
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Bloody cloud, I solved it. It turns out that the timeout values used in haproxy.cfg are in MILLISECONDS!!!!
I scrolled through the whole HAProxy menu and changed them all to 3600000. It works flawlessly now!
Thank you Ornias and Dan for giving me useful clues to fix this issue.
I just checked my own config, I also have a very long timeout just for Nextcloud... It seems to be a princess at times, so it just makes sure it doesn't needlessly time out.

Is it how it should be set up? DEFINITELY not, but it works so /care.
 
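The unit trap described in the post above, as an added example that is not part of the thread or of HAProxy: HAProxy reads a bare integer in a `timeout` directive as milliseconds and only honours a unit when a suffix (us, ms, s, m, h, d) is given, so `3600` is 3.6 seconds while `3600000` and `1h` are both one hour. The script parses values the way HAProxy does and flags suspiciously short timeouts; the haproxy.cfg fragment inside it is constructed for the demonstration.

```python
"""Audit HAProxy timeout values for the millisecond trap.

HAProxy "timeout ..." directives take an integer that is read as
milliseconds unless a unit suffix is present (us, ms, s, m, h, d).
A bare 3600 therefore means 3.6 seconds, while 3600000 and 1h are the
same one-hour value. Constructed example, not code from the thread or
from HAProxy; the config text below is made up to show the cases.
"""
import re

# Multipliers to microseconds, so sub-millisecond values stay exact.
UNIT_US = {"us": 1, "ms": 1_000, "s": 1_000_000, "m": 60_000_000,
           "h": 3_600_000_000, "d": 86_400_000_000}
_VALUE = re.compile(r"^(\d+)(us|ms|s|m|h|d)?$")
_TIMEOUT = re.compile(r"^\s*timeout\s+([\w-]+)\s+(\S+)")


def to_ms(value):
    """Convert an HAProxy time value to milliseconds ('1h' -> 3600000)."""
    m = _VALUE.match(value.strip())
    if not m:
        raise ValueError(f"not an HAProxy time value: {value!r}")
    number, unit = int(m.group(1)), m.group(2) or "ms"   # no suffix: ms
    return number * UNIT_US[unit] // 1_000


def audit_timeouts(cfg_text, minimum_ms=5_000):
    """Return (directive, raw value, ms) for every timeout below minimum_ms.

    A value like 'timeout client 3600' almost always means the author was
    thinking in seconds; flagging short timeouts surfaces that mistake
    before a long upload or WebDAV sync runs into it.
    """
    flagged = []
    for line in cfg_text.splitlines():
        line = line.split("#", 1)[0]           # drop trailing comments
        m = _TIMEOUT.match(line)
        if not m:
            continue
        name, raw = m.groups()
        ms = to_ms(raw)
        if ms < minimum_ms:
            flagged.append((name, raw, ms))
    return flagged


# Constructed haproxy.cfg fragment showing three ways to write an hour.
SAMPLE_CFG = """
defaults
    timeout connect 5000        # 5 s, fine for a connect timeout
    timeout client  3600        # meant one hour, actually 3.6 s
    timeout server  3600000     # one hour, in milliseconds
    timeout tunnel  1h          # one hour, with a unit suffix
"""

if __name__ == "__main__":
    for name, raw, ms in audit_timeouts(SAMPLE_CFG):
        print(f"timeout {name} {raw}: only {ms} ms, did you mean {raw}s?")
```

Writing the value with an explicit suffix (`timeout client 1h`) is the least error-prone form; the audit threshold of 5 seconds is arbitrary and only meant to catch seconds-written-as-milliseconds.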

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
But that line is in config correctly.
The error message you posted strongly indicates to the contrary. Really, it's getting a little frustrating going back and forth with you providing incorrect and/or incomplete answers to my questions. I'm not going to be able to help you if you don't provide complete and correct answers. Once again, please post (copy and paste, don't retype) the contents of nextcloud-config (mask API credentials, domain name, and cert email), and the complete output when you run the script. Use code tags (see the forum rules if you aren't familiar with them) to not mess up the formatting.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
I have successfully installed Nextcloud in default-named jail on 11.3-U1 using the script.
Trying to get the trusted cert, but when I run remove-staging.sh it fails with "permission denied".
I don't know where to start...
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
I have successfully installed Nextcloud in default-named jail on 11.3-U1 using the script.
Trying to get the trusted cert, but when I run remove-staging.sh it fails with "permission denied".
I don't know where to start...
Yeah, had that same issue on a lot of scripts while working on my own Nextcloud install script too...
If you just chmod it with chmod 775 it will work alright.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
I don't know where to start...
Well, I decided I might as well try, so looked at the script, decided what it did, then edited Caddyfile directly. Seems to have worked as I now have a valid certificate.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
Yeah, had that same issue on a lot of scripts while working on my own Nextcloud install script too...
If you just chmod it with chmod 775 it will work alright.
Thanks, but you'll see I worked around it.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Well, I decided I might as well try, so looked at the script, decided what it did, then edited Caddyfile directly. Seems to have worked as I now have a valid certificate.
Yeah that script isn't really needed, it's more an extra layer of prevention against people that lock themselves out of letsencrypt by running the install script multiple times...
 

Joined
Jan 27, 2020
Messages
577
I'm kinda stuck,
I successfully installed using the script, registered a domain with easyDNS, pointed it at Cloudflare, forwarded the ports in my router (Fritz!Box) to the Nextcloud jail, but I can't reach the Nextcloud jail either via the domain or the local IP. whois on the domain from any machine works, I can ping the domain, I can ping the jail. Caddy is running; this is the latest output in /var/log:

Code:
2020/03/15 19:41:45 [INFO] Caddy version: v1.0.4
2020/03/15 19:41:45 [INFO][cache:0xc0000c29b0] Started certificate maintenance routine
Activating privacy features... 2020/03/15 19:41:50 [INFO][mydomain.de] Obtain certificate
2020/03/15 19:41:50 [INFO][mydomain.de] Obtain: Waiting on rate limiter...
2020/03/15 19:41:50 [INFO][mydomain.de] Obtain: Done waiting
2020/03/15 19:41:50 [INFO] [mydomain.de] acme: Obtaining bundled SAN certificate
2020/03/15 19:41:51 [INFO] [mydomain.de] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/43904406
2020/03/15 19:41:51 [INFO] [mydomain.de] acme: Could not find solver for: tls-alpn-01
2020/03/15 19:41:51 [INFO] [mydomain.de] acme: Could not find solver for: http-01
2020/03/15 19:41:51 [INFO] [mydomain.de] acme: use dns-01 solver
2020/03/15 19:41:51 [INFO] [mydomain.de] acme: Preparing to solve DNS-01
2020/03/15 19:41:52 [INFO] [mydomain.de] acme: Cleaning DNS-01 challenge
2020/03/15 19:41:52 [WARN] [mydomain.de] acme: error cleaning up: cloudflare: failed to find zone mydomain.de.: ListZonesContext command failed: error from makeRequest: HTTP status 400: content "{\"success>
2020/03/15 19:41:52 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/43904406


This is my caddy file:

Code:
mydomain.de 192.168.111.200 {

        root   /usr/local/www/nextcloud
        log    /var/log/nextcloud_access.log
        errors /var/log/nextcloud_errors.log

        tls {
                ca https://acme-v02.api.letsencrypt.org/directory
                dns cloudflare
        }

        fastcgi / 127.0.0.1:9000 php {
                env PATH /bin
                env modHeadersAvailable true
                env front_controller_active true
                connect_timeout 60s
                read_timeout 3600s
                send_timeout 300s
        }

        header / {
                Strict-Transport-Security               "max-age=15768000;"
                X-Content-Type-Options                  "nosniff"
                X-XSS-Protection                        "1; mode=block"
                X-Robots-Tag                            "none"
                X-Download-Options                      "noopen"
                X-Permitted-Cross-Domain-Policies       "none"
                X-Frame-Options "SAMEORIGIN"
                Referrer-Policy                         "no-referrer"
        }

        header /core/fonts {
                Cache-Control                           "max-age=604800"
        }

        # checks for images
        rewrite {
                ext .png .html .ttf .ico .jpg .jpeg .css .js .woff .woff2 .svg .gif .map
                r ^/index.php/.*$
                to /{1} /index.php?{query}
        }

        rewrite {
                r ^/\.well-known/host-meta$
                to /public.php?service=host-meta&{query}
        }
        rewrite {
                r ^/\.well-known/host-meta\.json$
                to /public.php?service=host-meta-json&{query}
        }
        rewrite {
                r ^/\.well-known/webfinger$
                to /public.php?service=webfinger&{query}
        }



I would really appreciate some help here.
 
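The failing step in the Caddy log above is the zone lookup the Cloudflare DNS-01 solver performs before it can create the `_acme-challenge` record (`failed to find zone mydomain.de.: ... HTTP status 400`). As an added example that is not part of the thread, of Caddy or of its cloudflare plugin, the script below repeats that lookup against the public Cloudflare v4 `zones` endpoint so the credentials can be tested independently of ACME. The environment variable names are this script's own assumptions (not necessarily what Caddy reads), and with no credentials set it runs against constructed responses so it works offline.

```python
"""Test whether Cloudflare credentials can see the zone a hostname lives in.

This is the lookup the Caddy cloudflare solver fails at in the log above.
Constructed example, not code from the thread, from Caddy or from its
cloudflare plugin. Uses the public Cloudflare v4 zones endpoint with
either a scoped API token (CLOUDFLARE_API_TOKEN) or the legacy email +
global key pair (CLOUDFLARE_EMAIL, CLOUDFLARE_API_KEY); those variable
names are this script's own assumption. With no credentials in the
environment it runs against built-in constructed responses.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

ZONES_URL = "https://api.cloudflare.com/client/v4/zones"


def candidate_zones(hostname):
    """'cloud.example.de.' -> ['cloud.example.de', 'example.de']."""
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def auth_headers(env):
    """Build the auth headers Cloudflare accepts; a scoped token is preferred."""
    if env.get("CLOUDFLARE_API_TOKEN"):
        return {"Authorization": "Bearer " + env["CLOUDFLARE_API_TOKEN"]}
    if env.get("CLOUDFLARE_EMAIL") and env.get("CLOUDFLARE_API_KEY"):
        return {"X-Auth-Email": env["CLOUDFLARE_EMAIL"],
                "X-Auth-Key": env["CLOUDFLARE_API_KEY"]}
    return None


def http_fetch(url, headers):
    """GET url, returning (status, body) even for 4xx/5xx responses."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def find_zone(hostname, headers, fetch=http_fetch):
    """Return (zone_name, zone_id) for the longest zone containing hostname.

    Raises RuntimeError carrying Cloudflare's own error messages when the
    API rejects the request (bad credentials, token without Zone:Read),
    and LookupError when the credentials are valid but see no such zone.
    """
    for zone in candidate_zones(hostname):
        url = ZONES_URL + "?" + urllib.parse.urlencode({"name": zone})
        status, body = fetch(url, headers)
        data = json.loads(body)
        if status != 200 or not data.get("success"):
            msgs = "; ".join(e.get("message", "?") for e in data.get("errors", []))
            raise RuntimeError(f"HTTP {status} looking up zone {zone}: {msgs}")
        for z in data.get("result", []):
            if z.get("name") == zone:
                return zone, z["id"]
    raise LookupError(f"no zone containing {hostname} is visible to these credentials")


def sample_fetch(url, headers):
    """Constructed responses for offline use; the zone id is made up."""
    name = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["name"][0]
    if headers.get("Authorization") != "Bearer good-token":
        return 400, json.dumps({"success": False, "result": None, "errors": [
            {"code": 6003, "message": "Invalid request headers"}]})
    result = ([{"id": "0123456789abcdef0123456789abcdef", "name": "example.de"}]
              if name == "example.de" else [])
    return 200, json.dumps({"success": True, "errors": [], "result": result})


if __name__ == "__main__":
    headers = auth_headers(os.environ)
    fetch = http_fetch if headers else sample_fetch
    headers = headers or {"Authorization": "Bearer good-token"}
    try:
        print("zone found:", find_zone("cloud.example.de", headers, fetch))
    except (RuntimeError, LookupError) as err:
        print("zone lookup failed:", err)
```

If this script gets the same HTTP 400 that Caddy logged, the problem is the credentials or their scope, not Caddy or DNS; a scoped token needs at least Zone:Read and DNS:Edit on the zone for the DNS-01 challenge to work.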

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
...

I would really appreciate some help here.
I personally use a reverse proxy and either plain HTTP or self-signed (well, own-CA-signed, but same story) certs...
However, self-signed doesn't play nice with Caddy and reverse proxies, so I currently use plain HTTP -> reverse proxy -> TLS to client
 
Joined
Jan 4, 2014
Messages
1,644
@mistermanko The issue is that it isn't possible to set up the Fritz!Box (I have one too) to resolve the FQDN for the jail to the jail's IP address. You can set up the local host file to resolve this.
 
Joined
Jan 27, 2020
Messages
577
@mistermanko The issue is that it isn't possible to set up the Fritz!Box (I have one too) to resolve the FQDN for the jail to the jail's IP address. You can set up the local host file to resolve this.
So what do I need to add there? external IP _ mydomain.de? Jail IP? Is the port forwarding still needed then?
 
Joined
Jan 4, 2014
Messages
1,644
Note: The approach I used was to set up DNSMasq to be the local DNS resolver. The local hosts file should work just as well, but I haven't used or tested this approach myself. Let me know how it works for you.

So what do I need to add there? external IP _ mydomain.de?

No. jail_ip FQDN.
[attachment: screenshot.170.png]


Is the port forwarding still needed then?
Yes. e.g. in the Fritz!Box: Permit Access > Port Sharing

[attachment: screenshot.171.png]
 
Joined
Jan 27, 2020
Messages
577
Let me know how it works for you.
It doesn't. As I understand it, the local hosts file serves only as a local network lookup for FN. When the Fritz!Box is not forwarding my public IP to local devices (even though I forwarded the ports), the hosts file cannot help.

public ip > fritzbox > local dns (pihole) > freenas > jail

Step two is the culprit according to you; how is the hosts file helping me here? I don't get it.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
@mistermanko The issue is that it isn't possible to set up the Fritz!Box (I have one too) to resolve the FQDN for the jail to the jail's IP address. You can set up the local host file to resolve this.

Sorry, but how do you think this works?
That's not how DNS works.

A DNS server just answers: this IP is the IP for this domain.
That's (in TL;DR) all it does. As long as your domain points to your IP, your Fritz!Box/Pi-hole/whatever you use is either:
A. Using the upstream DNS server
B. Holding a local cached copy of the upstream DNS server's answer.

For DNS, the Fritz!Box doesn't know whether a DNS request for ABC.COM is for your own domain or someone else's.
When that's all said and done, in all cases you would just be left with an IP (and from this point onwards DNS is mostly irrelevant).

So you have an external IP now, great...
Now all you need is a port forward, and for a port forward (which is perfectly possible with the Fritz!Box afaik) it is totally irrelevant whether someone got that IP using DNS or you yourself just entered it in the address bar.

If a request comes in for (for example) 123.123.123.66 on port 80 and the forward is set to forward this to 192.168.1.50 on port 80, almost any consumer router would do so regardless of which side (LAN or WAN) the request actually came from.

Remember, on the WAN side of a forward is the router ITSELF; it is never supposed to point to a local system.

So how would this work in practice?
- Create an A record pointing to your home IP
- Set up the required port forwards

That's all that's needed for the sake of setting up a webserver and TLS.

There never was any requirement for DNS to resolve to a local IP from the LAN side. I've done a lot of setups, read a lot of guides... but no one ever had the idea to even suggest this as a requirement. I can't even fathom why it would be relevant for the way Let's Encrypt works; it never even tries to connect to itself on the LAN side afaik....

I might sound harsh, but I am seriously flabbergasted about this...
 
Joined
Jan 27, 2020
Messages
577
Thanks @ornias for proving my point. So how do I get on with my issue? dump caddy? I just followed the guide and it doesn't work.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Thanks @ornias for proving my point. So how do I get on with my issue? dump caddy? I just followed the guide and it doesn't work.
I see 0 enabled, are you sure the forward is enabled?

Anyhow:
To test if basic port forwards on port 80 are working, try installing Nextcloud using the no-SSL option... If that works you at least know for sure it's just the SSL side of things that's working. Don't forget to check using a device outside of your network (phone with Wi-Fi off, for example)...

That being said, I'm even contemplating moving Nextcloud from Caddy to NGINX myself...
I've had too many odd bugs with Caddy and certs.
 

dimitrow

Dabbler
Joined
Mar 15, 2020
Messages
17
Hello ,

First of all -Thanks to @danb35 for the script!

I did everything as described in the description, but encountered a strange problem.

After the installation was successful, I tried to open Nextcloud, but instead of the NC interface page it's loading the FreeNAS login page.

This is the content of the nextcloud-config file:

Code:
JAIL_IP="10.10.1.12"
DEFAULT_GW_IP="10.10.1.1"
POOL_PATH="/mnt/tank"
TIME_ZONE="Europe/Sofia"
HOST_NAME="cloud.betaone.eu"
STANDALONE_CERT=1
CERT_EMAIL="v.dimitrow@gmail.com"
INTERFACE="em0"
VNET="off"


No matter if I try to open the domain or the local IP of the jail where the NC is located - the result is the same :( Any suggestions?

[attachment: nc_redirecct.PNG]
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
That's not how DNS works.
Yes, that's exactly how DNS works, if you have a moderately-capable router. You set it up to provide DNS to your LAN, and you configure it to return the LAN IP address of your jail for your jail--e.g., cloud.mydomain.org returns 192.168.1.24. This is a trivial configuration in pfSense or OPNSense, it's supported in dd-wrt, and a quick Google suggests that Linksys supports it in their official firmware as well. I can't speak for Fritzbox, but this link (https://en.avm.de/service/fritzbox/...63_No-DNS-resolution-of-private-IP-addresses/) indicates there may be a way to do it there as well. There's absolutely no reason any device on your LAN needs to be using hairpin NAT to access the jail, unless your router is too brain-dead to support this.
but no one ever had the idea to even suggest this as a requirement.
You should have read my guide more carefully; this has been in there since day 1. Not as a "requirement", it's true, but as a strong recommendation.
 
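The split-horizon setup danb35 describes above, as an added example that is not part of the thread: written for dnsmasq because Basil mentions running it as the LAN resolver, with the hostname, jail address and file path as placeholders. The same one-line mapping works in the hosts file of a single client when the router cannot do it.

```conf
# /usr/local/etc/dnsmasq.conf  (path and names are placeholders)
#
# LAN clients asking for cloud.example.org get the jail's LAN address.
# Nothing outside the LAN sees this: the public A record at your DNS
# provider still points at the WAN IP, so Let's Encrypt validation and
# remote access are unchanged and no hairpin NAT is needed.
host-record=cloud.example.org,192.168.1.24

# Single-client alternative: one line in /etc/hosts
# (Windows: C:\Windows\System32\drivers\etc\hosts)
#   192.168.1.24   cloud.example.org

# Verify from a LAN client (192.168.1.1 = the dnsmasq host):
#   dig +short cloud.example.org @192.168.1.1   -> 192.168.1.24
#   dig +short cloud.example.org @1.1.1.1       -> your WAN IP
# If the first answer is the WAN IP, the client is not using the LAN
# resolver (for example because the router hands out a different DNS).
```

`host-record` answers only the exact name; `address=/cloud.example.org/192.168.1.24` would also match every subdomain, which is usually not wanted for a single jail.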

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Thanks @ornias for proving my point.
He hasn't even addressed your point, and you've completely misunderstood Basil's recommendation (though he inexplicably included a link to the FreeNAS docs, when the "local hosts file" you need to edit is on the computer you're using to (try to) access your jail).
 