
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

tebra

Dabbler
Joined
Feb 29, 2020
Messages
21
Hi all, I installed Nextcloud with this script on my FreeNAS about 2 months ago and everything works fine, but now I get a notification from Let's Encrypt that tells me that my certificate is for a staging environment and will expire in 10 days.
I already ran the remove-staging.sh script but I still get the notification.
Any help, please?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
> certificate is for a staging environment and will expire in 10 days.
That's to be expected. If you ran remove-staging, the initial cert (from the staging environment) wouldn't be renewed, so you'd get that notification. But your Nextcloud jail isn't using a staging cert any more, right?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
That should mean you're using a trusted cert (and therefore not a staging cert). If you want to confirm, look at the cert itself to be sure. Different browsers have different ways of doing that, but mostly start by clicking on the padlock icon in the address bar. You'd be looking at the issuer, which would be "Let's Encrypt Authority X3" for a trusted cert. And if that's the case, you can ignore that expiration notice.
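
A command-line version of the issuer check described above, as an added example that is not part of the original post or of the install script. `cloud.example.com` is a placeholder hostname, and the staging markers ("Fake LE", "(STAGING)") are assumed from the names Let's Encrypt gives its staging issuers, which the thread does not list.

```shell
#!/bin/sh
# Added example: label the certificate a server presents by its issuer name.
# A name match is not chain validation; the browser padlock still does that.

# classify_cert SUBJECT_DN ISSUER_DN
# Prints one of: staging | self-signed | letsencrypt | other
classify_cert() {
    case "$2" in
        # Assumed staging markers: "Fake LE ..." and "(STAGING) ..." issuers.
        *"Fake LE"*|*"(STAGING)"*) echo staging; return ;;
    esac
    # Subject equal to issuer means the cert signed itself (SELFSIGNED_CERT=1).
    if [ "$1" = "$2" ]; then echo self-signed; return; fi
    case "$2" in
        # Covers "Let's Encrypt Authority X3", the issuer named in the thread.
        *"Let's Encrypt"*) echo letsencrypt ;;
        *)                 echo other ;;
    esac
}

# fetch_names HOSTNAME [CONNECT_ADDR] [PORT]
# Dials CONNECT_ADDR (default: HOSTNAME) but always sends HOSTNAME as SNI,
# so the check works against a jail IP before DNS resolves the hostname.
fetch_names() {
    host=$1; addr=${2:-$1}; port=${3:-443}
    openssl s_client -connect "$addr:$port" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer
}

# check_cert HOSTNAME [CONNECT_ADDR] [PORT]
# Returns 0 unless the server is still presenting a staging certificate.
check_cert() {
    names=$(fetch_names "$@") || return 2
    subject=$(printf '%s\n' "$names" | sed -n 's/^subject= *//p')
    issuer=$(printf '%s\n' "$names" | sed -n 's/^issuer= *//p')
    verdict=$(classify_cert "$subject" "$issuer")
    printf 'issuer:  %s\nverdict: %s\n' "$issuer" "$verdict"
    [ "$verdict" != staging ]
}

# Usage (placeholder hostname, constructed for illustration):
#   check_cert cloud.example.com
#   check_cert cloud.example.com 192.168.11.55   # dial the jail IP directly
```

A `letsencrypt` verdict means the expiry notice refers to the old staging certificate and not to the one being served.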
 

tebra

Dabbler
Joined
Feb 29, 2020
Messages
21
> That should mean you're using a trusted cert (and therefore not a staging cert). If you want to confirm, look at the cert itself to be sure. Different browsers have different ways of doing that, but mostly start by clicking on the padlock icon in the address bar. You'd be looking at the issuer, which would be "Let's Encrypt Authority X3" for a trusted cert. And if that's the case, you can ignore that expiration notice.
This is the case.
Thank you for your help and information.
 

kiriak

Contributor
Joined
Mar 2, 2020
Messages
122
First of all, many thanks to danb35 for his work on the script.

Due to my nonexistent knowledge about certs etc. I couldn't make it work with the option of SELFSIGNED_CERT=1.
I think the NC is installed OK and jail is running OK, but I messed up the configuration.

If I use http I get
Code:
404 Site 192.168.11.55 is not served on this interface


If I use https I get
Code:
Secure Connection Failed
An error occurred during a connection to 192.168.11.55. Peer reports it experienced an internal error.
Error code: SSL_ERROR_INTERNAL_ERROR_ALERT



I spent a few hours trying to find a solution but with no success.

Is there an easy workaround for this?
If not, I'll try the NO_CERT option as it is a test machine to see if I can migrate from Synology to FreeNAS.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
> 404 Site 192.168.11.55 is not served on this interface
This is correct--Caddy isn't configured to serve the site over the IP address. You'll need to connect using the hostname, which means that the hostname needs to resolve to the internal IP address of your jail.
 

kiriak

Contributor
Joined
Mar 2, 2020
Messages
122
Thank you for your reply and again thanks for offering the script to the community!
I'll do some reading to see if I can manage to resolve the hostname to the IP (No luck yet).

Thanks again!!!
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
> Thank you for your reply and again thanks for offering the script to the community!
> I'll do some reading to see if I can manage to resolve the hostname to the IP (No luck yet).

You can test it using the Windows hosts file:
c:/windows/system32/drivers/etc/hosts

You might (I would need to recheck the script for it though) trick the system by entering your IP as host_name too.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
> You might (I would need to recheck the script for it though) trick the system by entering your IP as host_name too.
Yes, I'd forgotten about that--that's an option too, though it obviously wouldn't work with anything that would get a Let's Encrypt cert.
> I'll do some reading to see if I can manage to resolve the hostname to the IP (No luck yet).
Ideally this will be done in your router, but I don't know how many consumer-grade routers support that feature. If you use (or start using) Pi-Hole, you could set it up there. I know my pfSense box does, though. Otherwise, the hosts file would have to be the way to go.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
While I also run *sense (OPNsense in my case), I do really advise the use of the pihole.
It costs next to nothing and the gains are significant.

It does indeed also give the option of custom DNS overrides since version 5, so you would be golden for a few 10's of bucks :)
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
I used to run a lot of stuff on Pis, but most of it has now been moved into VMs--a three-node Proxmox cluster gives me a lot of flexibility that way. Only things still running on a Pi are my 3D printers and my weather station. I haven't messed with the bhyve in FreeNAS, but it certainly should do the job.
 

InGenetic

Contributor
Joined
Dec 18, 2013
Messages
183
Hi danb35,

Thanks for your tutorial. My Nextcloud has been running well for almost 1 month so far, and I have a few questions here:
1. After three months, do I have to renew the letsencrypt SSL manually? If yes, how do I do that?
This question is related to the email that I've got a couple of days ago, but it's not Let's Encrypt for my Nextcloud; it's related to my friend's site:

Hi,

According to our records, the software client you're using to get Let's
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Here are the details of one
recent ACMEv1 request from each of your account(s):

Client IP address: xxx.xxx.xxx.xxx

User agent: ACMEdotNET/0.9.1.0 (ACME 1.0)

Hostname(s): "app.mydomain.com","app.mydomain.com"

Request time: 2020-05-26 01:29:30 UTC

Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice. You can view the
client list at: https://letsencrypt.org/docs/client-options/

If you're unsure how your certificate is managed, get in touch with the
person who installed the certificate for you. If you don't know who to
contact, please view the help section in our community forum at
https://community.letsencrypt.org/c/help and use the search bar to check if
there's an existing solution for your question. If there isn't, please create
a new topic and fill out the help template.

ACMEv1 API deprecation details can be found in our community forum:
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1

As a reminder: In the future, Let's Encrypt will be performing multiple
domain validation requests for each domain name when you issue a certificate.
While you're working on migrating to ACMEv2, please check that your system
configuration will not block validation requests made by new Let's Encrypt IP
addresses, or block multiple matching requests. Per our FAQ
(https://letsencrypt.org/docs/faq/), we don't publish a list of IP addresses
we use to validate, and this list may change at any time.

To receive more frequent updates, subscribe to our API Announcements:
https://community.letsencrypt.org/t/about-the-api-announcements-category

Thank you for joining us on our mission to create a more secure and privacy-
respecting Web!

All the best,

Let's Encrypt

2. Why can't I upload a big file of about 4GB to my Nextcloud folder?

The alert is as below:
Sabre\DAV\Exception\BadRequest: Expected filesize of 10485760 bytes but read (from Nextcloud client) and wrote (to Nextcloud storage) 4390912 bytes. Could either be a network problem on the sending side or a problem writing to the storage on the server side.
  1. /usr/local/www/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php - line 156:
    OCA\DAV\Connector\Sabre\File->put(null)
  2. /usr/local/www/nextcloud/apps/dav/lib/Upload/UploadFolder.php - line 47:
    OCA\DAV\Connector\Sabre\Directory->createFile("0", null)
  3. /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 1096:
    OCA\DAV\Upload\UploadFolder->createFile("0", null)
  4. /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 525:
    Sabre\DAV\Server->createFile("uploads/ern ... 0", null, null)
  5. <<closure>>
    Sabre\DAV\CorePlugin->httpPut(Sabre\HTTP\R ... "}, Sabre\HTTP\Response {})
  6. /usr/local/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105:
    call_user_func_array([ Sabre\DAV\ ... "], [ Sabre\HTTP ... }])
  7. /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 479:
    Sabre\Event\EventEmitter->emit("method:PUT", [ Sabre\HTTP ... }])
  8. /usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 254:
    Sabre\DAV\Server->invokeMethod(Sabre\HTTP\R ... "}, Sabre\HTTP\Response {})
  9. /usr/local/www/nextcloud/apps/dav/lib/Server.php - line 319:
    Sabre\DAV\Server->exec()
  10. /usr/local/www/nextcloud/apps/dav/appinfo/v2/remote.php - line 35:
    OCA\DAV\Server->exec()
  11. /usr/local/www/nextcloud/remote.php - line 165:
    require_once("/usr/local/ ... p")

I tried to upload an ISO file of 4GB, and yesterday I had the same experience when trying to upload MKV files of about 400MB.


Please advise.

Thank You Very Much.


Regards,
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
> did i have to renew the letsencrypt ssl manually ?
You shouldn't need to do anything at all for this; Caddy (the web server) will renew it automatically.
> Why i cannot upload the bigfile about 4GB to my nextcloud folder ?
Haven't had this problem for quite a while (since the timeouts in the Caddyfile were updated). Best guess I could say would be to check the things mentioned in the error message: "Could either be a network problem on the sending side or a problem writing to the storage on the server side."
 

kiriak

Contributor
Joined
Mar 2, 2020
Messages
122
> You can test it using the windows host file:
> c:/windows/system32/drivers/etc/hosts
>
> You might (I would need to recheck the script for it though) trick the system by entering your IP as host_name too.

Thank you!

Unfortunately, by the time I saw this, I had deleted the jail and had installed the plugin, and was fighting ( :rolleyes: ) with vi trying to set up the Selfsigned CERT (again without success).
On the other hand I'm not sure what you mean by " entering your IP as host_name". I suppose you don't mean to enter nextcloud's IP on my browser, as this doesn't work.

Anyway, I don't know if https is necessary in my case, as for the minimal access from the WAN, I use the VPN server running on the router.
 