Nextcloud Encryption Issues

NAMoulton

Dabbler
Joined
Apr 10, 2023
Messages
19
Good day everyone!

I'm running into issues getting my Nextcloud plugin to cooperate. I can get it to work perfectly without encryption, but once I go through the process of getting certbot to publish certs to my domain, it breaks it. I've been following this guy's video tutorial but using my Asus router's DDNS instead of DuckDNS ( https://www.youtube.com/watch?v=Agq8LcnAWPo ). I have port forwarding turned on in the router to forward ports 80, 443 to the Nextcloud IP (192.168.50.117), works flawlessly without encryption set up. Doing basic ping troubleshooting, I was able to reach my router LAN IP (192.168.50.1) but not my WAN IP (173.*.*.*). According to certbot logs it is publishing the cert and handshaking it correctly, but when I type my domain into the browser, it gives me a "Problem Loading Webpage" saying it might be cookie/cache related (it's not, I've cleared that on multiple attempts). I can still access the Nextcloud webpage if I click "Manage" under the plugin dropdown.

This is the error.log from /var/log/nginx/ (changed the domain name for privacy)
2023/05/03 14:07:56 [error] 21328#102070: connect() to 23.205.105.167:80 failed(51: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.205.105.167:80, certificate: “/usr/local/etc/letsencrypt/live/my.personal.domain/fullchain.pem”

I've spent over a week (only an hour here or there a day) trying to get this to work, with no luck. Any guidance/advice/a different set of instructions would be super appreciated. I've tried to follow the documentation online, but it doesn't cover the securing method on TrueNAS and Nextcloud doesn't cover TrueNAS installation very well...
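
The nginx entry quoted in the post above is written when nginx, fetching an OCSP response to staple to its certificate, cannot open an outbound connection to the responder; it concerns traffic leaving the Nextcloud host, not the inbound 80/443 forwards. As an added example (not part of the original post), this Python code extracts such entries from an error log and groups them by certificate, responder and OS error; the regex field names and the second and third sample lines are constructed for this example.

```python
import re
from collections import Counter

# Line 1 is the entry quoted in the post above; lines 2-3 are constructed samples.
SAMPLE_LOG = """\
2023/05/03 14:07:56 [error] 21328#102070: connect() to 23.205.105.167:80 failed(51: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.205.105.167:80, certificate: “/usr/local/etc/letsencrypt/live/my.personal.domain/fullchain.pem”
2023/05/03 14:08:10 [error] 21328#102070: *7 open() "/usr/local/www/nextcloud/favicon.ico" failed (2: No such file or directory), client: 192.168.50.20, server: my.personal.domain
2023/05/03 15:07:56 [error] 21328#102070: connect() to 23.205.105.167:80 failed (61: Connection refused) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.205.105.167:80, certificate: "/usr/local/etc/letsencrypt/live/my.personal.domain/fullchain.pem"
"""

# Matches only errors raised "while requesting certificate status" (OCSP stapling).
# Accepts "failed(" with or without a space and straight or typographic quotes,
# because forum software often rewrites both when a log line is pasted.
STAPLING_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] .*?'
    r'failed\s*\((?P<errno>\d+): (?P<reason>[^)]*)\) '
    r'while requesting certificate status, '
    r'responder: (?P<responder>[^,]+), '
    r'(?:peer: (?P<peer>[^,]+), )?'
    r'certificate: ["\u201c](?P<cert>[^"\u201d]+)["\u201d]',
    re.MULTILINE,
)

def stapling_failures(log_text):
    """Return one dict per OCSP stapling fetch failure found in log_text."""
    return [m.groupdict() for m in STAPLING_RE.finditer(log_text)]

def summarize(failures):
    """Count failures per (certificate, responder, OS error) so repeats stand out."""
    return Counter(
        (f["cert"], f["responder"], f"{f['errno']}: {f['reason']}") for f in failures
    )

if __name__ == "__main__":
    for (cert, responder, err), n in summarize(stapling_failures(SAMPLE_LOG)).items():
        print(f"{n}x OCSP fetch from {responder} failed ({err}) for {cert}")
```
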
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Can you use this handy script?

It installs Nextcloud and it would actually be too much for me to try to explain why it’s better. It just is.

You don't need port forwarding if you use Cloudflare DNS. (Port forward is still an option)
Automatic https with certs using caddy.
Able to reinstall and keep your data.
Encryption is very simple to enable.

Plugins are also deprecated, a path to sadness, and will be discontinued in 2025.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Good day everyone!

I'm running into issues getting my Nextcloud plugin to cooperate. I can get it to work perfectly without encryption, but once I go through the process of getting certbot to publish certs to my domain, it breaks it. I've been following this guy's video tutorial but using my Asus router's DDNS instead of DuckDNS ( https://www.youtube.com/watch?v=Agq8LcnAWPo ). I have port forwarding turned on in the router to forward ports 80, 443 to the Nextcloud IP (192.168.50.117), works flawlessly without encryption set up. Doing basic ping troubleshooting, I was able to reach my router LAN IP (192.168.50.1) but not my WAN IP (173.*.*.*). According to certbot logs it is publishing the cert and handshaking it correctly, but when I type my domain into the browser, it gives me a "Problem Loading Webpage" saying it might be cookie/cache related (it's not, I've cleared that on multiple attempts). I can still access the Nextcloud webpage if I click "Manage" under the plugin dropdown.

This is the error.log from /var/log/nginx/ (changed the domain name for privacy)
2023/05/03 14:07:56 [error] 21328#102070: connect() to 23.205.105.167:80 failed(51: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.205.105.167:80, certificate: “/usr/local/etc/letsencrypt/live/my.personal.domain/fullchain.pem”

I've spent over a week (only an hour here or there a day) trying to get this to work, with no luck. Any guidance/advice/a different set of instructions would be super appreciated. I've tried to follow the documentation online, but it doesn't cover the securing method on TrueNAS and Nextcloud doesn't cover TrueNAS installation very well...
Try connecting from outside your home, such as with your cell phone over LTE or remotely connected at work.
I suspect your router may not be doing or isn't set up to perform rerouting internally. (I forgot the right terminology).
Usually, networks don't like requesting access to a device when the address at the source and at destination are the same.
 

NAMoulton

Dabbler
Joined
Apr 10, 2023
Messages
19
Can you use this handy script?

It installs Nextcloud and it would actually be too much for me to try to explain why it’s better. It just is.

You don't need port forwarding if you use Cloudflare DNS. (Port forward is still an option)
Automatic https with certs using caddy.
Able to reinstall and keep your data.
Encryption is very simple to enable.

Plugins are also deprecated, a path to sadness, and will be discontinued in 2025.
So this is a dumb question...but through what interface/terminal am I doing these commands? I tried to do the "git clone blahblahblah" in the TrueNAS Shell, but after entering my GitHub credentials I get an error saying password authentication is no longer allowed as of AUG2021...
 

NAMoulton

Dabbler
Joined
Apr 10, 2023
Messages
19
Try connecting from outside your home, such as with your cell phone over LTE or remotely connected at work.
I suspect your router may not be doing or isn't set up to perform rerouting internally. (I forgot the right terminology).
Usually, networks don't like requesting access to a device when the address at the source and at destination are the same.
It doesn't work that way either.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
So this is a dumb question...but through what interface/terminal am I doing these commands? I tried to do the "git clone blahblahblah" in the TrueNAS Shell, but after entering my GitHub credentials I get an error saying password authentication is no longer allowed as of AUG2021...
You need to read through the install page of the script.
Anyway, in short, you need to create an iocage jail via the web interface and from there the best approach is to SSH into TrueNAS and run "console Name_of_Jail" and run the script within the jail.
There is more to it, but it should make your life easier searching for the bits and pieces to get you started.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
You need to read through the install page of the script.
Anyway, in short, you need to create an iocage jail via the web interface and from there the best approach is to SSH into TrueNAS and run "console Name_of_Jail" and run the script within the jail.
There is more to it, but it should make your life easier searching for the bits and pieces to get you started.
Wrong. Sorry.

This script needs to be run from the TrueNAS shell. It creates the jail for you and sets everything up.

There should be no need to enter GitHub credentials. Make sure you copy and paste the command to clone.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Wrong. Sorry.

This script needs to be run from the TrueNAS shell. It creates the jail for you and sets everything up.

There should be no need to enter GitHub credentials. Make sure you copy and paste the command to clone.
My bad then.
 

NAMoulton

Dabbler
Joined
Apr 10, 2023
Messages
19
Wrong. Sorry.

This script needs to be run from the TrueNAS shell. It creates the jail for you and sets everything up.

There should be no need to enter GitHub credentials. Make sure you copy and paste the command to clone.
So, it definitely asks for login creds and I don't know how to not require a login...
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
So, it definitely asks for login creds and I don't know how to not require a login...
You are leaving out the b in danb35. Copy and paste this.

git clone https://github.com/danb35/freenas-iocage-nextcloud
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Make sure to read the instructions carefully depending on if you want a Self-Signed, Standalone, DNS, or no certificate.

The beauty of this script is that it will mount your data outside the jail, and if you decide to delete the jail and rebuild it, your data stays. So you can just reinstall and pick up where you left off.
 

NAMoulton

Dabbler
Joined
Apr 10, 2023
Messages
19
Make sure to read the instructions carefully depending on if you want a Self-Signed, Standalone, DNS, or no certificate.
I've definitely been reading them very thoroughly...especially this part since it's the part that keeps breaking on me.

I'm pretty sure I'm going to go with the STANDALONE_CERT method since I have my router set up to have the 80, 443 ports open and be forwarded to the Nextcloud local IP. Am I understanding that part correctly? I would rather not pay subscriptions to Cloudflare's DNS if I can avoid it (kinda the purpose when I splurged $1000 for hardware to last the next ten years haha).
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
I've definitely been reading them very thoroughly...especially this part since it's the part that keeps breaking on me.

I'm pretty sure I'm going to go with the STANDALONE_CERT method since I have my router set up to have the 80, 443 ports open and be forwarded to the Nextcloud local IP. Am I understanding that part correctly?
Correct. But your domain must resolve to your public IP.
I would rather not pay subscriptions to Cloudflare's DNS if I can avoid it (kinda the purpose when I splurged $1000 for hardware to last the next ten years haha).
It’s actually free. You just need a domain and make sure it’s pointed at Cloudflare nameservers (which they walk you through doing).

Some domains don’t work with Cloudflare. From Freenom etc…
 

NAMoulton

Dabbler
Joined
Apr 10, 2023
Messages
19
Correct. But your domain must resolve to your public IP.
Yeah, I have an Asus router and it has a DDNS setting I'm using to give my WAN IP a domain name. If this fails to work, I'll try the DNS Cloudflare option I guess haha.

I super appreciate all this help. I've been bashing my head into the keyboard for weeks trying to get this working right haha (also switching off Windows into Ubuntu at the same time, there's a LOT of growing pains...).
 

NAMoulton

Dabbler
Joined
Apr 10, 2023
Messages
19
@victort Appreciate all the help! Spelling the url correctly did the trick. Everything is working perfectly now! Ran into an issue where I didn't know the default admin credentials to log into Nextcloud, but spent a good bit reading log files and found it!
 