saarg Posted May 26, 2019

> 2 minutes ago, blaine07 said:
> Anyone? Anything?

You did not post your docker run command. The issue is with the config of letsencrypt and not nextcloud. Don't run any commands to renew certificates inside the container unless told to do so. To trigger a renewal of certificates, you can modify your config (add a subdomain), and see what the error is. And post it here along with the docker run command.

blaine07 Posted May 26, 2019

> You did not post your docker run command. The issue is with the config of letsencrypt and not nextcloud. Don't run any commands to renew certificates inside the container unless told to do so. To trigger a renewal of certificates, you can modify your config (add a subdomain), and see what the error is. And post it here along with the docker run command.

My apologies, I didn’t know anything about a docker run command; where do I find it, how do I access it so I can post it? Add a subdomain on the setup page for letsencrypt in unraid? I did post error it gives when trying to renew, will that be different error than when I add a subdomain?

At any rate, please provide more information to your request and I’d be happy to; obviously had I known how or that I was supposed to do the above I would’ve. I ain’t here to inconvenience anyone but everyone starts somewhere.

blaine07 Posted May 26, 2019

> You did not post your docker run command. The issue is with the config of letsencrypt and not nextcloud. Don't run any commands to renew certificates inside the container unless told to do so. To trigger a renewal of certificates, you can modify your config (add a subdomain), and see what the error is. And post it here along with the docker run command.

-------------------------------------
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 15-urllib: executing...
Collecting urllib3==1.24.3
Downloading https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl (118kB)
Installing collected packages: urllib3
Found existing installation: urllib3 1.25.3
Uninstalling urllib3-1.25.3:
Successfully uninstalled urllib3-1.25.3
Successfully installed urllib3-1.24.3
[cont-init.d] 15-urllib: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Chicago
URL=blainej.net
SUBDOMAINS=cloud,blwin10,emby,office,bw
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d cloud.blaine.net -d blwin10.blaine.net -d emby.blaine.net -d office.blaine.net -d bw.blaine.net
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
nginx: [warn] could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
Server ready

blaine07 Posted May 26, 2019

> You did not post your docker run command. The issue is with the config of letsencrypt and not nextcloud. Don't run any commands to renew certificates inside the container unless told to do so. To trigger a renewal of certificates, you can modify your config (add a subdomain), and see what the error is. And post it here along with the docker run command.

So apparently adding a dummy site to letsencrypt and restarting letsencrypt and letting it error, then removing and restarting again finally got it to renew certs. No idea why or how that fixed it if when it's restarted in general it is supposed to fix certs.

Edit: on another note how can I edit conf files for sites so that http forwards to appropriate https place as well? It isn't a biggy but currently have to navigate to https for each of them.

saarg Posted May 26, 2019

> 1 minute ago, blaine07 said:
> So apparently adding a dummy site to letsencrypt and restarting letsencrypt and letting it error, then removing and restarting again finally got it to renew certs. No idea why or how that fixed it if when it's restarted in general it is supposed to fix certs.

You should remove the domain and email from your previous post.

The docker run command is in my signature and also in the docker FAQ that is pinned. Also not so hard to search for it 😉

As for why it didn't renew your certificate, the letsencrypt logs are needed. Not sure where they are, but probably in your appdata somewhere. But it's working now, so no point checking out.

The renew is not done on container start anymore. It's a cron job running once a day checking the certs.

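Added example, not part of saarg's post or of the linuxserver.io image: because renewal is left to a daily cron job, checking the certificate file itself shows whether it is inside the renewal window and still lists every subdomain. The function names, the 30-day threshold and the example.test hostnames are assumptions; the certificate path is the one used in the nginx config posted later in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or the linuxserver.io image).
# Assumed helper names: cert_expires_within, cert_sans, cert_missing_names.
# For a fullchain.pem, openssl x509 reads the first certificate (the leaf).

# Exit 0 if FILE expires within DAYS days, or cannot be read at all.
cert_expires_within() {
    file=$1
    days=$2
    # "openssl x509 -checkend N" exits 0 only if the cert is still valid N seconds from now.
    if openssl x509 -in "$file" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Print every expected hostname (arguments after FILE) that the cert does not list.
# Exact match only: a wildcard SAN such as *.example.test is not expanded.
cert_missing_names() {
    file=$1
    shift
    sans=$(cert_sans "$file")
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Usage inside the container (hostnames are placeholders):
#   CERT=/config/keys/letsencrypt/fullchain.pem
#   cert_expires_within "$CERT" 30 && echo "renewal due, or certificate unreadable"
#   cert_missing_names "$CERT" cloud.example.test emby.example.test
```

A certificate that stays inside the 30-day window for more than a day or two means the daily job is failing, which is the point at which the letsencrypt logs are worth reading.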
blaine07 Posted May 26, 2019

> You should remove the domain and email from your previous post. The docker run command is in my signature and also in the docker FAQ that is pinned. Also not so hard to search for it. As for why it didn't renew your certificate, the letsencrypt logs are needed. Not sure where they are, but probably in your appdata somewhere. But it's working now, so no point checking out. The renew is not done on container start anymore. It's a cron job running once a day checking the certs.

Yes sir, I had just redacted info. Sorry on run command; not seeing signature on mobile will have to pull up PC. Yeah no idea why it didn't renew either. I guess this would've been 90 days from when I set it all up and it felt the need to remind me of initial frustrations I had LOL.

I was NOT aware it didn't update them on startup any longer; great info to have! When is cron set to run; a certain time daily or?

Also, any idea on this mate?

> On another note how can I edit conf files for sites so that http forwards to appropriate https place as well? It isn't a biggy but currently have to navigate to https for each of them.

Edit: how rude, forgot to say THANK you man!

aptalca Posted May 26, 2019

> 2 hours ago, blaine07 said:
> Yes sir, I had just redacted info. Sorry on run command; not seeing signature on mobile will have to pull up PC. Yeah no idea why it didn't renew either. I guess this would've been 90 days from when I set it all up and it felt the need to remind me of initial frustrations I had LOL. I was NOT aware it didn't update them on startup any longer; great info to have! When is cron set to run; a certain time daily or? Also, any idea on this mate? On another note how can I edit conf files for sites so that http forwards to appropriate https place as well? It isn't a biggy but currently have to navigate to https for each of them. Edit: how rude, forgot to say THANK you man!

All the conf files are in the config folder. /config/nginx/site-confs/default is the one you want to edit for https redirection. There are instructions in there.

Lynxphp Posted May 26, 2019

Hi

I previously had a working nextcloud instance with reverse proxy, but I kept having problems after I moved and got a new ISP router. I have made several unsuccessful attempts in the past months to get it working so tonight I'm finally posting here and hope someone can help.

Nextcloud is set up and works just fine on the local network. Let's encrypt is able to get new certs and to renew old ones. My issue lies with setting up the reverse proxy to access nextcloud with my duckdns URL. It times out whenever I try to reach the site from behind the pfsense router, the internet or behind the isp router.

I would very much appreciate any help or suggestion. Below I posted my config.

My network:

The Pfsense Router is in the DMZ of the ISP router

Here are my port forwards in both routers (first ISP router then pfsense)

NAT loopback is enabled in the pfsense port forwards.

Here is my letsencrypt template:

appdata/letsencrypt/nginx/site-confs/nextcloud

server {
    listen 443 ssl;
    server_name XXX.duckdns.org;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ###ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://19.16.17.101:444/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}

appdata/nextcloud/www/nextcloud/config/config.php

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'XXX',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' =>
  array (
    0 => '19.16.17.101:444',
    1 => 'XXX.duckdns.org',
  ),
  'dbtype' => 'mysql',
  'version' => '16.0.1.1',
  'overwrite.cli.url' => 'https://XXX.duckdns.org',
  'overwritehost' => 'XXX.duckdns.org',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => '19.16.17.101:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'XXX',
  'dbpassword' => 'XXX',
  'installed' => true,
);

CHBMB Posted May 26, 2019

@Lynxphp Use the preconfigured reverse proxy conf for Nextcloud and see if that works before you do anything else.

gacpac Posted May 27, 2019

> 1 hour ago, Lynxphp said:
> Hi I previously had a working nextcloud instance with reverse proxy, but I kept having problems after I moved and got a new ISP router. I have made several unsuccessful attempts in the past months to get it working so tonight I'm finally posting here and hope someone can help. Nextcloud is set up and works just fine on the local network. Let's encrypt is able to get new certs and to renew old ones. My issue lies with setting up the reverse proxy to access nextcloud with my duckdns URL. It times out whenever I try to reach the site from behind the pfsense router, the internet or behind the isp router. I would very much appreciate any help or suggestion. Below I posted my config. My network: The Pfsense Router is in the DMZ of the ISP router. Here are my port forwards in both routers (first ISP router then pfsense). NAT loopback is enabled in the pfsense port forwards.

This is a déjà vu, I was having issues today after setting my first pfsense router.

My question is, was this working before? Because if it was it could be a network issue. In my case what solved the problem was removing a setting in my WAN interface called "block private networks and loopback addresses". I have a double NAT situation as well.

Also go to the website canyouseeme.org and check if the port is actually open.

Also, follow the instructions from @CHBMB, maybe that's all you need.

Lynxphp Posted May 27, 2019

> 5 hours ago, CHBMB said:
> @Lynxphp Use the preconfigured reverse proxy conf for Nextcloud and see if that works before you do anything else.

Thanks! I got remote access! However, still no access from the local network.

> 4 hours ago, gacpac said:
> This is a déjà vu, I was having issues today after setting my first pfsense router. My question is, was this working before? Because if it was it could be a network issue. In my case what solved the problem was removing a setting in my WAN interface called "block private networks and loopback addresses". I have a double NAT situation as well. Also go to the website canyouseeme.org and check if the port is actually open. Also, follow the instructions from @CHBMB, maybe that's all you need.

I only set up my pfsense router after moving (with my new ISP router that doesn't support NAT loopback). I never got local access working with this ISP router. I tried unchecking "block private networks and loopback addresses" (both on WAN and LAN) but no change.

canyouseeme.org reports that port 443 is open, 80 is not.

I tried setting up a NAT forward rule to be able to gain local access, but no success:

Any suggestion?

aptalca Posted May 27, 2019

> 8 minutes ago, Lynxphp said:
> Thanks! I got remote access! However, still no access from the local network. I only set up my pfsense router after moving (with my new ISP router that doesn't support NAT loopback). I never got local access working with this ISP router. I tried unchecking "block private networks and loopback addresses" (both on WAN and LAN) but no change. canyouseeme.org reports that port 443 is open, 80 is not. I tried setting up a NAT forward rule to be able to gain local access, but no success: Any suggestion?

Go to services/dns resolver and add your host overrides at the bottom.

Stubbs Posted May 27, 2019

Why does it say I don't have permission to save anything inside the proxy-confs file in Windows SMB? I can read and write everything else in appdata except for this folder. Even if I set appdata to public, I still get this message.

saarg Posted May 27, 2019

> 33 minutes ago, Stubbs said:
> Why does it say I don't have permission to save anything inside the proxy-confs file in Windows SMB? I can read and write everything else in appdata except for this folder. Even if I set appdata to public, I still get this message.

That is because of the permissions on the files. Do not change the permissions. Instead edit them through command line on the server.

Lynxphp Posted May 27, 2019

> 2 hours ago, aptalca said:
> Go to services/dns resolver and add your host overrides at the bottom.

Thanks for the suggestion. I still can't get local access...

saarg Posted May 27, 2019

> 24 minutes ago, Lynxphp said:
> Thanks for the suggestion. I still can't get local access...

That doesn't look correct. The domain should be your duckdns domain and host only the subdomain for nextcloud.

ICDeadPpl Posted May 27, 2019

How come any edits I make to 'quassel-web.subfolder.conf' get undone when I restart the Letsencrypt container? I have other proxy conf files with edits that work just fine, they don't get reverted to default values when I restart Letsencrypt.

pingmanping Posted May 27, 2019

> 22 hours ago, CHBMB said:
> Try again, I've deleted it from our repository,

I just updated the letsencrypt container and the moment it got started, the error is still showing up in logs. The container also created another instance of quassel-web-subfolder.conf without the .sample

Lynxphp Posted May 27, 2019

> 8 hours ago, saarg said:
> That doesn't look correct. The domain should be your duckdns domain and host only the subdomain for nextcloud.

Thanks for your correction. I previously used mydomain.duckdns.org to reach nextcloud directly. I now made the change in the nextcloud and letsencrypt config to have nextcloud at nextcloud.mydomain.duckdns.org. I can reach nextcloud remotely, but still not locally (timeout) :(.

Here is my Host override in the DNS resolver:

blaine07 Posted May 27, 2019

> Thanks for your correction. I previously used mydomain.duckdns.org to reach nextcloud directly. I now made the change in the nextcloud and letsencrypt config to have nextcloud at nextcloud.mydomain.duckdns.org. I can reach nextcloud remotely, but still not locally (timeout). Here is my Host override in the DNS resolver:

In pfsense firewall tab then Nat tab. How are your port forwards setup? Below is how my 443 is setup. Until I got the forwarding stuff I was having issues externally or internally until I got it right.

Lynxphp Posted May 27, 2019

Thanks for the tip @blaine07. I have no problems reaching nextcloud externally, which leads me to think that my port forwarding rules are okay. It's only internally that the connection times out.

Here's a screen of my rules:

blaine07 Posted May 27, 2019

> Thanks for the tip @blaine07. I have no problems reaching nextcloud externally, which leads me to think that my port forwarding rules are okay. It's only internally that the connection times out. Here's a screen of my rules:

Try changing that nat proxy option to default or one of the others. May require pfsense to reboot. I'd bet still that's related to your problem as far as locally being able to access it.

blaine07 Posted May 27, 2019

But also not sure what you have going on because I think you should have 80/443 forwarded to letsencrypt container? I just have those two forwarded. Maybe you're doing something I'm oblivious to though.

gacpac Posted May 27, 2019

What I still don't get is that port 80 is not open when you check canyouseeme.org; mine is open. And it has to be open for the container to work properly.

Maybe I'm wrong, just let me know.