Making Nextcloud accessible over HTTPS with a certificate

Artichoke

Dabbler
Joined
Jul 12, 2021
Messages
24
I have been following this guide on how to make Nextcloud accessible securely over the internet through HTTPS with a Let's Encrypt certificate. The last step in this guide, after installing certbot, is to request a certificate from Let's Encrypt. This is the command I issued:

certbot --nginx -d artichokenetwork.com

After executing this command and entering all the things like email, etc. I get this error message:

Screen Shot 2021-08-30 at 7.18.02 am.png

Why does this occur? I am sure that the domain works because I tested it with just HTTP through port 8282.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi,

There can be many different reasons for this...

Let's Encrypt must validate that the name you are requesting does indeed belong to you. They will not give you a certificate blindly under any name you can ask.

To prove ownership of that server, there are different ways. The one you are using here is the HTTP challenge. For that, the acme agent asks Let's Encrypt for the certificate. Let's Encrypt replies: OK, but before I do, put this cryptographic token on the website you pretend to control. Once done, Let's Encrypt calls back that website over HTTP and checks to see if that token has indeed been put in place there. If it is present, it is proof that indeed, you control the website and so you can receive the certificate. Let's Encrypt gives it to you then.

If Let's Encrypt does not find the required token, it still has no evidence that the website you are asking a certificate for is indeed under your control. Without such evidence, it refuses to give you one.

Here, that HTTP verification failed. It failed because when Let's Encrypt tried to connect to the HTTP website under your name, it did not receive any answer. Now, you must find out why: was it blocked ahead of you by your ISP? Are you indeed the one in control of the DNS name and are you pointing it to your server? Is it your own router / firewall that blocked it? There are tons of reasons why that request may have failed.

If your ISP blocks port 80, you can look for a different challenge. Here, I use DNS challenge instead of HTTP.
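The exchange Heracles describes (CA hands out a token, agent publishes it, CA fetches it back over plain HTTP and compares) can be walked through end to end in a few dozen lines. The following is an added example written for this thread, not code from Let's Encrypt, certbot or anyone posting here. It builds the key authorization the way ACME (RFC 8555) specifies it, token plus the RFC 7638 thumbprint of the account key, and plays the CA's side of the check against a throwaway local web server. The account key, the token and the loopback port are constructed for the demo; a real CA validates from its own servers, against the public DNS name, on port 80 only, which is exactly why a server that only answers on 8282 (or a port the ISP drops) fails the same way the "connection refused" case does here.

```python
import base64
import hashlib
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members only,
    serialised as compact JSON with the members in lexicographic order."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the agent must publish: the CA's token bound to the account key,
    so a token copied by someone else is useless without that key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Stand-in for the web server the agent provisions the token on."""
    published = {}  # path -> key authorization, filled in by the agent

    def do_GET(self):
        body = self.published.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def validate_http01(host: str, port: int, token: str, account_jwk: dict, timeout: float = 3.0):
    """CA side: fetch the challenge URL and compare the body with the
    expected key authorization. Returns (ok, reason)."""
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except OSError as exc:  # covers HTTPError/URLError, refused connection, timeout, DNS failure
        return False, f"no valid answer from {url}: {exc}"
    if body != key_authorization(token, account_jwk):
        return False, "token present but does not match the account key"
    return True, "ok"


# Constructed demo inputs: a dummy P-256 account key (coordinates are
# arbitrary bytes, no signing is performed) and a dummy token.
DEMO_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
DEMO_TOKEN = "demo-token-not-issued-by-any-CA"


def demo():
    """The three outcomes a CA can see: token not provisioned yet,
    token provisioned correctly, and nothing answering on the port at all."""
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)  # port 0 = any free port, demo only
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        not_provisioned, _ = validate_http01("127.0.0.1", port, DEMO_TOKEN, DEMO_JWK)
        ChallengeHandler.published[ACME_PATH + DEMO_TOKEN] = key_authorization(DEMO_TOKEN, DEMO_JWK)
        provisioned, _ = validate_http01("127.0.0.1", port, DEMO_TOKEN, DEMO_JWK)
    finally:
        server.shutdown()
        server.server_close()
    # Same port with the server gone: the "nothing listening" case from the thread.
    closed_port, _ = validate_http01("127.0.0.1", port, DEMO_TOKEN, DEMO_JWK)
    return not_provisioned, provisioned, closed_port


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

Running the file prints `(False, True, False)`: a 404 before the token is in place, success once it is, and a refused connection once nothing listens. Note that the thumbprint ignores optional JWK members such as `use` or `kid`, so two serialisations of the same key always produce the same key authorization.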
 

Artichoke

Dabbler
Joined
Jul 12, 2021
Messages
24
If your ISP blocks port 80, you can look for a different challenge. Here, I use DNS challenge instead of HTTP.

Is it possible that Let's Encrypt is not accessing the server because it is on port 8282, not the default port 80 that it is trying to access? Also, I'm pretty sure my ISP (Internode) doesn't block port 80.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Is it possible that Let's Encrypt is not accessing the server because it is on port 8282

More than possible: I confirm that this is the case. It is part of the security protocol. The HTTP verification will work ONLY on port 80. Either you reconfigure yourself to use port 80 or you use another challenge.
 

Artichoke

Dabbler
Joined
Jul 12, 2021
Messages
24
Hi, when I run the jail on port 80, it claims that another jail is already using that port:
Screen Shot 2021-08-31 at 8.12.39 am.png

But I do not have any other running jails that use that port. Is it possible that the TrueNAS GUI is using that port?
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi, when I run the jail on port 80, it claims that another jail is already using that port:
But I do not have any other running jails that use that port. Is it possible that the TrueNAS GUI is using that port?

Indeed, TrueNAS listens on port 80 and can bounce the clients back to HTTPS or present the admin dashboard on that port (unsafe).

The most important thing is for your router to listen on port 80 and then forward to your Nextcloud. It can forward to another port, but Let's Encrypt must receive its answer when calling HTTP over port 80.
 

Artichoke

Dabbler
Joined
Jul 12, 2021
Messages
24
The most important thing is for your router to listen on port 80 and then forward to your Nextcloud. It can forward to another port, but Let's Encrypt must receive its answer when calling HTTP over port 80.
I don't understand. What do you mean when the router "listens" on port 80? And how is it possible that the router can listen on, and Nextcloud can use, port 80 at the same time?
 

Artichoke

Dabbler
Joined
Jul 12, 2021
Messages
24
Small update - I found that there is a setting in my router to change the 'port requested externally'.
Screen Shot 2021-09-01 at 7.55.25 am.png

I changed that to port 80 and I can now access Nextcloud through port 80. However, certbot still can't connect and returns the same error message as before. Have I done this right?
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
TrueNAS is a first thing.
Your Internet router should be a second and completely different thing.
Your Nextcloud jail, despite being installed in TrueNAS, is a jail with a fully independent network stack. As such, it is a third, completely different thing.

Each one of them has an IP stack, so each one of them has a port 80.
Your Internet router has one, your TrueNAS has one, your Nextcloud has one. The thing is, when you do port forwarding, you are not required to forward a port to the same port on the next step:
You have your Internet router listening for incoming packets to its own port 80.
You configure it to forward these packets to your Nextcloud instance.
While doing that forwarding, you can easily ask your router to forward packets to a different port, like port 8282.
 

Artichoke

Dabbler
Joined
Jul 12, 2021
Messages
24
Ok, so what do I need to do in order to get Let's Encrypt to access my Nextcloud?
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
You ensure your router is listening on port 80 and that it will forward it to Nextcloud on whatever port you will use for hosting HTTP on it.

Be sure that your port 80 is indeed reachable from the Internet. From a computer plugged in behind your router, go to grc.com and use their Shields Up service to see if port 80 is open or not.
 

Artichoke

Dabbler
Joined
Jul 12, 2021
Messages
24
Ok, I tried that, but Nextcloud doesn't seem to want to connect over port 80. Just accessing it in a browser gives the standard 'unable to connect'.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
You need to give us more to keep helping you. There are so many things that can go wrong:
Were you inside or outside your network when you tried and failed? If outside, does it work from inside? Did you complete the GRC.com test I recommended to you? Does it confirm that port 80 is reachable from the Internet? How is your router configured as of now? And your Nextcloud jail? Can you do a different test like DNS instead? ...
 

Artichoke

Dabbler
Joined
Jul 12, 2021
Messages
24
I can access the Nextcloud instance in the network through http://mydomain.com.
I cannot access it outside of the network (using phone on cellular network and wifi turned off).
Shields Up tells me that port 80 is not open:
Screen Shot 2021-09-11 at 2.09.43 pm.png
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi,

So something is dropping port 80. It is almost certainly your ISP... This is not uncommon.... Your best shot is probably to turn to DNS challenge instead of HTTP challenge...
 

Artichoke

Dabbler
Joined
Jul 12, 2021
Messages
24
So I found out that Internode was blocking port 80. There was a setting in the Internode account that allowed you to toggle their 'network firewall' that blocked port 80 amongst other common ports like port 22 for ssh and 21 for ftp etc. This made my Nextcloud accessible from the internet and I finally got my certificate! However, it seems that Nextcloud is unable to install the certificate and returns this:
Screen Shot 2021-09-13 at 8.11.15 pm.png

I saw the suggested steps but I do not know the name of my certificate. Is there a way to find the name of my certificate so that I am able to run that command?
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
The certificate name you asked for is in the command: artichokenetwork.com
To view the content of a certificate, you can do it with:

openssl x509 -in /path/to/cert.pem -text -noout

You made good progress. Now that you got the certificate, the most difficult part is over.
 

Artichoke

Dabbler
Joined
Jul 12, 2021
Messages
24
Ok, I did that but how do I get Nextcloud to find a matching server block? I did some reading and poked around in some of the directories but I still don't quite understand what I need to do.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
According to the error message, you do not have a server defined in Nginx that has the same name as your certificate. As such, the script does not know how to re-configure Nginx to use that certificate.

I never used Nginx here, so I cannot do more than read the error message and repeat it...
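What "a server defined in Nginx that has the same name as your certificate" means in practice: the `--nginx` installer looks for a `server { ... }` block whose `server_name` directive names the domain on the certificate, and a block that only carries the catch-all `_` (or no `server_name` at all) does not count. The check below is an added example written for this thread, not certbot's own code or anything from the Nextcloud jail: a small nginx-config parser plus a matcher for the common `server_name` forms, run over a constructed config that mirrors the setup discussed above (listening on 8282 behind the router's port 80). The file contents and the `/path/to/nextcloud` root are constructed placeholders; the parser handles the usual subset of nginx syntax (comments, nested blocks, whitespace-separated arguments) and does not deal with quoted arguments that contain `;` or braces.

```python
import re

_WS = re.compile(r"\s*")
_STMT = re.compile(r"([^;{}]*)([;{])")


def parse_nginx(text: str) -> list:
    """Parse nginx configuration text into a tree of (words, children)
    tuples; children is None for a simple directive ending in ';'.
    Supports '#' comments and nested blocks, not quoted ';' or braces."""
    text = re.sub(r"#[^\n]*", "", text)

    def body(pos: int):
        items = []
        while True:
            pos = _WS.match(text, pos).end()
            if pos >= len(text) or text[pos] == "}":
                return items, pos
            m = _STMT.match(text, pos)
            if not m:
                raise ValueError(f"unterminated directive at offset {pos}")
            words, pos = m.group(1).split(), m.end()
            if m.group(2) == ";":
                items.append((words, None))
                continue
            children, pos = body(pos)
            if pos >= len(text) or text[pos] != "}":
                raise ValueError("missing closing brace")
            items.append((words, children))
            pos += 1

    items, pos = body(0)
    if pos != len(text):
        raise ValueError("unexpected closing brace")
    return items


def server_blocks(items: list) -> list:
    """Collect every server block, at any depth, with its listen and
    server_name arguments."""
    found = []
    for words, children in items:
        if children is None:
            continue
        if words[:1] == ["server"]:
            def args(name):
                return [a for w, _ in children if w[:1] == [name] for a in w[1:]]
            found.append({"listen": args("listen"), "server_name": args("server_name")})
        else:
            found.extend(server_blocks(children))
    return found


def name_matches(pattern: str, domain: str) -> bool:
    """Subset of nginx server_name matching: exact name, '*.example.com'
    (any subdomain) and '.example.com' (exact or any subdomain). The
    catch-all '_' is deliberately never a match: it is not a host name
    a certificate can be tied to."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])
    if pattern.startswith("."):
        return domain == pattern[1:] or domain.endswith(pattern)
    return pattern == domain


def matching_servers(config_text: str, domain: str) -> list:
    """Server blocks whose server_name covers the certificate's domain."""
    return [s for s in server_blocks(parse_nginx(config_text))
            if any(name_matches(p, domain) for p in s["server_name"])]


def diagnose(config_text: str, domain: str) -> str:
    """One-line verdict of the kind a pre-flight check would print."""
    hits = matching_servers(config_text, domain)
    if not hits:
        return f"no server block names {domain}; add 'server_name {domain};' to the block that serves it"
    ports = ", ".join(p for s in hits for p in s["listen"]) or "default"
    return f"{len(hits)} server block(s) name {domain} (listen: {ports})"


# Constructed sample modelled on the thread: the block answers on 8282
# (the port the router forwards its port 80 to) but names no host.
JAIL_DEFAULT = """
http {
    server {
        listen 8282;     # forwarded from the router's port 80
        server_name _;   # catch-all, not a real host name
        root /path/to/nextcloud;   # placeholder path
        location /.well-known/acme-challenge/ { allow all; }
    }
}
"""

# Same block with the certificate's name declared, which is the fix.
JAIL_FIXED = JAIL_DEFAULT.replace("server_name _;",
                                  "server_name artichokenetwork.com www.artichokenetwork.com;")

if __name__ == "__main__":
    print(diagnose(JAIL_DEFAULT, "artichokenetwork.com"))
    print(diagnose(JAIL_FIXED, "artichokenetwork.com"))
```

Run against the default block the verdict is that nothing names `artichokenetwork.com`; against the fixed block it reports one server block listening on 8282. The listening port is reported but not judged, since the installer only needs a name match: the port-80 requirement belongs to the HTTP challenge on the router side, not to the server block that receives the certificate.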
 