Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

[danb35]

This sounds like another instance of the clusterf*ck that Let's Encrypt has caused (or at least highlighted) with their recent change in the certificate chain--which isn't helped by the fact that you're using an EOL OS. See:

DST Root CA X3 Expiration (September 2021)

Update Feb 05, 2024 It’s been two years, and the Android compatibility cross-sign mentioned below is close to expiring. See our recent blog post for a detailed explanation of the changes coming over the course of 2024. Update September 30, 2021 As planned, the DST Root CA X3 cross-sign has...

letsencrypt.org

Best answer is probably to download the "Root X1" certificate and install it on the client system(s) as a trusted root CA:

Chains of Trust

This page describes all of the current and relevant historical Certification Authorities operated by Let’s Encrypt. Note that a CA is most correctly thought of as a key and a name: any given CA may be represented by multiple certificates which all contain the same Subject and Public Key...

letsencrypt.org

Or try getting the cert from ZeroSSL instead. Make this change in the Caddyfile to do that:

Code:

{
    # debug
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    email youremailhere

Change acme_ca to https://acme.zerossl.com/v2/DV90, then restart Caddy.

 

[danb35]

It's also been suggested that simply browsing to https://valid-isrgrootx1.letsencrypt.org/ on an affected client system may result in it loading the required root cert, which should resolve the issues you're seeing.

 

[T_T]

I have been running and configured everything to my liking and it seem to work great. What would be a best practice to backup all my files from nextcloud? Any pointers would be much appreciated!

 

[InGenetic]

This sounds like another instance of the clusterf*ck that Let's Encrypt has caused (or at least highlighted) with their recent change in the certificate chain--which isn't helped by the fact that you're using an EOL OS. See:

DST Root CA X3 Expiration (September 2021)

Update Feb 05, 2024 It’s been two years, and the Android compatibility cross-sign mentioned below is close to expiring. See our recent blog post for a detailed explanation of the changes coming over the course of 2024. Update September 30, 2021 As planned, the DST Root CA X3 cross-sign has...

letsencrypt.org

Best answer is probably to download the "Root X1" certificate and install it on the client system(s) as a trusted root CA:

Chains of Trust

This page describes all of the current and relevant historical Certification Authorities operated by Let’s Encrypt. Note that a CA is most correctly thought of as a key and a name: any given CA may be represented by multiple certificates which all contain the same Subject and Public Key...

letsencrypt.org

Or try getting the cert from ZeroSSL instead. Make this change in the Caddyfile to do that:

Code:

{
    # debug
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    email youremailhere

Change acme_ca to https://acme.zerossl.com/v2/DV90, then restart Caddy.

Hi Mr. Danb35,
thanks for replying,
if i want to try the second way :

Or try getting the cert from ZeroSSL instead. Make this change in the Caddyfile to do that:

Code:

{
    # debug
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    email youremailhere

Change acme_ca to https://acme.zerossl.com/v2/DV90, then restart Caddy.
[/QUOTE]
then i only have to change the caddy file? ? , please let me know , where's the located that caddy's file ?

fyi , thanks for your info about this :

Best answer is probably to download the "Root X1" certificate and install it on the client system(s) as a trusted root CA:

it's work now ,

please more advice , did i have to change the caddy file or not for this situation ? because for some user which using windows 7 , i install Root X1 on their OS , and for user using windows 10 , there's no issue .

Please advice .


Thanks n regards,

 

[danb35]

because for some user which using windows 7 , i install Root X1 on their OS , and for user using windows 10 , there's no issue .

Windows 10 has this cert already, so there's no need to add it. Windows 7 should be able to load this cert if you visit https://valid-isrgrootx1.letsencrypt.org/, but I don't have a Windows 7 machine to test this on. But no, if you're putting the root cert onto the affected machines, there's no need to change the Caddyfile at all.

If you're using the second method--getting the cert from ZeroSSL rather than Let's Encrypt--then yes, you only need to change the Caddyfile. It's located in the jail, at /usr/local/www/Caddyfile.

 

[danb35]

What would be a best practice to backup all my files from nextcloud?

To be complete, you'd want to back up everything in $POOL_PATH/nextcloud.

 

[ThatGuyAZ]

I just received a message from LetsEncrypt that my certificate is still in staging and is about to expire. I had already done the command

Code:

iocage exec nextcloud /root/remove-staging.sh 

nearly 2 months ago when I installed NextCloud.

I went in today and did it again and I get the following:

Code:

2021/10/12 18:55:56.601 INFO    using provided configuration    {"config_file": "/usr/local/www/Caddyfile", "config_adapter": "caddyfile"}

How to I verify that this is now working?

I

 

[danb35]

I just received a message from LetsEncrypt that my certificate is still in staging and is about to expire.

No, the message said that the certificate issued by the staging server is about to expire. And since you've issued a new cert from the production server, that's to be expected. You can safely ignore this message.

If you want to be sure, well, do you get a certificate error when you browse to your site? If not, you're 99% certain to be OK. If you want to check for sure, use one of the many SSL checker websites (I like ssllabs.com, as it's a pretty comprehensive check), which will show you (among other things) where your certificates come from.

 

[Basil Hendroff]

NC 22.2.0 became available for me overnight in the stable update channel. The update from 21.0.5 to 22.2.0 completed without issue.

 

[dr4k4th]

I tried installing with your script today but had an error with the SSL.
I followed the following steps for my main freenas system to remove they key that a bug in OpenSSL keeps favoring:
https://www.truenas.com/community/t...the-openssl-1-0-2-vs-letsencrypt-issue.95874/
I tried using the script again and it failed again.
I looked into the same location into the jail and it has the same entry.
Seems like all FreeNAS 11 and older will suffer from this bug.

