In Nextcloud, as soon as I created a certificate with certbot I can no longer connect?

jackdinn

Contributor
Joined
Jun 14, 2022
Messages
102
I have been following https://sysadmin102.com/2021/11/ins...l-certificate-from-lets-encrypt-with-certbot/

Everything was going well, right up to the very last part.

I was able to access my Nextcloud via my domain name (www.jackdinn.co.uk); although it had the security warning about no certificate, I could access it.

So I continued with the instructions linked above, but as soon as I successfully created a certificate I could no longer connect?

My router port forwarding: [screenshot]
My domain registrar with the "A" records set up: [screenshot]
My Nextcloud is accessible via LAN: [screenshot]
My certs look OK to me? [screenshot]
But I just can not access my domain: [screenshot]

I've tried to undo whatever certbot did, but I can not get it to work from my domain again?

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
The first problem with that guide is that it starts with installing the plugin. Plugins are a dead feature walking, a "path to sadness" in the words of iX' CTO:

A much better way to install Nextcloud, in my admittedly-biased opinion, is this:

...and it takes care of the certificate for you by default.
 

jackdinn
Yeah, you already said about your script in another post. It means completely re-installing Nextcloud (losing everything that's been set up on it already, half of which I can't remember now as I've been tinkering with this for nearly a year :( ).

I was so close, I was right there, right at the very last part. I don't want to have to figure out where to even start with your script, which I'm sure is great and all, but...

man this whole thing is so frustrating.
 

jackdinn
@danb35
OK, I'm going to try and use your script to install another Nextcloud instance parallel to the first one (I've shut the first one down but not removed it). Working through your script, a few questions.

I have created the datasets as described, but I'm not 100% sure if the "nextcloud" dataset is supposed to be in the iocage dataset?

This is the pool i will be working in.
Code:
jack@truenas ~/git/freenas-iocage-nextcloud $ zfs list -r NAS-main
NAME                                                        USED  AVAIL     REFER  MOUNTPOINT
NAS-main                                                    638G  6.30T      163K  /mnt/NAS-main
NAS-main/.system                                            930M  6.30T      852M  legacy
NAS-main/.system/configs-daeb7be0eae547028f28998beacf9023  12.5M  6.30T     12.5M  legacy
NAS-main/.system/cores                                      140K  1024M      140K  legacy
NAS-main/.system/rrd-daeb7be0eae547028f28998beacf9023      51.8M  6.30T     51.8M  legacy
NAS-main/.system/samba4                                    7.71M  6.30T      703K  legacy
NAS-main/.system/services                                   140K  6.30T      140K  legacy
NAS-main/.system/syslog-daeb7be0eae547028f28998beacf9023   5.43M  6.30T     5.43M  legacy
NAS-main/.system/webui                                      140K  6.30T      140K  legacy
NAS-main/VMs                                               88.5G  6.30T      140K  /mnt/NAS-main/VMs
NAS-main/VMs/win10-lz4iis                                  55.3G  6.34T     16.4G  -
NAS-main/VMs/win7-cabreo                                   33.2G  6.32T     7.28G  -
NAS-main/cavern                                             247G  6.30T      247G  /mnt/NAS-main/cavern
NAS-main/home                                              17.1G  6.30T     16.4G  /mnt/NAS-main/home
NAS-main/iocage                                            15.9G  6.30T     9.34M  /mnt/NAS-main/iocage
NAS-main/iocage/download                                    434M  6.30T      140K  /mnt/NAS-main/iocage/download
NAS-main/iocage/download/13.1-RELEASE                       434M  6.30T      434M  /mnt/NAS-main/iocage/download/13.1-RELEASE
NAS-main/iocage/images                                      140K  6.30T      140K  /mnt/NAS-main/iocage/images
NAS-main/iocage/jails                                      13.7G  6.30T      151K  /mnt/NAS-main/iocage/jails
NAS-main/iocage/jails/adguard                              1.33G  6.30T      471K  /mnt/NAS-main/iocage/jails/adguard
NAS-main/iocage/jails/adguard/root                         1.33G  6.30T     1.26G  /mnt/NAS-main/iocage/jails/adguard/root
NAS-main/iocage/jails/nextcloud-jail                       9.01G  6.30T      727K  /mnt/NAS-main/iocage/jails/nextcloud-jail
NAS-main/iocage/jails/nextcloud-jail/root                  9.00G  6.30T     5.23G  /mnt/NAS-main/iocage/jails/nextcloud-jail/root
NAS-main/iocage/jails/qbittorrent-jail                     1.93G  6.30T      471K  /mnt/NAS-main/iocage/jails/qbittorrent-jail
NAS-main/iocage/jails/qbittorrent-jail/root                1.93G  6.30T     1.53G  /mnt/NAS-main/iocage/jails/qbittorrent-jail/root
NAS-main/iocage/jails/syncthing-jail                       1.46G  6.30T      471K  /mnt/NAS-main/iocage/jails/syncthing-jail
NAS-main/iocage/jails/syncthing-jail/root                  1.45G  6.30T     1.23G  /mnt/NAS-main/iocage/jails/syncthing-jail/root
NAS-main/iocage/log                                         180K  6.30T      180K  /mnt/NAS-main/iocage/log
NAS-main/iocage/releases                                   1.77G  6.30T      140K  /mnt/NAS-main/iocage/releases
NAS-main/iocage/releases/13.1-RELEASE                      1.77G  6.30T      140K  /mnt/NAS-main/iocage/releases/13.1-RELEASE
NAS-main/iocage/releases/13.1-RELEASE/root                 1.77G  6.30T     1.77G  /mnt/NAS-main/iocage/releases/13.1-RELEASE/root
NAS-main/iocage/templates                                   140K  6.30T      140K  /mnt/NAS-main/iocage/templates
NAS-main/mandie-home                                        186M  6.30T     5.65M  /mnt/NAS-main/mandie-home
NAS-main/manjaro-home                                       106G  6.30T     93.5G  /mnt/NAS-main/manjaro-home
NAS-main/media                                              159G  6.30T      153G  /mnt/NAS-main/media
NAS-main/nextcloud                                          721K  6.30T      163K  /mnt/NAS-main/nextcloud
NAS-main/nextcloud/config                                   140K  6.30T      140K  /mnt/NAS-main/nextcloud/config
NAS-main/nextcloud/db                                       140K  6.30T      140K  /mnt/NAS-main/nextcloud/db
NAS-main/nextcloud/files                                    140K  6.30T      140K  /mnt/NAS-main/nextcloud/files
NAS-main/nextcloud/themes                                   140K  6.30T      140K  /mnt/NAS-main/nextcloud/themes
NAS-main/syncthing-data                                    3.15G  6.30T     2.46G  /mnt/NAS-main/syncthing-data


As you can see I have an iocage dataset where all the jails usually live, but I assume it's OK to have the new nextcloud dataset completely separate? (I don't really have a clue about jails or what iocage is.)

JAIL_IP is the IP address for your jail. You can optionally add the netmask in CIDR notation (e.g., 192.168.1.199/24). If not specified, the netmask defaults to 24 bits. Values of less than 8 bits or more than 30 bits are invalid.
The old Nextcloud was at 192.168.2.113:8283, but that was assigned by itself, i.e. it just told me what IP and port to use; I did not set it. So how do I know what JAIL_IP is going to be here with this new Nextcloud?

Or is this where I set the IP to what I want it to be for this jail? The old Nextcloud was on the same IP as TrueNAS but had a port used.

I don't know.

COUNTRY_CODE
I need UK, but is that UK or GB or something else?

$POOL_PATH/portsnap
I see it mention $POOL_PATH/portsnap, but it never said to create a dataset called portsnap?

Also, HOST_NAME needs to resolve to your jail from inside your network. You'll probably need to configure this on your router, or on whatever other device provides DNS for your LAN. If you're unable to do so, you can edit the hosts file on your client computers to achieve this result, but consider installing something like Pi-Hole to give you control over your DNS.
I'm starting to get confused here. It's starting to sound like I'm supposed to have already created a jail and I'm supposed to know what the IP:port is. I thought this script was going to create a new jail and install Nextcloud in it. I'm not sure now :(

I need to forward the IP and ports in the router settings, but how do I know what the IP is going to be?
 

danb35
im not 100% sure if the "nextcloud" dataset is supposed to be in the iocage dataset?
No, it certainly should not. It can be pretty much anywhere else you like, but not within the iocage dataset.
So how do i know what JAIL_IP is going to be here with this new nextcloud?
You set it. Choose an unused IPv4 address on your subnet, that's outside the range your DHCP server assigns.
I need UK, but is that UK or GB or something else?
According to https://www.nationsonline.org/oneworld/country_code_list.htm#U, it looks like it would be GB.
Its starting to sound like im supposed to have already created a jail and im supposed to know what the IP:port is
No, you aren't supposed to have created the jail; the script does it for you. You're supposed to know what the IP is, because you set it. The ports will be 80 and 443, as are normal for the web.
 

jackdinn
No, you aren't supposed to have created the jail; the script does it for you. You're supposed to know what the IP is, because you set it. The ports will be 80 and 443, as are normal for the web.
OK, I think I'm understanding what's going on here, but I'm still a little confused about the ports used. The old NC was set to use the TrueNAS IP with port 8283. I certainly can sort out a static IP forwarded to the jail, and I understand now that I set that IP up, but why was the old NC using the same IP as the TrueNAS UI and on a weird port?

Don't suppose it's too important ATM, just curious.
 

jackdinn
And $POOL_PATH/portsnap? Was I supposed to create that dataset along with the others?
 

danb35
why was the old NC using the same IP as truenas UI and on weird port?
Because iX decided for $REASONS to start creating plugins using NAT. I don't know why, and I don't think it makes much sense, though it is kind of like what the apps on SCALE do. My script predates that decision, though I probably wouldn't have followed it anyway.

No, there's no need to create portsnap.
 

jackdinn
Also, HOST_NAME needs to resolve to your jail from inside your network. You'll probably need to configure this on your router, or on whatever other device provides DNS for your LAN. If you're unable to do so, you can edit the hosts file on your client computers to achieve this result, but consider installing something like Pi-Hole to give you control over your DNS.
Hmm, my host_name (************) is pointing to my static public IP. I have forwarded my public IP ports 80 & 443 to the same ports on 192.168.2.150 (I have chosen 192.168.2.150 as the jail's IP). I get the feeling that this is not right for the above requirement?

How can I test where a domain resolves to from inside the LAN?

On Linux, what's the best way to deal with this? I could just use /etc/hosts. I do have AdGuard running if that's of any use.

danb35
I get the feeling that this is not right for the above requirement?
That's all right as far as it goes. And then, from inside your network, you'd want jackdinn.co.uk to resolve to 192.168.2.150. An easy way to test that is to try to ping that name; your OS will tell you which IP it resolves to.
I do have adguard running if thats of any use.
...and that's your DNS server for your network? If so, you should be able to set it up to resolve jackdinn.co.uk to 192.168.2.150. I haven't used Adguard, but from what I can see, editing its /etc/hosts file should do the trick--unfortunately it doesn't seem to have a GUI for DNS host overrides.
 

jackdinn
OK, that'll do. Quickest just to use the hosts file.
Code:
❱ping jackdinn.co.uk
PING jackdinn.co.uk (192.168.2.150) 56(84) bytes of data.


Can I assume that this local resolution is only needed for the installation and setup under your script? Can I remove it from hosts after?

Well, I think I've got everything :-/ . I shall have another read through it all, but I think I shall be pulling the rip-cord.

Appreciate the help up to this point ^^
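Added example (mine, not code from the thread or from danb35's script): a small POSIX sh check that does what the ping test above does, but classifies the answer. From inside the LAN the name should resolve to the jail (192.168.2.150 in this thread); if it resolves to the WAN address instead, LAN clients are relying on hairpin NAT on the router, which is exactly what the /etc/hosts or AdGuard override avoids. The WAN address 203.0.113.10 and the ping header lines quoted in the comments are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or danb35's script): check that a
# Nextcloud hostname resolves to the jail's LAN address from inside the LAN.
# Names, addresses and the ping header lines below are constructed samples.

# Extract the IPv4 address from the first line ping prints, which is where
# the thread reads the resolved address from. Linux iputils prints
# "PING host (1.2.3.4) 56(84) bytes of data.", FreeBSD prints
# "PING host (1.2.3.4): 56 data bytes"; both carry the IP in the first
# pair of parentheses, so anchor on the first "(" rather than the last.
ipv4_from_ping_header() {
    printf '%s\n' "$1" | sed -n '1s/^[^(]*(\([0-9][0-9.]*\)).*/\1/p'
}

# Resolve a name the way the thread does (ping it once) and print the IPv4
# address it resolved to, or nothing if it did not resolve at all.
resolved_ipv4() {
    ipv4_from_ping_header "$(ping -c 1 "$1" 2>/dev/null | head -n 1)"
}

# Classify what the name resolved to: "lan" is what we want, "public" means
# the client went to the WAN address and depends on hairpin NAT, "none"
# means the name did not resolve, anything else is "other".
classify_resolution() {
    resolved=$1 lan_ip=$2 public_ip=$3
    if [ -z "$resolved" ]; then echo none
    elif [ "$resolved" = "$lan_ip" ]; then echo lan
    elif [ -n "$public_ip" ] && [ "$resolved" = "$public_ip" ]; then echo public
    else echo other
    fi
}

# The override line for /etc/hosts (on the client, or on the AdGuard host as
# suggested above) so the name resolves to the jail inside the LAN.
hosts_override_line() {
    printf '%s\t%s\n' "$2" "$1"
}

# Live check: returns 0 only when NAME resolves to the jail's LAN address,
# otherwise prints what to fix.
check_lan_resolution() {
    name=$1 lan_ip=$2 public_ip=$3
    resolved=$(resolved_ipv4 "$name")
    case $(classify_resolution "$resolved" "$lan_ip" "$public_ip") in
        lan)    echo "$name -> $resolved (jail LAN address): OK"; return 0 ;;
        public) echo "$name -> $resolved is your WAN address; LAN clients depend on hairpin NAT."
                echo "Add this on your LAN DNS or in /etc/hosts: $(hosts_override_line "$name" "$lan_ip")"
                return 1 ;;
        none)   echo "$name did not resolve"; return 1 ;;
        *)      echo "$name -> $resolved is neither the jail nor the WAN address"; return 1 ;;
    esac
}

# Usage: sh check-dns.sh jackdinn.co.uk 192.168.2.150 [your-wan-ip]
if [ $# -ge 2 ]; then check_lan_resolution "$@"; fi
```

Run it from a LAN client before and after adding the override; the "public" branch is the state jackdinn was in with only the port forward in place.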
 

danb35
Can i assume that this local resolution is only needed for the installation and setup under your script?
No, you'd need it to continue to resolve that way to be able to use Nextcloud from inside your LAN.
 

jackdinn
No, you'd need it to continue to resolve that way to be able to use Nextcloud from inside your LAN.
Oh yeah, sorry. I always used bookmarks to the jails/apps that were just LAN IPs or hostnames, but yeah, I should use the domain name if I'm going to be setting it up, might as well.
 

jackdinn
I finally ran it after much checking and double checking.

What is it trying to say here? Is it referring to the old NC that is installed? Should I remove it?

Code:
+ ls -A /mnt/NAS-main/nextcloud/config
+ [ .zfs ]
+ echo 'Existing Nextcloud config detected... Checking Database compatibility for reinstall'
Existing Nextcloud config detected... Checking Database compatibility for reinstall
+ ls -A /mnt/NAS-main/nextcloud/db/mariadb
ls: /mnt/NAS-main/nextcloud/db/mariadb: No such file or directory
+ [ '' ]
+ echo 'ERROR: You can not reinstall without the previous database'
ERROR: You can not reinstall without the previous database
+ echo 'Please try again after removing your config files or using the same database used previously'
Please try again after removing your config files or using the same database used previously
+ exit 1
 

danb35
What is it trying to say here? Is it referring to the old NC that is installed? Should i remove it?
If you've set any of the paths to a location where your current installation has files, it's likely to confuse my script. I'd make sure the locations they refer to are all empty before running the script.
 

jackdinn
Thanks for taking a look.
I've just figured it out. The new datasets have inherited a setting that I like to have on that allows the .zfs snapshot folders to be visible to the user.
So when your script did "if [ "$(ls -A "${CONFIG_PATH}")" ]; then" it was picking up on the fact that there was indeed an entry in that folder:

ls -A /mnt/NAS-main/nextcloud/config
.zfs

Good news: I have installed the whole thing :)

Next problem is Firefox won't stop putting 8283 at the end of my domain name no matter what I do. I will figure it out with time, I'm sure.
I have tested on another browser and although I can access it I'm still getting the certificate security warning. I have not had much time to look into any of this just yet though, as it's just finished installing.

You put a lot of work into that code. very nice :)

Your connection is not private

Attackers might be trying to steal your information from jackdinn.co.uk (for example, passwords, messages or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID
[screenshot]
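Added example (mine, not part of danb35's script): a pre-flight check for the three things that tripped up this install. The data datasets must sit outside the iocage dataset, JAIL_IP must be a usable IPv4 address (the README's rule: optional /8 to /30 netmask, /24 by default), and the data directories must be empty, where a visible .zfs snapshot directory should not count as content the way it did with the script's `ls -A` test. The paths and addresses are the ones from this thread; the function names and the checks themselves are my own, not anything the script defines.

```shell
#!/bin/sh
# Added example (not from the thread or danb35's script): pre-flight checks
# for the values the install script asks for, run before launching it.
# The /mnt/NAS-main paths and 192.168.2.150 are taken from the thread; the
# function names are assumptions of this example.

# The script's "ls -A" emptiness test sees ".zfs" when the dataset has
# snapdir=visible. Treat a directory as empty when nothing but the .zfs
# snapshot directory is in it.
dir_is_empty_ignoring_snapdir() {
    dir=$1
    [ -d "$dir" ] || return 1
    first=$(find "$dir" -mindepth 1 -maxdepth 1 ! -name .zfs -print | head -n 1)
    [ -z "$first" ]
}

# The data datasets must live outside the iocage dataset. Compare mountpoints
# as path prefixes with a trailing slash so /mnt/pool/iocage2 is not mistaken
# for a child of /mnt/pool/iocage.
dataset_outside_iocage() {
    data=${1%/}/ iocage=${2%/}/
    case $data in
        "$iocage"*) return 1 ;;
    esac
    return 0
}

# JAIL_IP per the script's README: an IPv4 address, optionally with /bits;
# bits default to 24 and must be between 8 and 30. Prints the normalised
# address/bits form on success, returns 1 on anything else.
validate_jail_ip() {
    case $1 in
        */*) addr=${1%%/*} bits=${1#*/} ;;
        *)   addr=$1 bits=24 ;;
    esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -ge 8 ] && [ "$bits" -le 30 ] || return 1
    # Split on dots: exactly four fields, each a number 0..255.
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$addr
EOF
    [ -n "$o4" ] && [ -z "$extra" ] || return 1
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%s/%s\n' "$addr" "$bits"
}

# Run all checks for one install: JAIL_IP, then every data path against the
# iocage mountpoint and for emptiness. Returns 0 only when everything passes.
preflight() {
    jail_ip=$1 iocage_path=$2; shift 2
    ok=0
    if normalised=$(validate_jail_ip "$jail_ip"); then
        echo "JAIL_IP $normalised: OK"
    else
        echo "JAIL_IP '$jail_ip': invalid (need a.b.c.d or a.b.c.d/8..30)"; ok=1
    fi
    for path in "$@"; do
        if ! dataset_outside_iocage "$path" "$iocage_path"; then
            echo "$path: inside the iocage dataset $iocage_path"; ok=1
        elif ! dir_is_empty_ignoring_snapdir "$path"; then
            echo "$path: missing or not empty (the script will treat this as a reinstall)"; ok=1
        else
            echo "$path: OK"
        fi
    done
    return $ok
}

# Usage: sh preflight.sh 192.168.2.150 /mnt/NAS-main/iocage \
#            /mnt/NAS-main/nextcloud/config /mnt/NAS-main/nextcloud/db \
#            /mnt/NAS-main/nextcloud/files /mnt/NAS-main/nextcloud/themes
if [ $# -ge 3 ]; then preflight "$@"; fi
```

With snapdir=visible on the parent dataset, the script's own test would flag every freshly created child as "existing config"; this check reports such a directory as empty, which is what you want before a first install.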
 

danb35
im still getting the certificate security warning.
That's to be expected. From the README:
The configuration generated by this script will obtain certs from a non-trusted certificate authority by default. This is to prevent you from exhausting the Let's Encrypt rate limits while you're testing things out. Once you're sure things are working, you'll want to get a trusted cert instead. To do this, you can use a simple script that's included. As long as you haven't changed the default jail name, you can do this by running iocage exec nextcloud /root/remove-staging.sh (if you have changed the jail name, replace "nextcloud" in that command with the jail name).
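Added example (mine, not from danb35's script or its README): a check to run after remove-staging.sh to confirm the host now serves a production Let's Encrypt certificate rather than a staging one (Let's Encrypt's staging issuers carry "(STAGING)" in their names, and browsers do not trust them, hence NET::ERR_CERT_AUTHORITY_INVALID), and that the Strict-Transport-Security header Nextcloud's admin security check looks for is present with a max-age of at least 15552000 seconds. It needs openssl and curl on the machine you run it from; the issuer and header strings used as samples are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or danb35's script): verify that a
# Nextcloud host is off the Let's Encrypt staging CA and sends an HSTS header
# strong enough for Nextcloud's admin check. Sample strings are constructed.

# Let's Encrypt staging intermediates put "(STAGING)" in their subject, e.g.
# "O = (STAGING) Let's Encrypt"; production issuers never do.
issuer_is_staging() {
    case $1 in
        *"(STAGING)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Issuer line of the leaf certificate NAME serves. SNI is set explicitly so a
# web server hosting several names returns the right certificate.
fetch_issuer() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# max-age from a Strict-Transport-Security header value; 0 when missing.
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | grep . || echo 0
}

# Nextcloud's security check expects max-age of at least 15552000 (180 days).
hsts_ok() {
    [ "$(hsts_max_age "$1")" -ge 15552000 ]
}

# Value of the HSTS header a live host sends on its front page (empty if none).
fetch_hsts() {
    curl -sI "https://$1/" | tr -d '\r' \
        | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p' | head -n 1
}

# Run both checks against a live host; returns 0 only when both pass.
check_host() {
    name=$1
    issuer=$(fetch_issuer "$name")
    if [ -z "$issuer" ]; then
        echo "$name: could not fetch a certificate"; return 1
    fi
    if issuer_is_staging "$issuer"; then
        echo "$name: '$issuer' is a staging CA; run remove-staging.sh in the jail"; return 1
    fi
    echo "$name: issuer '$issuer' OK"
    hsts=$(fetch_hsts "$name")
    if hsts_ok "$hsts"; then
        echo "$name: HSTS '$hsts' OK"
    else
        echo "$name: HSTS header missing or max-age below 15552000 ('$hsts')"; return 1
    fi
}

# Usage: sh check-tls.sh jackdinn.co.uk
if [ $# -ge 1 ]; then check_host "$1"; fi
```

Run it from outside the LAN as well as inside: with the split-horizon override in place the two paths reach the same jail, but only the public path proves the port forward and the production certificate work together.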
 

jackdinn
Are these to do with your "staging" setup, or do I have to start reading into reverse proxies etc. (please no :( )? [screenshot]
 

danb35
The "strict transport security" thing is also covered in the README. The reverse proxy thing, as best as I can tell, is a bug in Nextcloud.
 

jackdinn
Aye, I was just reading, but regarding the reverse proxy warning, I did not have any yellow warnings at all in the previous installation. Well, I did, but I fixed them all and none were that one. Hmm.

OK, well, you have been excellent, and your work is impeccable :smile: I've got a lot of work to do tomorrow, unless I can export/import all my setup. Tired now though.

Cheers.
 