I found the official "How to Install the Nextcloud All-in-One on Linux" documentation to be very helpful; however, as a newcomer to many networking concepts, I also thought it would be helpful to share more detailed steps in case they would help other users.
The following steps are either additional configuration tasks that were helpful for my particular setup or more detailed versions of the steps in the existing guide. In other words, this post is meant to augment, rather than replace, the steps in the previous link.
I used Linux Mint as the OS for my installation, but these steps should apply to many other Linux distributions as well. (Also, for privacy reasons, many of the addresses and domains shown here don't reflect my actual addresses/domains.)
- To enable external storage, I added --env NEXTCLOUD_MOUNT="/media/" \ within the AIO launch command (right above the final line that begins with ghcr.io).
- My local router doesn't have a static IP address. Therefore, I chose to set up a DDNS (dynamic DNS) service using my Deco router. I did this by opening my Deco app, then going to More (at the bottom) → Advanced → DDNS. I turned DDNS on and chose home_ip as my domain name (thus making home_ip.tplinkdns.com my full domain). This will allow Nextcloud to successfully connect to my public IP address even if Ting changes that address.
- I also needed to set up port forwarding so that requests to access my Nextcloud account could come to my Linux Mint computer. I was able to do this within the Deco router as well; under More → Advanced → NAT Forwarding, I chose Port Forwarding. I then created two port forwarding rules, one for 443 and one for 80. For each of these rules, under Internal IP, select Use Client IP Address, then select your server's internal IP address (e.g. 192.168.20.30). I found my address by opening Linux Mint's Network settings menu, clicking on my internet connection's settings, and then reviewing my computer's IPv4 address. (Note that this address is not to be confused with your public IP address, which you can find by going to whatsmyip.org.)
  For the 443 port forwarding rule, select 443 as the internal and external port; similarly, for the 80 port forwarding rule, select 80 as the internal and external port.
- I have a public domain (mypubdomain.com) hosted on Hostinger, but I wanted to connect a subdomain (nextcloud.mypubdomain.com) to my Nextcloud container rather than the domain itself. Therefore, I added a new subdomain entry within my domain's DNS page with the following info:
  - Type: CNAME [not A, which would be used to connect a subdomain to an IP address, rather than the DDNS URL that I'm using]
  - Name: nextcloud (for the nextcloud.mypubdomain.com subdomain)
  - Data: home_ip.tplinkdns.com. [The period at the end is an intentional part of the entry]
  - TTL: 60 (this value is in seconds on Hostinger, so I probably could have set something like 1800 instead, but this setting ended up working just fine.)

  Note: If you had a public static IP, you could use an A rather than CNAME type and pass the static IP, rather than your dynamic IP domain, to the "Data" field. (You could also skip the DDNS step in this case.)
- Note: When attempting to connect either to your nextcloud.mypubdomain.com subdomain (at this point) or to home_ip.tplinkdns.com (even after completing the following steps), you might get an error message that says "This site can't provide a secure connection." This confused me at first; however, my understanding is that domains by themselves generally don't have any SSL certificates applied to them. Therefore, because this domain wasn't connected to a website just yet, it made sense that I would receive this error.
  (Also, I mistakenly thought that I would need to get an SSL certificate from my domain registrar in order to make Nextcloud work; however, since Nextcloud AIO provides its own SSL certificates via Let's Encrypt, this actually wasn't necessary. Thus, you don't need a public domain with SSL for Nextcloud AIO to function, just a public domain.)
- To connect to Nextcloud the first time, I went to https://192.168.20.30:8080 (not 91/8080) within my Brave browser. I saw a "Your connection is not private" warning that read: "Attackers might be trying to steal your information . . ." However, I figured that it would be OK here to click "Advanced" within Brave and then "Proceed to 192.168.20.30 (unsafe)."
- If all went well, I could now complete the setup process and then access my Nextcloud at nextcloud.mypubdomain.com.
- To further secure your site, you should strongly consider setting up 2FA for all users (but have everyone save their 2FA recovery codes, too!). In addition, you may want to update your brute-force settings so that users are temporarily prevented from trying to log in after 3 failed attempts. Further security measures include setting up the Fail2Ban community container and/or the GeoBlocker app.
Dealing with a Port 443 error
In my case, even after following the above DDNS, port forwarding, and subdomain-creation steps, I kept receiving the following error within the Nextcloud setup page:
Error: The domain is not reachable on Port 443 from within this container. Have you opened port 443/tcp in your router/firewall? If yes is the problem most likely that the router or firewall forbids local access to your domain. You can work around that by setting up a local DNS-server.
I was confused as to why I was receiving this error. Using https://portchecker.co, I confirmed that ports 80 and 443 were open for nextcloud.mypubdomain.com. In addition, running dig nextcloud.mypubdomain.com within my Linux terminal revealed the following info:
;nextcloud.mypubdomain.com. IN A
;; ANSWER SECTION:
nextcloud.mypubdomain.com. IN CNAME home_ip.tplinkdns.com.
home_ip.tplinkdns.com. IN A {my public IP address}
I think this confirmed that my subdomain record was correctly forwarding traffic to my TP-Link DDNS account.
To solve this issue, I chose to skip domain validation by resetting my Nextcloud AIO instance; adding --env SKIP_DOMAIN_VALIDATION=true above the last line of the Docker command that I was using earlier; and then rerunning this command. This time, everything finally worked! I was able to access and log in to Nextcloud just fine. My browser also reported, following this login, that the connection was secure (and had a Let's Encrypt certificate).
(Note: during my debugging process, I had also turned on my UFW firewall on my server and allowed traffic from ports 80 and 443, but I imagine that this wasn't the fix for my issue, since my firewall had been off beforehand.)
(One more note: I had been using GoDaddy as my domain registrar; however, I learned that they had parked my domain because of a "security concern." I wonder if this was due to strange activity they might have seen when I was trying to get a local instance of Nextcloud to work. They wanted me to pay for enhanced security in order to re-enable the domain. Since this would cost around $60 a year, I decided to simply create a separate domain with Hostinger.)
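
The three observations from the Port 443 section above (the dig CNAME chain, a port check from outside, and a connection attempt from inside the LAN) can be combined into one diagnosis. This is an added example, not part of the original post or of Nextcloud AIO; the function names, the sample dig text and the 203.0.113.7 address are constructed, and open_from_outside is assumed to come from an external checker such as the portchecker.co test mentioned above.

```python
import socket

# Constructed sample in the shape of the dig answer quoted in the post
# (203.0.113.7 is a documentation address standing in for the public IP).
SAMPLE_DIG_ANSWER = """\
;nextcloud.mypubdomain.com. IN A
nextcloud.mypubdomain.com. 60 IN CNAME home_ip.tplinkdns.com.
home_ip.tplinkdns.com. 300 IN A 203.0.113.7
"""

def follow_chain(answer_text, name):
    """Follow CNAME records in dig answer text from `name` to its final A record."""
    records = {}
    for line in answer_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and not line.startswith(";") and parts[-2] in ("A", "CNAME"):
            records[parts[0].rstrip(".").lower()] = (parts[-2], parts[-1].rstrip("."))
    chain, current = [], name.rstrip(".").lower()
    while current in records and len(chain) < 8:  # bound guards against CNAME loops
        rtype, target = records[current]
        chain.append((current, rtype, target))
        if rtype == "A":
            return chain, target
        current = target.lower()
    return chain, None

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(resolved_ip, open_from_lan, open_from_outside):
    """Map the three observations onto the likely cause of the AIO port 443 error."""
    if resolved_ip is None:
        return "dns: the name does not end in an A record"
    if not open_from_outside:
        return "forwarding: 443/tcp unreachable from the internet; check router rule and host firewall"
    if not open_from_lan:
        return "nat-loopback: reachable from outside but not from the LAN; add a local DNS record"
    return "ok: reachable from both sides"

if __name__ == "__main__":
    chain, ip = follow_chain(SAMPLE_DIG_ANSWER, "nextcloud.mypubdomain.com")
    # On a real server: parse live dig output, set open_from_lan from
    # tcp_open(domain, 443), and take open_from_outside from an external checker.
    print(chain, diagnose(ip, open_from_lan=False, open_from_outside=True))
```

A nat-loopback result corresponds to the case the AIO error text names, where the router or firewall forbids local access to the public domain.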