Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
But I still got nothing when I open it on chrome or Firefox..
...which almost certainly means Caddy isn't starting. The log in /var/log/caddy.log should tell you why.
 

deltavlokkies

Dabbler
Joined
Apr 18, 2016
Messages
15
...which almost certainly means Caddy isn't starting. The log in /var/log/caddy.log should tell you why.
Found the log, maybe you can help me further?

Got it working with "NO_CERT =1", https still refuses a connection.
 

Attachments

  • caddy.zip
    1.2 KB · Views: 208

deltavlokkies

Dabbler
Joined
Apr 18, 2016
Messages
15
The second caddy.log, is with "STANDALONE_CERT=1"
The log says something about an email failing to parse.

Edited the Caddyfile and did #email, so it would skip that.

Now I have these logs
 

Attachments

  • caddy (3).zip
    1.3 KB · Views: 213
Joined
Jan 4, 2014
Messages
1,644
@deltavlokkies The logs show that Caddy is doing all the right things. Like I suggested in my earlier post and your response confirms it, you need to meet the Let's Encrypt prerequisites in the README for this resource in order to enable TLS encryption. Running the script is straightforward; meeting those prerequisites is where all the hard work is. I recommend you work your way slowly through those prerequisites and raise questions in this discussion area as you come up against obstacles.

You might like to start by describing the path between the Nextcloud jail and your DNS hosting provider for cloud.vlokkiebox.nl e.g.
  1. Who is your hosting provider and have you configured the external DNS?
  2. Are you a home user? Does your ISP provide you with a static or dynamic IP address?
  3. Is your router capable of handling split-horizon DNS? Have you configured the internal DNS?
  4. Is your edge router subject to double-NAT? e.g. if your ISP supplies you with Carrier-Grade NAT, there is a possibility that you will not be able to get TLS encryption working unless you acquire (most likely at an additional, recurring cost) a static IP address from them.
  5. At what point in the prerequisites are you currently stuck? etc
 
Joined
Jan 4, 2014
Messages
1,644
Hello community,
I have a problem with the renewal of my "Let’s Encrypt certificate".
The caddy.log and Caddyfile files are attached to this post.
Any help? Any other information I need to provide ?
Caddy v1.0.4
Although it hasn't been that long ago, my memory dims around Caddy v1. @danb35 Interesting use case here - how to support, or migrate away from, earlier versions of this resource that used Caddy v1?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Please don't use attachments unless it's absolutely necessary. The Caddy log is generally pretty small; just paste it into your post in code tags.

But the errors I'm seeing (specifically "no certificate available for '192.168.178.4'") make it sound like you're trying to use this behind a reverse proxy. Is that correct?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
@danb35 Interesting use case here - how to support, or migrate away from, earlier versions of this resource that used Caddy v1?
I'm not sure it would be possible in this case. There appears to be a problem with DNS validation using DuckDNS, but it isn't logging an error that makes sense if it was able to obtain the cert in the first place.

The DuckDNS module isn't available natively in Caddy2, but it's available through lego-deprecated. But (1) that's the same code used in Caddy1, and (2) it requires environment variables to configure, which we aren't able to set using the Caddy2 rc file.
 

tebra

Dabbler
Joined
Feb 29, 2020
Messages
21
Thanks for your help.
I don't have a reverse proxy. I just forward port 443 from my modem to my nextcloud jail ip.
My original installation of this great script was for nextcloud 18. Since then I changed my ISP provider and my modem/router box.
I dug a bit more into my issue.
If I understand the caddy.log, the issue is that acme.dnsChallenge isn't resolved. And so ACME doesn't create the TXT record as expected and letsencrypt certs aren't issued appropriately.
Code:
acme: Checking DNS record propagation using [192.168.1.1:53]

Do I have to choose another DNS? Not pointing to my modem box (192.168.1.1)? Or maybe forward port 53?

But maybe I'm totally wrong.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I don't have a reverse proxy.
Sorry, that question wasn't for you but for @deltavlokkies.

If I understand the caddy.log, the issue is that acme.dnsChallenge isn't resolved. And so ACME doesn't create the TXT record as expected and letsencrypt certs aren't issued appropriately.
Yes, that seems to be what's happening.
Do I have to choose another DNS?
You shouldn't, but it might not hurt. You'd edit /etc/resolv.conf in the jail to specify the IP of a different DNS host, like 1.1.1.1 or 8.8.8.8.
 

tebra

Dabbler
Joined
Feb 29, 2020
Messages
21
OK, Caddy works now and my certs are renewed.
Just added 1.1.1.1 as secondary DNS.
Thanks for your advice.
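
Added example, not part of any post in this thread: a small sh script that reads the resolver out of the "Checking DNS record propagation using [...]" log line quoted above and checks whether a resolv.conf-style file lists any resolver other than a LAN address. The function names are made up for this example, the sample files are constructed, and treating the bracketed list as space-separated IPv4 `ip:port` entries is an assumption; in the jail the real inputs would be /var/log/caddy.log and /etc/resolv.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Handles IPv4 resolvers only.

# Resolver IPs from "Checking DNS record propagation using [ip:port ...]" lines.
propagation_resolvers() {
    sed -n 's/.*Checking DNS record propagation using \[\([^]]*\)\].*/\1/p' "$1" |
        tr ' ' '\n' | sed '/^$/d; s/:[0-9]*$//' | sort -u
}

# True for RFC 1918 and loopback addresses (e.g. a home router's DNS forwarder).
is_private_ip() {
    case "$1" in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Label every resolver seen in the log as "private <ip>" or "public <ip>".
classify_resolvers() {
    propagation_resolvers "$1" | while read -r ip; do
        if is_private_ip "$ip"; then echo "private $ip"; else echo "public $ip"; fi
    done
}

# Succeeds if the resolv.conf-style file lists at least one non-private nameserver.
has_public_nameserver() {
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$1"); do
        is_private_ip "$ns" || return 0
    done
    return 1
}

# Constructed sample input: the log line quoted in the thread, and a
# resolv.conf after 1.1.1.1 was added as a secondary resolver.
demo=$(mktemp -d)
echo 'acme: Checking DNS record propagation using [192.168.1.1:53]' > "$demo/caddy.log"
printf 'nameserver 192.168.1.1\nnameserver 1.1.1.1\n' > "$demo/resolv.conf"

classify_resolvers "$demo/caddy.log"
if has_public_nameserver "$demo/resolv.conf"; then
    echo "resolv.conf lists a public resolver"
else
    echo "resolv.conf lists only private resolvers"
fi
rm -rf "$demo"
```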
 

listhor

Contributor
Joined
Mar 2, 2020
Messages
133
It seems like Nextcloud doesn't like me or likes to drive me crazy...
Tonight I'd toggled on/off the security option to force using 2FA, and since then everything has turned upside down.
Nextcloud webgui has become inaccessible, throwing errors on login page like:
/core/js/dist/main.js?v=4e183f84-5 net::ERR_HTTP2_PROTOCOL_ERROR 200
Uncaught ReferenceError: OC is not defined
at merged-template-prepend.js?v=4e183f84-5:26
previewplugin.js?v=4e183f84-5:144 Uncaught ReferenceError: OCA is not defined
at previewplugin.js?v=4e183f84-5:144
That's what I did (read on Nextcloud forum to remove apps cache, but there's none):
Code:
root@nextcloud:/usr/local/www/nextcloud # rm -r /usr/local/www/nextcloud/data/appdata_*/css/* /usr/local/www/nextcloud/data/appdata_*/js/*
rm: No match.
root@nextcloud:/usr/local/www/nextcloud # su -m www -c 'php /usr/local/www/nextcloud/occ files:scan-app-data'
Scanning AppData for files

+---------+-------+--------------+
| Folders | Files | Elapsed time |
+---------+-------+--------------+
| 3674    | 1353  | 00:00:09     |
+---------+-------+--------------+
root@nextcloud:/usr/local/www/nextcloud # su -m www -c 'php /usr/local/www/nextcloud/occ app:list'
Enabled:
  - accessibility: 1.5.0
  - activity: 2.12.0
  - admin_audit: 1.9.0
  - announcementcenter: 3.8.1
  - bruteforcesettings: 2.0.1
  - cloud_federation_api: 1.2.0
  - comments: 1.9.0
  - contactsinteraction: 1.0.0
  - dav: 1.15.0
  - deck: 1.0.5
  - external: 3.6.0
  - federatedfilesharing: 1.9.0
  - federation: 1.9.0
  - files: 1.14.0
  - files_accesscontrol: 1.9.1
  - files_automatedtagging: 1.9.0
  - files_external: 1.10.0
  - files_pdfviewer: 1.8.0
  - files_rightclick: 0.16.0
  - files_sharing: 1.11.0
  - files_trashbin: 1.9.0
  - files_versions: 1.12.0
  - files_videoplayer: 1.8.0
  - firstrunwizard: 2.8.0
  - groupfolders: 7.0.0
  - logreader: 2.4.0
  - lookup_server_connector: 1.7.0
  - mail: 1.4.1
  - maps: 0.1.6
  - music: 0.16.0
  - nextcloud_announcements: 1.8.0
  - notifications: 2.7.0
  - oauth2: 1.7.0
  - onlyoffice: 5.0.0
  - password_policy: 1.9.1
  - photos: 1.1.0
  - privacy: 1.3.0
  - provisioning_api: 1.9.0
  - recommendations: 0.7.0
  - serverinfo: 1.9.0
  - settings: 1.1.0
  - sharebymail: 1.9.0
  - spreed: 9.0.3
  - support: 1.2.1
  - survey_client: 1.7.0
  - systemtags: 1.9.0
  - text: 3.0.1
  - theming: 1.10.0
  - twofactor_backupcodes: 1.8.0
  - twofactor_totp: 5.0.0
  - updatenotification: 1.9.0
  - viewer: 1.3.0
  - workflowengine: 2.1.0
Disabled:
  - audioplayer
  - encryption
  - user_ldap
root@nextcloud:/usr/local/www/nextcloud # su -m www -c 'php /usr/local/www/nextcloud/occ app:disable twofactor_totp'
twofactor_totp disabled
root@nextcloud:/usr/local/www/nextcloud # su -m www -c 'php /usr/local/www/nextcloud/occ files:scan-app-data'
Scanning AppData for files

+---------+-------+--------------+
| Folders | Files | Elapsed time |
+---------+-------+--------------+
| 3674    | 1353  | 00:00:04     |
+---------+-------+--------------+
root@nextcloud:/usr/local/www/nextcloud # su -m www -c 'php /usr/local/www/nextcloud/occ app:disable oauth2'
oauth2 can't be disabled.
root@nextcloud:/usr/local/www/nextcloud # su -m www -c 'php /usr/local/www/nextcloud/occ app:disable password_policy'
password_policy disabled
root@nextcloud:/usr/local/www/nextcloud # su -m www -c 'php /usr/local/www/nextcloud/occ files:scan-app-data'
Scanning AppData for files

+---------+-------+--------------+
| Folders | Files | Elapsed time |
+---------+-------+--------------+
| 3674    | 1353  | 00:00:04     |
+---------+-------+--------------+
root@nextcloud:/usr/local/www/nextcloud # 

And of course nothing helps. It's a fresh install of Nextcloud, any ideas?

EDIT:
Can I delete nextcloud jail and reinstall it over existing datasets? Will it help?
EDIT 2:
The most simple solution worked - restarting nextcloud's jail... But still I can't find real root cause of it; maybe it was a messed up cache
 

listhor

Contributor
Joined
Mar 2, 2020
Messages
133
General question - I would like to make sure for myself about the correct way of carrying out updates. I know I've been asking about that here but there was no straight answer or I'd missed it. But simply I don't want to do a clean reinstall of Nextcloud and migrate data once again :confused:
Long story short: the best way to update Nextcloud is to delete its jail and reinstall it over existing data in datasets (files, db, config & themes)? The script would download the latest Nextcloud and dependencies, in contrast to the built-in Nextcloud upgrade tool, which would have updated only itself?
Am I right, more or less?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
In general, between the Nextcloud updater and the occasional pkg upgrade, you should be fine. Where that won't help you is when there's a major transition, like from Apache to Caddy a couple of years back, or from Caddy1 to Caddy2 recently. It also won't upgrade Caddy, since that's built from source.

"Destroy jail, update script, reinstall jail over existing data" will give the most comprehensive update, but it's probably a bit extreme for regular use.
 

listhor

Contributor
Joined
Mar 2, 2020
Messages
133
"Destroy jail, update script, reinstall jail over existing data" will give the most comprehensive update, but it's probably a bit extreme for regular use.
Thanks for all @danb35
Thus, in regular circumstances I can use nextcloud updater and pkg until v. 20 is released unless there are major changes in your script - then destroy jail and so on. Now it's all clear!
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I can use nextcloud updater and pkg until v. 20 is released
...or even after--you can upgrade to the next major version with the updater as well. Though it usually won't be available until after the .0.1 release.
 

tebra

Dabbler
Joined
Feb 29, 2020
Messages
21
I want to rebuild a jail with this script to upgrade my NC 18 to NC 19.
If I understand well, it is not possible to use DNS_CERT=1 because caddy v2 doesn't have a plugin for duckdns.
The alternative is to use STANDALONE_CERT=1 but in that case I have to open port 80 and 443.
Is it correct?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
If I understand well, it is not possible to use DNS_CERT=1 because caddy v2 doesn't have a plugin for duckdns.
Pretty much. You could use the lego_deprecated plugin to pull in the caddy v1 version of that plugin, but that requires the use of environment variables to configure, and I'm not aware of a way to make that work with the caddy v2 installation.
The alternative is to use STANDALONE_CERT=1 but in that case I have to open port 80 and 443.
...or the other alternative would be to just use a self-signed cert.
 

tebra

Dabbler
Joined
Feb 29, 2020
Messages
21
Do I have to build caddy v2 with lego-deprecated plug-in or is it already included ?