and we have an up and running Nextcloud. A question about certificates: How can I add another domain to the certificate using your acme.sh script? (I am only familiar with certbot, i.e. pkg install py27-certbot to create and renew the certificates, and not sure how yours works)

*update - I think you are using the Neilpang/acme.sh script. I am looking at it now and I see that it has some guidelines. Looks like it is as simple as adding with -d.

e.g.

acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com
 

danb35

> I think you are using the Neilpang/acme.sh script.

Correct.

> Looks like it is as simple as adding with -d.

That's it. If you're going to add another domain to the same cert (as opposed to making a different cert with a different domain), make sure you specify the cert/key paths and reload command--you'll find the original command to issue at or about line 171 of the script.
 

danb35

> I get a “Too many redirects” error.

I haven't been able to duplicate this when using a self-signed or a Let's Encrypt cert. Can you give it a try again? If you're still having trouble, post the exact steps you took along with what's happening, and I'll see if I can get to the bottom of it.
 

thethe

> I haven't been able to duplicate this when using a self-signed or a Let's Encrypt cert. Can you give it a try again? If you're still having trouble, post the exact steps you took along with what's happening, and I'll see if I can get to the bottom of it.

So I actually managed to get it working, albeit by using a different (self-signed cert) encryption method. As far as using the Let's Encrypt method, I followed your directions to the letter. I didn't even get any error messages when running the script.
 

danb35

Running is good, but it's odd that it wasn't working with the LE cert. However, if you have the port forwarded properly, you should be able to get the LE cert now by running
Code:
iocage console nextcloud
acme.sh --issue -w /usr/local/www/apache24/data/ -d ${HOST_NAME} -k 4096 --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload"
 

neopolitan6

Excellent script, thank you very much!

I ran it, and everything appears to have gone well, according to the shell output. But when I try to login to the nextcloud web page, it gives me the FreeNAS GUI login, not a Nextcloud login. Same thing happens using FQDN, or the local IP.

Not sure if this is pertinent: the Nextcloud install is behind a reverse proxy, taking https requests from the internet and forwarding to one of two local hosts, depending on which domain is used. The reverse proxy is forwarding to the local IP of the jail.

What would cause the IP of the jail to show the FreeNAS GUI login?

I've done netstat on the jail:
Code:
netstat -na | grep -i LISTEN

No results.

Edit: I can ping the jail IP.
 

danb35

> But when I try to login to the nextcloud web page, it gives me the FreeNAS GUI login, not a Nextcloud login.

I've seen other reports of this when people didn't use vnet. If you had vnet turned off, try re-running the script with it turned on and see if you see the same thing.
 

neopolitan6

> try re-running the script with it turned on

OK, trying that now.

I got a lot of warnings like this:
Code:
nextcloud is not running, starting jail
mount_nullfs: /mnt/iocage/jails/nextcloud/root/usr/ports: Resource deadlock avoided
jail: /sbin/mount -t nullfs -o rw /mnt/WCT-Pool/LeesData/NextCloud/portsnap/ports /mnt/iocage/jails/nextcloud/root/usr/ports: failed


The jail refuses to start now. I would experiment more now, but got evening plans. I'll look at it tomorrow again. Thanks for any insight you might have.
 

GTT

Hi danb35,
I installed nextcloud with the script you posted on github and it worked well, on FreeNAS-11.1-U6. So thanks for putting it together!
I'm having issues after there was a power outage. FreeNAS is up, I use the GUI, but the nextcloud jail is not listed. Also, the pool (Storage->Volumes) shows as status LOCKED.
Do you know how I can bring nextcloud back up? And if there is a way to automate this for the next time the power goes down so I don't have to do it manually?
Thanks
 

danb35

> Also, the pool (Storage->Volumes) shows as status LOCKED.

I'm pretty sure this is your actual problem. Unlock your pool, and you should be fine.
 

GTT

> I'm pretty sure this is your actual problem. Unlock your pool, and you should be fine.

I did unlock but nextcloud isn't coming up.

I created the pool as an encrypted volume. It looks like every time FreeNAS restarts the volume needs to be unlocked. I will need to look if this can be automated.

But even after unlock nextcloud isn't running. I tried "iocage restart nextcloud" but I get
Code:
[root@freenas ~]# iocage restart nextcloud
nextcloud is not running!
* Starting nextcloud
  + Start FAILED
mount: /mnt/iocage: No such file or directory
jail: /sbin/mount -t nullfs -o rw /mnt/HomeServer/portsnap/ports /mnt/iocage/jails/nextcloud/root/usr/ports: failed


any ideas?
 

GTT

Let me close my own enquiry, and hopefully this will save a few other sorry souls some searching.

#1 Problem statement: nextcloud restart fails with a mount error message.
Related to the fstab file for the jail.
A command like this
iocage fstab -a ${JAIL_NAME} ${PORTS_PATH}/ports /usr/ports nullfs rw 0 0
would actually add "/mnt/iocage/jails/nextcloud/root/" in front of "/usr/ports".
In my case, iocage/jails/... is under $POOL_PATH. Don't know why.
I manually edited the fstab to the correct paths. Nextcloud up and running.
Some similar discussion on fstab here:
https://forums.freenas.org/index.ph...ckett-and-transmission-with-vpn.55502/page-21

#2 Problem statement: If $POOL_PATH is on an encrypted volume, the volume needs to be unlocked before nextcloud can be started.
This is probably too much of a corner case for this thread. Basically, if you don't like the need for manual unlock on FreeNAS boot, don't use an encrypted volume.
Some similar discussion here:
https://forums.freenas.org/index.php?threads/plugins-wont-start-after-reboot.15885/#post-80077

#3 Possible enhancement to autostart iocage jails like nextcloud on FreeNAS boot (for volumes that are not encrypted). I can't confirm this because I can't test it.
https://forums.freenas.org/index.ph...ill-not-starting-automatically-at-boot.57811/
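
The fstab mismatch described in #1 can be caught before the jail is started. This is an added example, not part of the post above or of danb35's script: a POSIX shell check that every destination in a jail's fstab lies under the jail's actual root and that both ends of each nullfs mount exist. The function names, the fstab file passed as an argument and the throw-away directory tree are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: sanity-check an iocage jail fstab before starting the jail.
# Usage: check_jail_fstab FSTAB_FILE JAIL_ROOT
# Prints one line per problem; returns 1 if any problem was found.
check_jail_fstab() {
    fstab=$1
    jail_root=${2%/}            # strip a trailing slash, if any
    bad=0
    while read -r src dest _rest; do
        case "$src" in ''|'#'*) continue ;; esac    # skip blanks and comments
        case "$dest" in
            "$jail_root"/*) ;;                      # destination is inside this jail
            *)  echo "WRONG_ROOT $dest"
                bad=1
                continue ;;
        esac
        [ -d "$src" ]  || { echo "MISSING_SOURCE $src"; bad=1; }
        [ -d "$dest" ] || { echo "MISSING_MOUNTPOINT $dest"; bad=1; }
    done < "$fstab"
    return "$bad"
}

# Constructed demo: a temporary tree shaped like the layout in the post,
# where iocage/jails lives under the pool path rather than under /mnt/iocage.
demo_fstab() {
    t=$(mktemp -d)
    pool="$t/mnt/HomeServer"                        # stands in for $POOL_PATH
    root="$pool/iocage/jails/nextcloud/root"
    mkdir -p "$pool/portsnap/ports" "$root/usr/ports"
    # Entry as it was written: destination under /mnt/iocage/...
    echo "$pool/portsnap/ports $t/mnt/iocage/jails/nextcloud/root/usr/ports nullfs rw 0 0" > "$t/fstab.bad"
    # Entry after the manual correction: destination under the pool.
    echo "$pool/portsnap/ports $root/usr/ports nullfs rw 0 0" > "$t/fstab.good"
    echo "before: $(check_jail_fstab "$t/fstab.bad" "$root")"
    echo "after:  $(check_jail_fstab "$t/fstab.good" "$root" && echo OK)"
    rm -rf "$t"
}
demo_fstab
```

On a real system the second argument would be the jail's root directory under the pool, and a `WRONG_ROOT` line corresponds to the `mount: /mnt/iocage: No such file or directory` failure quoted earlier in the thread.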
 

danb35

I'm running 11.1-U5 without an encrypted pool, and my (iocage and warden) jails start on boot without any special tunables. I haven't tried -U6 to see if it does anything different that way. Similarly, the mount points are working fine on those jails, without any manual fiddling.
 

wille1101

Hi man, could you possibly help me?

I'm trying to use your Nextcloud script but I can't get it working. It installs everything correctly except for acme.sh.

Code:
[Sat Oct 27 00:25:41 CEST 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Sat Oct 27 00:25:42 CEST 2018] Standalone mode.
[Sat Oct 27 00:25:42 CEST 2018] Registering account
[Sat Oct 27 00:25:43 CEST 2018] Registered
[Sat Oct 27 00:25:44 CEST 2018] ACCOUNT_THUMBPRINT='k9fyyB4-vl8BG6MTW3hY7v5Qo9mRjvNXZUaBP1fbcWQ'
[Sat Oct 27 00:25:44 CEST 2018] Creating domain key
[Sat Oct 27 00:25:44 CEST 2018] The domain key is here: /root/.acme.sh/domain.xyz/domain.xyz.key
[Sat Oct 27 00:25:44 CEST 2018] Single domain='domain.xyz'
[Sat Oct 27 00:25:44 CEST 2018] Getting domain auth token for each domain
[Sat Oct 27 00:25:44 CEST 2018] Getting webroot for domain='domain.xyz'
[Sat Oct 27 00:25:44 CEST 2018] Getting new-authz for domain='domain.xyz'
[Sat Oct 27 00:25:45 CEST 2018] The new-authz request is ok.
[Sat Oct 27 00:25:45 CEST 2018] Verifying:domain.xyz
[Sat Oct 27 00:25:45 CEST 2018] Standalone mode server
[Sat Oct 27 00:25:49 CEST 2018] Pending
[Sat Oct 27 00:25:51 CEST 2018] Pending
[Sat Oct 27 00:25:54 CEST 2018] Pending
[Sat Oct 27 00:25:56 CEST 2018] Pending
[Sat Oct 27 00:25:58 CEST 2018] Pending
[Sat Oct 27 00:26:01 CEST 2018] Pending
[Sat Oct 27 00:26:03 CEST 2018] Pending
[Sat Oct 27 00:26:05 CEST 2018] Pending
[Sat Oct 27 00:26:08 CEST 2018] Pending
[Sat Oct 27 00:26:10 CEST 2018] Pending
[Sat Oct 27 00:26:12 CEST 2018] Pending
[Sat Oct 27 00:26:14 CEST 2018] Pending
[Sat Oct 27 00:26:17 CEST 2018] Pending
[Sat Oct 27 00:26:19 CEST 2018] domain.xyz:Verify error:Invalid response fromhttp://domain.xyz/.well-known/acme-challenge/sl5rvS862-zjMjOZ-bFQORnX_tsNuwX-BFkbPQ16Qws:
[Sat Oct 27 00:26:19 CEST 2018] Please add '--debug' or '--log' to check more details.
[Sat Oct 27 00:26:19 CEST 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh





When I later go to root@nextcloud and check service apache24 status it's not running. When I try to start it with service apache24 start I get:

Code:
[root@nextcloud ~]# service apache24 start
Performing sanity check on apache24 configuration:
AH00526: Syntax error on line 27 of /usr/local/etc/apache24/Includes/domain.xyz.conf:
SSLCertificateFile: file '/usr/local/etc/pki/tls/certs/fullchain.pem' does not exist or is empty
Starting apache24.
AH00526: Syntax error on line 27 of /usr/local/etc/apache24/Includes/domain.xyz.conf:
SSLCertificateFile: file '/usr/local/etc/pki/tls/certs/fullchain.pem' does not exist or is empty
/usr/local/etc/rc.d/apache24: WARNING: failed to start apache24



I saw another user who failed to start apache24 with the same error and you recommended him to use cloudflare:

Code:
iocage console nextcloud
export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="xxxx@sss.com"
acme.sh --issue --dns dns_cf -d your_fqdn --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload"



However I can't run that last command since I don't have acme.sh:

Code:
-bash: acme.sh: command not found
 

danb35

> [Sat Oct 27 00:25:45 CEST 2018] Verifying:domain.xyz
> [Sat Oct 27 00:25:45 CEST 2018] Standalone mode server
> [Sat Oct 27 00:25:49 CEST 2018] Pending
> [Sat Oct 27 00:25:51 CEST 2018] Pending

All the "Pending" lines indicate that the connection from Let's Encrypt isn't reaching your server. Do you own domain.xyz? Do its DNS records point to your server? Have you forwarded port 80 on your router to the IP address of your jail? Is your ISP blocking port 80?

> check service apache24 status it's not running.

That's expected--its configuration requires a cert and key that aren't there, so it can't start. Once you obtain the cert, this problem will go away.
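
The two symptoms discussed in this exchange can be checked before running `service apache24 start`. This is an added example, not part of the thread or of danb35's script: one function confirms the certificate and key files Apache is configured to load are present, non-empty and (an extra check assumed here) that the key is not readable by group or other, and a second counts the `Pending` polls that precede a `Verify error` in an acme.sh log. Function names, status strings and the sample files are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: checks to run before `service apache24 start`.

# tls_files_ready CERT KEY -> prints READY or the first problem found.
tls_files_ready() {
    cert=$1
    key=$2
    [ -s "$cert" ] || { echo "CERT_MISSING_OR_EMPTY"; return 1; }
    [ -s "$key" ]  || { echo "KEY_MISSING_OR_EMPTY"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || { echo "CERT_NOT_PEM"; return 1; }
    # Characters 5-10 of `ls -l` are the group and other permission bits.
    [ "$(ls -lL "$key" | cut -c5-10)" = "------" ] || { echo "KEY_NOT_PRIVATE"; return 1; }
    echo "READY"
}

# acme_triage LOG -> summarise the validation phase of an acme.sh log.
# The thread reads a run of Pending polls ending in a verify error as the
# validation request from Let's Encrypt not reaching the jail.
acme_triage() {
    awk '
        /\] Pending$/   { pending++ }
        /Verify error:/ { failed = 1 }
        END {
            if (failed) printf "VERIFY_FAILED pending_polls=%d\n", pending
            else        print  "NO_VERIFY_ERROR"
        }' "$1"
}

# Constructed demo: a shortened copy of the log quoted in the thread and an
# empty fullchain.pem, matching the Apache error message.
demo_preflight() {
    t=$(mktemp -d)
    cat > "$t/acme.log" <<'EOF'
[Sat Oct 27 00:25:45 CEST 2018] Verifying:domain.xyz
[Sat Oct 27 00:25:49 CEST 2018] Pending
[Sat Oct 27 00:25:51 CEST 2018] Pending
[Sat Oct 27 00:26:19 CEST 2018] domain.xyz:Verify error:Invalid response
EOF
    : > "$t/fullchain.pem"
    echo "cert: $(tls_files_ready "$t/fullchain.pem" "$t/privkey.pem")"
    echo "acme: $(acme_triage "$t/acme.log")"
    rm -rf "$t"
}
demo_preflight
```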
 

wille1101

When I do:
Code:
iocage console nextcloud
cd /usr/local/etc/apache24/Includes/
mv $FQDN.conf $FQDN.conf_old
service apache24 start


I can reach it from outside the LAN using my domain and get the "It works". Does that mean DNS and port forwarding is set up correctly?
 