AIO: Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

I have AIO running on my rock64 in the Docker image. Everything seems to be fine, but I cannot access the interface because the SSL is missing.

I tried to go to domain.kk:8443 to get the SSL, but nothing happened.

How do I make SSL work?

Hi, I think this is a limitation of Caddy, which is running inside the container and should create the SSL certificate automatically. You can either create a subdomain, point that at the same server and then use https://subdomain.domain.kk:8843 to access the AIO interface, or use https://ip.of.this.server:8080 to open the AIO interface.

Hi Szaimen

Thanks for your reply. I don't know much about these things.

But I can open the interface, but I cannot change anything related to SSL there?

Here is my caddy file:

sudo docker exec 590dc5cae442 cat /Caddyfile

{
	auto_https disable_redirects

	storage file_system {
		root /mnt/data/caddy
	}

	log {
		level ERROR
	}
}

{$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
	# Notify Push
	route /push/* {
		uri strip_prefix /push
		reverse_proxy {$NEXTCLOUD_HOST}:7867 {
			# trusted_proxies placeholder
		}
	}

	# Talk
	route /standalone-signaling/* {
		uri strip_prefix /standalone-signaling
		reverse_proxy {$TALK_HOST}:8081 {
			# trusted_proxies placeholder
		}
	}

	# Collabora
	route /browser/* {
		reverse_proxy {$COLLABORA_HOST}:9980 {
			# trusted_proxies placeholder
		}
	}
	route /hosting/* {
		reverse_proxy {$COLLABORA_HOST}:9980 {
			# trusted_proxies placeholder
		}
	}
	route /cool/* {
		reverse_proxy {$COLLABORA_HOST}:9980 {
			# trusted_proxies placeholder
		}
	}

	# Onlyoffice
	route /onlyoffice/* {
		uri strip_prefix /onlyoffice
		reverse_proxy {$ONLYOFFICE_HOST}:80 {
			header_up X-Forwarded-Host {http.request.host}/onlyoffice
			header_up X-Forwarded-Proto https
			# trusted_proxies placeholder
		}
	}

	# Nextcloud
	route {
		rewrite /.well-known/carddav /remote.php/dav
		rewrite /.well-known/caldav /remote.php/dav
		header Strict-Transport-Security max-age=31536000;
		reverse_proxy localhost:8000 {
			# See https://github.com/nextcloud/all-in-one/issues/828
			# trusted_proxies placeholder
		}
	}

	# TLS options
	tls {
		issuer acme {
			disable_http_challenge
		}
	}
}

Hi, as I said, you can either create a subdomain like subdomain.domain.kk and point that towards your server, or open the AIO interface using https://ip.address.of.this.server:8080.

Hi szaimen,
thanks for replying again. Maybe I don't understand, but I thought I already did.
I used FreeDNS, which points to my server IP, and I can open 192.168.1.8:8080, but that redirects me to https://192.168.1.8:8080/containers, where, when I click on "open your nextcloud", I am sent to the FreeDNS name and get the SSL error.

Ah I see. Can you post the output of sudo docker logs nextcloud-aio-apache here?

It's a long one :wink:

