Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Does that mean DNS and port forwarding is set up correctly?
It should. And the domain you use when you're testing that is the same as the one you used in your nextcloud config file?

Once you iocage console nextcloud, you should be able to run acme.sh. What happens if you try? If it doesn't work, how about .acme.sh/acme.sh?
 

wille1101

Dabbler
Joined
Oct 20, 2018
Messages
16
It should. And the domain you use when you're testing that is the same as the one you used in your nextcloud config file?

Yes, it's exactly the same. I see some people using cloud.domain.xyz but that's only if you use the HOST_NAME = "cloud.domain.xyz" in the config, right?


Once you iocage console nextcloud, you should be able to run acme.sh. What happens if you try? If it doesn't work, how about .acme.sh/acme.sh?

Code:
[root@nextcloud ~]# acme.sh
-bash: acme.sh: command not found
[root@nextcloud ~]# .acme.sh/acme.sh
https://github.com/Neilpang/acme.sh
v2.8.0
Usage: acme.sh  command ...[parameters]....
Commands:
  --help, -h			   Show this help message.
  --version, -v			Show version info.
  --install				Install acme.sh to your system.
  --uninstall			  Uninstall acme.sh, and uninstall the cron job.
  --upgrade				Upgrade acme.sh to the latest code from https://github.com/Neilpang/acme.sh.
  --issue				  Issue a cert.
  --signcsr				Issue a cert from an existing csr.
  --deploy				 Deploy the cert to your server.
  --install-cert		   Install the issued cert to apache/nginx or any otherserver.
  --renew, -r			  Renew a cert.
  --renew-all			  Renew all the certs.
  --revoke				 Revoke a cert.
  --remove				 Remove the cert from list of certs known to acme.sh.
  --list				   List all the certs.
  --showcsr				Show the content of a csr.
  --install-cronjob		Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  --uninstall-cronjob	  Uninstall the cron job. The 'uninstall' command can do this automatically.
  --cron				   Run cron job to renew all the certs.
  --toPkcs				 Export the certificate and key to a pfx file.
  --toPkcs8				Convert to pkcs8 format.
  --update-account		 Update account info.
  --register-account	   Register account key.
  --deactivate-account	 Deactivate the account.
  --create-account-key	 Create an account private key, professional use.
  --create-domain-key	  Create an domain private key, professional use.
  --createCSR, -ccsr	   Create CSR , professional use.
  --deactivate			 Deactivate the domain authz, professional use.

Parameters:
  --domain, -d   domain.tld		 Specifies a domain, used to issue, renew orrevoke etc.
  --challenge-alias domain.tld	  The challenge domain alias for DNS alias mode: https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
  --domain-alias domain.tld		 The domain alias for DNS alias mode: https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
  --force, -f					   Used to force to install or force to renew a cert immediately.
  --staging, --test				 Use staging server, just for test.
  --debug						   Output debug info.
  --output-insecure				 Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
  --webroot, -w  /path/to/webroot   Specifies the web root folder for web root mode.
  --standalone					  Use standalone mode.
  --stateless					   Use stateless mode, see: https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
  --apache						  Use apache mode.
  --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file]   Use dns mode or dns api.
  --dnssleep  [120]				  The time in seconds to wait for all the txt records to take effect in dns api mode. Default 120 seconds.

  --keylength, -k [2048]			Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
  --accountkeylength, -ak [2048]	Specifies the account key length.
  --log	[/path/to/logfile]	   Specifies the log file. The default is: "/root/.acme.sh/acme.sh.log" if you don't give a file path here.
  --log-level 1|2				   Specifies the log level, default is 1.
  --syslog [0|3|6|7]				Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.

  These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:

  --cert-file					   After issue/renew, the cert will be copied to this path.
  --key-file						After issue/renew, the key will be copied to this path.
  --ca-file						 After issue/renew, the intermediate cert will be copied to this path.
  --fullchain-file				  After issue/renew, the fullchain cert will be copied to this path.

  --reloadcmd "service nginx reload" After issue/renew, it's used to reload theserver.

