Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I’m trying to transfer files through scp to the nextcloud data directory and to get them to show I use this “sudo -u www-data php occ files:scan user” but it fails to run saying it can’t find occ
The command would be, inside the jail, su -m www -c "php /usr/local/www/nextcloud/occ followed by whatever occ commands you wanted to give. Whatever guide you got that from doesn't apply to my installation.
The other part I have upgraded to a 10gbe intel nic and I’m still only getting 35mbps on data transfer
There are lots of possible bottlenecks there, scp being among them.
 

bnorman93

Dabbler
Joined
May 3, 2022
Messages
17
IMG_2869.jpeg
 

bnorman93

Dabbler
Joined
May 3, 2022
Messages
17
The command would be, inside the jail, su -m www -c "php /usr/local/www/nextcloud/occ followed by whatever occ commands you wanted to give. Whatever guide you got that from doesn't apply to my installation.

There are lots of possible bottlenecks there, scp being among them.
Sorry I thought maybe they were universal like most linux commands and I’ll give it a shot with that and thank you
 

bnorman93

Dabbler
Joined
May 3, 2022
Messages
17
This is what I got for output. I’m just trying to transfer a lot of files fastly hence my new 10gbe nic lol
 

Attachments

  • IMG_2871.jpeg

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
First, the close quote should be at the end of the command. Second, as I already said, and even put in bold, you need to run that command inside the jail.
 

bnorman93

Dabbler
Joined
May 3, 2022
Messages
17
First, the close quote should be at the end of the command. Second, as I already said, and even put in bold, you need to run that command inside the jail.
Sorry was replying to the other person, the command you sent in the code block is that a quote first because when I try to close it off at the end it says quote unmatched
 

Attachments

  • IMG_2873.jpeg

victort

Guru
Joined
Dec 31, 2021
Messages
973
Sorry was replying to the other person, the command you sent in the code block is that a quote first because when I try to close it off at the end it says quote unmatched
su -m www -c "php /usr/local/www/nextcloud/occ files:scan --all"

Note that there are 2 ticks - in front of the word all at the end.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
OK, now I'm confused. Is that screenshot from the shell inside your jail? If so, why is there a file called freenas-iocage-nextcloud in it? Or is your server called nextcloud too?

The command you should be running, as I said, is su -m www -c "php /usr/local/www/nextcloud/occ followed by the command you want to run, followed by (and I didn't say this part, but thought it would be reasonably obvious) a close quote. So, in your case, su -m www -c "php /usr/local/www/nextcloud/occ files:scan --all". This should be run in the jail.

I just tested this in a clean installation of my jail, and it works perfectly.
 

bnorman93

Dabbler
Joined
May 3, 2022
Messages
17
OK, now I'm confused. Is that screenshot from the shell inside your jail? If so, why is there a file called freenas-iocage-nextcloud in it? Or is your server called nextcloud too?

The command you should be running, as I said, is su -m www -c "php /usr/local/www/nextcloud/occ followed by the command you want to run, followed by (and I didn't say this part, but thought it would be reasonably obvious) a close quote. So, in your case, su -m www -c "php /usr/local/www/nextcloud/occ files:scan --all". This should be run in the jail.

I just tested this in a clean installation of my jail, and it works perfectly.
Thank you, Got it to run but the files are not showing up for some reason under the nextcloud site when I go to it
 

waynemer

Cadet
Joined
Apr 18, 2023
Messages
5
As noted in the README:

This is all about your local DNS, not about Cloudflare.
Thanks! So I have just set up a pfsense router and set up the domain name to resolve to the local IP address I'm using for the jail.

My noob question:
1. Is it assumed that my FQDN (mydomain.com) points to my public IP address and is set up with dynamic DNS (like with a raspberry pi or other and cloudflare)?
1a. If so, then for the nextcloud-config file, can I use "nextcloud.mydomain.com" as the HOST_NAME?

I've purchased a domain name and made a cloudflare account, but I'm not sure how to configure the domain name in cloudflare for this use case. The script has run and I have the nextcloud jail in TrueNAS. I am able to login to nextcloud on my local network, but cannot from the public network.

I am definitely in the learning stages of networking and appreciate any and all help.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Is it assumed that my FQDN (mydomain.com) points to my public IP address and is set up with dynamic DNS (like with a raspberry pi or other and cloudflare)?
It's not particularly important, though it'd probably be the norm, that the domain itself points to your public IP address. If you have a dynamic IP address, you'd need something set up to update the DNS record accordingly, whether a rPi, something in a jail, or something else. You'd also want nextcloud.mydomain.com to point to that IP, which would ordinarily be done using a CNAME record.
 

waynemer

Cadet
Joined
Apr 18, 2023
Messages
5
It's not particularly important, though it'd probably be the norm, that the domain itself points to your public IP address. If you have a dynamic IP address, you'd need something set up to update the DNS record accordingly, whether a rPi, something in a jail, or something else. You'd also want nextcloud.mydomain.com to point to that IP, which would ordinarily be done using a CNAME record.
What do you mean by it's not particularly important that the domain itself points to your public IP address? You mean it doesn't have to point to anything? I can't seem to wrap my head around how all this works.

So if I understand correctly,
  • mydomain.com doesn't have to point to my public IP address, but it can if I want?
  • nextcloud.mydomain.com has to point to my public IP address using a CNAME record? In Cloudflare, I cannot point this CNAME record to an IP.
Where I'm at now:
  • I've set mydomain.com to point to my public IP address using an A record.
  • I've set nextcloud.mydomain.com to be an alias of mydomain.com using a CNAME record.
  • Added a host override in pfsense for nextcloud.mydomain.com to return the IP of the jail.
  • Deleted the nextcloud jail and re-run the script.
  • Still cannot access nextcloud from outside my LAN. Inside LAN it works fine.
Is it weird that the IP addresses of my TrueNAS and the Nextcloud Jail are not shown in the DHCP Leases list or is that just a result of having static IP addresses?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
You mean it doesn't have to point to anything?
No, it doesn't have to. Often (probably "usually") it will, but it doesn't have to. If you're going to run your Nextcloud installation on nextcloud.yourdomain.com, that FQDN needs to resolve to your public IP address. There are two (relatively simple) ways to do this:
  • Set up an A record for nextcloud.yourdomain.com pointing to your public IP address
  • Set up a CNAME record for nextcloud.yourdomain.com pointing to something else (like yourdomain.com), that in turn points to your public IP address.
If you're not going to be exposing anything else to the public Internet, it probably doesn't much matter which one you do. But if you're anticipating running other public services, the second is probably the better way to go.
Is it weird that the IP addresses of my TrueNAS and the Nextcloud Jail are not shown in the DHCP Leases list or is that just a result of having static IP addresses?
Not weird at all; it's entirely as expected given that you're using static IP addresses.
 

waynemer

Cadet
Joined
Apr 18, 2023
Messages
5
No, it doesn't have to. Often (probably "usually") it will, but it doesn't have to. If you're going to run your Nextcloud installation on nextcloud.yourdomain.com, that FQDN needs to resolve to your public IP address. There are two (relatively simple) ways to do this:
  • Set up an A record for nextcloud.yourdomain.com pointing to your public IP address
  • Set up a CNAME record for nextcloud.yourdomain.com pointing to something else (like yourdomain.com), that in turn points to your public IP address.
If you're not going to be exposing anything else to the public Internet, it probably doesn't much matter which one you do. But if you're anticipating running other public services, the second is probably the better way to go.

Not weird at all; it's entirely as expected given that you're using static IP addresses.
Gotcha. So is it true that I will need to forward ports to access it from public networks? The readme had me thinking that I could either forward ports 80 and 443 or use DNS hosting to do this. I guess I assumed that DNS hosting was a way around having to use port forwarding to access it securely over the internet, but I'm just learning all this so I may easily be mistaken.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Gotcha. So is it true that I will need to forward ports to access it from public networks? The readme had me thinking that I could either forward ports 80 and 443 or use DNS hosting to do this. I guess I assumed that DNS hosting was a way around having to use port forwarding to access it securely over the internet, but I'm just learning all this so I may easily be mistaken.
I actually thought the same when I first started. But DNS hosting is just a way for letsencrypt to verify you own the domain without forwarding ports.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
So is it true that I will need to forward ports to access it from public networks?
Yes.
The readme had me thinking that I could either forward ports 80 and 443 or use DNS hosting to do this.
Those are the two alternatives to validate that you own the domain, and therefore to get a cert from Let's Encrypt. DNS validation will let you get a cert without having the ports open, in case you want to use it with encryption on a local network (which is how I use a lot of services on my LAN).
I guess I assumed that DNS hosting was a way around having to use port forwarding to access it securely over the internet,
Nope. Now, what Cloudflare in particular can do is set up a tunnel with cloudflared, which would allow you public access without port forwarding (it's pretty much a form of VPN), but that isn't something my script implements, or really that I've looked much at in this regard.
 

waynemer

Cadet
Joined
Apr 18, 2023
Messages
5
Okay I think I'm learning now. Thank you guys! @danb35 and @victort

I'm going to look into the cloudflare tunnel stuff. I've seen a few videos about it but never pursued it.
No, it doesn't have to. Often (probably "usually") it will, but it doesn't have to. If you're going to run your Nextcloud installation on nextcloud.yourdomain.com, that FQDN needs to resolve to your public IP address.
Just to confirm. I don't need any DNS records set up in Cloudflare in order for Let's Encrypt to validate that I own the domain?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I don't need any DNS records set up in Cloudflare in order for Let's Encrypt to validate that I own the domain?
You need DNS records somewhere. Either some combination of A and CNAME records to point the world to your public IP (along with ports 80 and 443 forwarded to the jail), or TXT records that Caddy would create itself. Whether those are on Cloudflare or somewhere else is up to you, though Cloudflare is known to work well and is free for DNS service.
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
Good morning, I am in the process of finishing up the scripted installation and I am running into a few problems.

Code:
Reinstall detected, skipping generation of new config and database
Exception: Not installed in /usr/local/www/nextcloud/lib/base.php:277
Stack trace:
#0 /usr/local/www/nextcloud/lib/base.php(656): OC::checkInstalled(Object(OC\SystemConfig))
#1 /usr/local/www/nextcloud/lib/base.php(1096): OC::init()
#2 /usr/local/www/nextcloud/cron.php(43): require_once('/usr/local/www/...')
#3 {main}
Command: su -m www -c php -f /usr/local/www/nextcloud/cron.php failed!
crontab: /mnt/includes/www-crontab: Permission denied
Command: crontab /mnt/includes/www-crontab failed!
Successfully removed mount from nextcloud's fstab
Installation complete!
Using your web browser, go to https://<registered domain> to log in
You did a reinstall, please use your old database and account credentials

When I navigate to my registered domain I am getting a NS_ERROR_CONNECTION_REFUSED within my network tab of DevTools, when I navigate to my jail IP address I receive an Error code: SSL_ERROR_INTERNAL_ERROR_ALERT. I have added my jail IP and my registered domain name to my local machine's /etc/hosts file. The caddy log also displays the following error.

Code:
{"level":"error","ts":1684810174.3167813,"logger":"tls.obtain","msg":"will retry","error":"[cjcloud.us] Obtain: [cjcloud.us] solving challenges: presenting for challenge: adding temporary record for zone \"cjcloud.us.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/cBNnwX5hbjOxMRoiBDLdRw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":313.412877649,"max_duration":2592000}
{"level":"info","ts":1684810438.6551237,"msg":"[ERROR] Keeping lock file fresh: unexpected end of JSON input - terminating lock maintenance (lockfile: /var/db/caddy/data/caddy/locks/issue_cert_cjcloud.us.lock)"}
{"level":"info","ts":1684810474.3278074,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"cjcloud.us"}
{"level":"info","ts":1684810474.4833858,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"cjcloud.us","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1684810474.61267,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"cjcloud.us","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.cjcloud.us\" (usually OK if presenting also failed)"}
{"level":"error","ts":1684810474.6447444,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cjcloud.us","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[cjcloud.us] solving challenges: presenting for challenge: adding temporary record for zone \"cjcloud.us.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/103285914/8880944484) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"info","ts":1684810476.4144492,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"<registered.domain>","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1684810476.5029292,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"<registered.domain>","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.<registered.domain>.us\" (usually OK if presenting also failed)"}
{"level":"error","ts":1684810476.9713395,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cjcloud.us","issuer":"acme.zerossl.com-v2-DV90","error":"[c<registered.domain>] solving challenges: presenting for challenge: adding temporary record for zone \"<registered.domain>.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/vrVk152XGIds5PS1FUfg6A) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1684810476.9715223,"logger":"tls.obtain","msg":"will retry","error":"[<registered.domain>] Obtain: [<registered.domain>] solving challenges: presenting for challenge: adding temporary record for zone \"<registered.domain>\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/vrVk152XGIds5PS1FUfg6A) (ca=https://acme.zerossl.com/v2/DV90)","attempt":5,"retrying_in":600,"elapsed":616.067618908,"max_duration":2592000}

My router is running DDWRT and I think dnsmasq is the area in which one can assign a domain name to my jail IP but I am unsure. I do not suspect that these issues are related. But what can be done to resolve them?
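
An added example (not part of the original post or of the installation script) that triages Caddy JSON log lines like the ones in the post above: it separates failures at the DNS-01 "present" step, where the TXT record is never created through the DNS provider's API, from the follow-on "cleaning up solver" entries. The sample lines, the placeholder domain and the function names are constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample shaped like the Caddy log above; the domain and CA URLs are placeholders.
SAMPLE_LOG = r'''
{"level":"info","ts":1.0,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"cloud.example.org","challenge_type":"dns-01","ca":"https://acme.example/directory"}
{"level":"error","ts":2.0,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"cloud.example.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.cloud.example.org\" (usually OK if presenting also failed)"}
{"level":"error","ts":3.0,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cloud.example.org","error":"[cloud.example.org] solving challenges: presenting for challenge: adding temporary record for zone \"example.org.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.example/order/1)"}
{"level":"error","ts":4.0,"logger":"tls.obtain","msg":"will retry","error":"[cloud.example.org] Obtain: [cloud.example.org] solving challenges: presenting for challenge: adding temporary record for zone \"example.org.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}]","attempt":5,"retrying_in":600}
y/locks/issue_cert_cloud.example.org.lock)"}
'''

# Provider API error as Caddy embeds it in the "error" field.
API_ERR = re.compile(r"HTTP (\d{3}): \[\{Code:(\d+) Message:([^}]*)\}\]")

def acme_failures(text):
    """Yield one record per error-level entry; skip lines that are not JSON objects."""
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # blank, or a fragment left by terminal line wrapping
        if not isinstance(entry, dict) or entry.get("level") != "error":
            continue
        err = entry.get("error", "")
        if entry.get("msg") == "cleaning up solver":
            stage = "cleanup"   # follow-on noise after a failed present
        elif "presenting for challenge" in err:
            stage = "present"   # TXT record was never created at the DNS provider
        else:
            stage = "other"
        m = API_ERR.search(err)
        yield {"identifier": entry.get("identifier"), "msg": entry.get("msg"), "stage": stage,
               "http_status": int(m.group(1)) if m else None,
               "api_code": int(m.group(2)) if m else None,
               "api_message": m.group(3) if m else None}

def summarize(text):
    """Count failures by (stage, HTTP status, provider error code)."""
    return Counter((f["stage"], f["http_status"], f["api_code"]) for f in acme_failures(text))

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(count, key)
```

In the log posted above, every root-cause entry is at the present stage with HTTP 400 and code 6003, which places the failure in the API request Caddy sends to the DNS provider rather than in DNS propagation or port forwarding.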
 