
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

Joined
Jan 27, 2020
Messages
577
I just want to give a little update on how my install went. After re-installing with STANDALONE_CERT instead of DNS_CERT and redirecting traffic to the DDNS address of my FritzBox, Nextcloud came to life. I had to add the IP and domain to the hosts file of my local DNS server (Pi-hole). Works really well so far. Thanks to @danb35 for his incredible work and all the others for helping me out.

Are there any post-install steps to take care of? Is the self-signed certificate sufficient for a while? Are there any security flaws I should care for?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Is the self-signed certificate sufficient for a while?
As long as you're OK with the certificate errors in your browser, it won't hurt anything.
Are there any security flaws I should care for?
I certainly hope not, but if there are, they wouldn't be specific to the self-signed cert.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
These lines look a bit strange to me. This is what I have in my config file.
Thanks Basil, I made the adjustments to the config and tried it, as well as commenting out the DB_PATH, FILES_PATH and PORTS_PATH lines, without any change. I'm still getting the same fstab errors.
 
Joined
Jan 27, 2020
Messages
577
As long as you're OK with the certificate errors in your browser, it won't hurt anything.
The thing is, I don't get those. I have a valid SSL connection with a Let's Encrypt cert valid until June 2020.
Am I confusing self-cert and STANDALONE_CERT? Because that's what I chose in my config.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Am I confusing self-cert and STANDALONE_CERT?
I think so. STANDALONE_CERT still gets a cert from Let's Encrypt, but it requires that ports 80 and 443 be forwarded to your Nextcloud Jail. DNS_CERT also gets the cert from Let's Encrypt, but uses DNS validation to do so. DNS validation is a little trickier, but it can be accomplished without your jail being accessible from the Internet.
 
Joined
Jan 27, 2020
Messages
577
DNS validation is a little trickier, but it can be accomplished without your jail being accessible from the Internet.
Is it possible to switch to DNS validation without rerunning the script? If so, how?
 

rio236

Dabbler
Joined
Aug 19, 2016
Messages
38
@rio236 Please show us your config file (see post #1201 above for an example).

This was my Nextcloud config:
Code:
JAIL_IP="192.168.1.199"
DEFAULT_GW_IP="192.168.1.1"
POOL_PATH="/mnt/tank"
TIME_ZONE="America/New_York"
HOST_NAME="YOUR_FQDN"
STANDALONE_CERT=1
CERT_EMAIL="me@example.com"


Replaced with the following:
Code:
JAIL_IP="192.168.1.50"
DEFAULT_GW_IP="192.168.1.1"
POOL_PATH="/mnt/tank1/apps/nextcloud"
TIME_ZONE="America/New_York"
HOST_NAME="nextcloud.domain.com"
DNS_CERT=1
CERT_EMAIL="******@gmail.com"
DNS_PLUGIN="cloudflare"
DNS_ENV="CLOUDFLARE_EMAIL=******@gmail.com CLOUDFLARE_API_KEY=*****************"
JAIL_NAME="nextcloud"
DB=db
FILES=files
PORTS=portsnap
DATABASE="mariadb"
INTERFACE="vnet0"
VNET="on"
DB_PATH="/mnt/tank1/apps/nextcloud/db"
FILES_PATH="/mnt/tank1/apps/nextcloud/files"
PORTS_PATH="/mnt/tank1/apps/nextcloud/portsnap"


I was able to browse the site, with a certificate issue.
And had the following additional issue:

Code:
[root@fn ~]# chmod 775 root/remove-staging.sh
[root@fn ~]# iocage exec nextcloud /root/remove-staging.sh
Stopping caddy.
Waiting for PIDS: 8797.
Starting caddy.
/usr/local/etc/rc.d/caddy: WARNING: failed to start caddy
Command: /bin/sh -c /root/remove-staging.sh failed!

root@nextcloud:~ # service caddy status
caddy is not running.
root@nextcloud:~ # service caddy start
Starting caddy.
root@nextcloud:~ # service caddy status
caddy is running as pid 29621.

And was able to browse the site again, this time without the certificate issue!

Thanks for your help.
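Both STANDALONE_CERT and DNS_CERT end in a browser-trusted Let's Encrypt certificate (danb35's answer above), and rio236's detour through the staging CA ends in one too once remove-staging.sh has run. The quickest way to tell which of the three situations a jail is actually in (self-signed, Let's Encrypt staging, Let's Encrypt production) is to look at the issuer of the certificate the jail serves. The script below is an added example and not part of danb35's script package. The issuer names it matches are Let's Encrypt's own (production intermediates carry O=Let's Encrypt; staging intermediates are named "Fake LE ..." in 2020 or "(STAGING) ..." later); the subject-equals-issuer test for "self-signed" is a heuristic that a root CA certificate would also satisfy, which is fine for a Nextcloud jail but not a general-purpose check.

```shell
#!/bin/sh
# Added example (not part of danb35's script): classify the certificate a host
# presents as self-signed, Let's Encrypt staging, Let's Encrypt production, or
# other. STANDALONE_CERT and DNS_CERT both end in a production cert; only the way
# the ACME challenge is answered (HTTP-01 on ports 80/443 vs DNS-01) differs.

# classify_cert <subject> <issuer>
# Prints one of: self-signed, letsencrypt-staging, letsencrypt, other
classify_cert() {
    subject=$1 issuer=$2
    if [ "$subject" = "$issuer" ]; then
        # Heuristic: a cert that issued itself. A root CA also matches this.
        echo self-signed
    elif printf '%s' "$issuer" | grep -qiE 'Fake LE|\(STAGING\)'; then
        # Staging intermediates: "Fake LE Intermediate X1" (2020) or
        # "(STAGING) ..." (newer). Browsers do not trust them, which is the
        # certificate warning remove-staging.sh exists to get rid of.
        echo letsencrypt-staging
    elif printf '%s' "$issuer" | grep -qE "Let's Encrypt"; then
        # Production chain, e.g. "C=US,O=Let's Encrypt,CN=R3"
        echo letsencrypt
    else
        echo other
    fi
}

# check_host <host> [port]
# Fetches the live certificate with openssl (SNI is sent so a name-based vhost
# answers with the right cert) and prints "<host>: <classification>".
# Needs network access to the jail; everything else in this file runs offline.
check_host() {
    host=$1 port=${2:-443}
    fields=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
             | openssl x509 -noout -subject -issuer -nameopt RFC2253 \
             | sed 's/^subject=//; s/^issuer=//')
    subject=$(printf '%s\n' "$fields" | sed -n 1p)
    issuer=$(printf '%s\n' "$fields" | sed -n 2p)
    printf '%s: %s\n' "$host" "$(classify_cert "$subject" "$issuer")"
}

# Usage (hostname is a placeholder):
#   check_host nextcloud.domain.com
# A result of "letsencrypt-staging" after running the script means
# remove-staging.sh did not complete; a result of "self-signed" means the
# SELFSIGNED_CERT path was taken, not STANDALONE_CERT or DNS_CERT.
```

Run check_host from a machine that resolves the FQDN the same way your browser does; with a local resolver override (Pi-hole, pfSense host override) the jail's IP answers directly, which is exactly the path you want to verify.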
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Is it possible to switch to DNS validation without rerunning the script?
Sure. You'd need to download a new copy of Caddy with the appropriate DNS plugin installed, edit the Caddyfile to call for DNS validation using the appropriate plugin (one of the Caddyfiles in the script package will give you the template), and add the appropriate DNS credentials to the rc.conf file (either by editing that file directly or by using the sysrc command).
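The Caddyfile edit in the answer above, done as a repeatable text transform rather than by hand, as an added example that is not from the script package. Assumptions, to be checked against the Caddyfile templates shipped with the script before using it: the standalone template carries a line `tls <email>` inside the site block (HTTP-01 validation), the DNS template expresses DNS-01 validation as a Caddy v1 `tls <email> { dns <plugin> }` block, the live Caddyfile lives at /usr/local/www/Caddyfile inside the jail, and the rc script reads the plugin's credentials from a `caddy_env` variable in rc.conf (which is what the script's own DNS_ENV setting feeds).

```shell
#!/bin/sh
# Added example (not part of the script package): switch a Caddy v1 Caddyfile
# from HTTP-01 (STANDALONE_CERT) to DNS-01 (DNS_CERT) validation.
# Assumed: the standalone site block contains exactly "tls <email>", and the
# DNS plugin name is one Caddy was built with (e.g. cloudflare).

# rewrite_tls_to_dns <caddyfile> <email> <plugin>
# Prints the Caddyfile with the "tls <email>" line expanded into a DNS block.
# Only a line whose fields are exactly "tls" and the given email is touched, so
# a tls block that already uses a DNS plugin, or a tls line pointing at cert and
# key files, is left alone.
rewrite_tls_to_dns() {
    caddyfile=$1 email=$2 plugin=$3
    awk -v email="$email" -v plugin="$plugin" '
        $1 == "tls" && $2 == email && NF == 2 {
            # preserve the indentation of the original tls line
            indent = substr($0, 1, index($0, "tls") - 1)
            print indent "tls " email " {"
            print indent "    dns " plugin
            print indent "}"
            next
        }
        { print }
    ' "$caddyfile"
}

# Usage inside the jail (paths and the caddy_env variable name are assumptions;
# confirm with: grep caddy_env /usr/local/etc/rc.d/caddy):
#   cp /usr/local/www/Caddyfile /usr/local/www/Caddyfile.bak
#   rewrite_tls_to_dns /usr/local/www/Caddyfile.bak me@example.com cloudflare \
#       > /usr/local/www/Caddyfile
#   sysrc caddy_env="CLOUDFLARE_EMAIL=me@example.com CLOUDFLARE_API_KEY=..."
#   service caddy restart
# The Caddy binary itself must have been downloaded with the matching DNS
# plugin compiled in, or the dns directive will fail to parse at startup.
```

Two things to check after the switch: `service caddy status` (as rio236 found, a Caddyfile Caddy cannot parse leaves it stopped rather than serving the old cert), and the permissions on the rc.conf you put the credentials in. The CLOUDFLARE_EMAIL/CLOUDFLARE_API_KEY pair the v1 cloudflare plugin uses is the account-wide Global API Key, not a zone-scoped token, so anything that can read rc.conf inside the jail can change every DNS record on the account.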
 
Joined
Jan 4, 2014
Messages
1,644
Can I modify the network settings after installing Nextcloud with this script?
You should be able to. Edit the jail settings after stopping the Nextcloud jail. I suggest you make a note of the current network settings before attempting to tweak them.
 
Joined
Jan 4, 2014
Messages
1,644
Sure. You'd need to download a new copy of Caddy with the appropriate DNS plugin installed, edit the Caddyfile to call for DNS validation using the appropriate plugin (one of the Caddyfiles in the script package will give you the template), and add the appropriate DNS credentials to the rc.conf file (either by editing that file directly or by using the sysrc command).
@mistermanko I can vouch for this. It works very well. For further details, refer to the resource Reverse Proxy using Caddy (with optional automatic TLS)
 
Joined
Jan 4, 2014
Messages
1,644
@rio236 It's good to hear your issue is resolved. A tip for future postings: When providing code or machine output, place them between code tags to enhance the readability of the post e.g.

This was my Nextcloud config:
Code:
JAIL_IP="192.168.1.199"
DEFAULT_GW_IP="192.168.1.1"
POOL_PATH="/mnt/tank"
TIME_ZONE="America/New_York"
HOST_NAME="YOUR_FQDN"
STANDALONE_CERT=1
CERT_EMAIL="me@example.com"

Replaced with the following:

Code:
JAIL_IP="192.168.1.50"
DEFAULT_GW_IP="192.168.1.1"
POOL_PATH="/mnt/tank1/apps/nextcloud"
TIME_ZONE="America/New_York"
HOST_NAME="nextcloud.domain.com"
DNS_CERT=1
CERT_EMAIL="******@gmail.com"
DNS_PLUGIN="cloudflare"
DNS_ENV="CLOUDFLARE_EMAIL=******@gmail.com CLOUDFLARE_API_KEY=*****************"

etc.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Basil thanks for your help. Will give it a try editing the resolver in my pfsense router.

I fixed the fstab error by adding a line to specify CONFIG_PATH in my config file. I believe there is an error in the code on line 125 that prevents the CONFIG_PATH from being correct by default unless it is specified in the config file.
Current
Code:
FILES_PATH="${POOL_PATH}"/nextcloud/config

Should be
Code:
CONFIG_PATH="${POOL_PATH}"/nextcloud/config
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
I had a similar issue (see earlier post #1129). Ignoring the fstab error for the moment, if you haven't already done so, you will need an entry in your local DNS resolver to resolve the FQDN to the Nextcloud jail IP.
I believe I've done that (see my screenshots below), but I still get "this site cannot be reached" from my local computer, and cellular now says "site cannot be reached" too.

[screenshots: OpenVPN-17.jpg, OpenVPN-18.jpg]
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
Maybe you want "ml" in pfsense Parent Domain and not "nl"?
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Maybe you want "ml" in pfsense Parent Domain and not "nl"?
Thanks, I missed the typo. I've tried to ping the domain.ml on my cell phone and it fails. That makes me think the problem is with my Freenom and Cloudflare setup. I've replaced my Freenom DNS servers with the ones that Cloudflare supply. The Freenom site says my domain is active. Any tips on how to check if Cloudflare is working?
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
I recently moved my DNS name servers from GoDaddy to Cloudflare, assuming GoDaddy was the reason for my issues with this script. It isn't the reason. Cloudflare is pretty simple. "A" records: you should have one pointing to your external IP address using the FQDN. Then for each subdomain another A record. It is not the full name, just the hostname. So if you have nextcloud.mydomain.com, that is two A records: nextcloud, and mydomain.com. I have tried every variation of this script and the only one that allows me to access the web GUI is no cert. And that one only works for about a minute, then disconnects. The jail will still be up, but the GUI says lost connection. I personally would love a script that leaves all the extras off and just does an install on an internal IP and leaves the TLS alone. I am not sure if the script can be edited to do that. But basically that is where I am at after days of experimenting with this. Having to put the forwarding back to the jail and turning off HAProxy each time, trying a new variation that ends with the same results: non-accessible installations.

That Cloudflare setting that doesn't work on this script produced a wildcard cert through the pfSense ACME package. It is in use with HAProxy for TLS termination. It works fantastic. Now if I could just get a vanilla Nextcloud I would be ecstatic. I don't think Caddy plays nice with my setup.
 

gdog0

Dabbler
Joined
Mar 2, 2020
Messages
17
Now if I could just get a vanilla Nextcloud I would be ecstatic. I don't think Caddy plays nice with my setup.
I just used this guide, up to the SSL part: https://www.samueldowling.com/2018/...n-freenas-iocage-jail-with-hardened-security/. I used ACME and HAProxy on my pfSense to handle the wildcard cert and redirects. In Cloudflare, I have one A record and the subdomains are CNAMEs.
 