AIO: Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

yeah. it eventually went away… but then i got a different error and started over with the install… but now after installing docker i just get:

Digest: sha256:e14ba91102506131899eb3faf1215efb961122f509dfe4e9c551c63c073ace83
Status: Downloaded newer image for nextcloud/all-in-one:latest
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory: unknown.

then i read about apparmor and installed that but no luck…

I found these related issues for you: https://github.com/nextcloud/all-in-one/discussions/1747 generell nextcloud aio issue · nextcloud/all-in-one · Discussion #1091 · GitHub.

Basically, in both cases the hoster was the problem.

yeah it could probably be a lot of different things that is wrong… i host on a rock64 which ran a limp version of nextcloud yesterday that never really got to work… i will keep going for some time but i think there are so many moving parts in this that it is almost impossible for a layman

the internet suggests:

profile docker-default flags=(attach_disconnected,mediate_deleted) {
…
/proc/self/attr/apparmor/exec w,
…
}

After the certificate error goes away - there seems to be a firewall issue. however I think it is more likely it is some sort of conflict in the AIO since i have no firewall and ports are set up…

It is probably an issue with the Caddy/letsencrypt or similar setup. but it is impossible to debug for me since the output is not really understandable to me.

Here is the output from docker (it prints this out each time i try to refresh):

{"level":"error","ts":1678180256.8522437,"logger":"http.acme_client","msg":"challenge failed","identifier":"blabla.chickenkiller.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"1.2.3.4: Fetching http://blabla.chickenkiller.com/.well-known/acme-challenge/nIYf-cSIQrYRgx6EcDi6cjuFAKySaR8ZrmopnvNAVZk: Timeout during connect (likely firewall problem)","instance":"","subproblems":}}
{"level":"error","ts":1678180256.8525202,"logger":"http.acme_client","msg":"validating authorization","identifier":"blabla.chickenkiller.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"1.2.3.4: Fetching http://d3athstar.chickenkiller.com/.well-known/acme-challenge/nIYf-cSIQrYRgx6EcDi6cjuFAKySaR8ZrmopnvNAVZk: Timeout during connect (likely firewall problem)","instance":"","subproblems":},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/91690674/7600705204","attempt":1,"max_attempts":3}
{"level":"error","ts":1678180256.8528497,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"blabla.chickenkiller.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 1.2.3.4: Fetching http://blabla.chickenkiller.com/.well-known/acme-challenge/nIYf-cSIQrYRgx6EcDi6cjuFAKySaR8ZrmopnvNAVZk: Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1678180256.853216,"logger":"tls.obtain","msg":"will retry","error":"[blabla.chickenkiller.com] Obtain: [blabla.chickenkiller.com] solving challenge: blabla.chickenkiller.com: [blabla.chickenkiller.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - 1.2.3.4: Fetching http://blabla.chickenkiller.com/.well-known/acme-challenge/nIYf-cSIQrYRgx6EcDi6cjuFAKySaR8ZrmopnvNAVZk: Timeout during connect (likely firewall problem) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":84.84235697,"max_duration":2592000}

Can you post the output of sudo docker inspect nextcloud-aio-apache here?