Waiting for Nextcloud to start...
{"level":"info","ts":1677933737.3097243,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
{"level":"info","ts":1677933739.687252,"msg":"[INFO][FileStorage:/mnt/data/caddy] Lock for 'issue_cert_jadajada.chickenkiller.com' is stale (created: 2023-03-04 13:32:36.882836328 +0200 EET, last update: 2023-03-04 14:37:27.197052351 +0200 EET); removing then retrying: /mnt/data/caddy/locks/issue_cert_jadajada.chickenkiller.com.lock"}
[Sat Mar 04 14:42:20.054509 2023] [mpm_event:notice] [pid 163:tid 281473191501912] AH00489: Apache/2.4.55 (Unix) configured -- resuming normal operations
[Sat Mar 04 14:42:20.056519 2023] [core:notice] [pid 163:tid 281473191501912] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'
{"level":"error","ts":1677933741.1108634,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jadajada.chickenkiller.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many certificates already issued for \"chickenkiller.com\". Retry after 2023-03-04T13:00:00Z: see https://letsencrypt.org/docs/rate-limits/"}
{"level":"error","ts":1677933741.111125,"logger":"tls.obtain","msg":"will retry","error":"[jadajada.chickenkiller.com] Obtain: [jadajada.chickenkiller.com] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many certificates already issued for \"chickenkiller.com\". Retry after 2023-03-04T13:00:00Z: see https://letsencrypt.org/docs/rate-limits/ (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":1.404358339,"max_duration":2592000}
{"level":"error","ts":1677933813.0150762,"logger":"http.acme_client","msg":"challenge failed","identifier":"jadajada.chickenkiller.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1677933813.0153918,"logger":"http.acme_client","msg":"validating authorization","identifier":"jadajada.chickenkiller.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/91326224/7551200424","attempt":1,"max_attempts":3}
{"level":"error","ts":1677933813.0156465,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jadajada.chickenkiller.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1677933813.0159492,"logger":"tls.obtain","msg":"will retry","error":"[jadajada.chickenkiller.com] Obtain: [jadajada.chickenkiller.com] solving challenge: jadajada.chickenkiller.com: [jadajada.chickenkiller.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":73.309179673,"max_duration":2592000}
{"level":"error","ts":1677933944.3320167,"logger":"http.acme_client","msg":"challenge failed","identifier":"jadajada.chickenkiller.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1677933944.3321753,"logger":"http.acme_client","msg":"validating authorization","identifier":"jadajada.chickenkiller.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/91326224/7551228164","attempt":1,"max_attempts":3}
{"level":"error","ts":1677933944.3323197,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jadajada.chickenkiller.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1677933944.332479,"logger":"tls.obtain","msg":"will retry","error":"[jadajada.chickenkiller.com] Obtain: [jadajada.chickenkiller.com] solving challenge: jadajada.chickenkiller.com: [jadajada.chickenkiller.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":204.625712961,"max_duration":2592000}
{"level":"error","ts":1677934075.63954,"logger":"http.acme_client","msg":"challenge failed","identifier":"jadajada.chickenkiller.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1677934075.6398077,"logger":"http.acme_client","msg":"validating authorization","identifier":"jadajada.chickenkiller.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/91326224/7551256994","attempt":1,"max_attempts":3}
{"level":"error","ts":1677934075.6400704,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jadajada.chickenkiller.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1677934075.640369,"logger":"tls.obtain","msg":"will retry","error":"[jadajada.chickenkiller.com] Obtain: [jadajada.chickenkiller.com] solving challenge: jadajada.chickenkiller.com: [jadajada.chickenkiller.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":335.933593076,"max_duration":2592000}
{"level":"error","ts":1677934387.4511824,"logger":"http.acme_client","msg":"challenge failed","identifier":"jadajada.chickenkiller.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1677934387.451344,"logger":"http.acme_client","msg":"validating authorization","identifier":"jadajada.chickenkiller.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/91326224/7551322984","attempt":1,"max_attempts":3}
{"level":"error","ts":1677934387.4514983,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jadajada.chickenkiller.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1677934387.4516876,"logger":"tls.obtain","msg":"will retry","error":"[jadajada.chickenkiller.com] Obtain: [jadajada.chickenkiller.com] solving challenge: jadajada.chickenkiller.com: [jadajada.chickenkiller.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":647.744921343,"max_duration":2592000}
{"level":"error","ts":1677935000.1420603,"logger":"http.acme_client","msg":"challenge failed","identifier":"jadajada.chickenkiller.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1677935000.142198,"logger":"http.acme_client","msg":"validating authorization","identifier":"jadajada.chickenkiller.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/91326224/7551447144","attempt":1,"max_attempts":3}
{"level":"error","ts":1677935000.1423018,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jadajada.chickenkiller.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1677935000.1424346,"logger":"tls.obtain","msg":"will retry","error":"[jadajada.chickenkiller.com] Obtain: [jadajada.chickenkiller.com] solving challenge: jadajada.chickenkiller.com: [jadajada.chickenkiller.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":6,"retrying_in":1200,"elapsed":1260.435669032,"max_duration":2592000}
{"level":"error","ts":1677936211.980622,"logger":"http.acme_client","msg":"challenge failed","identifier":"jadajada.chickenkiller.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]}}
{"level":"error","ts":1677936211.9808788,"logger":"http.acme_client","msg":"validating authorization","identifier":"jadajada.chickenkiller.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"111.111.11.11: Timeout during connect (likely firewall problem)","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/91326224/7551725484","attempt":1,"max_attempts":3}
{"level":"error","ts":1677936211.9811063,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jadajada.chickenkiller.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1677936211.9814072,"logger":"tls.obtain","msg":"will retry","error":"[jadajada.chickenkiller.com] Obtain: [jadajada.chickenkiller.com] solving challenge: jadajada.chickenkiller.com: [jadajada.chickenkiller.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - 111.111.11.11: Timeout during connect (likely firewall problem) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":7,"retrying_in":1200,"elapsed":2472.274638488,"max_duration":2592000}

Can you try to remove the AAAA DNS-record of your domain and check if that makes it work?

Thanks szaimen. I only have an "A" record on FreeDNS. I will now try to install certbot and see if that helps me out… but do you know if I need to install and run it inside the Docker container for that to work?

Hm… did you open port 443 correctly?

I may have made a mistake but I would not really be able to tell myself.

I have put in my local IP address in "LAN Host IP Address" and port 443 in both WAN start and end port as well as in LAN start and end port. I did not set any IP address in WAN host start or end IP - could that be a mistake…

By the way, I installed certbot and ran :slight_smile:

sudo certbot --apache -d athstar.chickenkiller.com

but it returned:

An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for “chickenkiller.com”. Retry after 2023-03-04T16:00:00Z: see https://letsencrypt.org/docs/rate-limits/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details

What exactly did you do, sorry I cannot follow.

Are you trying to run AIO only locally without public access?

I am trying to install it on my rock64 (kinda like a Raspberry Pi) and I am trying to have access via DynDNS jadajada.chikenkiller.com - also from outside my local network.

However, I am not sure if this is even possible - it seems like it is when reading the GitHub page but… maybe I am wrong?

No, you are wrong. This is actually the default setup of AIO.

Are you trying to get it running behind a reverse proxy or without?

Is port 443 forwarded to the host running docker and AIO?

Can you check if you are behind CGNAT? Carrier-grade NAT - Wikipedia

port 443 is forwarded to the host running docker and AIO.

I don't think I am behind a CGNAT.

I am not using a reverse proxy at this point.

We’ve found your issue.

You need to wait now or use a subdomain. See https://github.com/nextcloud/all-in-one#how-to-change-the-domain

I will give it a rest for now :slight_smile: . And see if I have better internet-karma tomorrow ;).

Thanks so much szaimen.

BTW, I’ve created What can I do when I get `SSL_ERROR_INTERNAL_ERROR_ALERT` when opening Nextcloud? · nextcloud/all-in-one · Discussion #2105 · GitHub now since this came up a few times in the past.

I never could make this work, even after a reinstall and all sorts of variations of installing Docker and Nextcloud.

I hope it will become easier to make work in the future…

Did you follow What can I do when I get `SSL_ERROR_INTERNAL_ERROR_ALERT` when opening my Nextcloud domain? · nextcloud/all-in-one · Discussion #2105 · GitHub?