In Nextcloud, as soon as I created a certificate with certbot I can no longer connect?

jackdinn

Contributor
Joined
Jun 14, 2022
Messages
102
@danb35
I'm sorry to ask here but I really don't want to start a new post as it's been covered so many times. Please put me out of my misery; I've been searching all day, and I've even fixed this before on the previous instance. I just cannot for the life of me remember where and how :( I had to clear all my cache & history from my browser to get rid of that darn :8283 that was stuck, and now I can't find where I found the answer to this problem.
The PHP OPcache module is not properly configured. See the documentation » for more information.
The OPcache.interned_strings_buffer is nearly full. To assure that repeating strings can be effectively cached, it is recommended to apply opcache.interned_strings_buffer to your PHP configuration with a value higher than 8.
I think OPcache.interned_strings_buffer is in /usr/local/etc/php.ini, but when I go back to check what I set it to in my old instance of Nextcloud it does not even have a php.ini. I kind of think it was not even php.ini that I changed; was it opcache.ini or .conf or something, or was it not a file edit at all, was it an occ command? I'm sorry, I'm so lost.

I won't go into just how much of a headache I've had today with this, but

Please can you help with where, what & how?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
OPcache.interned_strings_buffer is in /usr/local/etc/php.ini
Since my script runs php-fpm, I'd expect those settings to be in its configuration. The relevant file would be /usr/local/etc/php-fpm.d/www.conf. But I don't see that warning when I log in to a test jail I just created using the script.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Yes, the relevant file is at /usr/local/etc/php.ini inside the jail. I also had to edit mine and change it to 16 instead of 8.

Don’t forget to service php-fpm restart after changing it.
 

jackdinn

Contributor
Joined
Jun 14, 2022
Messages
102
Since my script runs php-fpm, I'd expect those settings to be in its configuration. The relevant file would be /usr/local/etc/php-fpm.d/www.conf
Oh right, I was just about to say `root@nextcloud:/usr/local/etc/php-fpm.d # grep -i opcache www.conf` shows nothing.
The relevant file is actually at /usr/local/etc/php.ini inside the jail. I also had to edit mine and change it to 16 instead of 8
Okey doky, you reckon 16 will be enough? I've seen posts with numbers in the thousands, & not because it's in MB either ^^ (surely can't be, but you can find all sorts if you search enough).

So just edit it and then? Does it need a restart of Apache, or the jail, or even the NAS?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
does it need a restart of Apache or the jail or even the nas?
My script uses Caddy, not Apache. Restarting the jail should be plenty.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I also had to edit mine and change it to 16 instead of 8.
I've updated the script with this change now, for future reference.
 

jackdinn

Contributor
Joined
Jun 14, 2022
Messages
102
Hi,

So I just had an email from Let's Encrypt:
Your certificate (or certificates) for the names listed below will expire in 19 days (on 2023-08-19). Please make sure to renew your certificate before then
Which reminded me that I still have not actually set HTTP Strict Transport Security yet. I'm pretty sure that the cert is/has been renewed (about 10 days ago), but I just want to remove that tiny niggling feeling that I might have misread or misunderstood something, because if the cert has been updated why is it emailing me saying I need to update the cert?

Anyhow, assuming that it is all OK, I can set Strict-Transport-Security now?

P.S. Oh yeah, I changed my router the other day and so Nextcloud and TrueNAS, in fact everything, ended up getting a changed IP. In your setup script the user has to set out the default gateway and the Nextcloud jail IP, so I was wondering if the fact that I have altered the local IPs would have affected anything. I mean it's all still working and accessible, so it seems OK. Not sure though.
 

jackdinn

Contributor
Joined
Jun 14, 2022
Messages
102
@danb35, so I did set HTTP Strict Transport Security and Nextcloud is all fine.

However, now I can't access my Plex jail from the WAN. I was able to access it via https://*******.co.uk:32400/ but now I cannot get past the certificate security warning that I normally had been able to set an exception for.

Can I just change back the setting Strict-Transport-Security in /usr/local/www/Caddyfile to being "rem'ed" out? Will this work or not?

I would just try it, but this line has made me very cautious: "HSTS is a useful security measure, but it can also lock you out of your site." I don't see how you can be locked out of your site if you can just turn off this feature.

If not, how do I sort this out?

Thank you.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Can I just change back the setting Strict-Transport-Security in /usr/local/www/Caddyfile to being "rem'ed" out? Will this work or not?
No, it won't. The way HSTS works is that it tells your browser to not allow insecure connections to the domain in question for a specified period of time--I think the current recommendation is two years. So if you're using the same hostname for Nextcloud and for Plex, the behavior you're describing is exactly as expected, and part of why I don't enable it by default, even though Nextcloud complains.

There are ways of overriding the HSTS cache in your browser; I'd expect a web search to find them.
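The behaviour danb35 describes, as an added example that is not part of the thread or of his script: a small Python model of a browser's HSTS store following RFC 6797. The policy is keyed by hostname only, never by port, so once Nextcloud on the shared hostname sends the header, the browser also treats the Plex port on that hostname as an HSTS host and refuses to let the user click through a certificate error. Responses that simply omit the header (the Caddyfile line commented out again) leave the cached policy in place until its max-age elapses; a response with max-age=0 is what the RFC defines as the signal to forget the host. The hostname, the two-year max-age (63072000 seconds) and the clock injection are constructed for the example.

```python
"""Toy model of a browser's HSTS cache (RFC 6797), added as an illustration.

Shows why commenting the Strict-Transport-Security line back out of the
Caddyfile does not restore the click-through certificate exception on the
Plex port when Plex shares the Nextcloud hostname.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute Unix time at which the policy lapses
    include_subdomains: bool   # includeSubDomains directive seen


class HstsStore:
    """Per-host HSTS cache. Keys are hostnames only: the port plays no role (RFC 6797 §8.2)."""

    def __init__(self, now=time.time):
        self._now = now                              # injectable clock for testing expiry
        self._policies: dict[str, HstsPolicy] = {}

    def process_response(self, url: str, headers: dict[str, str]) -> None:
        """Record, refresh or clear the policy for url's host from its STS header, if any."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or not host:
            return  # the header is only honoured over an error-free TLS connection (§8.1)
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        if value is None:
            return  # no header at all: the existing policy is left untouched until max-age runs out
        directives = [d.strip() for d in value.split(";") if d.strip()]
        max_age = None
        for d in directives:
            name, _, val = d.partition("=")
            if name.strip().lower() == "max-age" and val.strip().strip('"').isdigit():
                max_age = int(val.strip().strip('"'))
        if max_age is None:
            return  # max-age is mandatory; a malformed header is ignored
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 tells the browser to forget this host (§6.1.1)
            return
        include_sub = any(d.lower() == "includesubdomains" for d in directives)
        self._policies[host] = HstsPolicy(self._now() + max_age, include_sub)

    def is_known_host(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            pol = self._policies.get(candidate)
            if pol is None:
                continue
            if pol.expires_at <= now:
                del self._policies[candidate]  # lazily evict an expired policy
                continue
            if i == 0 or pol.include_subdomains:
                return True
        return False


def navigate(store: HstsStore, url: str, cert_trusted: bool = True) -> str:
    """What the modelled browser does for a navigation to url."""
    parts = urlsplit(url)
    known = store.is_known_host(parts.hostname or "")
    if parts.scheme == "http":
        return "upgraded to https" if known else "loaded over plain http"
    if cert_trusted:
        return "loaded"
    # On a known HSTS host a certificate error is a hard failure with no user override (§12.1).
    return "blocked: certificate error cannot be overridden" if known else "warning: user may add an exception"


def demo(host: str = "cloud.example.co.uk") -> tuple[str, str, str, str]:
    """Replays the thread's sequence on a constructed hostname shared by Nextcloud and Plex."""
    store = HstsStore()
    plex = f"https://{host}:32400/"          # self-signed certificate, so cert_trusted=False
    before = navigate(store, plex, cert_trusted=False)
    # Nextcloud (port 443) starts sending HSTS with the commonly recommended two-year max-age.
    store.process_response(f"https://{host}/", {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"})
    after = navigate(store, plex, cert_trusted=False)
    # Header commented out again in the Caddyfile: responses carry no STS header, policy persists.
    store.process_response(f"https://{host}/", {})
    still_blocked = navigate(store, plex, cert_trusted=False)
    # Serving max-age=0 from the same host is what clears the cached policy.
    store.process_response(f"https://{host}/", {"Strict-Transport-Security": "max-age=0"})
    cleared = navigate(store, plex, cert_trusted=False)
    return before, after, still_blocked, cleared


if __name__ == "__main__":
    for step, outcome in zip(("before HSTS", "after HSTS", "header removed", "max-age=0 served"), demo()):
        print(f"{step:>18}: {outcome}")
```

Real browsers additionally ship preload lists and their own per-site clearing UI; the model only covers what the header itself causes, which is enough to see that the Plex port is affected purely because it shares the hostname.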
 