rock64:~:% sudo docker inspect nextcloud-aio-apache

[
    {
        "Id": "3a045c1bd6a2251cd8735d2a536f47a2c0c8abf477cde16657b3d57e75c75963",
        "Created": "2023-03-06T17:03:07.448947512Z",
        "Path": "start.sh",
        "Args": [
            "/usr/bin/supervisord",
            "-c",
            "/supervisord.conf"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 12071,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2023-03-06T17:03:10.009303837Z",
            "FinishedAt": "0001-01-01T00:00:00Z",
            "Health": {
                "Status": "healthy",
                "FailingStreak": 0,
                "Log": [
                    {
                        "Start": "2023-03-07T11:24:25.337544884+02:00",
                        "End": "2023-03-07T11:24:25.647917158+02:00",
                        "ExitCode": 0,
                        "Output": ""
                    },
                    {
                        "Start": "2023-03-07T11:24:55.68039358+02:00",
                        "End": "2023-03-07T11:24:55.973849413+02:00",
                        "ExitCode": 0,
                        "Output": ""
                    },
                    {
                        "Start": "2023-03-07T11:25:26.005193245+02:00",
                        "End": "2023-03-07T11:25:26.34938557+02:00",
                        "ExitCode": 0,
                        "Output": ""
                    },
                    {
                        "Start": "2023-03-07T11:25:56.370035312+02:00",
                        "End": "2023-03-07T11:25:56.834472299+02:00",
                        "ExitCode": 0,
                        "Output": ""
                    },
                    {
                        "Start": "2023-03-07T11:26:26.869917423+02:00",
                        "End": "2023-03-07T11:26:27.21633393+02:00",
                        "ExitCode": 0,
                        "Output": ""
                    }
                ]
            }
        },
        "Image": "sha256:5571d6d4869c03874fe4a04cb664f183c5388c242f6e781ad53669b23297de63",
        "ResolvConfPath": "/var/lib/docker/containers/3a045c1bd6a2251cd8735d2a536f47a2c0c8abf477cde16657b3d57e75c75963/resolv.conf",
        "HostnamePath": "/var/lib/docker/containers/3a045c1bd6a2251cd8735d2a536f47a2c0c8abf477cde16657b3d57e75c75963/hostname",
        "HostsPath": "/var/lib/docker/containers/3a045c1bd6a2251cd8735d2a536f47a2c0c8abf477cde16657b3d57e75c75963/hosts",
        "LogPath": "/var/lib/docker/containers/3a045c1bd6a2251cd8735d2a536f47a2c0c8abf477cde16657b3d57e75c75963/3a045c1bd6a2251cd8735d2a536f47a2c0c8abf477cde16657b3d57e75c75963-json.log",
        "Name": "/nextcloud-aio-apache",
        "RestartCount": 0,
        "Driver": "overlay2",
        "Platform": "linux",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "docker-default",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": [
                "nextcloud_aio_nextcloud:/var/www/html:ro",
                "nextcloud_aio_apache:/mnt/data:rw"
            ],
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "json-file",
                "Config": {}
            },
            "NetworkMode": "nextcloud-aio",
            "PortBindings": {
                "443/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "443"
                    }
                ]
            },
            "RestartPolicy": {
                "Name": "unless-stopped",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "ConsoleSize": [
                0,
                0
            ],
            "CapAdd": null,
            "CapDrop": null,
            "CgroupnsMode": "private",
            "Dns": null,
            "DnsOptions": null,
            "DnsSearch": null,
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "private",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": null,
            "DeviceCgroupRules": null,
            "DeviceRequests": null,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": null,
            "OomKillDisable": null,
            "PidsLimit": null,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "MaskedPaths": [
                "/proc/asound",
                "/proc/acpi",
                "/proc/kcore",
                "/proc/keys",
                "/proc/latency_stats",
                "/proc/timer_list",
                "/proc/timer_stats",
                "/proc/sched_debug",
                "/proc/scsi",
                "/sys/firmware"
            ],
            "ReadonlyPaths": [
                "/proc/bus",
