
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

InGenetic

Contributor
Joined
Dec 18, 2013
Messages
183
Hi, Mr. Danb35 and friends..

I need your help. I never succeed in uploading a file with a size starting from 8-9 MB into a level 3 folder. For example, with this folder structure:
1. /Home
2. /Home/Office
3. /Home/Office/Softwares

The situation is:

1. I can upload file A (9 MB) in /Home
2. I can upload the same file (A) 9 MB in folder Office (/home/office)
3. But I cannot upload the same file A (9 MB) in folder Softwares (/home/office/softwares)
The error is like below:

can't upload1.PNG


The error log is:

{"reqId":"eFy4udKAMHudIVNGUzpo","level":3,"time":"2020-07-12T13:30:41+07:00","remoteAddr":"115.85.xxx.xxx","user":"aaaaa","app":"PHP","method":"GET","url":"/settings/admin/serverinfo","message":"A non-numeric value encountered at /usr/local/www/nextcloud/apps/serverinfo/lib/OperatingSystems/DefaultOs.php#52","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36","version":"18.0.4.2","id":"5f0aaf92d6096"}

Please advise.


Thanks and regards,
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> How would one know if they have the latest updated certs?
If you're not seeing a certificate error when you browse to your installation, you should be good to go.
 

Dellyjoe

Explorer
Joined
Jun 12, 2020
Messages
80
> If you're not seeing a certificate error when you browse to your installation, you should be good to go.

Ya, looks like everything is good to go again. I can't thank you enough; you were the reason I got this working.


Dellyjoe
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Could someone hand-hold me through the DNS/Cloudflare/FQDN/Caddy registration and setup process, please? I find this part of the process extremely confusing (and I like to think I'm slightly smarter than a rock). I'd like to go the 'free' route with the domain name and DNS forwarding. I've been using No-IP for years but would be happy to switch to DuckDNS since that seems to be the popular way to go. In a nutshell - I simply get these services confused and what they do and their purpose. Step-by-step instructions to go to XYZ website, click THAT button and plug THIS info into ABC is what I need help with, please.
 

IronRobi

Explorer
Joined
Apr 15, 2016
Messages
52
@danb35 I'm having what appears to be a certificate issue while trying to get this setup.

I'm using a subdomain setup on cloudflare with dnsomatic updating the IP. I've already got port 443 opened to another system in my router so I'm trying to set this up using forwarding from an external port of 8443 to port 443 of my nextcloud jail.

When trying to access nextcloud through the web address I get the following error:
cloud.mydomain.com uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

And when I try browsing to the IP address of the jail I get:
192.168.X.XX sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

I'm noticing browsing back through the setup script I'm getting this message
gpg: Good signature from "Nextcloud Security <security@nextcloud.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

I'm not sure if it's related, but everything else looks like it completes fine.

Here's what my nextcloud-config file looks like
JAIL_IP="192.168.X.XX"
DEFAULT_GW_IP="192.168.X.X"
POOL_PATH="/mnt/CLOUD"
TIME_ZONE="America/ZONE"
HOST_NAME="cloud.mydomain.com:8443" (I HAVE TRIED THIS WITHOUT THE PORT AS WELL, SAME ERROR)
STANDALONE_CERT=0
DNS_CERT=1
SELFSIGNED_CERT=0
NO_CERT=0
CERT_EMAIL="email@email.com"
DNS_PLUGIN="cloudflare"
DNS_ENV="CLOUDFLARE_EMAIL=email@email.com CLOUDFLARE_API_KEY=myAPIkeyhere"

EDIT: Here's the output from caddy.log
2020/07/20 16:53:50 [INFO] [cloud.mydomain.com] Server responded with a certificate.
done.

Serving HTTPS on port 443

2020/07/20 16:53:50 [INFO] Serving https://192.168.X.XX

Serving HTTP on port 80

2020/07/20 16:53:50 [INFO] Serving http://cloud.mydomain.com

Serving HTTPS on port 8443

2020/07/20 16:53:50 [INFO] Serving https://cloud.mydomain.com:8443
2020/07/20 16:55:06 [INFO] 192.168.2.188 - No such site at :80 (Remote: 192.168.X.130, Referer: )
2020/07/20 16:55:15 http: TLS handshake error from 192.168.X.XXX:49745: no certificate available for ''
2020/07/20 16:55:15 http: TLS handshake error from 192.168.X.XXX:49746: no certificate available for ''
2020/07/20 16:55:15 http: TLS handshake error from 192.168.X.XXX:49747: no certificate available for ''
2020/07/20 16:55:15 http: TLS handshake error from 192.168.X.XXX:49748: no certificate available for ''
2020/07/20 16:59:44 http: TLS handshake error from 192.168.X.XXX:49772: no certificate available for ''
2020/07/20 16:59:44 http: TLS handshake error from 192.168.X.XXX:49771: no certificate available for ''
2020/07/20 16:59:44 http: TLS handshake error from 192.168.X.XXX:49773: no certificate available for ''
2020/07/20 16:59:44 http: TLS handshake error from 192.168.X.XXX:49774: no certificate available for ''
2020/07/20 16:59:48 http: TLS handshake error from 192.168.X.XXX:49776: no certificate available for ''
2020/07/20 16:59:48 http: TLS handshake error from 192.168.X.XXX:49777: no certificate available for ''
2020/07/20 16:59:48 http: TLS handshake error from 192.168.X.XXX:49778: no certificate available for ''
2020/07/20 16:59:48 http: TLS handshake error from 192.168.X.XXX:49779: no certificate available for ''

When I do a test through ssllabs.com all tests return "Failed to communicate with the secure server"

Any thoughts?
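
An added example, not part of the original post and not code from Caddy or the install script: it groups handshake failures in log lines like the caddy.log excerpt above by the server name quoted in the message. It assumes that quoted value is the name the client requested via SNI, so an empty `''` means the client sent none (as happens when connecting by bare IP address); the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the caddy.log format quoted in the post above.
SAMPLE_LOG = """\
2020/07/20 16:53:50 [INFO] Serving https://cloud.example.com:8443
2020/07/20 16:53:50 [INFO] Serving https://192.0.2.10
2020/07/20 16:55:15 http: TLS handshake error from 192.0.2.50:49745: no certificate available for ''
2020/07/20 16:55:15 http: TLS handshake error from 192.0.2.50:49746: no certificate available for ''
2020/07/20 16:59:44 http: TLS handshake error from 192.0.2.51:49772: no certificate available for 'cloud.example.net'
2020/07/20 16:59:48 http: TLS handshake error from 192.0.2.50:49776: no certificate available for ''
"""

SERVING = re.compile(r"\[INFO\] Serving https://(?P<host>[^\s:/]+)(?::(?P<port>\d+))?")
HANDSHAKE = re.compile(
    r"TLS handshake error from (?P<client>\S+):\d+: "
    r"no certificate available for '(?P<name>[^']*)'"
)


def summarize(log_text):
    """Return (served_https_sites, failures); failures maps the requested
    server name ('' = none sent) to a Counter of client addresses."""
    served, failures = set(), {}
    for line in log_text.splitlines():
        m = SERVING.search(line)
        if m:
            served.add((m["host"], int(m["port"] or 443)))
            continue
        m = HANDSHAKE.search(line)
        if m:
            failures.setdefault(m["name"], Counter())[m["client"]] += 1
    return served, failures


def explain(log_text):
    """Turn the summary into one diagnostic note per requested name."""
    served, failures = summarize(log_text)
    served_names = {host for host, _ in served}
    notes = []
    for name, clients in sorted(failures.items()):
        total = sum(clients.values())
        if name == "":
            # Assumption: empty name means no SNI (e.g. browsing by IP).
            notes.append(f"{total} handshake(s) without a server name (no SNI sent)")
        elif name not in served_names:
            notes.append(f"{total} handshake(s) for '{name}', which is not a served site")
        else:
            notes.append(f"{total} handshake(s) for served site '{name}' with no certificate loaded")
    return notes
```
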
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
FYI. I'm going through the process of setting up a domain name through Freenom, DNS-O-Matic, and Cloudflare. I'm getting an error through DNS-O-Matic that there is an issue with Cloudflare. It turns out that the top-level domains ending in .TK / .ML / .GA / .CF / .GQ coming from Freenom are no longer supported in Cloudflare's Global API (that which is used in DNS-O-Matic as the connection). Here is the post where I found the information: https://community.cloudflare.com/t/cloudflare-and-dns-o-matic-error/182530/2 - it's the post by sdayman
> sdayman MVP '18, '19, '20
> Jun 15
> The API no longer accepts DNS changes for certain TLDs, .cf included.
> I have been using the API to update DDNS, and today I found that I cannot update my DDNS using the API. Check the log file and find the error message: “error”: "You cannot use this API for domains (top-level domains) with .cf, .ga, .gq, .ml or .tk TLDs. DNS settings for this domain, please Use the Cloudflare dashboard. Display cf, .ga, .gq, .ml or .tk, these TLDs can only update DDNS through the dashboard. (My domain name happens to be tk and ga) I don’t know why cloudflare made this modific…
My current solution is to pay for a TLD. I've found one through https://www.hostinger.com/domain-checker using one of their $0.99/yr domains. I'll post results as I find them.
 

IronRobi

Explorer
Joined
Apr 15, 2016
Messages
52
So I blew up my jail and attempted to run it again. Now it doesn't complete the installation. I get this error:
/tmp/getcaddy.com 7647 B 57 MBps 00s
⚠️ This installer only supports v1, which is obsoleted now that Caddy 2 is released. This script may change or go away soon. Please upgrade: https://caddyserver.com/docs/v2-upgrade
Downloading Caddy for freebsd/amd64 (personal license)...
curl: (22) The requested URL returned error: 404
Aborted, error 22 in command: curl -fsSL "$caddy_url" -u "$CADDY_ACCOUNT_ID:$CADDY_API_KEY" -o "$dl"
Command: bash -s personal tls.dns.cloudflare failed!
Failed to download/install Caddy
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
> So I blew up my jail and attempted to run it again. Now it doesn't complete the installation. I get this error:
It would be awesome if you report bugs to the github:
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
> So I blew up my jail and attempted to run it again. Now it doesn't complete the installation. I get this error:
Okay, I've looked into your issue:
It indeed looks like Caddy does not host its V1 version on the website anymore (as they kinda announced a few months back).... Because I also cannot manually get the download URL to work anymore.

Which kinda bothers me because we also relied on it for the nextcloud install in Jailman (based a lot of our current version on Dan's code). While I was already removing caddy (because I found it buggy at times), it would just be two more months before I can push the patch to jailman and now it looks like the folks from Caddy screwed us over.
With this behavior I'm glad to be moving away from Caddy.

@danb35 either needs to upgrade or drop caddy (if this is not just a server downtime/error).
It really isn't his fault or the fault of his script, either Caddy is down or we all got screwed over.
 

listhor

Contributor
Joined
Mar 2, 2020
Messages
133
I had installed Nextcloud 18 using a previous version of the script (without LE). After upgrading to Nextcloud 19 with the built-in upgrader I ended up with the following error:
OCA\DAV\Connector\Sabre\Exception\Forbidden: No read permissions
related to attached external storages which can't be accessed anymore. Luckily snapshots came to the rescue and I did undo the damage :smile:.
So, my question is whether I can use @danb35 script for upgrading of my Nextcloud instance?

EDIT:
One more thing, after upgrading jail (pkg upgrade) I got all sorts of different mysql errors. Is there any upgrading procedure related to jail itself?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Yeah, the Caddy maintainer has killed off the Caddy1 build server as he threatened to do. I'm torn between "update everything to work with Caddy2" and "F that guy, I'll go back to Apache and acme.sh."

There is a Caddy2 build server (https://caddyserver.com/download), and there are a few DNS plugins available (including Cloudflare), but I'm not yet seeing a way to grab something from there by script.
 

IronRobi

Explorer
Joined
Apr 15, 2016
Messages
52
> Yeah, the Caddy maintainer has killed off the Caddy1 build server as he threatened to do. I'm torn between "update everything to work with Caddy2" and "F that guy, I'll go back to Apache and acme.sh."
>
> There is a Caddy2 build server (https://caddyserver.com/download), and there are a few DNS plugins available (including Cloudflare), but I'm not yet seeing a way to grab something from there by script.
If you moved away from Apache initially it must have been for a reason. Although if it turns out there is no way to grab something by script from the Caddy2 server, at least you know Apache worked in the past.

I'm not in any rush to get this setup so I'll hang tight and can test out whichever route you decide to take.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
> Yeah, the Caddy maintainer has killed off the Caddy1 build server as he threatened to do. I'm torn between "update everything to work with Caddy2" and "F that guy, I'll go back to Apache and acme.sh."
>
> There is a Caddy2 build server (https://caddyserver.com/download), and there are a few DNS plugins available (including Cloudflare), but I'm not yet seeing a way to grab something from there by script.

NGINX works great for me to be honest, for NGINX and PHP (without ssl) you can leech my work if you like.
I think that also works with acme.sh, but no guarantees....

That being said:
A total rework of the config files AND preventing people from using the old version within 6 months is a REALLY shitty move...
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
That's very annoying. I was planning on changing my pool setup and reinstalling nextcloud. Could I do iocage export nextcloud and then iocage import nextcloud on the new server with the nextcloud data dir in place and have my install continue to work?

Can you configure the script to allow you to manually download the Caddy 2 file and place it in the includes dir for the script to use?
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
> That's very annoying. I was planning on changing my pool setup and reinstalling nextcloud. Could I do iocage export nextcloud and then iocage import nextcloud on the new server with the nextcloud data dir in place and have my install continue to work?
I think that should work in theory, yes.

> Can you configure the script to allow you to manually download the Caddy 2 file and place it in the includes dir for the script to use?
Yes and No, it can all be done... that isn't really the problem.
The problem is the amount of work it takes to migrate everything to Caddy 2 and to test it. It's not a "just replace this" problem, otherwise we (both @danb35 and myself) would've done so for our scripts months ago.
(actually: it was easier to migrate to nginx than it would've been to caddy 2 imho)
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> If you moved away from Apache initially it must have been for a reason.
There were a few, but the biggest were:
  • Simpler configuration file (the Apache config file for Nextcloud is at least 10x longer than the Caddy one)
  • Automatic TLS setup, including getting (and renewing) certs from Let's Encrypt
    • Including a much more sensible OCSP implementation
I didn't realize at the time that I'd be dealing with "dev who's aggressively pushing users to migrate from a stable release to beta code" or "dev who would completely abandon backward compatibility in v2."
> for NGINX and PHP (without ssl) you can leech my work if you like.
Thanks, though I'd probably be more inclined to go back to Apache if I switch away from Caddy (nice thing about git: I can pull those config files out of the history and reuse them).
> think that also works with acme.sh
I'm sure it would; acme.sh is pretty much universal. Obviously the config file would need to be set up for SSL, but given that, acme.sh ought to work fine.
> A total rework of the config files AND preventing people from using the old version within 6 months is a REALLY ****ty move.
Tend to agree here. Counterpoints:
  • Though I've said otherwise in frustration, the rework of the config files is not gratuitous. He's discussed at some length reasons why he felt he needed to make the change. I'm inclined to believe him--why put in the work to completely change the configuration format (and thereby hack off your users) if there isn't some big gain out of it?
  • Nothing prevents people from using Caddy1, you just can't use his build server to build you a binary with the plugins you want. This means you need to either use someone else's binary (e.g., the FreeBSD package), or build your own from source.
    • This is, at least partially, an artifact of Caddy's having been written in Go. As I understand it, Go doesn't support plugins or modules in the way that, say, Apache does--if you want to use it, it needs to be compiled in. So I can't install Caddy and separately install the Cloudflare plugin; the Cloudflare plugin needs to be compiled into Caddy (which IMO makes "plugin" a bit of a misnomer)
    • The obvious way to deal with this, IMO, would be for the FreeBSD port to be set up in such a way that it can be built with whatever plugin(s) is(are) desired. But it isn't there yet, and it's unclear if it's going to happen at all.
> Can you configure the script to allow you to manually download the Caddy 2 file and place it in the includes dir for the script to use?
Sure, that could be done, and would be relatively straightforward as far as it goes. The rc file needs to be different, but I can pull that out of the proposed FreeBSD port. The big problem is the Caddyfile, as the format is completely different. I don't doubt a reference copy will be developed fairly quickly--Nextcloud is a pretty popular package, and for all I know there may be one out there already. But that's probably the biggest piece that would be needed, aside from getting Caddy2 in the first place.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
I agree @danb35 there certainly are gains to it...
I'm not against caddyv2. I'm not even against closing the build server at a certain moment (for example a year or so after last update).
The problem is he himself took (I guess) 2 years building V2 and pushing it out and expects devops to migrate in less than 6 months.

Good point about going back to apache though, if you already have the config you better use it. You yourself always know your own code best :)
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
@danb35 If you are opening ports 80 and 443 and not using DNS validation can you use pkg install caddy? Freshports.org shows caddy as 1.04 for now.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
> @danb35 If you are opening ports 80 and 443 and not using DNS validation can you use pkg install caddy? Freshports.org shows caddy as 1.04 for now.
Well, yes and no (again...)
You can (now) but it is considered bad practice to use "caddy" port when you actually want "caddy1", you will (in the future) basically get the same issue we have now, when the port updates....

If fixed it is better done right.
If you want to get it working now however, feel free to just modify the script
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> If you are opening ports 80 and 443 and not using DNS validation can you use pkg install caddy?
Yes, and I've made that change as a temporary fix. The script also now errors out if you have DNS validation set. But it should work with HTTP validation, with a self-signed cert, or with no cert at all.
 