
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
{"level":"error","ts":1684810174.3167813,"logger":"tls.obtain","msg":"will retry","error":"[cjcloud.us] Obtain: [cjcloud.us] solving challenges: presenting for challenge: add ing temporary record for zone \"cjcloud.us.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/cBNnwX5 hbjOxMRoiBDLdRw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":313.412877649,"max_duration":2592000}
This looks like your problem. I see that your DNS is with Cloudflare--are you sure you've obtained a valid DNS token with the appropriate rights? And it's included in your nextcloud-config file?
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
According to online sources, the jail IP is resolved to the domain name via the Additional Dnsmasq Options under the Services tab in ddwrt. I get the same response when visiting my URL still. So I may need to flush the DNS service.
Good morning, I am in the process of finishing up the scripted installation and I am running into a few problems.

Code:
Reinstall detected, skipping generation of new config and database
Exception: Not installed in /usr/local/www/nextcloud/lib/base.php:277
Stack trace:
#0 /usr/local/www/nextcloud/lib/base.php(656): OC::checkInstalled(Object(OC\SystemConfig))
#1 /usr/local/www/nextcloud/lib/base.php(1096): OC::init()
#2 /usr/local/www/nextcloud/cron.php(43): require_once('/usr/local/www/...')
#3 {main}
Command: su -m www -c php -f /usr/local/www/nextcloud/cron.php failed!
crontab: /mnt/includes/www-crontab: Permission denied
Command: crontab /mnt/includes/www-crontab failed!
Successfully removed mount from nextcloud's fstab
Installation complete!
Using your web browser, go to https://<registered domain> to log in
You did a reinstall, please use your old database and account credentials 


When I navigate to my registered domain I am getting an NS_ERROR_CONNECTION_REFUSED within my network tab of DevTools; when I navigate to my jail IP address I receive an Error code: SSL_ERROR_INTERNAL_ERROR_ALERT. I have added my jail IP and my registered domain name to my local machine's /etc/hosts file. The caddy log also displays the following error.

Code:
{"level":"error","ts":1684810174.3167813,"logger":"tls.obtain","msg":"will retry","error":"[cjcloud.us] Obtain: [cjcloud.us] solving challenges: presenting for challenge: adding temporary record for zone \"cjcloud.us.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/cBNnwX5hbjOxMRoiBDLdRw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":313.412877649,"max_duration":2592000}
{"level":"info","ts":1684810438.6551237,"msg":"[ERROR] Keeping lock file fresh: unexpected end of JSON input - terminating lock maintenance (lockfile: /var/db/caddy/data/caddy/locks/issue_cert_cjcloud.us.lock)"}
{"level":"info","ts":1684810474.3278074,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"cjcloud.us"}
{"level":"info","ts":1684810474.4833858,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"cjcloud.us","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1684810474.61267,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"cjcloud.us","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.cjcloud.us\" (usually OK if presenting also failed)"}
{"level":"error","ts":1684810474.6447444,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cjcloud.us","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[cjcloud.us] solving challenges: presenting for challenge: adding temporary record for zone \"cjcloud.us.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/103285914/8880944484) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"info","ts":1684810476.4144492,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"<registered.domain>","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1684810476.5029292,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"<registered.domain>","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.<registered.domain>.us\" (usually OK if presenting also failed)"}
{"level":"error","ts":1684810476.9713395,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cjcloud.us","issuer":"acme.zerossl.com-v2-DV90","error":"[c<registered.domain>] solving challenges: presenting for challenge: adding temporary record for zone \"<registered.domain>.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/vrVk152XGIds5PS1FUfg6A) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1684810476.9715223,"logger":"tls.obtain","msg":"will retry","error":"[<registered.domain>] Obtain: [<registered.domain>] solving challenges: presenting for challenge: adding temporary record for zone \"<registered.domain>\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/vrVk152XGIds5PS1FUfg6A) (ca=https://acme.zerossl.com/v2/DV90)","attempt":5,"retrying_in":600,"elapsed":616.067618908,"max_duration":2592000}


My router is running DDWRT and I think dnsmasq is the area in which one can assign a domain name to my jail IP but I am unsure. I do not suspect that these issues are related. But what can be done to resolve them?
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
Thank you for your reply. I did as the instructions said and created two API tokens, and they are as follows...

Edit zone DNS API token summary

This API token will affect the below accounts and zones, along with their respective permissions
  • All zones - Zone:Read, DNS:Edit
Client IP Address Filtering
  • Is in - <jail IP address>
I copied the generated token and pasted it within the nextcloud-config file and re-ran the software last night. I entered it in the config file as follows...

Code:
DNS_CERT=1
DNS_PLUGIN=cloudflare
DNS_TOKEN="<token string>"
CERT_EMAIL="<my email address>" 


Should the token string have double quotes? Single quotes? No quotes?

I am happy to redo the API token creation and report back post script execution.

And what of the failed permissions change on the cron job?

Thank you so much,
Justin
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Client IP Address Filtering
  • Is in - <jail IP address>
That doesn't look right; Cloudflare wouldn't see the jail's IP address but rather your public IP address. Try changing to that--or maybe even removing that restriction for the time being.
Should the token string have double quotes? Single quotes? No quotes?
I believe it should work in any of these ways, but I use double quotes.
Reinstall detected, skipping generation of new config and database
Were you intending to reinstall Nextcloud? That is, had you previously had a working installation using my script with your data in the directories you told the script to use?
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
That doesn't look right; Cloudflare wouldn't see the jail's IP address but rather your public IP address. Try changing to that--or maybe even removing that restriction for the time being.
As in the WAN IP address?
I believe it should work in any of these ways, but I use double quotes.

Were you intending to reinstall Nextcloud? That is, had you previously had a working installation using my script with your data in the directories you told the script to use?
I initially installed and had my config file set up for local network only, so I burned down the jail, added DNS_HOST to the config, re-ran the script, realized I didn't have the token, burned it down again, re-ran the script, and now I'm about to burn it down again and reinstall using the new API token once I give it my WAN
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
It seems that my current setup is DHCP, which means it will expire and change. I have the option in DDWRT to change it to STATIC and set it; would this be an ideal case for the Nextcloud server setup?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
As in the WAN IP address?
Correct.
now im about to burn it down again and reinstall using the new api token
Before you reinstall, make sure the directories (config, files, etc.) are empty.
It seems that my current setup is DHCP which means it will expire and change,
For your WAN IP? That's normal. Which would suggest you should remove the IP address restriction on your API token, as I previously suggested.
I have the option in DDWRT to change it to STATIC and set it, would this be an ideal case for the nextcloud server setup?
It would, but only if your ISP will give you a static IP address.
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
Also, in the DNS Records UI in Cloudflare I had the following set; I have since changed <jail IP> to <WAN IP>.

Type | Name          | Content   | Proxy Status | TTL  | Actions
A    | <domain name> | <jail IP> | DNS Only     | Auto | Edit
A    | www           | <jail IP> | DNS Only     | Auto | Edit
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
And when you say "Before you reinstall, make sure the directories (config, files, etc.) are empty," you are referring to the directories within usr/local/www/nextcloud/?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
You are referring to the directories within, usr/local/www/nextcloud/?
No, I'm referring to the directories in your data pool where this stuff is stored. Destroy the jail, empty those directories, then reinstall.
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
No, I'm referring to the directories in your data pool where this stuff is stored. Destroy the jail, empty those directories, then reinstall.
Dan,

I deleted the jail, deleted all files within my /mnt/jailhouse/apps/nextcloud/(config, db, files, themes) directories, re-executed the script with my new API token and the following stack trace is thrown in the nextcloud.log

Code:
Reinstall detected, skipping generation of new config and database
{"reqId":"tsfT8sqgr97ajAkVQ2pX","level":3,"time":"2023-05-24T19:53:23+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Not installed","userAgent":"--","version":"","exception":{"Exception":"Exception","Message":"Not installed","Code":0,"Trace":[{"file":"/usr/local/www/nextcloud/lib/base.php","line":656,"function":"checkInstalled","class":"OC","type":"::","args":[{"__class__":"OC\\SystemConfig"}]},{"file":"/usr/local/www/nextcloud/lib/base.php","line":1096,"function":"init","class":"OC","type":"::","args":[]},{"file":"/usr/local/www/nextcloud/cron.php","line":43,"args":["/usr/local/www/nextcloud/lib/base.php"],"function":"require_once"}],"File":"/usr/local/www/nextcloud/lib/base.php","Line":277,"CustomMessage":"--"}}
Exception: Not installed in /usr/local/www/nextcloud/lib/base.php:277
Stack trace:
#0 /usr/local/www/nextcloud/lib/base.php(656): OC::checkInstalled(Object(OC\SystemConfig))
#1 /usr/local/www/nextcloud/lib/base.php(1096): OC::init()
#2 /usr/local/www/nextcloud/cron.php(43): require_once('/usr/local/www/...')
#3 {main}
Command: su -m www -c php -f /usr/local/www/nextcloud/cron.php failed!
crontab: /mnt/includes/www-crontab: Permission denied
Command: crontab /mnt/includes/www-crontab failed!
Successfully removed mount from nextcloud's fstab
Installation complete!
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
deleted all files within my /mnt/jailhouse/apps/nextcloud/(config, db, files, themes) directories
If those correspond to DB_PATH, FILES_PATH, CONFIG_PATH, and THEMES_PATH, then I think you must have missed something, otherwise you wouldn't have seen this:
Reinstall detected, skipping generation of new config and database
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
Dan,

Once again, nail on the head. I had my Pool location set to "not where I needed it" in the config file. I removed the files it created in the unwanted place and pointed it to where it should be and the script is already giving me correct outputs.

Cheers,
Justin
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
Although I still get a permission denied error

Code:
Set mode for background jobs to 'cron'
crontab: /mnt/includes/www-crontab: Permission denied
Command: crontab /mnt/includes/www-crontab failed!
Successfully removed mount from nextcloud's fstab
Installation complete!


I went into the script and manually executed the
Code:
me@truenas:~ # iocage exec "<jail name>" su -m www -c 'php /usr/local/www/nextcloud/occ background:cron'
Set mode for background jobs to 'cron'
me@truenas:~ # iocage exec "<jail name>" su -m www -c 'php -f /usr/local/www/nextcloud/cron.php'
me@truenas:~ # iocage exec "<jail name>" crontab -u www /mnt/includes/www-crontab
crontab: /mnt/includes/www-crontab: No such file or directory
Command: crontab /mnt/includes/www-crontab failed!


I then created the directory and executed the same commands, and it seemed to work. This is what the directory looks like now. My question is, I don't see the command in the script to make that directory; on what line does that happen?

Code:
drwxr-xr-x  2 root  wheel  2 May 25 18:22 www-crontab


As for resolving the host to the jail IP using DDWRT, I believe that is assigned using Dnsmasq (Services --> Services Management --> Additional Dnsmasq Options) by adding
Code:
address=/<domain.name>/<jail IP>/
or adding that line in the dnsmasq.config file as sampled in the lines below.

Code:
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/

# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1


When I visit my domain I continually get the NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_SECURITY, SSL_ERROR_INTERNAL_ERROR_ALERT). What am I missing?

I can ping my domain from my local machine...

Code:
ping <domain.name>
PING <domain.name> (<jail IP>) 56(84) bytes of data.
64 bytes from <domain.name> (<jail IP>): icmp_req=1 ttl=64 time=1.71 ms
64 bytes from <domain.name> (<jail IP>): icmp_req=2 ttl=64 time=1.93 ms



Perhaps it has something to do with my domain name? Mine ends in .us, and it seems that is what Caddy is not liking, as shown in the error message of the caddy.log file.

Code:
{"level":"error","ts":1685175045.1849961,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"domain.us","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[domain.us] solving challenges: presenting for challenge: adding temporary record for zone \"us.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/103797094/8950125714) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"


but the log that is created for my domain in /var/logs/domain.log shows the following message

Code:
{"level":"info","ts":1685126258.9671397,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"192.168.1.134","remote_port":"55130","proto":"HTTP/1.1","method":"GET","host":"domain.us","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate"],"Dnt":["1"],"Connection":["keep-alive"],"Upgrade-Insecure-Requests":["1"]}},"user_id":"","duration":0.00007459,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://domain.us/"],"Content-Type":[]}}


Thank you
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
Okay, I have now managed to make it to the Nextcloud login screen when entering my domain URL. I ended up making changes to my Caddyfile in accordance with this post, as my original Caddyfile was missing my JAIL_IP after my domain name, and replacing the line below the tls heading from
Code:
dns cloudflare
to
Code:
ca https://acme-v02.api.letsencrypt.org/directory
I also ended up setting up my nextcloud-config file in accordance with this post as opposed to using the DNS_TOKEN. Let's see how far I can get now.
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
So it was working earlier today, and now I am unable to access my domain. The following error is thrown in the caddy.log

Code:
{"level":"error","ts":1685581434.7112556,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"<domain>.us","issuer":"staging-acme-v02.api.letsencrypt.org-directory","error":"registering account [mailto:<cloudflare email address>] with server: provisioning client: performing request: Get \"https://staging-acme-v02.api.letsencrypt.org/directory\": dial tcp: lookup staging-acme-v02.api.letsencrypt.org on 192.168.1.1:53: no such host"}
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
dial tcp: lookup staging-acme-v02.api.letsencrypt.org on 192.168.1.1:53: no such host"}
The staging URL is https://acme-staging-v02.api.letsencrypt.org/directory; if you've run the remove_staging.sh script (which you should if you're using it in production), the acme_ca line in the Caddyfile should be commented out. Looks like you've tinkered with the Caddyfile and entered the wrong URL.
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
Right, my apologies. I was mucking around with the staging file, and when I do that and restart caddy, I am getting the error I was originally getting earlier today.

Code:
Successfully started Caddy (pid=83438) - Caddy is running in the background
{"level":"info","ts":1685584607.403295,"logger":"tls.obtain","msg":"lock acquired","identifier":"<jail IP>"}
{"level":"info","ts":1685584607.403562,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"<jail IP>"}
{"level":"error","ts":1685584607.4041812,"logger":"tls.obtain","msg":"will retry","error":"[<jail IP>] Obtain: subject does not qualify for a public certificate: <jail IP>","attempt":1,"retrying_in":60,"elapsed":0.000775581,"max_duration":2592000} 
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
{"level":"error","ts":1685584607.4041812,"logger":"tls.obtain","msg":"will retry","error":"[<jail IP>] Obtain: subject does not qualify for a public certificate: <jail IP>","attempt":1,"retrying_in":60,"elapsed":0.000775581,"max_duration":2592000}
The use of an IP address isn't supported for a number of reasons, one of which is that you can't get a cert for it. Continuing to mess with the Caddyfile is likely to have further undesirable results.
 
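Every certificate problem in this thread surfaces as a `tls.obtain` error line in caddy.log, but the lines have four different causes: Cloudflare rejecting the DNS-01 record (HTTP 400, Code 6003, which in the thread traces back to the token's permissions and its IP-address restriction), the zone being detected as the bare TLD (`zone "us."`), a mistyped ACME directory hostname (`staging-acme-v02...` instead of `acme-staging-v02...`), and an IP address being used as the certificate subject. The script below is an added example written for this thread; it is not part of danb35's script or of Caddy. It parses JSON log lines of the shape posted above and sorts each failure into one of those causes so a reader can see at a glance which one applies. The category names and the sample lines are constructed (placeholder names, fake timestamps); the field names and message formats are taken from the posted logs.

```python
"""Triage certificate-obtain failures in a Caddy JSON log.

Added example for the forum thread; not code from danb35's installer script or
from Caddy. Field names (level, logger, identifier, error) match the lines
posted in the thread. Category names and SAMPLE_LOG are constructed.
"""
import json
import re

# Real ACME directory hosts that appear in the thread. A hostname that looks
# like Let's Encrypt but is not in this set is almost certainly a typo in the
# Caddyfile's acme_ca line (the thread's "staging-acme-v02..." case).
KNOWN_ACME_HOSTS = {
    "acme-v02.api.letsencrypt.org",
    "acme-staging-v02.api.letsencrypt.org",
    "acme.zerossl.com",
}

BRACKET_IDENT = re.compile(r"^\[([^\]]+)\]")
PROVIDER_ERROR = re.compile(r"HTTP (\d{3}): \[\{Code:(\d+) Message:([^}]*)\}\]")
ZONE = re.compile(r'zone "([^"]+)"')
LOOKUP = re.compile(r"lookup (\S+) on (\S+): no such host")


def classify(entry):
    """Map one decoded log entry to (identifier, category, detail), or None."""
    if entry.get("logger") != "tls.obtain" or entry.get("level") != "error":
        return None
    err = entry.get("error", "")
    ident = entry.get("identifier")
    if not ident:  # "will retry" entries carry the name only inside the message
        m = BRACKET_IDENT.match(err)
        ident = m.group(1) if m else "?"

    if "subject does not qualify for a public certificate" in err:
        return ident, "unqualified_subject", "public CAs do not issue for an IP address"

    m = LOOKUP.search(err)
    if m:
        host, resolver = m.groups()
        if host not in KNOWN_ACME_HOSTS and "letsencrypt" in host:
            return ident, "acme_directory_typo", f"{host} is not a Let's Encrypt endpoint"
        return ident, "acme_dns_failure", f"{resolver} cannot resolve {host}"

    m = PROVIDER_ERROR.search(err)
    if m:
        status, code, message = m.groups()
        z = ZONE.search(err)
        zone = z.group(1).rstrip(".") if z else ""
        if zone and "." not in zone:
            # The solver walked up to the bare TLD, so it never found the real zone.
            return ident, "zone_lookup_fell_back_to_tld", f"zone resolved as {zone!r}"
        return ident, "dns_provider_rejected", f"HTTP {status} code {code}: {message.strip()}"

    return ident, "other", err[:80]


def triage(lines):
    """Parse raw lines, skip non-JSON noise (e.g. 'Successfully started Caddy'),
    and return the classified failures in log order."""
    out = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = classify(entry)
        if hit:
            out.append(hit)
    return out


# Constructed sample lines modelled on the ones in the thread (placeholder names).
SAMPLE_LOG = [
    'Successfully started Caddy (pid=12345) - Caddy is running in the background',
    '{"level":"error","ts":1.0,"logger":"tls.obtain","msg":"will retry","error":"[example.us] Obtain: [example.us] solving challenges: presenting for challenge: adding temporary record for zone \\"example.us.\\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/PLACEHOLDER) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4}',
    '{"level":"info","ts":1.5,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"example.us"}',
    '{"level":"error","ts":2.0,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"example.us","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[example.us] solving challenges: presenting for challenge: adding temporary record for zone \\"us.\\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/PLACEHOLDER) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}',
    '{"level":"error","ts":3.0,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"example.us","issuer":"staging-acme-v02.api.letsencrypt.org-directory","error":"registering account [mailto:admin@example.us] with server: provisioning client: performing request: Get \\"https://staging-acme-v02.api.letsencrypt.org/directory\\": dial tcp: lookup staging-acme-v02.api.letsencrypt.org on 192.168.1.1:53: no such host"}',
    '{"level":"error","ts":4.0,"logger":"tls.obtain","msg":"will retry","error":"[192.0.2.10] Obtain: subject does not qualify for a public certificate: 192.0.2.10","attempt":1,"retrying_in":60}',
]

if __name__ == "__main__":
    for ident, category, detail in triage(SAMPLE_LOG):
        print(f"{ident:<14} {category:<30} {detail}")
```

Run it against a real file with `triage(open("/var/log/caddy/caddy.log"))` (the path is an assumption; use wherever the script's Caddy writes its log). One caveat the thread does not confirm but that fits the evidence: the first log shows `zone "cjcloud.us."` and the later one `zone "us."`, after the dnsmasq `address=/<domain.name>/<jail IP>/` override was added on the router that the jail uses as its resolver (192.168.1.1 in the lookup error). A dnsmasq `address=` entry answers every query type for that domain locally instead of forwarding it, so the SOA lookup Caddy's DNS solver uses to discover the zone comes back empty and the solver walks up to the TLD. Pointing the jail at a resolver that forwards normally, or resolving the name via the jail's /etc/hosts instead of dnsmasq, keeps zone discovery working.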

jhax

Dabbler
Joined
May 22, 2023
Messages
32
The use of an IP address isn't supported for a number of reasons, one of which is that you can't get a cert for it. Continuing to mess with the Caddyfile is likely to have further undesirable results.
Sounds good, however, as I had mentioned in my previous post, I modified my caddy file based on THIS POST and obtained desired results. So I assume that I need to modify my caddy file again by switching the location of the Jail IP and the Domain name?
 