  --server SERVER				   ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory)
  --accountconf					 Specifies a customized account config file.
  --home							Specifies the home dir for acme.sh .
  --cert-home					   Specifies the home dir to save all the certs, only valid for '--install' command.
  --config-home					 Specifies the home dir to save all the configurations.
  --useragent					   Specifies the user agent string. it will besaved for future use too.
  --accountemail					Specifies the account email, only valid forthe '--install' and '--update-account' command.
  --accountkey					  Specifies the account key path, only valid for the '--install' command.
  --days							Specifies the days to renew the cert when using '--issue' command. The max value is 60 days.
  --httpport						Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  --local-address				   Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
  --listraw						 Only used for '--list' command, list the certs in raw format.
  --stopRenewOnError, -se		   Only valid for '--renew-all' command. Stop if one cert has error in renewal.
  --insecure						Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  --ca-bundle					   Specifies the path to the CA certificate bundle to verify api server's certificate.
  --ca-path						 Specifies directory containing CA certificates in PEM format, used by wget or curl.
  --nocron						  Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
  --no-color						Do not output color text.
  --force-color					 Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
  --ecc							 Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
  --csr							 Specifies the input csr.
  --pre-hook						Command to be run before obtaining any certificates.
  --post-hook					   Command to be run after attempting to obtain/renew certificates. No matter the obtain/renew is success or failed.
  --renew-hook					  Command to be run once for each successfully renewed certificate.
  --deploy-hook					 The hook file to deploy cert
  --ocsp-must-staple, --ocsp		Generate ocsp must Staple extension.
  --always-force-new-domain-key	 Generate new domain key when renewal. Otherwise, the domain key is not changed by default.
  --auto-upgrade   [0|1]			Valid for '--upgrade' command, indicating whether to upgrade automatically in future.
  --listen-v4					   Force standalone/tls server to listen at ipv4.
  --listen-v6					   Force standalone/tls server to listen at ipv6.
  --openssl-bin					 Specifies a custom openssl bin location.
  --use-wget						Force to use wget, if you have both curl and wget installed.
  --yes-I-know-dns-manual-mode-enough-go-ahead-please  Force to use dns manual mode: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode
  --branch, -b					  Only valid for '--upgrade' command, specifies the branch name to upgrade to.

 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Hmmm. So it's there, but it doesn't look like it's properly updated your $PATH. Try .acme.sh/acme.sh --install, then exit the console and re-run iocage console nextcloud. See if acme.sh will work then.

If it does, you should be able to get your cert with this:
Code:
acme.sh --issue -d your_fqdn -w /usr/local/www/apache24/data/ -k 4096 --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload"
 

wille1101

Dabbler
Joined
Oct 20, 2018
Messages
16
Hmmm. So it's there, but it doesn't look like it's properly updated your $PATH. Try .acme.sh/acme.sh --install

I get this:
Code:
[root@nextcloud ~]# .acme.sh/acme.sh --install
[Sat Oct 27 16:44:28 CEST 2018] Installing to /root/.acme.sh
cp: acme.sh: No such file or directory
[Sat Oct 27 16:44:28 CEST 2018] Install failed, can not copy acme.sh
[root@nextcloud ~]#
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
That's getting odd--obviously it's there, as it's running. In any event, though, the cron job will run with its full path. Can you try the issue command I gave above with the full path to acme.sh?
 

wille1101

Dabbler
Joined
Oct 20, 2018
Messages
16
Can you try the issue command I gave above with the full path to acme.sh?

Like this?

.acme.sh/acme.sh --issue -d domain.xyz -w /usr/local/www/apache24/data/ -k 4096 --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload"

Code:
[Sat Oct 27 17:11:49 CEST 2018] Registering account
[Sat Oct 27 17:11:50 CEST 2018] Registered
[Sat Oct 27 17:11:50 CEST 2018] ACCOUNT_THUMBPRINT='wv9cRPECVBMIkmmDejSesfxTaLUQrUO_X_y6WKNWmzg'
[Sat Oct 27 17:11:50 CEST 2018] Single domain='domain.xyz'
[Sat Oct 27 17:11:50 CEST 2018] Getting domain auth token for each domain
[Sat Oct 27 17:11:50 CEST 2018] Getting webroot for domain='domain.xyz'
[Sat Oct 27 17:11:50 CEST 2018] Getting new-authz for domain='domain.xyz'
[Sat Oct 27 17:11:51 CEST 2018] The new-authz request is ok.
[Sat Oct 27 17:11:51 CEST 2018] Verifying:domain.xyz
[Sat Oct 27 17:11:55 CEST 2018] domain.xyz:Verify error:Fetching http://www.domain.xyz/.well-known/acme-challenge/qKeNviwcy-ixLR5qYdbpKLT9N6tBYiX7N2uf8QhpPeM: Error getting validation data
[Sat Oct 27 17:11:55 CEST 2018] Please add '--debug' or '--log' to check more details.
[Sat Oct 27 17:11:55 CEST 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[root@nextcloud ~]#
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Like this?
Exactly.

But for some reason, it still isn't successfully retrieving the validation token. I note that most places in your output, you're saying "domain.xyz", but in one place, it's "www.domain.xyz". Is this just because you aren't masking them in the same way, or is there an actual difference there? If there isn't, try the command with --debug added.
 

wille1101

Dabbler
Joined
Oct 20, 2018
Messages
16
I note that most places in your output, you're saying "domain.xyz", but in one place, it's "www.domain.xyz". Is this just because you aren't masking them in the same way, or is there an actual difference there?

Yes, there's a difference. I re-ran your script with the HOST_NAME changed to "www.domain.xyz" but I still get the same error.

