Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
This sounds like another instance of the clusterf*ck that Let's Encrypt has caused (or at least highlighted) with their recent change in the certificate chain--which isn't helped by the fact that you're using an EOL OS. See:

Best answer is probably to download the "Root X1" certificate and install it on the client system(s) as a trusted root CA:

Or try getting the cert from ZeroSSL instead. Make this change in the Caddyfile to do that:
Code:
{
    # debug
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    email youremailhere

Change acme_ca to https://acme.zerossl.com/v2/DV90, then restart Caddy.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
It's also been suggested that simply browsing to https://valid-isrgrootx1.letsencrypt.org/ on an affected client system may result in it loading the required root cert, which should resolve the issues you're seeing.
 

T_T

Explorer
Joined
Jul 24, 2018
Messages
64
I have been running and configured everything to my liking and it seems to work great. What would be a best practice to back up all my files from Nextcloud? Any pointers would be much appreciated!
 

InGenetic

Contributor
Joined
Dec 18, 2013
Messages
183
This sounds like another instance of the clusterf*ck that Let's Encrypt has caused (or at least highlighted) with their recent change in the certificate chain--which isn't helped by the fact that you're using an EOL OS. See:

Best answer is probably to download the "Root X1" certificate and install it on the client system(s) as a trusted root CA:

Or try getting the cert from ZeroSSL instead. Make this change in the Caddyfile to do that:
Code:
{
    # debug
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    email youremailhere

Change acme_ca to https://acme.zerossl.com/v2/DV90, then restart Caddy.
Hi Mr. Danb35,
Thanks for replying.
If I want to try the second way:

Or try getting the cert from ZeroSSL instead. Make this change in the Caddyfile to do that:
Code:
{
    # debug
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    email youremailhere

Change acme_ca to https://acme.zerossl.com/v2/DV90, then restart Caddy.
then do I only have to change the Caddyfile? Please let me know where the Caddyfile is located.

FYI, thanks for your info about this:

Best answer is probably to download the "Root X1" certificate and install it on the client system(s) as a trusted root CA:

It works now.

Please advise further: do I have to change the Caddyfile or not in this situation? Because for some users who are using Windows 7, I installed Root X1 on their OS, and for users using Windows 10, there's no issue.

Please advise.


Thanks and regards,
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
because for some users who are using Windows 7, I installed Root X1 on their OS, and for users using Windows 10, there's no issue.
Windows 10 has this cert already, so there's no need to add it. Windows 7 should be able to load this cert if you visit https://valid-isrgrootx1.letsencrypt.org/, but I don't have a Windows 7 machine to test this on. But no, if you're putting the root cert onto the affected machines, there's no need to change the Caddyfile at all.

If you're using the second method--getting the cert from ZeroSSL rather than Let's Encrypt--then yes, you only need to change the Caddyfile. It's located in the jail, at /usr/local/www/Caddyfile.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
What would be a best practice to back up all my files from Nextcloud?
To be complete, you'd want to back up everything in $POOL_PATH/nextcloud.
 

ThatGuyAZ

Dabbler
Joined
Apr 28, 2021
Messages
32
I just received a message from LetsEncrypt that my certificate is still in staging and is about to expire. I had already done the command
Code:
iocage exec nextcloud /root/remove-staging.sh 
nearly 2 months ago when I installed NextCloud.

I went in today and did it again and I get the following:
Code:
2021/10/12 18:55:56.601 INFO    using provided configuration    {"config_file": "/usr/local/www/Caddyfile", "config_adapter": "caddyfile"}


How do I verify that this is now working?

I
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I just received a message from LetsEncrypt that my certificate is still in staging and is about to expire.
No, the message said that the certificate issued by the staging server is about to expire. And since you've issued a new cert from the production server, that's to be expected. You can safely ignore this message.

If you want to be sure, well, do you get a certificate error when you browse to your site? If not, you're 99% certain to be OK. If you want to check for sure, use one of the many SSL checker websites (I like ssllabs.com, as it's a pretty comprehensive check), which will show you (among other things) where your certificates come from.
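
One way to do the check described in the post above from a shell, as an added example that is not part of the thread or of the install script: it reads the issuer of the certificate a server presents and classifies it as Let's Encrypt staging, Let's Encrypt production or ZeroSSL. The function names are hypothetical and the sample issuer lines are constructed.

```sh
#!/bin/sh
# Added example (not from the thread or the install script).
# Function names are hypothetical; sample issuer lines below are constructed.

# classify_issuer ISSUER_LINE: map an "openssl x509 -issuer" line to a CA kind.
# Staging is tested first because its issuer also contains "Let's Encrypt".
classify_issuer() {
    case "$1" in
        *"(STAGING)"*|*"Fake LE"*) echo staging ;;   # current and older staging names
        *"Let's Encrypt"*)         echo letsencrypt-production ;;
        *ZeroSSL*)                 echo zerossl ;;
        *)                         echo unknown ;;
    esac
}

# issuer_of HOST [PORT]: print the issuer of the leaf certificate HOST presents.
issuer_of() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer
}

# check_site HOST: report where the live certificate comes from.
# Returns 0 for a production CA, 1 for staging/unknown, 2 if no cert was read.
check_site() {
    issuer=$(issuer_of "$1") || return 2
    kind=$(classify_issuer "$issuer")
    printf '%s: %s (%s)\n' "$1" "$kind" "$issuer"
    case "$kind" in staging|unknown) return 1 ;; esac
    return 0
}

# Offline demonstration on constructed issuer lines (no network needed).
for line in \
    "issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3" \
    "issuer=C = US, O = Let's Encrypt, CN = R3" \
    "issuer=C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA"
do
    printf '%-24s %s\n' "$(classify_issuer "$line")" "$line"
done
```

Against a live site, run `check_site cloud.example.com` (placeholder hostname) from any machine with openssl installed.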
 
Joined
Jan 4, 2014
Messages
1,644
NC 22.2.0 became available for me overnight in the stable update channel. The update from 21.0.5 to 22.2.0 completed without issue.
 

dr4k4th

Cadet
Joined
Oct 8, 2014
Messages
4
I tried installing with your script today but had an error with the SSL.
I followed the following steps for my main freenas system to remove the key that a bug in OpenSSL keeps favoring:
https://www.truenas.com/community/t...the-openssl-1-0-2-vs-letsencrypt-issue.95874/
I tried using the script again and it failed again.
I looked into the same location into the jail and it has the same entry.
Seems like all FreeNAS 11 and older will suffer from this bug.

Code:
2021/10/14 19:26:05 [INFO] Build complete: /usr/local/bin/caddy
2021/10/14 19:26:05 [INFO] Cleaning up temporary folder: /tmp/buildenv_2021-10-14-1922.344068315
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374374552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://download.nextcloud.com/server/releases/latest-21.tar.bz2: Authentication error
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374374552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://download.nextcloud.com/server/releases/latest-21.tar.bz2.asc: Authentication error
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374374552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://nextcloud.com/nextcloud.asc: Authentication error
Command: fetch -o /tmp https://download.nextcloud.com/server/releases/latest-21.tar.bz2 https://download.nextcloud.com/server/releases/latest-21.tar>
Failed to download Nextcloud
 
Aephir

Dabbler
Joined
Apr 25, 2021
Messages
47
Code:
Internal Server Error

The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
More details can be found in the webserver log.

For the sake of closure (and anyone else running into the same error message looking for answers), I think I found the issue. Or two, actually, that will both give this error message. I can at least replicate this on a fresh install by setting:
Code:
'overwriteprotocol' => 'https',

in config.php. I'm not sure why though, since I have used this for months (maybe an update in nginx that I'm using to serve externally?).

However, I also found someone having the same error if they had a corrupted database.
 
Dave-g08

Dabbler
Joined
Sep 29, 2014
Messages
22
I tried using the script again yesterday, but (I think) due to the changes in Go 1.16 it expects to find a go.mod so I get the error:
Code:
go get: installing executables with 'go get' in module mode is deprecated.
    Use 'go install pkg@version' instead.
    For more information, see https://golang.org/doc/go-get-install-deprecation
    or run 'go help get' or 'go help install'.
no required module provides package github.com/caddyserver/xcaddy/cmd/xcaddy: go.mod file not found in current directory or any parent directory; see 'go help modules'
Command: go build -o /usr/local/bin/xcaddy github.com/caddyserver/xcaddy/cmd/xcaddy failed!

Anyone know how to solve this while using the script?
 
Dave-g08

Dabbler
Joined
Sep 29, 2014
Messages
22
I tried using the script again yesterday, but (I think) due to the changes in Go 1.16 it expects to find a go.mod so I get the error:
Code:
go get: installing executables with 'go get' in module mode is deprecated.
    Use 'go install pkg@version' instead.
    For more information, see https://golang.org/doc/go-get-install-deprecation
    or run 'go help get' or 'go help install'.
no required module provides package github.com/caddyserver/xcaddy/cmd/xcaddy: go.mod file not found in current directory or any parent directory; see 'go help modules'
Command: go build -o /usr/local/bin/xcaddy github.com/caddyserver/xcaddy/cmd/xcaddy failed!

Anyone know how to solve this while using the script?

Ignore my stupidity, I hadn't deleted the old script so was running the wrong one. All up and running using my old database.
 

Aephir

Dabbler
Joined
Apr 25, 2021
Messages
47
I see this pop up whenever I run occ commands (and at the install):

Code:
The current PHP memory limit is below the recommended value of 512MB.


I saw a fix in this thread, but after editing the /usr/local/etc/php.ini inside the jail to 1G (and a full system reboot), I still see

Code:
# sudo -u www php -i | grep memory_limit
memory_limit => 128M => 128M


And the error/warning still appears. It actually said 512M before editing the /usr/local/etc/php.ini, hinting that this was not the file to edit?

I found a thread on the Nextcloud forum saying that there are two different php.ini I need to edit. But I don't know where they are in the jail. Any idea where to look?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,737
This command will likely tell you which configuration file is loaded:
php -i | fgrep php.ini
 

Aephir

Dabbler
Joined
Apr 25, 2021
Messages
47
php -i | fgrep php.ini
Odd, that outputs

Code:
root@nextcloud:~ # php -i | fgrep php.ini
Configuration File (php.ini) Path => /usr/local/etc
Loaded Config /usr/local/etc/php.ini

Which is the file where I already put

Code:
memory_limit = 1G


But I still see:
Code:
root@nextcloud:~ # sudo -u www php -i | grep memory_limit
memory_limit => 128M => 128M
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,737
All the files in /usr/local/etc/php are applied after php.ini if they exist ... look there.
 

Aephir

Dabbler
Joined
Apr 25, 2021
Messages
47
/usr/local/etc/php
Thanks, but there's nothing in that folder about memory_limit. In fact,

Code:
grep -R "memory_limit" /


from within the jail returns only one thing that says either memory_limit in combination with 128, which is in the file /usr/local/lib/php/build/run-tests.php. But when changing that to memory_limit=1G in that file and restarting the jail, the sudo -u www php -i | grep memory_limit it still shows memory_limit => 128M => 128M.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,737
If the installation is using php-fpm, then any configuration file in /usr/local/etc/php-fpm.d might also set that.
 

Aephir

Dabbler
Joined
Apr 25, 2021
Messages
47
Sorry, nothing that mentions memory_limit in that directory.

In fact,

Code:
grep -R memory_limit /


only shows five instances of 128M, one in the file /usr/local/lib/php/build/run-tests.php. I tried changing that to 1G and restarting the jail, but nothing changed.

The others were in super long lists within

Code:
/mnt/files/updater-oc3z0uht4lmj/backups/nextcloud-21.0.5.1-1634651018/core/doc/admin/searchindex.js


and

Code:
/usr/local/www/nextcloud/core/doc/admin/searchindex.js


where one entry in a dictionary in something that looks like json is ... ,"128m":4,"128mb":83, ...... But I'm a bit hesitant to manually change those?

EDIT:
So the CLI still gives warnings about 128M memory limits for PHP, and the output of sudo -u www php -i | grep memory_limit still shows 128M, but in the nextcloud web UI under "system", I see:
Screenshot 2021-10-25 at 09.52.51.png
 