Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

TimvH

Dabbler
Joined
Mar 28, 2018
Messages
25
Sent a new pull request.
I've got everything except SSL working, using https still gives ERR_SSL_PROTOCOL_ERROR as error, Firefox describes it as SSL_ERROR_RX_RECORD_TOO_LONG
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
https still gives ERR_SSL_PROTOCOL_ERROR as error, Firefox describes it as SSL_ERROR_RX_RECORD_TOO_LONG
...which means that, for some reason, it's serving HTTP over port 443. More to follow on that in another post.
Sent a new pull request.
Yes, just saw it. It'd be helpful if pull requests were kept to a single issue; as it is I merge (or don't merge) a bunch of unrelated stuff at once.
Changed which modules get loaded.
Added PHP7 module to installer.
No, I'm specifically not doing these; I'm using php-fpm with the mod_mpm_event.so to enable HTTP/2 and improve performance.
Small correction
This isn't a correction; the FQDN should take you directly to Nextcloud without needing to add /nextcloud to the URL.
SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
I can't see the reason for this; I can't get the method I'm using to return anything other than the full directory name of the script. To test, I just created a short script:
Code:
#!/bin/sh
SCRIPT=$(readlink -f "$0")
SCRIPTPATH=$(dirname "$SCRIPT")
echo "$SCRIPTPATH"

...and no matter how I invoke it, it returns the full directory path to its location. I can't get it to return ".", which is what you seem to be indicating. Can you try this, and see if you can duplicate your result?
 

danb35

it's serving HTTP over port 443.
...which, of course, it shouldn't ever be doing. Let's check a few things inside the jail (iocage console nextcloud to enter the jail):
  • In /usr/local/etc/apache24/httpd.conf, is the line "Listen 443" present and uncommented?
  • Is Include etc/apache24/Includes/*.conf at the end of that file?
  • Is /usr/local/etc/apache24/Includes/yourfqdn.conf present?
  • What are the contents of that file (masking your domain if you like)?
  • Are /usr/local/etc/pki/tls/certs/fullchain.pem and /usr/local/etc/pki/tls/private/privkey.pem present?
  • What are the ownership and permissions on /usr/local/etc/pki/tls/private/privkey.pem?
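
The checklist above as a single audit function, added here as an example (it is not part of the thread or of the install script). The `ROOT` argument, the helper names and the rule that `privkey.pem` should carry no group/other permission bits are assumptions; the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread or the install script.
# audit_apache_tls ROOT FQDN: ROOT is "" inside the jail, or the jail's root
# directory on the host. Returns non-zero if any check fails.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

check() {  # check DESCRIPTION COMMAND...
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "ok    $desc"
    else echo "FAIL  $desc"; fails=$((fails + 1)); fi
}

audit_apache_tls() {
    etc="$1/usr/local/etc"; fails=0
    conf="$etc/apache24/httpd.conf"
    vhost="$etc/apache24/Includes/$2.conf"
    key="$etc/pki/tls/private/privkey.pem"
    check "Listen 443 present and uncommented" \
        grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?443([[:space:]]|$)' "$conf"
    check "Includes/*.conf pulled in by httpd.conf" \
        grep -Eq '^[[:space:]]*Include(Optional)?[[:space:]]+"?etc/apache24/Includes/\*\.conf' "$conf"
    check "vhost file $2.conf present" test -f "$vhost"
    check "vhost file turns SSLEngine on" \
        grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$vhost"
    check "fullchain.pem present, non-empty" test -s "$etc/pki/tls/certs/fullchain.pem"
    check "privkey.pem present, non-empty" test -s "$key"
    # Assumption: the key should carry no group/other permission bits.
    check "privkey.pem closed to group and others" key_is_private "$key"
    [ "$fails" -eq 0 ]
}

# Constructed sample tree: Listen 443 commented out, key left world-readable.
make_sample_jail() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/etc/apache24/Includes" \
             "$d/usr/local/etc/pki/tls/certs" "$d/usr/local/etc/pki/tls/private"
    printf '%s\n' 'Listen 80' '#Listen 443' \
        'Include etc/apache24/Includes/*.conf' > "$d/usr/local/etc/apache24/httpd.conf"
    printf '%s\n' '<VirtualHost *:443>' 'SSLEngine on' '</VirtualHost>' \
        > "$d/usr/local/etc/apache24/Includes/domain.example.conf"
    echo 'constructed placeholder' > "$d/usr/local/etc/pki/tls/certs/fullchain.pem"
    echo 'constructed placeholder' > "$d/usr/local/etc/pki/tls/private/privkey.pem"
    chmod 644 "$d/usr/local/etc/pki/tls/private/privkey.pem"
    echo "$d"
}

jail=$(make_sample_jail)
audit_apache_tls "$jail" domain.example || echo "$fails check(s) failed"
rm -rf "$jail"
```

From the FreeNAS host, pass the jail's root (the `/mnt/iocage/jails/nextcloud/root` path seen later in the thread) as `ROOT`; inside the jail pass an empty string.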
 

TimvH

...which means that, for some reason, it's serving HTTP over port 443. More to follow on that in another post.

Yes, just saw it. It'd be helpful if pull requests were kept to a single issue; as it is I merge (or don't merge) a bunch of unrelated stuff at once.
I'm pretty new to using git so my apologies.

No, I'm specifically not doing these; I'm using php-fpm with the mod_mpm_event.so to enable HTTP/2 and improve performance.
Since the PHP module wasn't working correctly in my install, I looked up @dureal99d's guide to fix it, since you have based your script on that guide. This got Nextcloud to finally work on my NAS.
This isn't a correction; the FQDN should take you directly to Nextcloud without needing to add /nextcloud to the URL.
Every time I installed Nextcloud using your script, Apache served its default index.html instead of Nextcloud's index.php. I needed to manually add /Nextcloud to my domain name. Maybe it's due to me using vnet?
I can't see the reason for this; I can't get the method I'm using to return anything other than the full directory name of the script. To test, I just created a short script:
Code:
#!/bin/sh
SCRIPT=$(readlink -f "$0")
SCRIPTPATH=$(dirname "$SCRIPT")
echo "$SCRIPTPATH"

...and no matter how I invoke it, it returns the full directory path to its location. I can't get it to return ".", which is what you seem to be indicating. Can you try this, and see if you can duplicate your result?
Your test script works as intended, but somehow nextcloud-jail.sh returned a "." when using dirname. I've only changed it to make sure it can't be giving back a "."
...which, of course, it shouldn't ever be doing. Let's check a few things inside the jail (iocage console nextcloud to enter the jail):
  • In /usr/local/etc/apache24/httpd.conf, is the line "Listen 443" present and uncommented?
  • Is Include etc/apache24/Includes/*.conf at the end of that file?
  • Is /usr/local/etc/apache24/Includes/yourfqdn.conf present?
  • What are the contents of that file (masking your domain if you like)?
  • Are /usr/local/etc/pki/tls/certs/fullchain.pem and /usr/local/etc/pki/tls/private/privkey.pem present?
  • What are the ownership and permissions on /usr/local/etc/pki/tls/private/privkey.pem?
Everything is there so it should in theory work if we didn't forget anything.

Edit: Include etc/apache24/extra/httpd-ssl.conf was commented, so that's a problem.
 

TimvH

[root@nextcloud ~]# cat /usr/local/etc/apache24/Includes/domain.example.conf
<VirtualHost domain.example:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName domain.example
Redirect / https://domain.example/
</VirtualHost>

<VirtualHost domain.example:443>
ServerAdmin admin@example.com
ServerName domain.example
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/usr/local/www/apache24/data/nextcloud/$1
DirectoryIndex /index.php index.php
SSLCertificateFile /usr/local/etc/pki/tls/certs/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/pki/tls/private/privkey.pem
SSLEngine on
# Modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
# SSLUseStapling on
SSLSessionTickets off
# SSLOpenSSLConfCmd DHParameters "/usr/local/etc/pki/tls/private/dhparams_4096.pem"
SSLOptions +StrictRequire
<Directory /usr/local/www/apache24/data/nextcloud>
AllowOverride all
</Directory>
<IfModule mod_headers.c>
# Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>
 

danb35

Edit: Include etc/apache24/extra/httpd-ssl.conf was commented, so that's a problem.
No, that isn't a problem.

Your symptoms suggest to me that the virtualhost file (domain.example.conf) isn't being read/used. That would account both for the lack of SSL, and also for the fact that the server isn't giving you Nextcloud directly. Edit 2: I'm trying to figure out how to check this, but the Apache logging directives I've found so far don't seem to be helping.

Edit: ownership/permissions on domain.example.conf?
 

TimvH

No, that isn't a problem.

Your symptoms suggest to me that the virtualhost file (domain.example.conf) isn't being read/used. That would account both for the lack of SSL, and also for the fact that the server isn't giving you Nextcloud directly.

Edit: ownership/permissions on domain.example.conf?
[root@nextcloud ~]# ls -l /usr/local/etc/apache24/Includes/
total 7
-rwxr-xr-x 1 root wheel 89 Mar 15 03:25 no-accf.conf
-rwxr-xr-x 1 root wheel 1538 Apr 2 22:17 domain.example.conf

I even tried to copy the contents of these two files to the end of httpd.conf but even that doesn't work. I'll reinstall everything once again, maybe something fucked up.
After reinstalling everything I checked Apache's error log which contains the following:

[root@nextcloud /usr/local/etc]# cat /var/log/httpd-error.log
[Tue Apr 03 00:34:39.379486 2018] [ssl:warn] [pid 59326:tid 34397585408] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Apr 03 00:34:39.382189 2018] [mpm_event:notice] [pid 59326:tid 34397585408] AH00489: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd configured -- resuming normal operations
[Tue Apr 03 00:34:39.382256 2018] [core:notice] [pid 59326:tid 34397585408] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'

 

danb35

I even tried to copy the contents of these two files to the end of httpd.conf but even that doesn't work.
That's sounding very bizarre indeed. It does have me wondering if it would be better to just do a single httpd.conf file, removing the need for the separate virtual host file, but that's going to take a good bit of editing.
 

TimvH

That's sounding very bizarre indeed. It does have me wondering if it would be better to just do a single httpd.conf file, removing the need for the separate virtual host file, but that's going to take a good bit of editing.
Probably won't be needed, the error log says that the SSL Session Cache isn't configured, which makes it skip the whole vhost file if I understand it correctly.
 

danb35

which makes it skip the whole vhost file if I understand it correctly.
No, it doesn't. Probably should add that directive, but it isn't required. From the Apache docs:
This cache is an optional facility which speeds up parallel request processing.
Edit: I expect we're both going to feel pretty silly when we find the issue, in that it's probably something that's simple, obvious, and staring us in the face.
 

danb35

As a suggestion only it'd be sweet if you'd make us able to store the files, sql files and the port files in different datasets.
This should be done now.
 

danb35

Edit: I expect we're both going to feel pretty silly when we find the issue, in that it's probably something that's simple, obvious, and staring us in the face.
I might have found it, though I thought I'd addressed this previously--are you browsing to your jail by IP address or by FQDN?
 

danb35

U2 doesn't work with the repo as of 11pm eastern on 4/1.
What exactly happened? I just tried it under 11.1-U2 with the script as it now sits, and it seems to have worked fine.
 

cunningorb

Explorer
Joined
Feb 5, 2018
Messages
58
What exactly happened? I just tried it under 11.1-U2 with the script as it now sits, and it seems to have worked fine.
I was getting redirected to freenas gui.

I'm about to try running it on fresh U4 with workaround as needed.
 

TimvH

I might have found it, though I thought I'd addressed this previously--are you browsing to your jail by IP address or by FQDN?
I've found a working solution, changing <VirtualHost domain.example:80> and <VirtualHost domain.example:443> to <VirtualHost *:80> and <VirtualHost *:443> and restarting apache made it work.
Somehow it doesn't read my FQDN well...
 

danb35

Somehow it doesn't read my FQDN well.
So you were browsing to the FQDN and it didn't work, but changing the VirtualHost declarations to *:80 and *:443 worked? Strange, but easy enough to fix.
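
A hostname in a `<VirtualHost>` address is resolved to an IP address when Apache starts, and the block then only matches connections arriving on that address; the Apache documentation marks the hostname form as not recommended. The function below, an added example that is not from the thread or the install script, lists hostname-based declarations in vhost files; its name and the sample file are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report <VirtualHost> addresses written as
# hostnames. "*", "_default_" and IP literals do not depend on what the jail's
# resolver returns at startup; a hostname does.

# vhost_hostname_addrs FILE...  -> prints "file: host:port" per finding
vhost_hostname_addrs() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Take the address list from each uncommented <VirtualHost ...> line,
        # one address per output line (a block may list several).
        sed -n 's/^[[:space:]]*<[Vv]irtual[Hh]ost[[:space:]]\{1,\}\([^>]*\)>.*/\1/p' "$f" |
        tr -s ' \t' '\n\n' |
        while IFS= read -r addr; do
            case "$addr" in ''|\[*) continue ;; esac   # empty, or IPv6 literal
            host=${addr%:*}                            # drop ":port" if present
            case "$host" in
                '*'|_default_) ;;                      # wildcard forms
                *[!0-9.]*) printf '%s: %s\n' "$f" "$addr" ;;  # not a dotted quad
            esac
        done
    done
}

# Constructed sample: the "before" and "after" declarations from the thread,
# plus a commented-out line and an IP literal that must not be reported.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<VirtualHost domain.example:80>
</VirtualHost>
<VirtualHost domain.example:443>
</VirtualHost>
<VirtualHost *:443>
</VirtualHost>
# <VirtualHost commented.example:443>
<VirtualHost 192.0.2.10:443>
</VirtualHost>
EOF
vhost_hostname_addrs "$demo"
rm -f "$demo"
```

Inside the jail, `httpd -S` prints the virtual host settings as Apache parsed them.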
 

cunningorb

Again from fresh install on FreeNAS 11.1 U4 using the latest instructions from the git resource, we have a successful Nextcloud install.
There's just no stopping you is there @danb35
One thing about this install that I noticed is it won't open pdf out of the box on my server at least.
Code:
PDF.js v1.9.426 (build: 2558a58d)
Message: Unexpected server response (0) while retrieving PDF "https://heylookitsmydomain.com/remote.php/webdav/Nextcloud%20Manual.pdf".

I didn't spend too much time trying to track this down last install because I wasn't finding a lot of similar errors with google-fu.
This is all I found before:
https://help.nextcloud.com/t/errors-viewing-and-downloading-pdf-files/3499
https://github.com/mozilla/pdf.js/issues/7993

2nd issue is an inability to upload certain file types. Size doesn't matter, could be as small as 5kb or large as 100mb. The upload progress bar runs to 100% (sometimes, if it appears at all) but the file never appears in nextcloud files list. The most common file types that fail are .pdf, .docx, .mp4. Some that have been uploaded without issue were .jpg, .png. This is all I have in the nextcloud log:
Code:
{"reqId":"TJmvPcekzPLhMJDE8K7W","level":3,"time":"2018-04-03T18:48:40-04:00","remoteAddr":"","user":"--","app":"PHP","method":"--","url":"--","message":"Redis::connect(): connect() failed: Connection refused at \/usr\/local\/www\/apache24\/data\/nextcloud\/lib\/private\/RedisFactory.php#84","userAgent":"--","version":"13.0.1.1"}
{"reqId":"k9pcGczJkUWW5lF9wjci","level":3,"time":"2018-04-03T18:48:43-04:00","remoteAddr":"","user":"--","app":"PHP","method":"--","url":"--","message":"Redis::connect(): php_network_getaddresses: getaddrinfo failed: Non-recoverable failure in name resolution at \/usr\/local\/www\/apache24\/data\/nextcloud\/lib\/private\/RedisFactory.php#84","userAgent":"--","version":"13.0.1.1"}
{"reqId":"k9pcGczJkUWW5lF9wjci","level":3,"time":"2018-04-03T18:48:43-04:00","remoteAddr":"","user":"--","app":"PHP","method":"--","url":"--","message":"Redis::connect(): connect() failed: php_network_getaddresses: getaddrinfo failed: Non-recoverable failure in name resolution at \/usr\/local\/www\/apache24\/data\/nextcloud\/lib\/private\/RedisFactory.php#84","userAgent":"--","version":"13.0.1.1"}

And httpd-error.log
Code:
[Tue Apr 03 18:47:27.569026 2018] [ssl:warn] [pid 99185:tid 34397577216] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Apr 03 18:47:27.575055 2018] [mpm_event:notice] [pid 99185:tid 34397577216] AH00489: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd configured -- resuming normal operations
[Tue Apr 03 18:47:27.575163 2018] [core:notice] [pid 99185:tid 34397577216] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Tue Apr 03 19:42:16.434706 2018] [proxy_fcgi:error] [pid 164:tid 34399165952] [client xxx.xxx.x.xx:xxxxx] Invalid status line from script 'Nextcloud%20Manual.pdf': 0, referer: https://heylookitsmydomain.com/index.php/apps/files_pdfviewer/?file=%2Fremote.php%2Fwebdav%2FNextcloud%2520Manual.pdf
[Tue Apr 03 19:44:03.892212 2018] [proxy_fcgi:error] [pid 99190:tid 34399160832] [client xxx.xxx.x.xx:xxxxx] Invalid status line from script 'Nextcloud%20Manual.pdf': 0, referer: https://heylookitsmydomain.com/index.php/apps/files_pdfviewer/?file=%2Fremote.php%2Fwebdav%2FNextcloud%2520Manual.pdf
[Tue Apr 03 19:47:18.073315 2018] [proxy_fcgi:error] [pid 164:tid 34399162112] [client xxx.xxx.x.xx:xxxxx] Invalid status line from script 'Just%20Ship%20It.pdf': 0
[Tue Apr 03 19:51:21.293326 2018] [proxy_fcgi:error] [pid 99188:tid 34397591296] [client xxx.xxx.x.xx:xxxxx] Invalid status line from script 'Just%20Ship%20It.pdf': 0



Is this a possible resource? https://help.nextcloud.com/t/unable-to-access-directories-starting-with-a-hash-sign/6308/5
 

TimvH

Again from fresh install on Freenas 11.1 U4 using the latest instructions from the git resource, we have a successful nextcloud install.
There's just no stopping you is there @danb35
Indeed there isn't :P
One thing about this install that I noticed is it won't open pdf out of the box on my server at least.
Code:
PDF.js v1.9.426 (build: 2558a58d)
Message: Unexpected server response (0) while retrieving PDF "https://heylookitsmydomain.com/remote.php/webdav/Nextcloud%20Manual.pdf".
I'm also experiencing the same issue, I'll take a look.
 

cunningorb

Indeed there isn't :p

I'm also experiencing the same issue, I'll take a look.
Hey the link I posted was the correct fix. Here were my steps in rough form:
Code:
root@freenas:~ # nano /mnt/iocage/jails/nextcloud/root/usr/local/etc/apache24/Includes/heyitsmydomain.com.conf

<VirtualHost *:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName heyitsmydomain.com
Redirect / https://heyitsmydomain.com/
</VirtualHost>

<VirtualHost *:443>
  ServerAdmin admin@example.com
  ServerName heyitsmydomain.com
  DocumentRoot "/usr/local/www/apache24/data/nextcloud"
  RewriteEngine On
  RewriteCond %{HTTP:Authorization} ^(.*)
  RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
#  ProxyPassMatch ^/(.*\.php(/.*)?)$
#fcgi://127.0.0.1:9000/usr/local/www/apache24/data/nextcloud/$1
  <FilesMatch \.php$>
    SetHandler "proxy:fcgi://localhost:9000"
  </FilesMatch>
  DirectoryIndex /index.php index.php


root@freenas:~ # jexec 3
root@nextcloud:/ # service apache24 restart
Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 99185.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
root@nextcloud:/ # service php-fpm restart
Performing sanity check on php-fpm configuration:
[03-Apr-2018 21:18:12] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Stopping php_fpm.
Waiting for PIDS: 98977.
Performing sanity check on php-fpm configuration:
[03-Apr-2018 21:18:13] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Starting php_fpm.

I can now view PDF files in browser. I can also upload PDF and DOCX.
 