Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
But doesn't it then show a page indicating that it's in maintenance mode? Or does it just give a blank page?
Normally it would, but in the process of upgrading, and I believe this is the part where the Nextcloud apps are being replaced, Nextcloud is no longer able to service the page.

When it fails, I believe I get the "The connection has timed out..."

Since the switch to Caddy, I have never been able to make Nextcloud work on my system with my pfsense firewall through Haproxy. When I try to connect I get the white page. If I do not use pfsense and leave port 80 and 443 open, then it works. I think the issue is the lack of support for http2 from what I was able to read on.
 

notspam

Dabbler
Joined
Nov 10, 2019
Messages
26
After weighing the options, I opted to try a fresh install. I tried running the install script after doing the prerequisites and with the following config. This is the config I ran with the last successful install last year except the custom db and files. To preserve my previous db and files, I created new ncdb and ncfiles. After running the script I tried navigating to the domain and the local IP; both did not work, with an unable to connect error. I tried blowing the jail away and installing again. No joy. With trying to get certs earlier I think I used up my count for the week, but that does not explain my inability to connect even with a local IP which did not even remap to the registered hostname as it did last week when all of this worked.
Any ideas?
1573799516426.png


Unsure if it is related but /var/log/messages has:
1573800960385.png
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
@notspam, I think you should try the following.
Code:
INTERFACE="igb0"
VNET="off" 
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
With trying to get certs earlier I think I used up my count for the week
Possible, but unlikely--the limit is for certs actually issued, and that's for five identical certs/week (there's also a limit for failed validations, but that's per hour). But in any event, my script obtains certs from the staging environment by default, so the rate limits shouldn't be a problem.
but that does not explain my inability to connect even with a local IP
It does, actually; with the current version of the script the web server (Caddy) obtains certs itself, and will refuse to start if it's unable to do so. Check /var/log/caddy.log in the jail to see if there's anything there.
I think you should try the following.
No, he shouldn't. That isn't what's going on, and it's going to cause more problems than it solves.
 

xiSlickix

Dabbler
Joined
Feb 5, 2014
Messages
47
Does anyone know if this implementation of Nextcloud (or any of the earlier script / Nextcloud iterations) is vulnerable to NextCry? Bleeping Computer has a write up.

 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Good question. I don't know; it looks like the Nextcloud team are investigating:

Regular snapshots of your files and db datasets would always be a good idea, of course, and should greatly ease mitigation if necessary. Nextcloud also enables versioning by default, but rolling back to an earlier snapshot would seem like the easier way to deal with an issue if it were to happen.

From the Bleeping Computer article, though, it looks as though the combination of Nginx and php-fpm may be the attack vector. My script uses php-fpm, but has never used Nginx (older versions used Apache; since the Nextcloud 16 release I've been using Caddy instead).
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
I've updated the script so you should be able to install under 11.2. If you've previously downloaded it and had trouble due to 11.2 being EOL, change to the directory to which you downloaded it and run git pull to download the updated script. You should then be ready to go.

Hi

I have installed the 11.3 BETA and run the script on a completely clean installation. I use DYNDNS to link my dynamic IP to my domain and the config file is according to how I understood the Caddy documentation. Running the script went without errors. (I had to set VNET to off because the jail would not start if set to on.) MySQL and PHP are running but the web interface is not accessible due to Caddy not starting. I suspect it has something to do with using DYNDNS but it's a guess and I am not able to debug further. Any help would be highly appreciated.

Config:
JAIL_IP="192.168.111.15"
DEFAULT_GW_IP="192.168.111.1"
INTERFACE="igb0"
VNET='off'
POOL_PATH="/mnt/Main_Pool/Jails/nextcloud"
JAIL_NAME="nextcloud"
TIME_ZONE="Europe/Oslo" # See http://php.net/manual/en/timezones.php
HOST_NAME="xxxxxxxxxx.com"
STANDALONE_CERT=0
DNS_CERT=1
SELFSIGNED_CERT=1
NO_CERT=0
CERT_EMAIL="ole.berg@xxxxxxx.com"
DB_PATH="/mnt/Main_Pool/db"
FILES_PATH="/mnt/Main_Pool/files"
DNS_PLUGIN="dyn"
DNS_ENV="DYN_CUSTOMER_NAME=ole berg DYN_USER_NAME=oleberg DYN_PASSWORD=xxxxxxxxxx"

Caddy.log:
env: berg: No such file or directory

Messages:
Nov 15 14:26:43 nextcloud root: /etc/rc: WARNING: failed to start caddy
Nov 15 14:35:56 nextcloud root: /usr/local/etc/rc.d/caddy: WARNING: failed to start caddy
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I hope those aren't your actual dyndns credentials you just posted, though I'm pretty sure the space in the "customer name" field is what's causing the problem. But there should be more in /var/log/messages--what else about caddy do you see there?
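
The failure mode diagnosed above, as an added example that is not part of the original posts or of the install script: a pre-flight check that finds the word `env` would try to execute. It assumes the `DNS_ENV` value is expanded unquoted in front of `env(1)`, which the thread does not confirm; the sample strings are constructed from the posted config, with a placeholder password.

```shell
#!/bin/sh
# Constructed samples (placeholder password, not real credentials).
BAD='DYN_CUSTOMER_NAME=ole berg DYN_USER_NAME=oleberg DYN_PASSWORD=placeholder'
QUOTED="DYN_CUSTOMER_NAME='ole berg' DYN_USER_NAME=oleberg DYN_PASSWORD=placeholder"
GOOD='DYN_CUSTOMER_NAME=oleberg DYN_USER_NAME=oleberg DYN_PASSWORD=placeholder'

# first_stray_word STRING
# Splits STRING on whitespace the way an unquoted expansion does and prints the
# first word that contains no "=". env(1) treats that word as the command to
# run. Returns 1 if such a word exists, 0 if every word is NAME=value.
first_stray_word() {
    set -f                          # no globbing while splitting
    for word in $1; do              # deliberately unquoted: mirrors the assumed expansion
        case $word in
            ?*=*) ;;                # accepted by env as an assignment
            *) set +f; printf '%s\n' "$word"; return 1 ;;
        esac
    done
    set +f
    return 0
}

# try_env STRING
# Runs the no-op command "true" under env with STRING split into words and
# returns env's exit status (127 when env cannot find the stray word).
try_env() {
    status=0
    set -f
    env $1 true 2>/dev/null || status=$?
    set +f
    return $status
}

# Quotes stored inside the string are literal characters after splitting,
# so the QUOTED sample still leaves a stray word.
for sample in "$BAD" "$QUOTED" "$GOOD"; do
    if stray=$(first_stray_word "$sample"); then
        echo "ok: every word is NAME=value"
    else
        echo "stray word <$stray>: env would try to execute it"
    fi
done
```
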
 

notspam

Dabbler
Joined
Nov 10, 2019
Messages
26
It does, actually; with the current version of the script the web server (Caddy) obtains certs itself, and will refuse to start if it's unable to do so. Check /var/log/caddy.log in the jail to see if there's anything there.
I did not know that Caddy was the webserver.
/var/log/caddy.log is nonexistent.
/var/log/nextcloud.log exists but is 0 bytes.

How do I get Caddy running? Or why is it not running? Or why am I not seeing errors about it starting in messages?
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
I hope those aren't your actual dyndns credentials you just posted, though I'm pretty sure the space in the "customer name" field is what's causing the problem. But there should be more in /var/log/messages--what else about caddy do you see there?
No, not the correct credentials, but valid for the install.
No, there is nothing else about caddy in messages. Can I fix the "space in name" or do I run the script again?
Can I put the name like this ole.berg or 'ole berg' or can I just omit it?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I've updated the script so you should be able to install under 11.2.
Well, so I'd thought. The ports build, but it looks like php-fpm is now built in such a way that it won't run in a FreeBSD 11.2 environment any more. Once iX releases 11.2-U7 it should be possible to build a FreeBSD 11.3 jail, and at that point this should work, though I'll still likely need some further tweaks to the script.
 

notspam

Dabbler
Joined
Nov 10, 2019
Messages
26
Well, so I'd thought. The ports build, but it looks like php-fpm is now built in such a way that it won't run in a FreeBSD 11.2 environment any more. Once iX releases 11.2-U7 it should be possible to build a FreeBSD 11.3 jail, and at that point this should work, though I'll still likely need some further tweaks to the script.

So does this mean we are out of luck until 11.2-U7? Do you happen to know when that will be available?
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
Once iX releases 11.2-U7 it should be possible to build a FreeBSD 11.3 jail, and at that point this should work, though I'll still likely need some further tweaks to the script.
Hi Dan. Thanks for your suggestion in post 989. It worked and Nextcloud is running under 11.3 BETA in an 11.3 jail. I will play some more with the certificates, import my data and run a manual sync in Nextcloud and wait to put it into production until the 11.3 is properly released (now running in a VM) as I have a manually installed version that is working OK installed according to Joshua Parker's suggestions. Have a good weekend!
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
So does this mean we are out of luck until 11.2-U7?
I think so, if you want to use a stable release. Otherwise, if you're willing to use a beta, you can install it under 11.3-BETA and reports are that it works fine.
 

notspam

Dabbler
Joined
Nov 10, 2019
Messages
26
I think so, if you want to use a stable release. Otherwise, if you're willing to use a beta, you can install it under 11.3-BETA and reports are that it works fine.
My experience has generally been that beta has more bugs than a "stable" release. So I am reluctant to jump on beta with the hope of getting a more stable situation. I have been digging around in FreeNAS and noticed a Boot Environments screen that seems to have a previous boot version (from before I upgraded) available. If I activated it, would that put me back in that environment version and thus have the working/compatible php-fpm? Or is that more ill-advised than moving to an unstable beta?

Overall I am looking for a way to revert my upgrade to 11.2-U6 back to 11.2-U3.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
My experience has generally been that beta has more bugs than a "stable" release.
Yes, that is generally the case. I'm not recommending that course of action, just mentioning it as a possibility.
If I activated it, would that put me back in that environment version and thus have the working/compatible php-fpm?
No, the boot environments don't affect the jails.
 

notspam

Dabbler
Joined
Nov 10, 2019
Messages
26
Yes, that is generally the case. I'm not recommending that course of action, just mentioning it as a possibility.

No, the boot environments don't affect the jails.

What about installing a previous version of the Nextcloud script on a fresh jail in FreeNAS 11.2-U6? Would that work?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
It isn't a matter of the script version, it's the package repositories. When FreeBSD 11.2 went EOL a few weeks back, the package repos changed to 11.3-compatible binaries. It would often be the case that one would run on an earlier system, but php-fpm won't, and without that, Nextcloud can't run. However, it's looking like rebuilding PHP from the port is letting it work. More to follow.

Edit: Yes, it seems to work that way under 11.2-U6, at least. Update the script with git pull and give it a try.
 

notspam

Dabbler
Joined
Nov 10, 2019
Messages
26
Edit: Yes, it seems to work that way under 11.2-U6, at least. Update the script with git pull and give it a try.


I tried a fresh install and while there are no php-fpm issues, and there are no messages indicating any issues really, I am still unable to connect. There is still no caddy.log either.
 