
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

That's strange; the $PATH variable should have been updated to address that. What happens if you instead run .acme.sh/acme.sh?
Code:
[root@nextcloud ~]# .acme.sh/acme.sh
https://github.com/Neilpang/acme.sh
v2.8.1
Usage: acme.sh  command ...[parameters]....
Commands:
  --help, -h               Show this help message.
  --version, -v            Show version info.
  --install                Install acme.sh to your system.
  --uninstall              Uninstall acme.sh, and uninstall the cron job.
  --upgrade                Upgrade acme.sh to the latest code from https://github.com/Neilpang/acme.sh.
  --issue                  Issue a cert.
  --signcsr                Issue a cert from an existing csr.
  --deploy                 Deploy the cert to your server.
  --install-cert           Install the issued cert to apache/nginx or any other server.
  --renew, -r              Renew a cert.
  --renew-all              Renew all the certs.
  --revoke                 Revoke a cert.
  --remove                 Remove the cert from list of certs known to acme.sh.
  --list                   List all the certs.
  --showcsr                Show the content of a csr.
  --install-cronjob        Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  --uninstall-cronjob      Uninstall the cron job. The 'uninstall' command can do this automatically.
  --cron                   Run cron job to renew all the certs.
  --toPkcs                 Export the certificate and key to a pfx file.
  --toPkcs8                Convert to pkcs8 format.
  --update-account         Update account info.
  --register-account       Register account key.
  --deactivate-account     Deactivate the account.
  --create-account-key     Create an account private key, professional use.
  --create-domain-key      Create an domain private key, professional use.
  --createCSR, -ccsr       Create CSR , professional use.
  --deactivate             Deactivate the domain authz, professional use.

Parameters:
  --domain, -d   domain.tld         Specifies a domain, used to issue, renew or revoke etc.
  --challenge-alias domain.tld      The challenge domain alias for DNS alias mode: https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
  --domain-alias domain.tld         The domain alias for DNS alias mode: https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
  --force, -f                       Used to force to install or force to renew a cert immediately.
  --staging, --test                 Use staging server, just for test.
  --debug                           Output debug info.
  --output-insecure                 Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
  --webroot, -w  /path/to/webroot   Specifies the web root folder for web root mode.
  --standalone                      Use standalone mode.
  --alpn                            Use standalone alpn mode.
  --stateless                       Use stateless mode, see: https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
  --apache                          Use apache mode.
  --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file]   Use dns mode or dns api.
  --dnssleep  [120]                  The time in seconds to wait for all the txt records to take effect in dns api mode. Default 120 seconds.

  --keylength, -k [2048]            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
  --accountkeylength, -ak [2048]    Specifies the account key length.
  --log    [/path/to/logfile]       Specifies the log file. The default is: "/root/.acme.sh/acme.sh.log" if you don't give a file path here.
  --log-level 1|2                   Specifies the log level, default is 1.
  --syslog [0|3|6|7]                Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.

  These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:

  --cert-file                       After issue/renew, the cert will be copied to this path.
  --key-file                        After issue/renew, the key will be copied to this path.
  --ca-file                         After issue/renew, the intermediate cert will be copied to this path.
  --fullchain-file                  After issue/renew, the fullchain cert will be copied to this path.

  --reloadcmd "service nginx reload" After issue/renew, it's used to reload the server.

  --server SERVER                   ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory)
  --accountconf                     Specifies a customized account config file.
  --home                            Specifies the home dir for acme.sh.
  --cert-home                       Specifies the home dir to save all the certs, only valid for '--install' command.
  --config-home                     Specifies the home dir to save all the configurations.
  --useragent                       Specifies the user agent string. it will be saved for future use too.
  --accountemail                    Specifies the account email, only valid for the '--install' and '--update-account' command.
  --accountkey                      Specifies the account key path, only valid for the '--install' command.
  --days                            Specifies the days to renew the cert when using '--issue' command. The default value is 60 days.
  --httpport                        Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  --tlsport                         Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
  --local-address                   Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
  --listraw                         Only used for '--list' command, list the certs in raw format.
  --stopRenewOnError, -se           Only valid for '--renew-all' command. Stop if one cert has error in renewal.
  --insecure                        Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  --ca-bundle                       Specifies the path to the CA certificate bundle to verify api server's certificate.
  --ca-path                         Specifies directory containing CA certificates in PEM format, used by wget or curl.
  --nocron                          Only valid for '--install' command, which means: do not install the default cron job. In this case, the certs will not be renewed automatically.
  --no-color                        Do not output color text.
  --force-color                     Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
  --ecc                             Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--toPkcs' and '--createCSR'
  --csr                             Specifies the input csr.
  --pre-hook                        Command to be run before obtaining any certificates.
  --post-hook                       Command to be run after attempting to obtain/renew certificates. No matter the obtain/renew is success or failed.
  --renew-hook                      Command to be run once for each successfully renewed certificate.
  --deploy-hook                     The hook file to deploy cert
  --ocsp-must-staple, --ocsp        Generate ocsp must Staple extension.
  --always-force-new-domain-key     Generate new domain key when renewal. Otherwise, the domain key is not changed by default.
  --auto-upgrade   [0|1]            Valid for '--upgrade' command, indicating whether to upgrade automatically in future.
  --listen-v4                       Force standalone/tls server to listen at ipv4.
  --listen-v6                       Force standalone/tls server to listen at ipv6.
  --openssl-bin                     Specifies a custom openssl bin location.
  --use-wget                        Force to use wget, if you have both curl and wget installed.
  --yes-I-know-dns-manual-mode-enough-go-ahead-please  Force to use dns manual mode: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode
  --branch, -b                      Only valid for '--upgrade' command, specifies the branch name to upgrade to.


I got it resolved by adding .acme.sh/ in front of the command. Thanks for all the help!
 

snorp

Hi folks,

I was able to execute the script without an error message. I use the DNS service of Cloudflare and have changed the settings as it says in the tutorial. After the installation I got the passwords for the database and Nextcloud.

Unfortunately I could not reach the server via the browser. Since I had a similar problem before, I searched this thread for my old post.

The Apache server cannot be started; I always get the following error message:


Code:
service apache24 start                                     
Performing sanity check on apache24 configuration:
AH00526: Syntax error on line 27 of /usr/local/etc/apache24/Includes/cloud.thunderfire.net.conf:
SSLCertificateFile: file '/usr/local/etc/pki/tls/certs/fullchain.pem' does not exist or is empty
Starting apache24.
AH00526: Syntax error on line 27 of /usr/local/etc/apache24/Includes/cloud.thunderfire.net.conf:
SSLCertificateFile: file '/usr/local/etc/pki/tls/certs/fullchain.pem' does not exist or is empty
/usr/local/etc/rc.d/apache24: WARNING: failed to start apache24



At the end of the installation I got the following message:
Code:
You have obtained your Let´s Encrypt certificate using the staging server.
This certificate will not be trusted by your browser and will cause SSL errors when you connect.
Once you've verified that everything else is working correctly, you should issue a trusted certificate.
To do this, run:
iocage console nextcloud
The reissue your certificate using DNS validation.


The problem is, how can I test that everything works correctly without opening the browser to connect to the server?

What would be the next steps I have to take?

Thank you very much in advance!
 

danb35

SSLCertificateFile: file '/usr/local/etc/pki/tls/certs/fullchain.pem' does not exist or is empty
Here's your problem: the cert was not actually issued, or it at least wasn't placed in the appropriate place. In the jail itself, do you have a directory of /root/.acme.sh/cloud.thunderfire.net? If so, what are its contents?
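One way to answer the "how can I test that everything works without opening the browser" question above, and to confirm what danb35 describes (whether the certificate was actually issued and placed where Apache looks), is a pre-flight check over the files the thread's Apache config points at. The script below is an added example, not part of the thread or of the installation script. It assumes openssl is available in the jail, and the staging-CA issuer names it matches on ("Fake LE ...", "(STAGING) ...") are my assumption based on Let's Encrypt's staging environment; the default paths are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files Apache's SSLCertificateFile and
# SSLCertificateKeyFile point at, so a missing, mismatched or staging certificate
# is caught before "service apache24 start" and without a browser.

# check_nonempty FILE -> 0 if FILE exists and is non-empty (the AH00526 condition)
check_nonempty() {
    [ -s "$1" ]
}

# key_private_enough FILE -> 0 if group and others have no permission bits.
# Reads the mode column of `ls -ld`, which has the same layout on FreeBSD and Linux.
key_private_enough() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# is_staging_issuer ISSUER -> 0 if the issuer string names the Let's Encrypt
# staging CA (assumed names: "Fake LE Intermediate X1", "(STAGING) ...").
is_staging_issuer() {
    case "$1" in
        *STAGING*|*"Fake LE"*) return 0 ;;
        *) return 1 ;;
    esac
}

# keys_match CERT KEY -> 0 if the public key inside CERT equals the one derived
# from KEY (needs openssl).
keys_match() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# check_cert_files FULLCHAIN KEY -> 0 when Apache should start with a trusted
# certificate; prints one verdict line per check.
check_cert_files() {
    fullchain=$1; key=$2; rc=0
    for f in "$fullchain" "$key"; do
        if check_nonempty "$f"; then
            echo "ok   : $f exists and is non-empty"
        else
            echo "FAIL : $f missing or empty (was acme.sh --issue run for this FQDN?)"
            rc=1
        fi
    done
    [ $rc -eq 0 ] || return 1

    if key_private_enough "$key"; then
        echo "ok   : $key is not readable by group/others"
    else
        echo "WARN : $key is readable by group or others; consider chmod 600"
    fi

    if keys_match "$fullchain" "$key"; then
        echo "ok   : certificate and private key match"
    else
        echo "FAIL : certificate and private key do not match"
        rc=1
    fi

    issuer=$(openssl x509 -in "$fullchain" -noout -issuer 2>/dev/null)
    if is_staging_issuer "$issuer"; then
        echo "WARN : issued by the staging CA ($issuer); browsers will not trust it"
        rc=1
    else
        echo "ok   : $issuer"
    fi

    # Apache's own config test catches anything the checks above missed.
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest || rc=1
    fi
    return $rc
}

# Stand-alone use: sh check_cert.sh --run [fullchain.pem] [privkey.pem]
if [ "${1:-}" = "--run" ]; then
    check_cert_files "${2:-/usr/local/etc/pki/tls/certs/fullchain.pem}" \
                     "${3:-/usr/local/etc/pki/tls/private/privkey.pem}"
fi
```

A non-zero exit means Apache either cannot start at all (missing or mismatched files) or will start with a certificate the browser rejects (staging issuer), which is exactly the state the installer's closing message warns about.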
 

snorp

Okay, here is the problem: a YOURHOSTNAME folder and no cloud.thunderfire.net folder. But I don't understand that, because I set the settings in the configuration.

EDIT:
Code:
JAIL_IP="192.168.1.11"
DEFAULT_GW_IP="192.168.1.1"
INTERFACE="lagg0"
VNET="off"
POOL_PATH="/mnt/thunderfire"
JAIL_NAME="nextcloud"
TIME_ZONE="Europe/Berlin"
HOST_NAME="cloud.thunderfire.net"
DATABASE="mariadb"
STANDALONE_CERT=0
DNS_CERT=1
SELFSIGNED_CERT=0
NO_CERT=0
TEST_CERT="--test"
 

danb35

It looks like you haven't made the necessary edits to configs/acme_dns_issue.sh. You need to edit the acme.sh command to specify your FQDN. At this point, though, you should be able to issue the cert using the acme.sh command in that file (though, again, noting your FQDN rather than YOURHOSTNAME).
 

snorp

Yes, I have removed the comments and somehow not changed the domain -.- stupid

How can I do this again without running the whole installation?

Code:
export CF_Key="1234567890"
export CF_Email="name@mail.com"
/root/.acme.sh/acme.sh --issue --home "/root/.acme.sh" --dns dns_cf -d cloud.thunderfire.net --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key

?
 

danb35

Close. The last line should be:
Code:
/root/.acme.sh/acme.sh --issue --home "/root/.acme.sh" --dns dns_cf -d cloud.thunderfire.net --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload"
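The mistake earlier in this thread (the YOURHOSTNAME placeholder never replaced, so acme.sh issued for the wrong name) is cheap to catch before the command above runs. The guard script below is an added example, not part of the thread or of the installer's configs/acme_dns_issue.sh: it validates the FQDN and the two Cloudflare variables, then prints the exact acme.sh invocation from this thread for review instead of executing it. The hostname and email patterns are my assumptions, and "1234567890" is rejected only because it is the sample key value quoted above.

```shell
#!/bin/sh
# Added example: check the inputs the dns_cf issue command depends on before
# running it, so a placeholder hostname or empty credentials fail fast here
# rather than as an "invalid domain" error from the Cloudflare API.

# looks_like_fqdn NAME -> 0 if NAME has at least two labels of letters, digits
# or hyphens, a letters-only TLD, and is not the installer's placeholder.
looks_like_fqdn() {
    name=$1
    case "$name" in
        *YOURHOSTNAME*) return 1 ;;   # placeholder from the installer configs
        *.*) ;;
        *) return 1 ;;                # a bare host name is not an FQDN
    esac
    printf '%s\n' "$name" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# validate_issue_params FQDN CF_KEY CF_EMAIL -> 0 if all three look usable;
# prints one diagnostic per problem.
validate_issue_params() {
    fqdn=$1; cf_key=$2; cf_email=$3; rc=0
    if ! looks_like_fqdn "$fqdn"; then
        echo "FQDN '$fqdn' is not a valid hostname (still the YOURHOSTNAME placeholder?)"
        rc=1
    fi
    case "$cf_key" in
        ""|"1234567890"|*"*"*)        # empty, the thread's sample value, or a masked value
            echo "CF_Key is empty or still a placeholder"; rc=1 ;;
    esac
    case "$cf_email" in
        *@*.*) ;;
        *) echo "CF_Email '$cf_email' is not an email address"; rc=1 ;;
    esac
    return $rc
}

# build_issue_command FQDN -> prints the acme.sh invocation from this thread
# (same file paths and reload command) so it can be reviewed before running.
build_issue_command() {
    printf '%s\n' "/root/.acme.sh/acme.sh --issue --home \"/root/.acme.sh\" --dns dns_cf -d $1 --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd \"service apache24 reload\""
}

# Demo with constructed values (the key and addresses here are placeholders):
# sh issue_guard.sh --demo
if [ "${1:-}" = "--demo" ]; then
    validate_issue_params "YOURHOSTNAME" "" "name@mail.com" && echo "unexpected pass"
    validate_issue_params "cloud.example.net" "0123456789abcdef" "name@example.net" \
        && build_issue_command "cloud.example.net"
fi
```

The printed command never contains the key itself; acme.sh reads CF_Key and CF_Email from the environment. Since `export CF_Key=...` typed at an interactive prompt can end up in the shell's history, keeping those two lines in a file with mode 600 and sourcing it is the safer habit for a global API key, which grants access to the whole Cloudflare account.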
 

snorp

First of all thank you for your support!

Code:
[Sun Feb 17 21:24:00 CET 2019] invalid domain
[Sun Feb 17 21:24:00 CET 2019] Error add txt for domain:_acme-challenge.cloud.thunderfire.net
[Sun Feb 17 21:24:00 CET 2019] Please add '--debug' or '--log' to check more details.
[Sun Feb 17 21:24:00 CET 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Sun Feb 17 21:24:01 CET 2019] Removing DNS records.
[Sun Feb 17 21:24:02 CET 2019] invalid domain
[Sun Feb 17 21:24:02 CET 2019] Error removing txt for domain:_acme-challenge.cloud.thunderfire.net
 

danb35

...and you replaced the contents of CF_Key and CF_Email with your Cloudflare global API key and the associated email address? And those are for the Cloudflare account that manages thunderfire.net?
 

snorp

root@local:
I have customized the file acme_dns_issue.sh with the API code, the email address and the domain.

root@nextcloud
Code:
export CF_Key="********"
export CF_Email="****@gmail.com"
/root/.acme.sh/acme.sh --issue --home "/root/.acme.sh" --dns dns_cf -d cloud.thunderfire.net --fullchain-file /usr/local/etc/pki/tls/certs/fullchain.pem --key-file /usr/local/etc/pki/tls/private/privkey.pem --reloadcmd "service apache24 reload"


Edit:
And those are for the Cloudflare account that manages thunderfire.net?
Yeps
 

danb35

Very, very strange. Other than making sure there isn't a typo in your FQDN, the only thing I can think of is to add --debug to the acme.sh command and see what it tells you.
 

snorp

Hi,

maybe a problem with link aggregation?
Because if I enter my IP locally (for the jail) I get the web interface of FreeNAS.

PS I sent you the debug text by PN.
 

jsherm101

Hi,

maybe a problem with link aggregation?
Because if I enter my IP locally (for the jail) I get the web interface of FreeNAS.

PS I sent you the debug text by PN.

Possibly DNS related? What happens if you try to ping google.com from your jail? Can you resolve domain names?
 

snorp

Thanks for your reply,

host google.com
Code:
google.com has address 172.217.16.206
google.com has IPv6 address 2a00:1450:4001:81c::200e
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.


That seems to be working.

/root/.acme.sh/account.conf
The data is all correct, too.

EDIT:
Code:
[Tue Feb 19 19:23:51 CET 2019] invalid domain
[Tue Feb 19 19:23:51 CET 2019] Error removing txt for domain:_acme-challenge.cloud.thunderfire.net


EDIT2:
Since I had no idea what it could be, I had new data sent to me by Cloudflare, that is, a new API key. I set up the system anew.
Now the creation of the certificate worked.
 
I encountered something very strange. Upon installation of the script and when I typed in the IP address, it goes to the freenas login page instead of the nextcloud login.

I checked in the shell; iocage get ip4_addr nextcloud is pointing to the correct IP address.

Reinstalled script 2 times, restarted Jail many times, restarted freenas a few times.

In the /var/run directory, there is no httpd.pid, if that helps.


Any suggestions?
 

Benc

After today's freenas update something went wrong in nextcloud jail, I only get blank page. I already checked apache and mysql, both are started, but I can't login to mysql (tried -u nextcloud and -u root with different passwords without success). I am not sure what to try next.
 

Benc

I tried with occ and got:

An unhandled exception has been thrown:
Doctrine\DBAL\DBALException: Failed to connect to the database: An exception occured in driver: SQLSTATE[HY000] [1045] Access denied for user 'nextcloud'@'localhost' (using password: YES) in /usr/local/www/apache24/data/nextcloud/lib/private/DB/Connection.php:64

How to handle this?
 

jsherm101

I tried with occ and got:

An unhandled exception has been thrown:
Doctrine\DBAL\DBALException: Failed to connect to the database: An exception occured in driver: SQLSTATE[HY000] [1045] Access denied for user 'nextcloud'@'localhost' (using password: YES) in /usr/local/www/apache24/data/nextcloud/lib/private/DB/Connection.php:64

How to handle this?

What kind of error do you get when you try directly logging into mysql, rather than via nextcloud, with the password?
 