
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

listhor (Contributor) | Joined Mar 2, 2020 | Messages: 133
I have Nextcloud 18 installed with the previous version of the script. What's the correct course of action to get everything updated? Shall I update the jail first, followed by pkg inside the jail?
And what about upgrading to Nextcloud 19? If I use the built-in upgrade tool I end up with PHP errors. Can I use the new @danb35 script on top of the existing instance and get it upgraded (incl. Caddy)?
 
Joined Jan 4, 2014 | Messages: 1,644
> I have Nextcloud 18 installed with the previous version of the script. What's the correct course of action to get everything updated? Shall I update the jail first, followed by pkg inside the jail?
> And what about upgrading to Nextcloud 19? If I use the built-in upgrade tool I end up with PHP errors. Can I use the new @danb35 script on top of the existing instance and get it upgraded (incl. Caddy)?
Good question! I would also like to get some confirmation on this. The built-in upgrade tool allows you to switch from 18 to 19, but it's the script that takes care of the environmental factors outside of Nextcloud, for instance the PHP errors you've seen; themes is also something quite recent for the script, as well as Caddy v2. I'm confident that it is possible to use the new script over an existing installation. I'm just not 100% sure of the steps to take. Just to stimulate some discussion at this stage only, my first guess, if you've used the Nextcloud 18 version of the script, would be to:
  1. Create the themes sub-dataset.
  2. Use the built-in tool to upgrade Nextcloud 18 to 19.
  3. Blow away the Nextcloud jail built from the previous version of the script. Before you do that though, if you don't have a copy of the previous nextcloud-config, make a note of the important environmental characteristics first, e.g. jail IP, mount points, etc., that will be needed to reassemble a nextcloud-config used to rebuild the jail.
  4. Before you run the new script, make sure nextcloud-config refers to the various sub-datasets as well. It's probably a good idea to keep a copy of the nextcloud-config you use around for reference later, as the script is likely to continue to evolve over time.
@danb35 Can you please clarify the correct course of action to take if we have used the Nextcloud 18 version of your script and now wish to take advantage of the latest enhancements the new script offers, without impacting our existing Nextcloud installation?
 

IronRobi (Explorer) | Joined Apr 15, 2016 | Messages: 52
> That's your problem; review the README again. Caddy v2 uses API tokens, not the global API key.
You're right, I just skimmed the instructions and missed that change.
Destroyed the jail and re-ran the script with the proper DNS_TOKEN, and now my Caddy log shows:
Code:
2020/08/01 10:27:45 [INFO] [MYDOMAIN] acme: Validations succeeded; requesting certificates
2020/08/01 10:27:46 [INFO] [MYDOMAIN] Server responded with a certificate.
2020/08/01 10:27:46 [INFO][MYDOMAIN] Certificate obtained successfully

After clearing the browser cache, when I browse to the domain I'm still getting SSL_ERROR_NO_CYPHER_OVERLAP, and if I browse directly to the IP I get an "Unable to connect".

Here is my nextcloud-config
Code:
JAIL_IP="192.168.X.XX/24"
DEFAULT_GW_IP="192.168.X.X"
POOL_PATH="/mnt/CLOUD"
DB_PATH="/mnt/CLOUD/nextcloud/db"
FILES_PATH="/mnt/CLOUD/nextcloud/files"
CONFIG_PATH="/mnt/CLOUD/nextcloud/config"
THEMES_PATH="/mnt/CLOUD/nextcloud/themes"
PORTS_PATH="/mnt/CLOUD/portsnap"
TIME_ZONE="America/Moncton"
HOST_NAME="subdomain.mydomain.com:8443"   # NOTE: I tried this without the port as well
STANDALONE_CERT=0
DNS_CERT=1
SELFSIGNED_CERT=0
NO_CERT=0
CERT_EMAIL="myemail@email.com"
DNS_PLUGIN="cloudflare"
DNS_TOKEN="CREATEDAPITOKEN"
 

danb35 (Hall of Famer) | Joined Aug 16, 2011 | Messages: 15,504
Is there anything else in caddy.log? Or anything relevant in /var/log/subdomain.mydomain.com.log?

For general points, no, you wouldn't be able to access the installation by IP, and HOST_NAME shouldn't include the port number.
 
Joined Jan 4, 2014 | Messages: 1,644
> After clearing the browser cache, when I browse to the domain I'm still getting SSL_ERROR_NO_CYPHER_OVERLAP, and if I browse directly to the IP I get an "Unable to connect".
What browser and version are you using? Have you tried a different browser?

EDIT: Also, what does service caddy status show in the jail?
 

IronRobi (Explorer) | Joined Apr 15, 2016 | Messages: 52
> Is there anything else in caddy.log? Or anything relevant in /var/log/subdomain.mydomain.com.log?
>
> For general points, no, you wouldn't be able to access the installation by IP, and HOST_NAME shouldn't include the port number.
Here's the full caddy.log. There is no /var/log/subdomain.mydomain.com.log.
I did try it initially without the port number, but when that didn't work I figured I'd try again by adding the port, just in case.

Code:
{"level":"info","ts":1596288451.3030987,"msg":"using provided configuration","config_file":"/usr/local/www/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1596288451.3058147,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1596288451.3061118,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2020/08/01 10:27:31 [INFO][cache:0xc000695a40] Started certificate maintenance routine
{"level":"info","ts":1596288451.3066945,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1596288451.3067675,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["MYDOMAIN.com"]}
{"level":"info","ts":1596288451.3069873,"msg":"autosaved config","file":"/.config/caddy/autosave.json"}
{"level":"info","ts":1596288451.307002,"msg":"serving initial configuration"}
Successfully started Caddy (pid=78231) - Caddy is running in the background
2020/08/01 10:27:31 [INFO][MYDOMAIN.com] Obtain certificate; acquiring lock...
2020/08/01 10:27:31 [INFO][MYDOMAIN.com] Obtain: Lock acquired; proceeding...
2020/08/01 10:27:36 [INFO] acme: Registering account for MYEMAIL@EMAIL.COM
2020/08/01 10:27:37 [INFO][MYDOMAIN.com] Waiting on rate limiter...
2020/08/01 10:27:37 [INFO][MYDOMAIN.com] Done waiting
2020/08/01 10:27:37 [INFO] [MYDOMAIN.com] acme: Obtaining bundled SAN certificate given a CSR
2020/08/01 10:27:37 [INFO] [MYDOMAIN.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/86914597
2020/08/01 10:27:37 [INFO] [MYDOMAIN.com] acme: Could not find solver for: tls-alpn-01
2020/08/01 10:27:37 [INFO] [MYDOMAIN.com] acme: Could not find solver for: http-01
2020/08/01 10:27:37 [INFO] [MYDOMAIN.com] acme: use dns-01 solver
2020/08/01 10:27:37 [INFO] [MYDOMAIN.com] acme: Preparing to solve DNS-01
2020/08/01 10:27:38 [INFO] [MYDOMAIN.com] acme: Trying to solve DNS-01
2020/08/01 10:27:38 [INFO] [MYDOMAIN.com] acme: Checking DNS record propagation using [8.8.8.8:53 142.166.166.166:53]
2020/08/01 10:27:38 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2020/08/01 10:27:38 [INFO] [MYDOMAIN.com] acme: Waiting for DNS record propagation.
2020/08/01 10:27:40 [INFO] [MYDOMAIN.com] acme: Waiting for DNS record propagation.
2020/08/01 10:27:45 [INFO] [MYDOMAIN.com] The server validated our request
2020/08/01 10:27:45 [INFO] [MYDOMAIN.com] acme: Cleaning DNS-01 challenge
2020/08/01 10:27:45 [INFO] [MYDOMAIN.com] acme: Validations succeeded; requesting certificates
2020/08/01 10:27:46 [INFO] [MYDOMAIN.com] Server responded with a certificate.
2020/08/01 10:27:46 [INFO][MYDOMAIN.com] Certificate obtained successfully
2020/08/01 10:27:46 [INFO][MYDOMAIN.com] Obtain: Releasing lock
{"level":"info","ts":1596288562.1280587,"msg":"not implemented","signal":"SIGHUP"}


Attaching my port forwarding rule in the router as well as the A-name configuration in Cloudflare. Both edited for privacy.
In Cloudflare I tried changing it to DNS only (grey cloud), and when doing that I get a "refused to connect" error. When I go back to proxied, that's when I get the SSL cypher overlap error.

@Basil Hendroff Using chrome primarily but also tried firefox and edge. service caddy status does show caddy is running
 

Attachments: Capture.PNG (49.7 KB), Capture2.PNG (182.1 KB)

NasKar (Guru) | Joined Jan 8, 2016 | Messages: 739
> I have Nextcloud 18 installed with the previous version of the script. What's the correct course of action to get everything updated? Shall I update the jail first, followed by pkg inside the jail?
> And what about upgrading to Nextcloud 19? If I use the built-in upgrade tool I end up with PHP errors. Can I use the new @danb35 script on top of the existing instance and get it upgraded (incl. Caddy)?
1) I think you should upgrade through the GUI to Nextcloud 19.
2) Create the folder structure if not present already: a nextcloud dataset on your pool with subdirectories or sub-datasets nextcloud/config, nextcloud/db/mariadb or nextcloud/db/pgsql, nextcloud/files, nextcloud/themes.
3) Copy over your current directories to the new folder structure if not present already.
4) Destroy the nextcloud jail and reinstall with the script.
It should read the existence of old data and just give you an updated jail.
 

danb35 (Hall of Famer) | Joined Aug 16, 2011 | Messages: 15,504
> In Cloudflare I tried changing it to DNS only (grey cloud), and when doing that I get a "refused to connect" error.
OK, then the cypher overlap is a red herring. Leave the Cloudflare proxy disabled for now, because it can mask other problems (as it's been doing). I suspect the issue has to do with firewall/forwarding/NAT configuration.

To test, edit the hosts file on your computer to point sub.yourdomain.com to the IP address of your jail, and see what happens when you try to browse to the installation that way. And then bug Unifi about not having local DNS setup on the USG/UDM.
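Two ways to run the test danb35 describes, as an added example that is not part of the thread or of danb35's script: curl's --resolve flag pins the hostname to the jail's IP for a single request without touching any file, and a small awk filter makes the hosts-file edit idempotent and easy to undo (a timestamped backup is kept). The hostname, both IP addresses and the hosts-file text below are constructed placeholders.

```shell
#!/bin/sh
# Added example; not from the thread and not danb35's script.
# Hostname, IPs and hosts-file content are constructed placeholders.

# 1) No-edit variant: pin the name to the jail IP for this one request only.
#    -k is needed while the certificate comes from the Let's Encrypt
#    staging CA; the HTTP status tells you whether the jail answered.
probe_direct() {
    # Usage: probe_direct <host> <jail-ip> [port]  -> prints HTTP status code
    host="$1"; ip="$2"; port="${3:-443}"
    curl -sk -o /dev/null -w '%{http_code}\n' \
        --resolve "$host:$port:$ip" "https://$host:$port/"
}

# 2) hosts-file variant, done on the file's text: drop any existing entry
#    for the name, then append one. Comment lines are left untouched.
hosts_with_override() {
    # Usage: hosts_with_override <hosts-text> <host> <ip>  -> new text on stdout
    printf '%s\n' "$1" | awk -v h="$2" -v ip="$3" '
        $1 ~ /^#/ { print; next }
        {
            drop = 0
            for (i = 2; i <= NF; i++) if ($i == h) drop = 1
            if (!drop) print
        }
        END { print ip "\t" h "\t# temporary test override" }'
}

install_hosts_override() {
    # Usage: install_hosts_override <host> <jail-ip> [hosts-file]
    # Run as root for the real /etc/hosts; restore from the .bak copy afterwards.
    f="${3:-/etc/hosts}"
    cp "$f" "$f.bak.$(date +%s)"
    new=$(hosts_with_override "$(cat "$f")" "$1" "$2")
    printf '%s\n' "$new" > "$f"
}

# Constructed sample hosts file: 192.0.2.10 stands in for the public address
# the router publishes, 192.168.1.50 for the jail's LAN address.
SAMPLE_HOSTS=$(printf '127.0.0.1\tlocalhost\n::1\tlocalhost\n192.0.2.10\tcloud.example.test\n')

hosts_with_override "$SAMPLE_HOSTS" cloud.example.test 192.168.1.50
```

With the override in place, a login page means the jail itself is fine and the remaining problem sits in the router (forwarding, hairpin NAT or DNS); a certificate warning at that point is the staging CA, not a connectivity fault.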
 

danb35 (Hall of Famer) | Joined Aug 16, 2011 | Messages: 15,504
> 4) Destroy the nextcloud jail and reinstall with the script.
I think I'd agree with both your steps and Basil's, with the exception of this one. I'd rather stop the old jail, turn off auto-start, and then install the new one with a new name. Once you're sure it's working fine, then you can destroy the old jail.
 

IronRobi (Explorer) | Joined Apr 15, 2016 | Messages: 52
> OK, then the cypher overlap is a red herring. Leave the Cloudflare proxy disabled for now, because it can mask other problems (as it's been doing). I suspect the issue has to do with firewall/forwarding/NAT configuration.
>
> To test, edit the hosts file on your computer to point sub.yourdomain.com to the IP address of your jail, and see what happens when you try to browse to the installation that way. And then bug Unifi about not having local DNS setup on the USG/UDM.
Edited the hosts file on my laptop and it pulls up the Nextcloud login page. I'm still getting an error saying the connection to the site is not secure though (NET::ERR_CERT_AUTHORITY_INVALID).

I'm confused why this is needed for Nextcloud but not for any others. I literally have 8 other subdomains pointing to different jails, and I can access every one of them on the same laptop using subdomain.domain.com:port without having to edit the hosts file?

EDIT: Tried connecting on my phone outside my home network and get ERR_CONNECTION_REFUSED
 

danb35 (Hall of Famer) | Joined Aug 16, 2011 | Messages: 15,504
> I'm still getting an error saying the connection to the site is not secure though.
That's normal (and explained in the README)--by default, this is set up to get certs from the Let's Encrypt test server, to avoid exceeding their rate limits. The README also describes how to switch to using the production server.

> I'm confused why this is needed for Nextcloud but not for any others.
It shouldn't be needed for Nextcloud either--it's a troubleshooting step. Unifi have inexplicably left a pretty basic feature out of what's otherwise a pretty nice router, otherwise I'd have had you configure it there. The idea is to make sure you're actually connecting to your jail, not through your router (and depending on how well it does hairpin NAT).

Are you able to access Nextcloud from outside your network? Perhaps turn off WiFi on your phone, and try to reach it from there?
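The log IronRobi posted (AuthURL under acme-staging-v02) and danb35's explanation point at the same thing: the certificate was issued, but by the Let's Encrypt staging CA. The script below is an added example, not part of the thread or of danb35's script; it pulls those facts out of a Caddy v2 log so the staging/production question is answered before anyone chases browser errors. The sample log it writes is constructed (placeholder hostname and authz id) but follows the line shapes posted above; the two directory hostnames are Let's Encrypt's real staging and production endpoints.

```shell
#!/bin/sh
# Added example; not from the thread and not danb35's script. Triage a Caddy
# v2 log: which Let's Encrypt directory was used, which challenge solver ran,
# whether a certificate was obtained, and how many failure lines appear.

# staging|production|unknown, from the AuthURL line Caddy logs per domain.
acme_endpoint_kind() {
    if grep -q 'acme-staging-v02\.api\.letsencrypt\.org' "$1"; then
        echo staging
    elif grep -q 'acme-v02\.api\.letsencrypt\.org' "$1"; then
        echo production
    else
        echo unknown
    fi
}

# yes|no
cert_obtained() {
    if grep -q 'Certificate obtained successfully' "$1"; then echo yes; else echo no; fi
}

# dns-01|http-01|tls-alpn-01|none: Caddy logs "acme: use <solver> solver".
challenge_solver() {
    sed -n 's/.*acme: use \([a-z0-9-]*\) solver.*/\1/p' "$1" | head -n 1 | grep . || echo none
}

# Lines that indicate a failure (JSON error level, legacy [ERROR]/[FATAL],
# or a refused connection); prints nothing when the log is clean.
log_errors() {
    grep -E '"level":"error"|\[ERROR\]|\[FATAL\]|connection refused' "$1" || true
}

triage() {
    f="$1"
    kind=$(acme_endpoint_kind "$f")
    echo "acme endpoint : $kind"
    echo "solver        : $(challenge_solver "$f")"
    echo "cert obtained : $(cert_obtained "$f")"
    echo "error lines   : $(log_errors "$f" | wc -l | tr -d ' ')"
    if [ "$kind" = staging ] && [ "$(cert_obtained "$f")" = yes ]; then
        echo "note: the certificate is from the Let's Encrypt staging CA, so browsers"
        echo "      will show NET::ERR_CERT_AUTHORITY_INVALID until you switch to production."
    fi
}

# Constructed sample in the shape of the log posted above (placeholder host
# and authz id, real Let's Encrypt staging hostname).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
{"level":"info","ts":1596288451.3030987,"msg":"using provided configuration","config_file":"/usr/local/www/Caddyfile","config_adapter":"caddyfile"}
2020/08/01 10:27:37 [INFO] [cloud.example.test] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/00000000
2020/08/01 10:27:37 [INFO] [cloud.example.test] acme: Could not find solver for: tls-alpn-01
2020/08/01 10:27:37 [INFO] [cloud.example.test] acme: use dns-01 solver
2020/08/01 10:27:46 [INFO][cloud.example.test] Certificate obtained successfully
EOF

# Pass a real caddy.log as the first argument; without one the sample is used.
triage "${1:-$SAMPLE_LOG}"
```

Run it against the jail's caddy.log once with the staging log and again after switching to the production directory as the README describes; "cert obtained: yes" with "acme endpoint: production" is the state in which the browser warning should disappear.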
 

danb35 (Hall of Famer) | Joined Aug 16, 2011 | Messages: 15,504
And that's going to https://sub.your.domain:8443?

Edit: wait a minute, Unifi uses 8443 for its own controller. Will it work if you forward a different port?
 

listhor (Contributor) | Joined Mar 2, 2020 | Messages: 133
Thanks for all replies and help.
> 1) I think you should upgrade through the GUI to Nextcloud 19.
> 2) Create the folder structure if not present already: a nextcloud dataset on your pool with subdirectories or sub-datasets nextcloud/config, nextcloud/db/mariadb or nextcloud/db/pgsql, nextcloud/files, nextcloud/themes.
> 3) Copy over your current directories to the new folder structure if not present already.
> 4) Destroy the nextcloud jail and reinstall with the script.
> It should read the existence of old data and just give you an updated jail.
A few notes / questions:
1/ After upgrading through the GUI I get PHP errors, and external storages (Nextcloud plugin) are not accessible. Is this error going to vanish after reinstalling Nextcloud with the script?
2/ I think I don't need to change anything in the existing Nextcloud datasets (files and db). I do have a nextcloud-config file; can I reuse it with the new script?
3/ As above, no need to copy anything as I don't want to change the datasets' structure. Do I need to create a themes dataset as per @Basil Hendroff's suggestion?

After looking at my current Nextcloud 18 mount points I'm surprised by following:
Code:
$POOL_PATH/portsnap/db  $POOL_PATH/iocage/jails/nextcloud/root/var/db/portsnap

I don't have such a dataset as $POOL_PATH/portsnap/db in my pool.
Ver. 18 nextcloud-config:
Code:
JAIL_IP="172.16.0.10"
DEFAULT_GW_IP="172.16.0.1"
POOL_PATH="/mnt/all"
TIME_ZONE="Europe/Warsaw"
SELFSIGNED_CERT=1
#HOST_NAME="next.xxxx.xx"
#DNS_CERT=1
#DNS_PLUGIN="ovh"
#DNS_ENV="OVH_ENDPOINT=ovh-eu OVH_CONSUMER_KEY=xxxxxxxxx OVH_APPLICATION_KEY=xxxxxx OVH_APPLICATION_SECRET=xxxxxxx"
CERT_EMAIL="admin@xxxx.xx"
DB_PATH="/mnt/all/DB"
FILES_PATH="/mnt/all/Pliki"


Is there something wrong?
 

IronRobi (Explorer) | Joined Apr 15, 2016 | Messages: 52
Correct

> Edit: wait a minute, Unifi uses 8443 for its own controller. Will it work if you forward a different port?
I've actually tried all the Cloudflare-supported ports. They have 6 of them for HTTPS. I started having doubts about whether my forwarding rule was working, so I also took my port forwarding rule in Unifi and pointed it towards a different jail, and going to https://sub.mydomain.com:8443 brought that jail right up.
 

IronRobi (Explorer) | Joined Apr 15, 2016 | Messages: 52
SUCCESS!
I blew up the jail again, cleared all the db files, etc., and started completely from scratch.
Removed the port :8443 from the nextcloud-config file and ran the script again.

Went to sub.mydomain.com:8443 and it complained of a cert error, which is a good sign. When I accepted the error and proceeded I kept getting a 404 not found. What I noticed is that the address was sub.mydomain.com/login; it was stripping out the port.

So I edited /usr/local/www/nextcloud/config/config.php and changed these 2 lines to add the port to them:
Code:
'overwrite.cli.url' => 'https://sub.mydomain.com:8443/',
'overwritehost' => 'sub.mydomain.com:8443',

Now when I accept the cert error it brings up the login screen! :grin:
Not sure how this time was different from the first time I ran the script with no port, but I'm not going to complain because it worked.
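What IronRobi did by hand in config.php can also be done with Nextcloud's own occ command (config:system:set), which avoids typos in the PHP array and survives a rebuild of the jail as a repeatable step. The script below is an added example, not from the thread or from danb35's script: it derives the host value from the bare hostname and the public port and prints (or, with APPLY=1, runs) the occ calls. The occ path /usr/local/www/nextcloud/occ and the www user are assumptions about the iocage jail layout. It goes a little beyond the two keys IronRobi changed by also setting overwriteprotocol and a trusted_domains entry for host:port; the index 1 used for that entry is an assumption, so check occ config:system:get trusted_domains first.

```shell
#!/bin/sh
# Added example; not from the thread and not danb35's script.
# OCC path and www user are assumptions about the iocage jail layout.

OCC="${OCC:-/usr/local/www/nextcloud/occ}"   # assumed path inside the jail
OCC_USER="${OCC_USER:-www}"                   # assumed php-fpm user

# Value for overwritehost (and trusted_domains): "host" on the default 443,
# otherwise "host:port". Refuses a hostname that already carries a port.
overwrite_host_for() {
    # Usage: overwrite_host_for <host> [port]
    host="$1"; port="${2:-443}"
    case "$host" in
        *:*) echo "error: pass the hostname without a port" >&2; return 1 ;;
    esac
    if [ "$port" = 443 ]; then
        printf '%s\n' "$host"
    else
        printf '%s:%s\n' "$host" "$port"
    fi
}

# The URL Nextcloud uses for generated links, e.g. https://host:8443/
overwrite_cli_url_for() {
    oh=$(overwrite_host_for "$1" "$2") || return 1
    printf 'https://%s/\n' "$oh"
}

# Dry-run prints the occ commands; APPLY=1 runs them inside the jail.
apply_port_settings() {
    # Usage: apply_port_settings <host> <port>
    host="$1"; port="$2"
    oh=$(overwrite_host_for "$host" "$port") || return 1
    url=$(overwrite_cli_url_for "$host" "$port")
    set -- \
        "config:system:set overwritehost --value=$oh" \
        "config:system:set overwriteprotocol --value=https" \
        "config:system:set overwrite.cli.url --value=$url" \
        "config:system:set trusted_domains 1 --value=$oh"   # index 1 assumed free
    for cmd in "$@"; do
        if [ "${APPLY:-0}" = 1 ]; then
            su -m "$OCC_USER" -c "php $OCC $cmd"
        else
            echo "would run: su -m $OCC_USER -c 'php $OCC $cmd'"
        fi
    done
}

# Placeholder hostname and the port used in the thread.
apply_port_settings "${1:-sub.example.test}" "${2:-8443}"
```

The dry run is the review step: read the four commands, then re-run with APPLY=1 from inside the jail. Keeping HOST_NAME in nextcloud-config free of the port, as danb35 noted, and adding the port only in these overwrite settings keeps Caddy's certificate name and Nextcloud's URL generation consistent.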
 

NasKar (Guru) | Joined Jan 8, 2016 | Messages: 739
> After upgrading through the GUI I get PHP errors, and external storages (Nextcloud plugin) are not accessible.
Are you using the plugin or iocage jail?
> I do have a nextcloud-config file; can I reuse it with the new script?
You need to point to the locations of your data. If they are at the default locations (pool/nextcloud/files etc.), then comment out those lines.
> Do I need to create a themes dataset?
Yes

From the README:
Although not required, it's recommended to create 1 dataset with 4 sub-datasets on your main storage pool:

  • 1 dataset named nextcloud, under which you create 4 other datasets:
  • one named files, which will store the Nextcloud user data.
  • one named config, which will store the Nextcloud configuration.
  • one named themes, which will store the Nextcloud themes.
  • one called db, which will store the SQL database. For optimal performance, set the record size of the db dataset to 16 KB (under Advanced Settings in the FreeNAS web GUI). It's also recommended to cache only metadata on the db dataset; you can do this by running zfs set primarycache=metadata poolname/db.
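To make the README's recommendation concrete, here is an added shell example (not the thread's own code and not danb35's script) that plans and optionally creates that layout. The pool name tank and the parent name nextcloud are placeholders; the two db tuning properties are passed as -o options at creation time, which is equivalent to setting the record size in the GUI and running zfs set primarycache=metadata afterwards as the README describes. The plan function is pure text, so it can be reviewed before anything touches the pool.

```shell
#!/bin/sh
# Added example; not from the thread and not danb35's script.
# POOL and PARENT are placeholders; run with APPLY=1 to execute the plan.

# Print the zfs commands that build <pool>/<parent> with the four children.
plan_nextcloud_datasets() {
    # Usage: plan_nextcloud_datasets <pool> [parent]
    pool="$1"; parent="${2:-nextcloud}"
    base="$pool/$parent"
    echo "zfs create $base"
    for child in files config themes; do
        echo "zfs create $base/$child"
    done
    # 16K records match the database page size; metadata-only ARC caching
    # leaves the data caching to the database engine (per the README).
    echo "zfs create -o recordsize=16K -o primarycache=metadata $base/db"
}

# Run the plan, skipping datasets that already exist (zfs list -H exits
# non-zero when the dataset is absent), so re-running is safe.
create_nextcloud_datasets() {
    plan_nextcloud_datasets "$@" | while IFS= read -r cmd; do
        ds=${cmd##* }      # the dataset name is the last word of the command
        if zfs list -H -o name "$ds" >/dev/null 2>&1; then
            echo "exists, skipping: $ds"
        else
            echo "+ $cmd"
            $cmd
        fi
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    create_nextcloud_datasets "${POOL:-tank}" "${PARENT:-nextcloud}"
else
    plan_nextcloud_datasets "${POOL:-tank}" "${PARENT:-nextcloud}"
fi
```

The resulting paths ($POOL_PATH/nextcloud/files, /config, /themes, /db) are what FILES_PATH, CONFIG_PATH, THEMES_PATH and DB_PATH in nextcloud-config should point at; if you keep the defaults, those lines can stay commented out as NasKar says.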
 

danb35 (Hall of Famer) | Joined Aug 16, 2011 | Messages: 15,504
> Now when I accept the cert error it brings up the login screen! :grin:
Excellent. But really, it sounds like you're in bad need of a reverse proxy. I have a resource for that, too--though I'd recommend you wait a bit for the Caddy v2 version to be published.
 

listhor (Contributor) | Joined Mar 2, 2020 | Messages: 133
> Are you using the plugin or iocage jail?
I use a jail with Nextcloud 18 installed by the script...
>   • 1 dataset named nextcloud, under which you create 4 other datasets:
>   • one named files, which will store the Nextcloud user data.
>   • one named config, which will store the Nextcloud configuration.
>   • one named themes, which will store the Nextcloud themes.
>   • one called db, which will store the SQL database. For optimal performance, set the record size of the db dataset to 16 KB (under Advanced Settings in the FreeNAS web GUI). It's also recommended to cache only metadata on the db dataset; you can do this by running zfs set primarycache=metadata poolname/db.
I think the best is to make a fresh installation, but I need to figure out how to move data between the old and new users' profiles. I guess create/install a new Nextcloud instance under a new IP and copy over the data. Did anybody test the following procedure: https://docs.nextcloud.com/server/stable/admin_manual/maintenance/migrating.html
 

listhor (Contributor) | Joined Mar 2, 2020 | Messages: 133
So, I've created these 4 recommended datasets inside the nextcloud dataset. I used zfs send | zfs recv to copy the content of the "old" Nextcloud (somehow successfully upgraded to ver. 19) files and db datasets.
nextcloud-config:
Code:
JAIL_IP="172.16.1.3"
DEFAULT_GW_IP="172.16.1.1"
POOL_PATH="/mnt/wszystko"
TIME_ZONE="Europe/Warsaw"
SELFSIGNED_CERT=1
HOST_NAME="next.dom.net"
JAIL_NAME="nextcloud2"
JAIL_INTERFACES="vnet0:bridge11"

And the installation failed at:
Code:
OPSUCufBtqA%3D%3D": dial tcp 0.0.0.0:443: connect: connection refused
2020/08/04 15:17:14 [INFO] Cleaning up temporary folder: /tmp/buildenv_2020-08-04-1517.847311262
2020/08/04 15:17:14 [FATAL] exit status 1
Command: xcaddy build --output /usr/local/bin/caddy failed!
Failed to build Caddy without plugin, terminating.
Is something wrong with the vnet setup? In my case jails use the following setup (of course with different IPs, and interfaces set to vnet0:bridge11):
Attachment (screenshot): Zrzut ekranu 2020-08-4 o 15.38.45.png

Could this configuration affect Caddy's build (0.0.0.0:443: connect: connection refused)?
If I manually create and configure the nextcloud2 jail, the script throws an error:
Code:
Jail: nextcloud2 already exists!
Failed to create jail
Can I overwrite it / force it to use the existing jail? Or else, what kind of plugin is missing?
 