Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

tung1112

Cadet
Joined
Apr 25, 2020
Messages
7
Let's have a look at redacted screenshots of your DNS-O-Matic Cloudflare service and your Cloudflare DNS records.
screenshot.png
 
Joined
Jan 4, 2014
Messages
1,644
The error status tells me your DDNS client is not updating DNS-O-Matic. You need to fix this first. Your STATUS should be showing the dynamic IP address of your network.

Not sure what instructions you're following to set up your Cloudflare DNS records. I suggest you look at earlier posts in this discussion thread for hints on setting up your Cloudflare DNS records for DDNS.
 

tung1112

Cadet
Joined
Apr 25, 2020
Messages
7
> The error status tells me your DDNS client is not updating DNS-O-Matic. You need to fix this first. Your STATUS should be showing the dynamic IP address of your network.
>
> Not sure what instructions you're following to set up your Cloudflare DNS records. I suggest you look at earlier posts in this discussion thread for hints on setting up your Cloudflare DNS records for DDNS.

I can now get access from the internet by turning on the DMZ setting for my jail LAN IP in my router. Does this mean the problem is port forwarding? Is it safe to do this?
 
Joined
Jan 4, 2014
Messages
1,644
Is your DDNS client updating DNS-O-Matic? Your attention seems to have been diverted. The DMZ and port forwarding do not play a part in this. Placing any server in the DMZ means it will not be able to connect to your network as there is a firewall between it and your network. This is different from opening firewall ports to allow external users access to a server on your network. I suggest you reverse the changes you've made and focus on getting DNS-O-Matic correctly updated.
 
Joined
Jan 4, 2014
Messages
1,644
@tung1112 Can you confirm that your ISP is supplying you with a dynamic IP address and not a static IP address? If the latter, setup is easier as you don't need to worry about DNS-O-Matic. DNS-O-Matic only applies to dynamic IP addresses.
 

tung1112

Cadet
Joined
Apr 25, 2020
Messages
7
> Is your DDNS client updating DNS-O-Matic? Your attention seems to have been diverted. The DMZ and port forwarding do not play a part in this. Placing any server in the DMZ means it will not be able to connect to your network as there is a firewall between it and your network. This is different from opening firewall ports to allow external users access to a server on your network. I suggest you reverse the changes you've made and focus on getting DNS-O-Matic correctly updated.

I can't update DNS-O-Matic using FreeNAS's service because of the issue stated here: https://www.ixsystems.com/community/threads/setting-up-dynamicdns-for-dns-o-matic-dnsomatic.78071/
I tried to use the Cloudflare API to update the record, but it said "You cannot use this API for domains (top-level domains) with .cf, .ga, .gq, .ml or .tk TLDs. DNS settings for this domain, please Use the Cloudflare dashboard", and I am using .tk.
I still cannot configure DNS-O-Matic. It stated "err Unable to find record".
Maybe I should change my domain to use another TLD instead.
 
Joined
Jan 4, 2014
Messages
1,644
@tung1112 If you're having difficulty with the FreeNAS DDNS client, try one of the other options in post #1418. Are you sure your router doesn't have a built-in DDNS client that can update DNS-O-Matic?
 

markymark832

Dabbler
Joined
Feb 28, 2017
Messages
36
Thanks for all the hard work with this. There are 72 pages of replies, so this might have been asked before: what method do you use to pull and install the certs from Let's Encrypt?
Mine is up for renewal (I have no forward-facing ports to the outside world for this jail anymore, and can't see a renewal line in crontab, so I'm not sure if it's an automated process that is just not happening because I'm preventing it), so I just wondered what I need to do to force a renewal?
Many thanks
Mark
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> what method do you use to pull and install the certs from Let's Encrypt?

If you've installed Nextcloud from this script since May of last year, you're using Caddy as your web server, and it handles the certificates on its own. If you don't have ports open to the jail, and you don't intend to, your best bet is really to use DNS validation, assuming you use (or can change to) a compatible DNS provider (I like Cloudflare for this, they work well, they have a robust API, and they're free for simple DNS hosting).

