
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

jasemo

Dabbler
Joined
Mar 15, 2018
Messages
30
It's a little difficult to parse, but it seems to be right at the end.

I seem to get through:
Code:
Libraries have been installed in...

and later afterwards:
Code:
[nextcloud] Installing php72-pecl-APCu-5.1.8_1...

etc., etc. but then it seems to start falling apart with:
Code:
[Thu Apr 12 18:05:19 AEST 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Thu Apr 12 18:05:21 AEST 2018] Standalone mode.
netstat: kvm not available: /dev/mem: No such file or directory
[Thu Apr 12 18:05:21 AEST 2018] Registering account
[Thu Apr 12 18:05:22 AEST 2018] Registered
[Thu Apr 12 18:05:22 AEST 2018] Creating domain key
[Thu Apr 12 18:05:23 AEST 2018] The domain key is here: /root/.acme.sh/nextcloud.myFQDN.com/nextcloud.myFQDN.com.key
[Thu Apr 12 18:05:23 AEST 2018] Single domain='nextcloud.myFQDN.com'
[Thu Apr 12 18:05:23 AEST 2018] Getting domain auth token for each domain
[Thu Apr 12 18:05:23 AEST 2018] Getting webroot for domain='nextcloud.myFQDN.com'
[Thu Apr 12 18:05:23 AEST 2018] Getting new-authz for domain='nextcloud.myFQDN.com'
[Thu Apr 12 18:05:24 AEST 2018] The new-authz request is ok.
[Thu Apr 12 18:05:24 AEST 2018] Verifying:nextcloud.myFQDN.com
[Thu Apr 12 18:05:24 AEST 2018] Standalone mode server
[Thu Apr 12 18:05:28 AEST 2018] nextcloud.myFQDN.com:Verify error:DNS problem: NXDOMAIN looking up A for nextcloud.myFQDN.com

Does that give enough info?

I'm presuming it's to do with messing up the hostname stuff so it couldn't resolve & fell over. Does that seem likely?

I did get a couple of "warnings" earlier on in the piece but I can't get back to them as they're off the limits of PuTTY's ability to scroll back.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Does that give enough info?
I think so. It's looking, specifically, like Let's Encrypt couldn't resolve your FQDN in order to connect to your server to validate domain ownership and issue you a certificate. The jail should still run, but Apache won't start (since it depends on those certificate files being there). That, by itself, would be straightforward enough to straighten out, but the "Nextcloud is not installed" messages suggest that that part of the installation didn't work, which is odd--that's pure PHP command-line stuff, and doesn't depend on Apache at all.

Confirm that you've got DNS set up properly for your FQDN, so that nextcloud.yourdomain.tld resolves to the right place (you can check it at unboundtest.com). Then I'd blow away the jail and the database files and run the script again.
 

jasemo

Dabbler
Joined
Mar 15, 2018
Messages
30
I just gave it another few goes after doing the two reset commands before running the script and double checking the config carefully.

The error now reads slightly differently:
Code:
[Thu Apr 12 22:13:14 AEST 2018] Verifying:nextcloud.mydomain.tld
[Thu Apr 12 22:13:14 AEST 2018] Standalone mode server
[Thu Apr 12 22:13:18 AEST 2018] nextcloud.mydomain.tld:Verify error:Fetching http://nextcloud.mydomain.tld/.well-known/acme-challenge/lidcLyHUjMQuFmgfvHaVieqoiy5zuo9-CcimiypnUfE: Error getting validation data
[Thu Apr 12 22:13:18 AEST 2018] Please add '--debug' or '--log' to check more details.
[Thu Apr 12 22:13:18 AEST 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
True

* Stopping nextcloud
+ Running prestop OK
+ Stopping services OK
+ Removing jail process OK
+ Running poststop OK
* Starting nextcloud
+ Started OK
+ Starting services OK

[Thu Apr 12 22:13:57 AEST 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Thu Apr 12 22:13:57 AEST 2018] Single domain='nextcloud.mydomain.tld'
[Thu Apr 12 22:13:57 AEST 2018] Getting domain auth token for each domain
[Thu Apr 12 22:13:57 AEST 2018] Getting webroot for domain='nextcloud.mydomain.tld'
[Thu Apr 12 22:13:57 AEST 2018] Getting new-authz for domain='nextcloud.mydomain.tld'
[Thu Apr 12 22:13:59 AEST 2018] The new-authz request is ok.
[Thu Apr 12 22:13:59 AEST 2018] Verifying:nextcloud.mydomain.tld
[Thu Apr 12 22:14:02 AEST 2018] nextcloud.mydomain.tld:Verify error:Fetching http://nextcloud.mydomain.tld/.well-known/acme-challenge/COZ3n3mnRggHwfQVmeF81fYd9zlB8nwBCwsvvTpGUFo: Error getting validation data

Nextcloud is not installed - only a limited number of commands are available
Nextcloud was successfully installed


Then there's a whole lot of lines in green just before the script ends. The repeated "Nextcloud is not installed" errors are gone though.

I'm not sure what all of what unboundtest is showing me but nextcloud.mydomain.tld. does show my public IP in its "Answer section".

I've tried it with the router's firewall on and off, as well as with the jail in my router's DMZ. I've got my FreeNAS box's MAC address associated with the hostname "nextcloud" and the jail's 192.168.1... IP. I also have ports 80 & 443 forwarded there too.

Should I be able to see anything at the jail IP at this stage? When I type it into Chrome I get a "Site cannot be reached message".
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Should I be able to see anything at the jail IP at this stage?
No; since the cert hasn't been created, Apache won't start. It looks like there's some trouble connecting to your jail from outside, though. Try this:
Code:
iocage console nextcloud
cd /usr/local/etc/apache24/Includes/
mv $FQDN.conf $FQDN.conf_old
service apache24 start


If it starts successfully, first, try to browse to your jail's IP from another machine on your LAN. If that works, try connecting from outside your network (the easiest way to do this is probably to turn off wifi on your smartphone and try to go to your FQDN using the browser there).
 

TimvH

Dabbler
Joined
Mar 28, 2018
Messages
25
I made the switch to nginx by installing it next to apache and making the existing Nextcloud installation work. After everything worked at least as well as Apache I deleted Apache and added the same changes I've made to the script.
Since nginx is up to date in the repos, my nginx version of @danb35's script will install faster. And on my system it actually works faster.
I haven't tested the script, though; I checked everything, so it should in theory work, but there could be a mistake somewhere.
If someone wants to test it, use the following command to clone the repo:
Code:
git clone --recursive -b nginx https://github.com/TimvHerpen/freenas-iocage-nextcloud
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

jasemo

Dabbler
Joined
Mar 15, 2018
Messages
30
Yep. I got "It works!" from the local IP and nextcloud.mydomain.tld when connecting from my main desktop. But it fails to connect from outside using my phone with wireless off.

I've tried firewalls/DMZ down & up.

I'll check if I've got some rogue setting in either my dd-wrt or freenas network configs, look at the port forwards and check if I've misunderstood something with hostnames.

Any other places I need to start troubleshooting?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
But it fails to connect from outside using my phone with wireless off.
Well, there's your problem. Did you enable vnet when you created the jail?
 

pakka

Dabbler
Joined
Jan 25, 2018
Messages
48
Isn't it possible to clone an iocage jail and transfer it to another system, like an image? So everybody could download that image-jail, transfer it to his own system, edit the IP address etc., and it works?
 

jasemo

Dabbler
Joined
Mar 15, 2018
Messages
30
Is there any way to change the inbound port from 80?

I think the problem might be that my ISP is blocking port 80. Their forums indicate they're not willing to unblock - as being a residential service they "don't support the hosting of servers within their network".

This might explain why "nextcloud.mydomain.tld:443" gives me "It works!" from my phone but "nextcloud.mydomain.tld" doesn't.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Is there any way to change the inbound port from 80?
Not for purposes of Let's Encrypt--if it's doing HTTP validation, it must connect on port 80 (it can then follow a redirect to 443, but it must first connect on 80). However, depending who hosts your DNS, you may be able to use DNS validation to get a cert instead. acme.sh supports a number of DNS providers' APIs, so if you're using (or have the ability to use) one of those providers, you can take care of your cert that way. If that's not the case either, PM me--there's something else you can try, but I don't want to discuss publicly.

Edit: Here's the list of DNS providers that acme.sh supports, along with how to use them.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Isn't it possible to clone an iocage jail and transfer it to another system, like an image?
It wouldn't surprise me if it were, but I'm not familiar enough with iocage to say. But in any event, that wouldn't get you the most current versions (well, most current that are in the FreeBSD repos) of all the relevant packages.
 

blue_ice

Dabbler
Joined
Mar 24, 2018
Messages
15
That's weird, have you configured SMB right?
The only folders the script touches in your storage pool are /tank/portsnap and /tank/db.
You can however make a new user named smb or something and configure smb to use that user as anonymous account if you want everyone to have access without a password, and then change the ownership of the folders linked to a share to the user you've just made. That's the way I've got it setup. If you want some shares to be private you can change the ownership to another user and/or group.

This is really weird; I created a WebDAV share, and it doesn't work either.

"You don't have permission to access /testwebdav/ on this server."

Any ideas other than burning down the FreeNAS box?

EDIT:
I don't know how but the script changed the ownership of Volumen and datasets (www:www and in some cases 88:88), changing them to root:wheel solved the problem...

Thanks
 

jasemo

Dabbler
Joined
Mar 15, 2018
Messages
30
I've worked out I can set up a "URL redirect record" for nextcloud.mydomain.tld which can funnel requests to a different port on another hostname, "redirect.mydomain.tld", which is set up to be updated through DDNS. If I have my router forward this new port to port 80 on my nextcloud internal IP, I can now get "It works!" when I go to "nextcloud.mydomain.tld" on my phone.

However, the install still fails at the same point with the error now reading:
Code:
[Fri Apr 13 13:26:47 AEST 2018] Verifying:nextcloud.mydomain.tld
[Fri Apr 13 13:26:50 AEST 2018] nextcloud.mydomain.tld:Verify error:Invalid response from http://nextcloud.mydomain.tld/.well-known/acme-challenge/kubRDrR7EtXVtDpKfMtPy4C1uN47dluLdysy44YSE5E:


I'm not sure if this means my new method is too complex for the validation to be successful, or if it could be the vnet issue you mentioned earlier. If that's possible, could you give me a pointer? I haven't come across vnet yet. Does it somehow solve the problem that my jail doesn't have a separate MAC address?
 

pakka

Dabbler
Joined
Jan 25, 2018
Messages
48
I tried to run your script on my U4 system, without success.
@danb35, is it possible that you could have a look at it with e.g. TeamViewer through my desktop PC?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I've worked out I can set up a "URL redirect record" for nextcloud.mydomain.tld which can funnel requests to a different port on another hostname: "redirect.mydomain.tld" which is set up to be updated through DDNS.
Usually services like this are doing behind-the-scenes stuff by way of JavaScript and other such things that would interfere with the Let's Encrypt challenge. If you have access to a *nix-y machine outside of your home LAN, you can try curl http://yourdomain and see what happens. Better yet, put a small text file in /usr/local/apache24/www/html/nextcloud/.well-known/acme-challenge, and try curl http://yourdomain/.well-known/acme-challenge/test.txt and make sure it returns plain text.

If you'd like, send me a private message (use the "start a conversation" link, not the "profile page" link; those aren't private) with your FQDN and I can test it.
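A pre-flight script, added here as an example (it is not part of danb35's script or anything posted in this thread), that does what the replies above describe in one place: it writes a throwaway token under the Apache challenge directory quoted in the reply and fetches it through the public FQDN the way the CA would, and it maps the three acme.sh failure lines quoted earlier in the thread (NXDOMAIN, "Error getting validation data", "Invalid response from") to the cause each reply discusses (no public DNS record, nothing reachable on port 80, something other than the token answering on port 80). The webroot path is taken from the reply; the sample log lines are constructed, and nextcloud.example.com is a placeholder FQDN.

```sh
#!/bin/sh
# Added example, not the script's own code: HTTP-01 pre-flight check plus a
# triage helper for acme.sh "Verify error" lines. WEBROOT default is the Apache
# path quoted in the thread; override it if your layout differs.
set -u

WEBROOT="${WEBROOT:-/usr/local/apache24/www/html/nextcloud}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# Map an acme.sh "Verify error" line to a likely cause.
# Prints one of: dns, unreachable, bad-content, other
classify_acme_error() {
    case "$1" in
        *"NXDOMAIN"*|*"DNS problem"*)      echo dns ;;
        *"Error getting validation data"*) echo unreachable ;;
        *"Invalid response from"*)         echo bad-content ;;
        *)                                 echo other ;;
    esac
}

# One-line remediation hint per category.
hint_for() {
    case "$1" in
        dns)         echo "public DNS has no A record for the FQDN; fix DNS before retrying" ;;
        unreachable) echo "nothing answered on tcp/80 from the internet; check port forward, ISP block, jail networking" ;;
        bad-content) echo "something answered on tcp/80 but not with the token; look for redirect services or another vhost" ;;
        *)           echo "unclassified; rerun acme.sh with --debug" ;;
    esac
}

# Read acme.sh output on stdin; print "category<TAB>hint" for each Verify error line.
triage_log() {
    while IFS= read -r line; do
        case "$line" in
            *"Verify error"*)
                kind=$(classify_acme_error "$line")
                printf '%s\t%s\n' "$kind" "$(hint_for "$kind")"
                ;;
        esac
    done
}

# Exact match between the token we wrote and the body we got back
# (a trailing newline is tolerated; anything else is a mismatch).
token_matches() {
    expected=$1
    actual=$(printf '%s' "$2" | tr -d '\r\n')
    [ "$expected" = "$actual" ]
}

# Write a throwaway token into the challenge directory and fetch it via the
# public FQDN. Run this from OUTSIDE your LAN where possible: NAT hairpinning
# can make an inside test pass while the CA's outside request fails.
preflight() {
    fqdn=$1
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$CHALLENGE_DIR"
    printf '%s\n' "$token" > "$CHALLENGE_DIR/preflight-$token.txt"
    tmp=$(mktemp)
    url="http://$fqdn/.well-known/acme-challenge/preflight-$token.txt"
    # --max-redirs 0: a redirect is itself a finding, so report it, don't follow it.
    meta=$(curl -sS --max-redirs 0 -o "$tmp" -w '%{http_code} %{content_type}' "$url" 2>/dev/null) || true
    [ -n "$meta" ] || meta="000 -"
    body=$(cat "$tmp")
    rm -f "$tmp" "$CHALLENGE_DIR/preflight-$token.txt"
    code=${meta%% *}; ctype=${meta#* }
    if [ "$code" = 200 ] && token_matches "$token" "$body"; then
        echo "OK: $fqdn serves the token (content-type '$ctype')"
        return 0
    fi
    echo "FAIL: HTTP $code, content-type '$ctype', body: $(printf '%s' "$body" | head -c 80)"
    return 1
}

# Constructed sample, modelled on the three failure lines quoted in this thread.
SAMPLE_LOG='[Thu Apr 12 18:05:28 AEST 2018] nextcloud.example.com:Verify error:DNS problem: NXDOMAIN looking up A for nextcloud.example.com
[Thu Apr 12 22:13:18 AEST 2018] nextcloud.example.com:Verify error:Fetching http://nextcloud.example.com/.well-known/acme-challenge/TOKEN: Error getting validation data
[Fri Apr 13 13:26:50 AEST 2018] nextcloud.example.com:Verify error:Invalid response from http://nextcloud.example.com/.well-known/acme-challenge/TOKEN:'

# Usage: sh acme-preflight.sh nextcloud.example.com       (live check)
#        . ./acme-preflight.sh; printf '%s\n' "$SAMPLE_LOG" | triage_log
if [ "$#" -ge 1 ]; then
    preflight "$1"
fi
```

The curl step is the scripted form of the test.txt check in the reply; `--max-redirs 0` is deliberate, so a redirect service answering on port 80 shows up as a FAIL with a 30x code rather than being followed. The triage function is only a reading aid over an existing acme.sh log; the categories are the three cases this thread ran into, not an exhaustive list of acme.sh errors.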
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I don't know how but the script changed the ownership of Volumen and datasets (www:www and in some cases 88:88)
The only way that would happen is if you misconfigured FILES_PATH, DB_PATH, PORTS_PATH, and/or POOL_PATH. In most cases, you wouldn't need to set FILES_PATH, DB_PATH, or PORTS_PATH separately; they're only needed if there's a particular reason you want one (or more) of those things off your main pool (for example, you want to put the database files on an SSD instead). Create three datasets on your pool, called files, db, and ports, respectively. Set POOL_PATH to (in your case, if I remember your pool name correctly) "/mnt/Volumen". That's all you need to do. You don't need FILES_PATH, DB_PATH, or PORTS_PATH in nextcloud-config at all.

Edit: Added some sanity checking to the script that should avoid this problem in the future. Also prevented installation if DB_PATH isn't empty.
 
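As an added illustration of the kind of sanity check the edit above mentions (this is not the script's own code), a short sh fragment that refuses to hand a storage path to chown unless it is a separate mounted dataset, not the pool root and not a bare directory, and refuses a non-empty DB_PATH on a fresh install. The variable names POOL_PATH, FILES_PATH, DB_PATH and PORTS_PATH and the files/db/ports layout follow the reply; detecting a dataset by comparing the directory with its filesystem's mount point (df -P plus pwd -P) is my assumption about a portable test, not how the script does it.

```sh
#!/bin/sh
# Added example, not the script's own sanity checks: validate the storage
# paths before any chown -R touches the pool. POOL_PATH, FILES_PATH, DB_PATH
# and PORTS_PATH follow the reply; the mount-point test is an assumption.
set -u

# 0 if the directory is itself a mount point (i.e. a mounted dataset), else 1.
is_mountpoint() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    mnt=$(df -P "$dir" | awk 'NR == 2 { print $NF }')
    [ "$dir" = "$mnt" ]
}

# 0 if the directory exists and contains nothing (dotfiles included), else 1.
dir_is_empty() {
    if [ -d "$1" ] && [ -z "$(ls -A "$1")" ]; then return 0; fi
    return 1
}

# Decide whether NAME=PATH is safe to hand to chown -R. Prints the reason and
# returns 1 on refusal, so an installer can stop before touching the pool.
check_target() {
    name=$1 path=$2 pool=$3
    case "$path" in
        /|/mnt|/mnt/) echo "$name: refusing to operate on $path"; return 1 ;;
    esac
    if ! dir=$(cd "$path" 2>/dev/null && pwd -P); then
        echo "$name: $path does not exist"; return 1
    fi
    if ! pooldir=$(cd "$pool" 2>/dev/null && pwd -P); then
        echo "POOL_PATH: $pool does not exist"; return 1
    fi
    if [ "$dir" = "$pooldir" ]; then
        echo "$name: $path is the pool root itself, not a dataset under it"; return 1
    fi
    if ! is_mountpoint "$dir"; then
        echo "$name: $path is a plain directory, not a mounted dataset"; return 1
    fi
    return 0
}

# Check all three targets; DB_PATH must additionally be empty on a fresh install.
validate_config() {
    pool=$1
    files=${FILES_PATH:-$pool/files}
    db=${DB_PATH:-$pool/db}
    ports=${PORTS_PATH:-$pool/ports}
    rc=0
    check_target FILES_PATH "$files" "$pool" || rc=1
    check_target DB_PATH    "$db"    "$pool" || rc=1
    check_target PORTS_PATH "$ports" "$pool" || rc=1
    if [ -d "$db" ] && ! dir_is_empty "$db"; then
        echo "DB_PATH: $db is not empty; refusing to install over existing data"; rc=1
    fi
    return $rc
}

# Usage: POOL_PATH=/mnt/tank sh check-paths.sh
if [ -n "${POOL_PATH:-}" ]; then
    validate_config "$POOL_PATH" && echo "paths look sane"
fi
```

The point of the mount-point test is the failure mode in the quoted post: with POOL_PATH mis-set, the derived files/db/ports paths are ordinary directories (or the pool root), and a recursive chown there rewrites ownership of everything beneath. Refusing anything that is not its own dataset keeps the chown confined to what the installer created.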

jasemo

Dabbler
Joined
Mar 15, 2018
Messages
30
Can anyone in this thread help with the networking component of all this?

I'm trying to set up a static internal IP for my nextcloud jail. However, to set up a static IP I need to enter a MAC address in my router. The MAC of my FreeNAS box is already being used to give it an IP address (which is the one I access the GUI on).

How do I find out/give nextcloud a unique MAC address so I can then enter this into my router?
 

TimvH

Dabbler
Joined
Mar 28, 2018
Messages
25
Can anyone in this thread help with the networking component of all this?

I'm trying to set up a static internal IP for my nextcloud jail. However, to set up a static IP I need to enter a MAC address in my router. The MAC of my FreeNAS box is already being used to give it an IP address (which is the one I access the GUI on).

How do I find out/give nextcloud a unique MAC address so I can then enter this into my router?
If you don't specifically set DHCP to on, your jail already has its own static IP; you don't need to configure it in your router.
 