Code:

2021/10/14 19:26:05 [INFO] Build complete: /usr/local/bin/caddy
2021/10/14 19:26:05 [INFO] Cleaning up temporary folder: /tmp/buildenv_2021-10-14-1922.344068315
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374374552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://download.nextcloud.com/server/releases/latest-21.tar.bz2: Authentication error
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374374552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://download.nextcloud.com/server/releases/latest-21.tar.bz2.asc: Authentication error
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374374552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://nextcloud.com/nextcloud.asc: Authentication error
Command: fetch -o /tmp https://download.nextcloud.com/server/releases/latest-21.tar.bz2 https://download.nextcloud.com/server/releases/latest-21.tar>
Failed to download Nextcloud

 

[Aephir]

Code:

Internal Server Error

The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
More details can be found in the webserver log.

For the sake of closure (and anyone else running into the same error message looking for answers), I think I found the issue. Or two, actually, that will both give this error message. I can at least replicate this on a fresh install by setting:

Code:

'overwriteprotocol' => 'https',

in config.php. I'm not sure why though, since I have used this for months (maybe an update in nginx that I'm using to serve externally?).

However, I also found someone having the same error if they had a corrupted database.

 

[Dave-g08]

I tried using the script again yesterday, but (I think) due to the changes in Go 1.16 it expects to find a go.mod so I get the error:

Code:

go get: installing executables with 'go get' in module mode is deprecated.
    Use 'go install pkg@version' instead.
    For more information, see https://golang.org/doc/go-get-install-deprecation
    or run 'go help get' or 'go help install'.
no required module provides package github.com/caddyserver/xcaddy/cmd/xcaddy: go.mod file not found in current directory or any parent directory; see 'go help modules'
Command: go build -o /usr/local/bin/xcaddy github.com/caddyserver/xcaddy/cmd/xcaddy failed!

Anyone know how to solve this while using the script?

 

[Dave-g08]

I tried using the script again yesterday, but (I think) due to the changes in Go 1.16 it expects to find a go.mod so I get the error:

Code:

go get: installing executables with 'go get' in module mode is deprecated.
    Use 'go install pkg@version' instead.
    For more information, see https://golang.org/doc/go-get-install-deprecation
    or run 'go help get' or 'go help install'.
no required module provides package github.com/caddyserver/xcaddy/cmd/xcaddy: go.mod file not found in current directory or any parent directory; see 'go help modules'
Command: go build -o /usr/local/bin/xcaddy github.com/caddyserver/xcaddy/cmd/xcaddy failed!

Anyone know how to solve this while using the script?

Ignore my stupidity, I hadn't delete the old script so was running the wrong one. All up and running using my old database

 

[Aephir]

I see this pop up whenever I run occ commands (and at the install):

Code:

The current PHP memory limit is below the recommended value of 512MB.

I saw a fix in this thread, but after editing the /usr/local/etc/php.ini instde the jail to 1G (and a full system reboot), I still see

Code:

# sudo -u www php -i | grep memory_limit
memmory_limit => 128M => 128M

And the error/warning still appears. It actually said 512M before editing the /usr/local/etc/php.ini, hinting that this was not the file to edit?

I found a thread on the Nextcloud forum saying that there are two different php.ini I need to edit. But I don't know where they are in the jail. Any idea where to look?

 

[Patrick M. Hausen]

This command will likely tell you which configuration file is loaded:
php -i | fgrep php.ini

 

[Aephir]

php -i | fgrep php.ini

Odd, that outputs

Code:

root@nextcloud:~ # php -i | fgrep php.ini
Configuration File (php.ini) Path => /usr/local/etc
Loaded Config /usr/local/etc/php.ini

Which is the file where I already put

Code:

memory_limit = 1G

But I still see:

Code:

root@nextcloud:~ # sudo -u www php -i | grep memory_limit
memory_limit => 128M => 128M

 

[Patrick M. Hausen]

All the files in /usr/local/etc/php are applied after php.ini if they exist ... look there.

 

[Aephir]

/usr/local/etc/php

Thanks, but there's nothing in that folder about memory_limit. In fact,

Code:

grep -R "memory_limit" /

from within the jail returns only one thing that says either memory_limit in combination with 128, which is in in the file /usr/local/lib/php/build/run-tests.php. But when changing that to memory_limit=1G in that file and restarting the jail, the sudo -u www php -i | grep memory_limit it still shows memory_limit => 128M => 128M.

 

[Patrick M. Hausen]

If the installation is using php-fpm, then any configuration file in /usr/local/etc/php-fpm.d might also set that.

 

[Aephir]

Sorry, nothing that mentions memory_limit inn that directory.

I fact,

Code:

grep -R memory_limit /

only shows five instances of 128M, one in the file /usr/local/lib/php/build/run-tests.php. I tried changing that to 1G and restarting the jail, but nothing changed.

The others were in super long lists within

Code:

/mnt/files/updater-oc3z0uht4lmj/backups/nextcloud-21.0.5.1-1634651018/core/doc/admin/searchindex.js

and

Code:

/usr/local/www/nextcloud/core/doc/admin/searchindex.js

where one entry in a dictionary in something that looks like json is ... ,"128m":4,"128mb":83, ...... But I'm a bit hesitant to manually change those?

EDIT:
So the CLI still gives warnings about 128M memory limits for PHP, and the output of sudo -u www php -i | grep memory_limit still shows 128M, but in the nextcloud web UI under "system", I see: