nextcloud + lets encrypt missing

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Another of the things it says is that your hostname needs to resolve to the local IP of your jail from inside your network.
To elaborate on that - that's precisely what I meant with "some experience" above. It is assumed that you know what that means and can configure your DNS so this condition is met.

Nobody here knows up front what your DNS setup looks like and what your home network looks like and what domain you are using etc. And support for all these questions is outside of the scope of the TrueNAS forum.

Yet, we are still trying our best to help, here.

One question for @danb35: in recent years I have come to avoid split DNS and very much prefer reflection/hairpin NAT. So would your script work if port forwarding from an external IP to the jail was active and working from inside and outside the home LAN? I figure that's the most common use case and that's what I do here at my home.
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
I also tried that option, that the domain resolves to the local IP,
but it says could not connect to the server
nsurlerrordomain....
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
To elaborate on that - that's precisely what I meant with "some experience" above. It is assumed that you know what that means and can configure your DNS so this condition is met.
I can't see it written in any documentation / howto.

So it's new information to me.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Yes. Because DNS is another topic that junior network engineers go to dedicated trainings for. I could recommend a book on just that single issue. Then a book on IP routing. Then one on firewalls. Then one on TLS.

One has to draw the line somewhere. How do you expect Dan to write documentation that covers all these topics, assuming the audience does not know anything? That's just impossible. Setting up an Internet facing application is not like installing something on Windows or a Mac.

Seriously TrueNAS topics are essentially finished once you have a running jail with its own IP address. That's what TrueNAS provides. Whatever application you want to run in there hopefully comes with its own stack of docs. Like Nextcloud. And then Nextcloud needs a database. For example MySQL - some piece of software that people go to multiple day paid trainings for.

What I want to drive home: it really is that complex. That's why there is no single documentation that works in all circumstances.

Dan is surely going to help and is much more knowledgeable than I am - it's his script after all - I am still curious about the DNS issue. That's why I sort of hijacked this thread for my question. But then that can lead to a possible solution for you, so let's see ...
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
Understood,
I managed to set on my router that all my local computers now can see that public domain - I set for Nextcloud - is translated to the local IP of the jail... but still the issue...

<Secure connection failed>
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Without much knowledge of Dan's script, if you configured your uplink router to forward both ports 80 and 443 to the Nextcloud jail, and if my guess how the script works is correct, then using the same external/internal domain name and starting all over should work. So throw away jail, re-run script with proper FQDN (that's "fully qualified domain name", e.g. cloud.myfamily.com).
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
Issue fixed; thanks....

The issue was that the local DNS router was initially resolving my public domain name that I used for Nextcloud to the public IP...
so I changed that on the router -> now it points to the local jail IP.

The issue was that I didn't restart caddy; service caddy reload

After that all seems to work.
Sorry and thanks
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
That's your official domain name? cloudph1.duckdns.org? If yes, it's curious how that worked once, then failed after login. It's half an hour to midnight here and I personally would think, "ok ... some DNS cache thing, let's check tomorrow".

If it persists ... need to think about it. Remote diagnosis is difficult.

If that is not the FQDN you used for initial login, then that is not correctly set in the nextcloud configuration. You need to check that.
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
@Patrick M. Hausen I have some serious networking issues apparently

operator's router - doesn't support hairpin
my OpenWrt router is not working properly ...

my Android clients are not using local DNS; they use other DoT/DoH servers....

just one big mess.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Split-DNS. Set up a local recursive and authoritative DNS server, e.g. BIND. Make all your clients use that one. Create a zone not for your domain but for the complete FQDN of your Nextcloud jail as a domain/zone. Have that resolve to your private IP address. Alternatively with Unbound instead of BIND configure a host override for your Nextcloud's FQDN. The intended effect is that whenever an internal client asks for the FQDN of your Nextcloud it gets the internal IP address. Clients on the Internet will get the external IP address from your external DNS.

Or at least for all "real computers" add a local /etc/hosts entry. The general idea is to make access from outside work reliably, and hack around any problems you have from inside.

Good night for now.
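A way to check the condition Patrick describes (an internal client should get the jail's private IP for the Nextcloud FQDN, an Internet client the public IP) against one specific resolver, which also helps with the Android question above, where the device uses a different DNS server than the rest of the LAN. This is an added example, not part of danb35's script or of any post here; it assumes a hypothetical FQDN cloud.example.com and a made-up jail address 192.168.1.50, and it only speaks plain UDP/53, so it cannot show what a DoT/DoH-configured client receives.

```python
import ipaddress
import socket
import struct
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name."""
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg):
    """IPv4 addresses from the answer section of a DNS response (RFC 1035 wire format)."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # A record
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs

def resolve(fqdn, resolver_ip, timeout=3.0):
    """Ask one chosen resolver over UDP/53 for A records, bypassing the OS resolver config."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in fqdn.rstrip(".").split("."))
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        return parse_a_records(s.recv(512))

def classify(answers, jail_ip):
    """'internal': jail IP returned (split DNS in effect); 'public': only non-RFC1918
    answers, so this client would need hairpin NAT; 'wrong': no answer or another private host."""
    if jail_ip in answers:
        return "internal"
    if answers and not any(ipaddress.ip_address(a) in n for a in answers for n in RFC1918):
        return "public"
    return "wrong"

# Constructed sample: the LAN resolver's answer once the override exists (made-up FQDN, jail 192.168.1.50).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)               # header: response, 1 question, 1 answer
    + b"\x05cloud\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # question: cloud.example.com A IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 168, 1, 50])  # answer: name ptr, A, IN, TTL, rdata
)
```

On a live LAN client, `classify(resolve("cloud.example.com", "<lan-resolver-ip>"), "<jail-ip>")` run against the router's resolver and then against the server the phone actually uses shows which one is handing out the public address.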
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
in recent years I have come to avoid split DNS and very much prefer reflection/hairpin NAT. So would your script work if port forwarding from an external IP to the jail was active and working from inside and outside the home LAN?
AFAIK, it should work with properly-functioning hairpin NAT--but I was never able to get hairpin NAT working for me with pfSense, so I wasn't able to really test that (I think there's some not-especially-polite discussion on my thread with Ornias (sp?) on that question). I know it works with split DNS. I don't know about hairpin NAT, but don't know any reason it shouldn't work.
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
Split-DNS. Set up a local recursive and authoritative DNS server, e.g. BIND. Make all your clients use that one. Create a zone not for your domain but for the complete FQDN of your Nextcloud jail as a domain/zone. Have that resolve to your private IP address. Alternatively with Unbound instead of BIND configure a host override for your Nextcloud's FQDN. The intended effect is that whenever an internal client asks for the FQDN of your Nextcloud it gets the internal IP address. Clients on the Internet will get the external IP address from your external DNS.

Or at least for all "real computers" add a local /etc/hosts entry. The general idea is to make access from outside work reliably, and hack around any problems you have from inside.

Good night for now.
Thanks, seems that's how I configured it... just have an issue with one device - Android - that one can't see that translation and I have no clue why ... ;/
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
I was wondering, if hairpin is not possible, and also split DNS doesn't work...

isn't the fix for that a reverse proxy?

thanks
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
If the reverse proxy is outside your LAN on a publicly reachable address - yes. But most commonly you will have it behind the same router as the Nextcloud installation which again calls for hairpin NAT to reach the reverse proxy ...

You could try to make it work from outside first (including Let's Encrypt and friends), then get at that split DNS setup again for your internal hosts.

HTH,
Patrick
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
I don't know... the issue is Android has some problem with DNS split ... maybe it's an Android bug ... all my devices can resolve public to local IP ...
only Android can't.
 