
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

danb35

Turns out the rc file requires an email address be provided. It isn't used unless you obtain a Let's Encrypt cert, but it must be provided regardless. I'll need to update the README to note this.
 

xiSlickix

Sorry if this has been asked before, I couldn't find it while searching this thread.

For one of my FreeNAS + Nextcloud setups I expected to have a certificate provided by the company who runs our website. When I originally set all this up, I selected the self-hosted / provide your own certificate route. While the hosting provider was able to add a DNS entry for nextcloud (so we have a FQDN), they have dragged their feet on getting me a cert. Is there a process, without rebuilding the entire Nextcloud environment, to switch over to Let's Encrypt if I originally started with the self-cert route?
 

danb35

> Is there a process without rebuilding the entire nextcloud environment
Sure. When did you run it? Do you know if you used the Caddy version of the script (which is current), or Apache (which I'd used previously)?
 

danb35

OK, should be pretty straightforward, then. SSH into your FreeNAS box, then enter the jail with iocage console nextcloud. Install acme.sh using curl https://get.acme.sh | sh. Then issue the cert. If you're going to use HTTP validation (if you have ports 80 and 443 open to your jail), you'd do acme.sh --issue -w /usr/local/www/apache24/data -d ${HOST_NAME} -k 4096 --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload". If you'd be using DNS validation, you'll need to modify the command to account for that.
 

xiSlickix

> .... /usr/local/www/apache24/data -d ${HOST_NAME} -k 4096 --fullchain-file ......

Just to make sure I'm getting the syntax correct, assuming my FQDN is test.example.com:

acme.sh --issue -w /usr/local/www/apache24/data -d ${test.example.com} -k 4096 --fullchain

Would that be correct?
 

danb35

> Would that be correct?
Close. The $ and braces would come out, so it would be acme.sh --issue -w /usr/local/www/apache24/data -d test.example.com -k 4096 --fullchain
 

xiSlickix

> Close. The $ and braces would come out, so it would be acme.sh --issue -w /usr/local/www/apache24/data -d test.example.com -k 4096 --fullchain


I'm still getting a self-signed cert, even after restarting apache. Any idea where to throw that force flag in?

--Edit--

Just tossed the --force at the very end, and it punched right through, SSL good to go. Thanks so much for your help!
 

danb35

> just tossed the --force at the very end
It can go anywhere, so not a problem. What was probably happening was that acme.sh had gotten a cert previously, but hadn't deployed it to the right locations. Adding --force makes it go through the issuance process again, and it then deploys the cert and reloads apache--and should update its config files to automatically do that in the future.
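
A check for the situation discussed above, where the server keeps presenting a self-signed certificate after issuance. This is an added example, not part of the thread; the function names are hypothetical and it assumes the openssl command-line tool is installed in the jail.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes the openssl CLI is installed in the jail.

# cert_field FILE subject|issuer -> the leaf certificate's name in RFC 2253 form
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 2>/dev/null | sed "s/^$2= *//"
}

# cert_fingerprint FILE -> SHA-256 fingerprint of the first certificate in FILE
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# served_fingerprint HOST -> fingerprint of the certificate HOST presents on port 443
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# is_self_signed FILE -> 0 if issuer equals subject, 1 if another CA issued it,
# 2 if FILE is unreadable or not a certificate
is_self_signed() {
    [ -r "$1" ] || return 2
    subj=$(cert_field "$1" subject)
    iss=$(cert_field "$1" issuer)
    [ -n "$subj" ] && [ -n "$iss" ] || return 2
    [ "$subj" = "$iss" ]
}

# check_deploy FILE HOST -> reports which stage (file deployment or server reload) failed
check_deploy() {
    rc=0
    is_self_signed "$1" || rc=$?
    case $rc in
        0) echo "$1 is self-signed: the issued cert was never written there"; return 1 ;;
        2) echo "$1 is missing or not a certificate"; return 2 ;;
    esac
    if [ "$(cert_fingerprint "$1")" != "$(served_fingerprint "$2")" ]; then
        echo "$1 is CA-issued, but $2 presents a different cert: reload the web server"
        return 1
    fi
    echo "$2 presents the CA-issued cert from $1"
}

# Usage, with the fullchain path from the acme.sh command above:
#   check_deploy /usr/local/etc/pki/tls/certs/fullchain.pem test.example.com
```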
 

jchamie

Where is the apache24 folder located now? In an earlier script it used to be in /usr/local/www/apache24, but in the www folder there is only nextcloud and caddyfile.
 

danb35


jchamie

> It isn't; the script doesn't use Apache any more. Instead, it uses Caddy.
Oh, I see. I am going to have to look into how to configure Caddy. I am having issues with big uploads not working via public link for Nextcloud (even though upload_max etc. are set to 8GB etc.). The solution appears to be commenting out LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so in the Apache httpd.conf file... But of course now I know why I can't find this anywhere!
 

danb35

I'm sure there's a way to make comparable settings on Caddy, but I'm not sure what it would be. I'd start by checking out the log files--in the jail, you'd want /var/log/nextcloud.log, /var/log/nextcloud_access.log, and /var/log/nextcloud_error.log. If you can find where the error is, it will be easier to determine what needs to be done to fix it.
 

jchamie

> If you can find where the error is, it will be easier to determine what needs to be done to fix it.
The nextcloud_error.log has ERROR 504 ....etc.... read tcp 127.0.0.1:21686->127.0.0.1:9000: i/o timeout. So it looks like some sort of timeout error, but I'm not sure why.
 

jchamie

> You may also find relevant information in /var/log/php-fpm.log.
Seems as though it was a bit fussy with memory_limit and max settings. Changing to the following (i.e. lowering them) did the trick:
upload_max_filesize=2G
post_max_size=4G
memory_limit=512M
 