Code:
[Sat Oct 27 17:57:15 CEST 2018] Registering account
[Sat Oct 27 17:57:16 CEST 2018] Registered
[Sat Oct 27 17:57:16 CEST 2018] ACCOUNT_THUMBPRINT='ZpCQBOgoMLWlpEgS92RJc5XbszpDDMcESLu_AP9nksc'
[Sat Oct 27 17:57:16 CEST 2018] Single domain='www.domain.xyz'
[Sat Oct 27 17:57:16 CEST 2018] Getting domain auth token for each domain
[Sat Oct 27 17:57:16 CEST 2018] Getting webroot for domain='www.domain.xyz'
[Sat Oct 27 17:57:16 CEST 2018] Getting new-authz for domain='www.domain.xyz'
[Sat Oct 27 17:57:17 CEST 2018] The new-authz request is ok.
[Sat Oct 27 17:57:17 CEST 2018] Verifying:www.domain.xyz
[Sat Oct 27 17:57:20 CEST 2018] www.domain.xyz:Verify error:Fetching http://www.domain.xyz/.well-known/acme-challenge/_Ig3k2k2dzIvnSqbVYsS6XBZ4AD2GJM1VNWPoAyRLHw: Error getting validation data
[Sat Oct 27 17:57:20 CEST 2018] Please add '--debug' or '--log' to check more details.
[Sat Oct 27 17:57:20 CEST 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[root@nextcloud ~]#
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
OK, yourdomain.xyz is redirecting to www.yourdomain.xyz, which is what's causing the discrepancy in your earlier output. When I go to www.yourdomain.xyz with my browser, I get a parking page at namecheap, and in fact www.yourdomain.xyz is an alias for parkingpage.namecheap.com. I suspect this is your problem.

To confirm, can you create a text file at /usr/local/www/apache24/data/.well-known/acme-challenge/test? Put a line or so of text in there, and let's see if it comes up properly.

Edit: Alternatively, you should be able to issue using DNS validation with Namecheap's DNS. See https://github.com/Neilpang/acme.sh/tree/master/dnsapi#53-use-namecheap

...or maybe not. yourdomain.xyz uses Cloudflare for DNS. Easy enough; you can use DNS validation with them too. But there's still the question of why it's redirecting to www.yourdomain, which is parked somewhere else.
 

wille1101

Dabbler
Joined
Oct 20, 2018
Messages
16
To confirm, can you create a text file at /usr/local/www/apache24/data/.well-known/acme-challenge/test? Put a line or so of text in there, and let's see if it comes up properly.

I can't seem to find the .well-known directory.

Code:
[root@freenas-Wilmer /usr/local/www/apache24/data]# ll
total 8
drwxr-xr-x  2 root  wheel  uarch  3 Oct 20 17:07 ./
drwxr-xr-x  6 root  wheel  uarch  6 Oct 20 17:07 ../
-rw-r--r--  1 root  wheel  uarch 45 Oct 20 17:07 index.html
[root@freenas-Wilmer /usr/local/www/apache24/data]# ls -a
.			   ..			  index.html
[root@freenas-Wilmer /usr/local/www/apache24/data]#
 

wille1101

Dabbler
Joined
Oct 20, 2018
Messages
16
You'll need to create it.
Okay, I've now created a text file in /usr/local/www/apache24/data/.well-known/acme-challenge/test


Or was I supposed to create a text file named test in /usr/local/www/apache24/data/.well-known/acme-challenge?
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Wille1101,
Are you using Haproxy to resolve your domain name to point to your Nextcloud server? If so, you may want to try disabling it and just use NAT port forwarding instead for both port 80 and 443.
 

wille1101

Dabbler
Joined
Oct 20, 2018
Messages
16
Wille1101,
Are you using Haproxy to resolve your domain name to point to your Nextcloud server?

I don't know :( How do I check that? I just port forward port 80 and 443 to the IP I specify in the script config.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Or was I supposed to create a text file named test in /usr/local/www/apache24/data/.well-known/acme-challenge?
That's actually what I meant.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I've checked it, and it isn't working:
Code:
 dan@dan-MacBookPro  ~  curl http://www.yourdomain.xyz/.well-known/acme-challenge/test
curl: (52) Empty reply from server
 ✘ dan@dan-MacBookPro  ~  curl http://yourdomain.xyz/.well-known/acme-challenge/test
<a href='http://www.yourdomain.xyz/.well-known/acme-challenge/test'>Found</a>.

So yourdomain.xyz is redirecting everything to www.yourdomain.xyz, and www.yourdomain.xyz isn't responding on anything other than the base URL (which returns the aforementioned Namecheap parking page). I suspect this means that your DNS records aren't actually pointing yourdomain.xyz to your server.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Right, sorry, I've fixed that now. What am I supposed to check now?
I was wondering if you were using a firewall such as pfsense with Haproxy to redirect your domain to a specific IP address on your server.
According to what you are saying this is not the case.
 