How to install Nextcloud 13 in FreeNAS with all checks passed updated to use iocage

dureal99d

Contributor
Joined
Aug 3, 2017
Messages
156
This is a how-to for installing Nextcloud 13 with all checks passed on FreeNAS 11.

New in this guide is how to create an iocage jail, and it also works with versions 11 & 12 of Nextcloud.

This is a rewrite of the original post https://forums.freenas.org/index.php?threads/how-to-nextcloud-10-w-apache-php-and-mariadb.46111/ with a few added adjustments where needed to make this fully functional.
I know this works as I have re-emulated this 4 times today to ensure its accuracy.
Some things may need to be edited based upon volume name, but for the most part it is plug and play.
A great thanks to nathank1989 and all of those that have contributed.

Creating the Dataset & Jail
Create Dataset
Within FreeNAS Userspace:

Storage > Create ZFS Dataset
Code:
Dataset Name = files
Compression level = lz4
Enable atime = Off
All other options default


SQL Data
Code:
Dataset Name = db
Compression level = zle
Enable atime = Off
Record Size = 16K (Under Advanced Mode)
All other options default


Add New user in FreeNAS space:
Code:
Username: mysql
Shell: nologin
Full Name: SQL User
Password: anything


From the Storage Tab
Change Permissions On your Storage volume that houses your jail -> should look similar to this>>> /mnt/your drive name/db
Code:
Owner: mysql
Owner: mysql
Set permission recursively


Create a Jail using iocage
Code:
iocage create -n "your_jail_name" -r 11.1-RELEASE ip4_addr="vnet0|your_jail_ip/24" defaultrouter="your_router_ip" vnet="on" allow_raw_sockets="1" boot="on"


Start The Jail
Code:
iocage start "yourjailname"


Add Storage to the iocage jail you just created (do not try to add storage before starting the jail or it won't start)

Jail: nextcloud
Code:
iocage fstab -a yourjail "/mnt/YOURDRIVENAME/files  /mnt/files  nullfs  rw  0  0"

Jail: nextcloud
Code:
iocage fstab -a yourjail "/mnt/YOURDRIVENAME/db  /var/db/mysql  nullfs  rw  0  0"


Setting primary cache In FreeNAS UserSpace Shell
$ zfs set primarycache=metadata YOURDRIVENAME/db

F.A.M.P Installation
In this section we are going to install F.A.M.P, an iteration of LAMP (Linux, Apache, MySQL, PHP). I chose this because I, personally, haven't had much luck with nginx or lighttpd. Another guide suggested lighttpd and sqlite, but those might not hold up to a good amount of users storing a bit of data.
The setup is:
FreeBSD 11.0
Apache 2.4
MariaDB 10.1
PHP 7.0 or 7.1 OR PHP 7.2
This provides the basis for our webserving jail.

via putty ssh into the jail

From FreeNAS user space run command:
jls
You will then see your jails. Then run the command jexec "and the number of your jail" (example) "jexec 2"

Before we get started, let's add a few necessary packages as they aren't currently installed.
$ portsnap fetch extract
$ pkg install nano wget sudo

We will install each part of FAMP one-by-one. FreeBSD is the Operating system so good to go on that!

Install Apache 2.4
$ pkg install apache24

Setup in rc.conf
$ sysrc apache24_enable=yes

Start Apache
$ service apache24 start

Okay, let's check to see that it works!!!!
Open a web browser on a local machine (preferably the machine you're on) on your network

Navigate to http://your_jails_ip and you should see the text "It Works!"

Install MariaDB 10.1
$ pkg install mariadb102-server

Setup in rc.conf
$ sysrc mysql_enable=yes

Start MySQL Service
$ service mysql-server start

Run Wizard Script
$ mysql_secure_installation

You may encounter an error.
Code:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)


But don't panic, it's OK!!!! Simply do this!!
Hold down
Code:
Ctrl+C
to stop the script

Then enter the following Command
/usr/local/etc/rc.d/mysql-server stop
Then Enter this Command
mysqld_safe --skip-grant-tables &
/usr/local/etc/rc.d/mysql-server start

Once Again Hold down
Code:
Ctrl+C
to stop the script
Run Wizard Script
$ mysql_secure_installation

And you should be good to go!!!!!!!!

For this step read and follow prompts.
By default there is no root password (you must create a new one); when prompted just hit enter, and answer Y to all the following questions.

Login to MySQL, create Nextcloud DB and User
$ mysql -u root -p

Enter the password you made for root during MariaDB 10.1 setup.

Enter each of these commands one-by-one, and make sure to include the semi-colon ;
Code:
CREATE DATABASE nextcloud;

CREATE USER 'nextcloud_admin'@'localhost' IDENTIFIED BY 'MAKEUP-YOUR-OWN-PASSWORD';

GRANT ALL ON nextcloud.* TO 'nextcloud_admin'@'localhost';

FLUSH PRIVILEGES;

exit


Replace MAKEUP-YOUR-OWN-PASSWORD with a password of your choosing. You need this for the NextCloud setup.

PHP 7.0
Install PHP and associated modules

Code:
pkg install redis php70 php70-bz2 php70-ctype php70-curl php70-dom php70-exif php70-fileinfo php70-filter php70-gd php70-hash php70-iconv php70-intl php70-json php70-mbstring php70-mcrypt php70-pdo_mysql php70-openssl php70-posix php70-session php70-simplexml php70-xml php70-xmlreader php70-xmlwriter php70-xsl php70-wddx php70-zip php70-zlib php70-opcache mod_php70


or perhaps you prefer

php 7.1
Install PHP and associated modules

Code:
pkg install redis php71-ctype php71-dom php71-gd php71-iconv php71-json php71-mbstring php71-posix php71-simplexml  php71-xmlreader php71-xmlwriter php71-zip php71-zlib php71-pdo_mysql php71-hash php71-xml php71-session php71-mysqli php71-wddx php71-xsl php71-filter php71-curl php71-fileinfo php71-bz2 php71-intl php71-mcrypt php71-openssl php71-ldap php71-ftp php71-imap php71-exif php71-gmp php71-memcache php71-opcache php71-pcntl php71 mod_php71


or maybe

php 7.2
Install PHP and associated modules

Code:
pkg install redis php72-ctype php72-dom php72-gd php72-iconv php72-json php72-mbstring php72-posix php72-simplexml  php72-xmlreader php72-xmlwriter php72-zip php72-zlib php72-pdo_mysql php72-hash php72-xml php72-session php72-mysqli php72-wddx php72-xsl php72-filter php72-curl php72-fileinfo php72-bz2 php72-intl php72-openssl php72-ldap php72-ftp php72-imap php72-exif php72-gmp php72-memcache php72-opcache php72-pcntl php72 mod_php72



$ sysrc 'mysql_enable=YES' 'redis_enable=YES'
Configuring Apache for PHP7
Ensure that the rewrite and ssl modules are enabled (uncommented) in /usr/local/etc/apache24/httpd.conf.
$ nano /usr/local/etc/apache24/httpd.conf

In the httpd.conf file search for "ssl_module" by using the below command

To search the document
Code:
ctrl+w

Then enter the name of the file you want to search within the document
Code:
ssl_module

To execute the command simply press enter it will find the filename

while still in the same document "httpd.conf"
Uncomment these 2 lines (delete the # at the start of the line) so it looks like this:
Code:
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so


Remove php5 (if it exists)
Code:
Find & Remove this >> LoadModule php5_module libexec/apache24/libphp5.so
Replace with >> LoadModule php7_module libexec/apache24/libphp7.so


Add php7:
Code:
If you can't find libphp5.so, just add
LoadModule php7_module  libexec/apache24/libphp7.so
to the last of the LoadModule section; right above where it says
# Third party modules IncludeOptional ...


while working in the same file after this line
Code:
LoadModule php7_module libexec/apache24/libphp7.so


Add this
Code:
<IfModule php7_module>
<FilesMatch "\.(php|phps|php7|phtml)$">
     SetHandler php7-script
</FilesMatch>
DirectoryIndex index.php
</IfModule>


While still in the same file search for:
Code:
<IFModule mime_module>


Then Insert this code directly under:
Code:
AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php        .php


Save & quit
Code:
ctl+x
y
enter

Double check that you see libphp7.so in /usr/local/libexec/apache24
To do this simply search by executing the following command
$ find /usr -name libphp7.so

it should give you this feedback
Code:
/usr/local/libexec/apache24/libphp7.so


If it does this, let's move on!!!!!!!

Now let's add a PHP handler
Code:
# cd /usr/local/etc/apache24/modules.d
# touch /usr/local/etc/apache24/modules.d/001_mod_php.conf
# nano /usr/local/etc/apache24/modules.d/001_mod_php.conf

Paste this text in the 001_mod_php.conf file:
Code:
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>

Save & Exit
Once you're done save and close
Code:
CTRL+x, Y, ENTER


Restart apache
service apache24 restart

Configure PHP.INI
Code:
$ cd /usr/local/etc
$ cp php.ini-production php.ini
$ nano /usr/local/etc/php.ini


Code:
find cgi.fix_pathinfo=0 change from =0 to =1

find date.timezone = Change to your timezone (America/New_York) [ SEE: http://php.net/manual/en/timezones.php ]

find post_max_size= change it to 1999M

find upload_max_filesize= change to 1999M


Then uncomment and update the below values to match (uncomment means to remove the # symbol before any line):

Code:
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

CTRL+X, Y, ENTER

Restart Apache
$ service apache24 restart
Testing with PHPINFO()
Navigate to /usr/local/www/apache24/data/
Code:
$ cd /usr/local/www/apache24/data
$ touch info.php
$ nano info.php


Paste the below code into the info.php file
Code:
<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>

Save & Exit

Navigate to http://your jails ip/info.php

You should see a full page with all the information regarding your PHP installation.

Now let's configure REDIS
The purpose is to update redis.conf to run on local socket

Execute command:
Code:
nano /usr/local/etc/redis.conf

In the redis.conf file find the value
Code:
"port" and change it from its default value to 0

uncomment by removing the ; symbol from in front of the below values and edit to match
Code:
unixsocket /tmp/redis.sock
unixsocketperm 777

Add REDIS to rc.conf
$
Code:
sysrc redis_enable=yes

Start REDIS
$
Code:
service redis start

To run redis on a local socket,
Run
ls -al /tmp
you should see redis.sock and mysql.sock in the feedback list.

If you see those two, you're ALMOST DONE!!

Now let's install NextCloud 13.0.1

before downloading NextCloud 13.0.1 navigate to the default apache data directory
$
Code:
cd /usr/local/www/apache24/data


Download Nextcloud:
wget https://download.nextcloud.com/server/releases/nextcloud-13.0.1.zip
Unzip Nextcloud:
$ unzip nextcloud-13.0.1.zip
Give correct owner/ or rather modify the folder permissions:
Code:
chown -R www:www /usr/local/www/apache24/data/nextcloud /mnt/files

Add virtual Host info :
Navigate to: /usr/local/etc/apache24/Includes
Code:
cd /usr/local/etc/apache24/Includes

Touch file: (I used a cloud.* subdomain, if you're not using a sub, remove the 'cloud.')

$ touch YOURDOMAIN.com or org or gov.conf

$ nano YOURDOMAIN*


make your secure file in this format (simply copy and paste):
Be sure to edit the YOURSITE.COM part of the below file with your domain info
(Example) if your domain is "tocool.no-ip.org" enter that and the domain name matches your touch file name.
Code:
<VirtualHost *:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName YOURSITE.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =YOURSITE.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
#ErrorLog ${APACHE_LOG_DIR}/error.log
#CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /usr/local/www/apache24/data/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /usr/local/www/apache24/data/nextcloud
SetEnv HTTP_HOME /usr/local/www/apache24/data/nextcloud
Satisfy Any
</Directory>
</VirtualHost>

Restart Apache:
$ service apache24 restart
Navigate to the website
http://your jails ip/nextcloud

You should now see the setup screen for NextCloud!!

If you do, give yourself a pat on the back. Now for the last steps...

NextCloud WebUI
Set up your admin account with a username and password you choose.

Storage & database (this is important be sure to change your data storage directory aka data folder)
Code:
Data folder = /mnt/files

If you dont change it you will get the following error!!!!!
Code:
Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. It is strongly recommended that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.


Next enter the DB details applicable
Code:
Database user = nextcloud_admin
Database password = MADEUP_PASSWORD_FROM_BEFORE
Database name = nextcloud
Database host = localhost:/tmp/mysql.sock


Now let's prepare the secure part of your domain file:
Navigate to: /usr/local/etc/apache24/Includes
Code:
cd /usr/local/etc/apache24/Includes
nano YOURDOMAIN*

Copy and paste under the previously entered info
Code:
<VirtualHost *:443>
  ServerAdmin YOUREMAIL
  ServerName YOURSITE.COM
  DirectoryIndex index.php
  DocumentRoot /usr/local/www/apache24/data/nextcloud
  SSLCertificateFile /usr/local/etc/letsencrypt/live/YOURSITE.COM/fullchain.pem
  SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/YOURSITE.COM/privkey.pem
  SSLEngine on
  # Intermediate configuration, tweak to your needs
  SSLProtocol  all -SSLv2 -SSLv3
  SSLCipherSuite  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  SSLHonorCipherOrder  on
  SSLCompression  off
  SSLOptions +StrictRequire
  <Directory /usr/local/www/apache24/data/nextcloud>
  AllowOverride all
  </Directory>
  <IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  </IfModule>
  </VirtualHost>

Let's cache!!!
To set up a complete cache with redis and apcu:
Code:
cd
pkg install p5-Locale-gettext help2man texinfo m4 autoconf
make config-recursive install -C /usr/ports/databases/pecl-redis
make config-recursive install -C /usr/ports/devel/pecl-APCu

then execute the following commands:
for php 7.0 and php 7.1
Code:
$ su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set memcache.local --value="\OC\Memcache\APCu"'
$ su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"'
$ su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set redis host --value="/tmp/redis.sock"'
$ su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set redis port --value=0 --type=integer'

Additional steps for php 7.1
Navigate to:
nano /usr/local/www/apache24/data/nextcloud/config/config.php
Then change:
'memcache.local' => '\\OC\\Memcache\\APCu',
to
'memcache.local' => '\\OC\\Memcache\\Redis',

service apache24 restart

Let's fix some annoying apache errors!
To get rid of the below error message when restarting apache, do the following:
Code:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Stopping apache24.
Waiting for PIDS: 80591.
Performing sanity check on apache24 configuration:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Starting apache24.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

Run command:
nano /usr/local/etc/apache24/httpd.conf
Search for "servername" it will look like the below, enter your jails ipaddress xxx.xxx.x.xxx:80
Code:
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
 ServerName your jails ip:80 <<<<<<<put your serving machines ip address

Uncomment the ServerName line (uncomment simply means to remove the # or ; symbol from the front of any line) and voilà, the message will be fixed.

restart apache
service apache24 restart

Should Produce a Clean
Code:
Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 12933.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.


To add Domains that can connect from outside the lan:
navigate to: /usr/local/www/apache24/data/nextcloud/config/config.php
Code:
nano /usr/local/www/apache24/data/nextcloud/config/config.php

The file will look like the below:
Code:
<?php
$CONFIG = array (
'instanceid' => 'ocwo6kfuc3ve',
'passwordsalt' => '9s6vbvue6FZ3g2AklNJS4Y3S4Y3FG1',
'secret' => 'gzWPI+QgwkIKkYQwmgfGk7oGW87N/jaytyODIEgVfBjCek0y',
'trusted_domains' =>
array (
    0 => '192.168.1.30',
    1 => 'coolp.to.org', // <<< add just like this
),
'datadirectory' => '/usr/local/www/apache24/data/nextcloud/data',
'overwrite.cli.url' => 'http://192.168.1.30',
'dbtype' => 'mysql',
'version' => '12.0.3.3',
'dbname' => 'nextcloud',
'dbhost' => 'localhost:/tmp/mysql.sock',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => 'nextcloud_admin',
'dbpassword' => 'maria10 database password',
'installed' => true,
'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
    'host' => '/tmp/redis.sock',
    'port' => 0,
),
);

restart apache using the following command:
service apache24 restart
I can't use vi, it's too cryptic, so I choose to use nano to set cron jobs. To do so execute the following:
Code:
setenv VISUAL /usr/local/bin/nano
setenv EDITOR /usr/local/bin/nano

Setup NC's cron jobs:
crontab -u www -e
Code:
*/15 * * * * /usr/local/bin/php -f /usr/local/www/apache24/data/nextcloud/cron.php

Now let's secure this server
SSL using Certbot:

Download/Install Certbot
pkg install py27-certbot
certbot certonly --webroot -w /usr/local/www/apache24/data/nextcloud -d YOURSITE.COM
Navigate to /usr/local/etc/apache24/httpd.conf
Code:
nano /usr/local/etc/apache24/httpd.conf

in the httpd.conf file
Find Listen 80 and add underneath Listen 443
I don't know what the below command does but it works:
nano /etc/make.conf
Then add to the 2nd line of the file
Code:
DEFAULT_VERSIONS+=php=7.0

Restart Apache:
service apache24 restart
Add Cron Job:
crontab -e
Code:
0 1 * * 1 /usr/local/bin/certbot renew --quiet

Okay once you finally logon to Nextcloud 12.3 using http and you enter the admin area you will see these errors!!!!
Code:
  • You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our security tips.


Have no fear, if this error bothers you there is a fix

Force to https redirect:

Now let's introduce a redirect of http to https. This is mainly for on the LAN, as when accessed from the world wide web it automatically redirects to https and is not accessible via http.

Be advised the https will say the connection is not secure when accessing from the LAN using the direct IP.

Edit the .htaccess file by entering the following command:
$ nano /usr/local/www/apache24/data/nextcloud/.htaccess

While in the .htaccess file directly below this text:
Code:
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

Add:
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


Restart apache:
service apache24 restart

And VOILA! YOU ARE DONE!!!!!

so you can share with whomever you choose!!!!!!!!!!!!!

How to use NextCloud on a separate NIC
Code:
Shut down the jail
Click Edit
Uncheck VIMAGE and select the NIC from the NIC drop down. Make sure your IP info didn't change.
Start jail and try to access your cloud. If all went well you'd basically see nothing changed as it will work as expected.


Code:
#PLACEHOLDER# for iocage network instructions as relates to nic options



helpful commands and notes from install
to find a file:
enter command:
Code:
find /usr -name "filename"
 
Last edited:
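An added example, not part of the original post: a shell check over the files this guide edits, run against a constructed sample tree that mirrors the values shown above. It flags a phpinfo() page left in the document root, a world-writable Redis socket mode, an SSLProtocol line that still allows TLS 1.0/1.1, 3DES in SSLCipherSuite, and a Nextcloud data directory under the document root; the function names and FINDING labels are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the files this guide edits.
# ROOT is a path prefix: "" inside the jail, or a scratch copy of the files.
DOCROOT=/usr/local/www/apache24/data

audit_jail() {
    root=$1

    # 1. phpinfo() test page left in the document root.
    for f in "$root$DOCROOT"/*.php; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        if grep -q 'phpinfo *(' "$f"; then
            echo "FINDING phpinfo: $rel is still being served"
        fi
    done

    # 2. Redis: a socket mode whose "other" digit has the write bit lets any
    #    local user connect; a non-zero port means TCP is listening as well.
    rc="$root/usr/local/etc/redis.conf"
    if [ -f "$rc" ]; then
        perm=$(awk '$1 == "unixsocketperm" { p = $2 } END { print p }' "$rc")
        case $perm in
            *[2367]) echo "FINDING redis-perm: unixsocketperm $perm is open to every user in the jail" ;;
        esac
        port=$(awk '$1 == "port" { p = $2 } END { print p }' "$rc")
        [ "${port:-6379}" = 0 ] || echo "FINDING redis-port: TCP port ${port:-6379} is enabled"
    fi

    # 3. Apache vhost files: "all" without -TLSv1 -TLSv1.1 keeps TLS 1.0/1.1,
    #    and a bare DES-CBC3-SHA entry offers 3DES.
    for f in "$root"/usr/local/etc/apache24/Includes/*.conf; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        awk -v file="$rel" '
            $1 == "SSLProtocol" {
                all = 0; m10 = 0; m11 = 0; plus = 0
                for (i = 2; i <= NF; i++) {
                    if ($i == "all" || $i == "+all") all = 1
                    if ($i == "-TLSv1") m10 = 1
                    if ($i == "-TLSv1.1") m11 = 1
                    if ($i ~ /^\+?TLSv1(\.1)?$/) plus = 1
                }
                if ((all && !(m10 && m11)) || plus)
                    print "FINDING tls-proto: " file " enables TLS 1.0/1.1"
            }
            $1 == "SSLCipherSuite" {
                n = split($2, c, ":")
                for (i = 1; i <= n; i++)
                    if (c[i] == "DES-CBC3-SHA")
                        print "FINDING tls-3des: " file " offers DES-CBC3-SHA"
            }' "$f"
    done

    # 4. Nextcloud data directory inside the web root (the guide sets /mnt/files).
    cfg="$root$DOCROOT/nextcloud/config/config.php"
    if [ -f "$cfg" ]; then
        dd=$(sed -n "s/.*'datadirectory' *=> *'\([^']*\)'.*/\1/p" "$cfg")
        case $dd in
            "$DOCROOT"/*) echo "FINDING datadir: $dd is under the document root" ;;
        esac
    fi
    return 0
}

# Constructed sample tree that mirrors the values shown in the guide.
make_sample() {
    root=$1
    mkdir -p "$root$DOCROOT/nextcloud/config" \
             "$root/usr/local/etc/apache24/Includes"
    printf '<?php\nphpinfo();\n?>\n' > "$root$DOCROOT/info.php"
    printf 'port 0\nunixsocket /tmp/redis.sock\nunixsocketperm 777\n' \
        > "$root/usr/local/etc/redis.conf"
    cat > "$root/usr/local/etc/apache24/Includes/example.conf" <<'EOF'
<VirtualHost *:443>
  SSLEngine on
  SSLProtocol  all -SSLv2 -SSLv3
  SSLCipherSuite  ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA:!aNULL:!MD5
</VirtualHost>
EOF
    cat > "$root$DOCROOT/nextcloud/config/config.php" <<'EOF'
<?php
$CONFIG = array (
'datadirectory' => '/usr/local/www/apache24/data/nextcloud/data',
);
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
audit_jail "$demo"
rm -rf "$demo"
```

Inside the jail, call `audit_jail ""` so the checks read the live files.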

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
Hi, Thank you so much for your post !, I was able to get EVERYTHING working perfectly! Honestly impossible to do without a guide like this. Thanks !
 
Last edited:
Joined
Jun 22, 2017
Messages
8
Hey dureal99d,
Thanks for the awesome write up. I was able to follow the instructions in my FreeNAS-9.10.2-U2 (e1497f2) and got everything working. I do have a few comments on things to bring better clarity.

In your section:
Now lets Install NextCloud 12.3

before downloading NextCloud 12.3 navigate to the default apache data directory

cd /usr/local/www/apache24/data

Download Nextcloud:
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.3.zip
Unzip Nextcloud:
$ unzip nextcloud-12.0.3.zip
I suggest adding the section for Nextcloud 13 along with the URL to give the user the choice where they can straight up copy/paste:
Now lets Install NextCloud 13.0

before downloading NextCloud 13.0 navigate to the default apache data directory

cd /usr/local/www/apache24/data

Download Nextcloud:
wget https://download.nextcloud.com/server/releases/nextcloud-13.0.0.zip
Unzip Nextcloud:
$ unzip nextcloud-13.0.0.zip
Another issue that I ran into and found in these other forums and would think that it'll be helpful for other users going through your setup guide to have this included:

FreeNAS 11 Nextcloud / Owncloud Letsencrypt SSL/TLS
Setup your router's port forwarding
You will need to forward ports 80 and 443 to the IP address of your jail for nextcloud / owncloud instructions vary depending on what router you have. Also setup your domain I'll be using example.com and www.example.com as a domain for the rest of the guide.
HOW-TO: NextCloud 10 w/ Apache, PHP, and MariaDB
If SSL Labs rates you an F:
You probably have the OpenSSL CVE-2016-2107 Vulnerability. For whatever reason, pkg update/upgrade will not solve this and we need to recompile both openssl and apache24 from ports.

nano /etc/make.conf
Add line:
DEFAULT_VERSIONS+=ssl=openssl

Save & Quit

portsnap fetch
portsnap extract
portsnap update

cd /usr/ports/security/openssl
make deinstall
make install clean

cd /usr/ports/www/apache24/
make deinstall
make install clean

service apache24 restart

pkg lock apache24
pkg lock openssl

Until FreeBSDs repos have versions of apache and OpenSSL that fix the vulnerability, this is the only way I have found to get back to an A+ rating.

Test SSL Labs again, you should now see an A+!
The URL to the Qualys SSL Labs SSL Server Test as you want to ensure that you're getting that A+!

Again, thanks for the guide and I hope my comments are received well to help others throughout this process as you've helped me immensely.

Cheers,

molotov_kazic


P.S.
It'd be super helpful if you could add some tagging to your post like this:

freenas 11, freenas 9, letsencrypt, nextcloud, owncloud, apache24, mariadb, php7
 
Last edited:
Joined
Jan 20, 2017
Messages
7
First up let me say THANK YOU. Without this guide I would have had NO hope in hell in getting Nextcloud up and running in an iocage jail.

But I did find some things in the guide that didn't seem correct or complete to me, or that I simply had difficulty with:
  1. creating the /mnt/db/mysql mount via the iocage fstab command simply would not work until I started the jail, logged in and manually created the /mnt/db/mysql directories. I played with 'iocage fstab -e', removing then with -r etc, but the jail would not start until I created the dir structure manually first. The paths were correct, they just would mount until I created them manually. I may have been doing it wrong? I really don't know.
  2. "via putty ssh into the jail" this will not work without running 'iocage start <YOURJAILNAME>', obvious to some people perhaps but maybe not others
  3. "run commander jexec "And the number of you jail" (example) "jexec 2" I would recommend using the iocage commands for this, if for no other reason then everything up until that point has been via iocage. 'iocage console <YOURJAILNAME>' works well.
  4. the 'php install ...' list for PHP 7.2 is broken and will not work as it is typed. The php72-mcrypt package simply does not exist. Easy enough to fix, but still incorrect.
  5. "You should now see the setup screen for NextCloud!!" for this to work, the http://your jails IP/ needs to be "http://your jails IP/nextcloud" (again, probably obvious to some, but not everyone).
  6. running "make config-recursive install" for the caches involves a lot of options coming up, I assume the default selections are the best choice, and hitting enter repeatedly until they all go away is the answer, but that might be worth mentioning
  7. might be worth suggesting "iocage set boot=on <Jail name>" so the jail starts on boot with freenas.
All in all these are really minor things, the guide was insanely helpful

Thank you.
 

dureal99d

Contributor
Joined
Aug 3, 2017
Messages
156
Hey dureal99d,
Thanks for the awesome write up. I was able to follow the instructions in my FreeNAS-9.10.2-U2 (e1497f2) and got everything working. I do have a few comments on things to bring better clarity.

In your section:

I suggest adding the section for Nextcloud 13 along with the URL to give the user the choice where they can straight up copy/paste:

Another issues that I ran into and found in these other forums and would think that it'll be helpful for other users going through your setup guide to have this included:

FreeNAS 11 Nextcloud / Owncloud Letsencrypt SSL/TLS

HOW-TO: NextCloud 10 w/ Apache, PHP, and MariaDB

The URL to the Qualys SSL Labs SSL Server Test as you want to ensure that you're getting that A+!

Again, thanks for the guide and I hope my comments are received well to help others throughout this process as you've helped me immensely.

Cheers,

molotov_kazic


P.S.
It'd be super helpful if you could add some tagging to your post like this:

freenas 11, freenas 9, letsencrypt, nextcloud, owncloud, apache24, mariadb, php7
I have made some of the advised adjustments in hope to provide a better guide.
 

fubezz

Cadet
Joined
Mar 1, 2018
Messages
2
Awesome Guide Thanks!

Let me just add two things I had problems with:
  1. When you set the rights for the "db" and the "files" directories on your host system, you need to make sure that the user ids of the "mysql" user of host system and inside the jail are matching. Otherwise the mysql user in the jail won't be allowed to access the directories.
  2. Before I was able to start the mysql server I had to copy the "my.cnf" file into my mysql database folder. For example: cp /usr/local/share/mysql/my-small.cnf /var/db/mysql/my.cnf.
Greetz,
Fubezz
 

papaja

Dabbler
Joined
Apr 2, 2017
Messages
30
  1. When you set the rights for the "db" and the "files" directories on your host system, you need to make sure that the user ids of the "mysql" user of host system and inside the jail are matching. Otherwise the mysql user in the jail won't be allowed to access the directories.
How did you achieve that? Is it really necessary for files too?
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
I personally did not have to do what fubezz said and I've had no issues.
 

fubezz

Cadet
Joined
Mar 1, 2018
Messages
2
How did you achieve that?
  1. One possibility is to go into your jail and then type: cat /etc/passwd | grep mysql. The output should be something like:
    Code:
    mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
    This means that the user-id as well as the group-id of the mysql user is 88.
  2. You need set these ids for the "mysql" user and group on the host. One easy way to do this is by setting the ids when you create the user with the freenas ui.
Is it really necessary for files too?

Sorry, my fault. It's only necessary for the db folder
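An added example, not written by anyone in the thread: the id comparison described in the two steps above as a shell check, run on constructed passwd files. The jail line is the one quoted in the post; the host line, its id 1001 and the function names are made up for the example. On a real system, pass the host's /etc/passwd, the passwd file under the jail's root, and the db dataset path.

```shell
#!/bin/sh
# Added example, not from the thread. A nullfs mount carries numeric ids, so the
# jail's mysqld can only use /var/db/mysql if the directory's owner uid is the
# uid that "mysql" has inside the jail.

# uid_gid PASSWD_FILE USER -> prints "uid:gid", or nothing if USER is absent.
uid_gid() {
    awk -F: -v u="$2" '$1 == u { print $3 ":" $4; exit }' "$1"
}

# check_ids HOST_PASSWD JAIL_PASSWD USER DIR
# 0 = ids match and DIR is owned by that uid, 1 = host/jail ids differ,
# 2 = USER missing on one side, 3 = DIR owned by another uid.
check_ids() {
    host=$(uid_gid "$1" "$3")
    jail=$(uid_gid "$2" "$3")
    if [ -z "$host" ] || [ -z "$jail" ]; then
        echo "$3: not present in both passwd files"
        return 2
    fi
    if [ "$host" != "$jail" ]; then
        echo "$3: host uid:gid $host, jail uid:gid $jail"
        return 1
    fi
    # ls -n prints numeric ids; field 3 is the owner uid.
    owner=$(ls -ldn "$4" | awk '{ print $3 }')
    if [ "$owner" != "${jail%%:*}" ]; then
        echo "$4: owned by uid $owner, jail $3 is uid ${jail%%:*}"
        return 3
    fi
    echo "$3: $jail on both sides, $4 owned by it"
}

# Constructed demo: the host user was created without choosing the id.
demo=$(mktemp -d)
echo 'mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin' > "$demo/jail.passwd"
echo 'mysql:*:1001:1001:SQL User:/nonexistent:/usr/sbin/nologin' > "$demo/host.passwd"
check_ids "$demo/host.passwd" "$demo/jail.passwd" mysql "$demo" || true
rm -rf "$demo"
```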
 

spetke

Cadet
Joined
Mar 25, 2015
Messages
5
I'm still having problems with enabling the memcache solutions. Any pointers on how to diagnose problems? I only get the internal server error page. And apache or redis logs tell me nothing interesting.

I installed the system using this guide and php 7.0
 

papaja

Dabbler
Joined
Apr 2, 2017
Messages
30
I have finished everything successfully or at least I thought so. It appears that I am unable to mount host dataset:
Code:
* Starting nextcloud
  + Start FAILED
mount: /mnt/files: No such file or directory


Manually creating directory files in /mnt, does not help either.
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
papaja, can you recheck your mount paths? The destination path must exist before mounting, the mount command will not create a directory for you. Creating that path should work :/
I'm still having problems with enabling the memcache solutions. Any pointers on how to diagnose problems? I only get the internal server error page. And apache or redis logs tell me nothing interesting.

I installed the system using this guide and php 7.0

Memcache has nothing to do with apache not working. You should be able to use nextcloud GUI without REDIS. It will say no mem cache warning but it will still work. I would suggest start by looking into your apache/Includes domain.conf file.



Now that 13.01 is out, how do we update ? just delete the nextcloud 13 zip and paste the new one under apache24/data ?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Now that 13.01 is out, how do we update ?
Install phar and nano and use the CLI updater.

From the jail shell
pkg install php70-phar nano

Once they are installed run the following commands to start the update process.
cd /usr/local/www/owncloud/updater/
sudo -u www php updater.phar

Follow the on screen instructions. When done browse to your nextcloud installation and click update.
 
Last edited:

alexten9

Dabbler
Joined
Mar 18, 2018
Messages
27
Thank You so much for doing this!
I would say I'm 99.99% running but the part where you say Now lets secure this server.

when I run this command
certbot certonly --webroot -w /usr/local/www/apache24/data/nextcloud -d (XXXXXXXX.com)
I get this

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory

Is there anything I need to do related to this message?

When I do

Navigate to /usr/local/etc/apache24/httpd.conf

Code:
cd /usr/local/etc/apache24/httpd.conf

I get
/usr/local/etc/apache24/httpd.conf: Not a directory.

I think i have to do

nano /usr/local/etc/apache24/httpd.conf

Also in

I don't know what the below command does but it works:
nano /etc/make.conf
Then add to the 2nd line of the file
Code:
DEFAULT_VERSIONS+=php7.0 (correct me if im wrong but i did +php7.2) or should I keep 7.0?

For this part
Force to https redirect:
I did everything it said and it does not redirect me. As well, when I try to manually go to https:// I get
This site can’t provide a secure connection
XXXXXX.com sent an invalid response.



  • Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

What am I doing wrong?
 

alexten9

Dabbler
Joined
Mar 18, 2018
Messages
27
Also, if anyone can help me install WordPress in the main dir of this jail's Apache, that would be great.
Nextcloud is currently at xx.xx.xx.xx/nextcloud. Could someone point me to a good how-to for setting up WordPress in the same jail but in the xx.xx.xx.xx main dir? When I navigate to xx.xx.xx.xx it just says "It Works!" I already added a database in SQL for WordPress.

Thank You!
 

dureal99d

Contributor
Joined
Aug 3, 2017
Messages
156
OK, it seems a lot has been missed and/or misconfigured.

Let's break this down by section.
 

dureal99d

Contributor
Joined
Aug 3, 2017
Messages
156
cd /usr/local/etc/apache24/httpd.conf

should be
ee /usr/local/etc/apache24/httpd.conf
or
nano /usr/local/etc/apache24/httpd.conf
 

papaja

Dabbler
Joined
Apr 2, 2017
Messages
30
when I run this command
certbot certonly --webroot -w /usr/local/www/apache24/data/nextcloud -d (XXXXXXXX.com)
I get this

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory

Is there anything I need to do related to this message?
There should be option 1 or 2 to confirm that you agree. If successful, you should see a message saying that.
When I do

Navigate to /usr/local/etc/apache24/httpd.conf

Code:
cd /usr/local/etc/apache24/httpd.conf

I get
/usr/local/etc/apache24/httpd.conf: Not a directory.

I think I have to do

nano /usr/local/etc/apache24/httpd.conf
Yes.
Also in

I don't know what the below command does but it works:
nano /etc/make.conf
Then add to the 2nd line of the file
Code:
DEFAULT_VERSIONS+=php7.0 (correct me if I'm wrong, but I did +php7.2) or should I keep 7.0?

I changed to 7.2, and it works.
For this part
Force to https redirect:
I did everything it said and it does not redirect me. Also, when I try to manually go to https:// I get
This site can’t provide a secure connection
XXXXXX.com sent an invalid response.



  • Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

What am I doing wrong?
You did not finish the letsencrypt part, but also check: does your virtual host config file have a .conf extension?
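
A static check for the two causes raised in the replies above, as an added example that is not part of the thread. It assumes the stock FreeBSD httpd.conf line `Include etc/apache24/Includes/*.conf`; the function names and the Includes path in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Static checks for the two causes the
# replies name: a vhost file Apache never loads, and an unfinished certificate.

# Print vhost files Apache skips because they do not match the
# "Includes/*.conf" pattern that httpd.conf includes (assumed stock config).
ignored_vhosts() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.conf) continue ;; esac
        if grep -qi '<VirtualHost' "$f"; then echo "$f"; fi
    done
}

# Count TLS problems in one vhost file (returned as the exit status).
# A :443 listener without "SSLEngine on" answers in plain HTTP, which browsers
# report as ERR_SSL_PROTOCOL_ERROR; a certificate path that does not exist
# usually means certbot never got as far as issuing.
check_tls_vhost() {
    conf=$1
    problems=0
    if ! grep -Eqi '^[[:space:]]*<VirtualHost[^>]*:443' "$conf"; then
        echo "no :443 VirtualHost in $conf"; problems=$((problems + 1))
    fi
    if ! grep -Eqi '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf"; then
        echo "\"SSLEngine on\" missing in $conf"; problems=$((problems + 1))
    fi
    for path in $(awk 'tolower($1) ~ /^sslcertificate(key)?file$/ {print $2}' "$conf"); do
        path=$(printf '%s' "$path" | tr -d '"')   # strip optional quotes
        if [ ! -r "$path" ]; then
            echo "missing or unreadable: $path"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage (directory is an assumption): sh vhost_check.sh /usr/local/etc/apache24/Includes
if [ "$#" -eq 1 ]; then
    ignored_vhosts "$1" | sed 's/^/not loaded (no .conf suffix): /'
    for c in "$1"/*.conf; do
        if [ -f "$c" ]; then check_tls_vhost "$c" || true; fi
    done
fi
```

The check is per file, not per VirtualHost block, so run `apachectl configtest` afterwards to confirm the configuration actually parses.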
 