Otherwise, opening ports 80 and 443 to the jail and restarting caddy in the jail should do the job in a few minutes.
 

claib

Dabbler
Joined
Apr 1, 2020
Messages
11
Hello there,
I finally managed to get Nextcloud up and running under 11.3 u2.1.
The only problem is that I can't get the LAN internal interface.
There I get SSL_ERROR_INTERNAL_ERROR_ALERT.
What solution do you suggest?
Best regards from isolated Switzerland
 

markymark832

Dabbler
Joined
Feb 28, 2017
Messages
36
> If you've installed Nextcloud from this script since May of last year, you're using Caddy as your web server, and it handles the certificates on its own. If you don't have ports open to the jail, and you don't intend to, your best bet is really to use DNS validation, assuming you use (or can change to) a compatible DNS provider (I like Cloudflare for this, they work well, they have a robust API, and they're free for simple DNS hosting).
>
> Otherwise, opening ports 80 and 443 to the jail and restarting caddy in the jail should do the job in a few minutes.

Thanks, that jogged my memory. I was using Cloudflare with Caddy, I just hadn't removed staging...
All fixed now.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> how where do I find the ports to open on a jail?

Does my post (quoted in the post you quoted) not answer this question?
 

claib

Dabbler
Joined
Apr 1, 2020
Messages
11
> Does my post (quoted in the post you quoted) not answer this question?

Probably I didn't express myself properly:
everything works fine, I can get the Nextcloud interface from the internet, but not from my LAN.
If I point my browser to the internal IP address I get:
404 Site 192.168.178.102 is not served on this interface
So probably, as you said, a DNS problem. I did nothing about DNS config...

Best regards
Christoph
 
Joined
Jan 4, 2014
Messages
1,644
Your internal DNS resolver needs to resolve the Nextcloud FQDN to the jail IP address.
 

Erwin1e

Cadet
Joined
Dec 6, 2015
Messages
7
> Yep, that's probably your problem. But that rate limit should clear itself pretty quickly.

Sorry for my late reply, but I had to wait around 200 hours before the ban was lifted. Just restarted the jail and everything worked. Just came back to say thanks, and who knows, I'm not the only one with this issue.

The lesson is:
Open up the firewall if you want cert renewal. And if it expired because you closed it, reopen it and wait.
 

Pctravel

Dabbler
Joined
Aug 11, 2018
Messages
26
> If you've installed Nextcloud from this script since May of last year, you're using Caddy as your web server, and it handles the certificates on its own. If you don't have ports open to the jail, and you don't intend to, your best bet is really to use DNS validation, assuming you use (or can change to) a compatible DNS provider (I like Cloudflare for this, they work well, they have a robust API, and they're free for simple DNS hosting).
>
> Otherwise, opening ports 80 and 443 to the jail and restarting caddy in the jail should do the job in a few minutes.

I have a cross-topic question with your Caddy reverse proxy discussion and Nextcloud. I used your script for the Let's Encrypt renewal for my Nextcloud server, and I'm looking to add a reverse proxy to support an Emby server. I don't want to crash my Nextcloud setup. Do I need to reinstall Nextcloud and select 'no cert' to install the reverse proxy, or what file would I need to edit to use the reverse proxy for both (and if I have Caddy that supports Nextcloud in this script, does that shortcut for me)? Your script was great, but I'm not very good with the SSL setups (which is why it was great :)
 
Joined
Jan 4, 2014
Messages
1,644
> I have a cross-topic question with your Caddy reverse proxy discussion and Nextcloud. I used your script for the Let's Encrypt renewal for my Nextcloud server, and I'm looking to add a reverse proxy to support an Emby server. I don't want to crash my Nextcloud setup. Do I need to reinstall Nextcloud and select 'no cert' to install the reverse proxy, or what file would I need to edit to use the reverse proxy for both (and if I have Caddy that supports Nextcloud in this script, does that shortcut for me)? Your script was great, but I'm not very good with the SSL setups (which is why it was great :)

This post may be helpful: https://www.ixsystems.com/community...with-optional-automatic-tls.75978/post-565271
 