                "/proc/fs",
                "/proc/irq",
                "/proc/sys",
                "/proc/sysrq-trigger"
            ]
        },
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/60cb51f3ae4ecb708a990cda678e9c532066399a7880bd75a893205532691f08-init/diff:/var/lib/docker/overlay2/37030c52a61395d6c599444798fba18672ae4a7cb86dbc86318320b66e0a6548/diff:/var/lib/docker/overlay2/747b33c8eefbda0dcc193b37efbea3a67d2046703e4b209f3aa5a29f34fae6f8/diff:/var/lib/docker/overlay2/64f2a270fcc990b117391af5add5d41117c916b188858eba407299d7a1d19d09/diff:/var/lib/docker/overlay2/6b66eb19db8534435c238daf29e1590580d03aeb9ace464b01618e519316c36d/diff:/var/lib/docker/overlay2/012659408a15464425f6b73c75c8e5a7af5b0df9e5cc66b2a7609985e846f58a/diff:/var/lib/docker/overlay2/1746ae3738ee19b7c8fccdce0f9084a5bae4cbe4c61eaf98784676c19f0eb995/diff:/var/lib/docker/overlay2/3412faa48a4246439219ab8ae833f23472b08307a1267d58a1cd4ebd4df160b7/diff:/var/lib/docker/overlay2/07e2671419c13354c3f59a29d7331b4dfc35e7bfbb51e60f6079224dc1ee35ce/diff:/var/lib/docker/overlay2/b760a2ef31e32df5d03775b7541b5b6253f2253724a71d144c782d54bb5305ef/diff:/var/lib/docker/overlay2/c082135929ee562a1b71a501c496082c847ff9e921fd59a9d7e8b485b6a31091/diff:/var/lib/docker/overlay2/e7047c60f255ec55929d97836f5f25a5f2f5fa122a9c8836b77bd8bbea65d91b/diff:/var/lib/docker/overlay2/92ba7a36a2df861794194fa38af84fd2921f20f4fc97a0f0dd0d9820c8f3a77a/diff:/var/lib/docker/overlay2/12b93307942333ffe8dda92425ee7fee77dd472fcc9fa40529d4cce7af593f18/diff:/var/lib/docker/overlay2/fe81d1ec7111fcc5ef8c5db73eccc37f547274d456a353ef07428431021f4906/diff:/var/lib/docker/overlay2/7c8a0013c2a5b07be124293caa6cc6412380b242b91f09caa4bc0fece5d59339/diff:/var/lib/docker/overlay2/7ad753b03c234adb9bb09cffb092006f08e46ad2929849714c5bd46487099116/diff:/var/lib/docker/overlay2/1e659439cf4a0592c459259d8f0e4fa3383149a25ec00f4e6cbff1eea10feedc/diff:/var/lib/docker/overlay2/3f262523d86a459dda1e790f465d126e48fded85cad19bb3aff61000a170ae35/diff:/var/lib/docker/overlay2/cbe2f92b1e2227cf8c19fd3a14d1a62836a667d73529deabb4d1af4f416b6e50/diff:/var/lib/docker/overlay2/6c1f178289102e3bd42b4e6819860ee583141571c
fc7312bb4e398a7c499f902/diff:/var/lib/docker/overlay2/ec2a37ba471db5c79ecf99122e61b8efff10c83e2474e8f27c228ac6da22a225/diff",
                "MergedDir": "/var/lib/docker/overlay2/60cb51f3ae4ecb708a990cda678e9c532066399a7880bd75a893205532691f08/merged",
                "UpperDir": "/var/lib/docker/overlay2/60cb51f3ae4ecb708a990cda678e9c532066399a7880bd75a893205532691f08/diff",
                "WorkDir": "/var/lib/docker/overlay2/60cb51f3ae4ecb708a990cda678e9c532066399a7880bd75a893205532691f08/work"
            },
            "Name": "overlay2"
        },
        "Mounts": [
            {
                "Type": "volume",
                "Name": "nextcloud_aio_nextcloud",
                "Source": "/var/lib/docker/volumes/nextcloud_aio_nextcloud/_data",
                "Destination": "/var/www/html",
                "Driver": "local",
                "Mode": "ro",
                "RW": false,
                "Propagation": ""
            },
            {
                "Type": "volume",
                "Name": "nextcloud_aio_apache",
                "Source": "/var/lib/docker/volumes/nextcloud_aio_apache/_data",
                "Destination": "/mnt/data",
                "Driver": "local",
                "Mode": "rw",
                "RW": true,
                "Propagation": ""
            }
        ],
        "Config": {
            "Hostname": "3a045c1bd6a2",
            "Domainname": "",
            "User": "www-data",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "443/tcp": {},
                "80/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "NC_DOMAIN=blabla.chickenkiller.com",
                "NEXTCLOUD_HOST=nextcloud-aio-nextcloud",
                "COLLABORA_HOST=nextcloud-aio-collabora",
                "TALK_HOST=nextcloud-aio-talk",
                "APACHE_PORT=443",
                "ONLYOFFICE_HOST=nextcloud-aio-onlyoffice",
                "TZ=UTC",
                "APACHE_MAX_SIZE=10737418240",
                "APACHE_MAX_TIME=3600",
                "PATH=/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "HTTPD_PREFIX=/usr/local/apache2",
                "HTTPD_VERSION=2.4.55",
                "HTTPD_SHA256=11d6ba19e36c0b93ca62e47e6ffc2d2f2884942694bce0f23f39c71bdc5f69ac",
                "HTTPD_PATCHES="
            ],
            "Cmd": [
                "/usr/bin/supervisord",
                "-c",
                "/supervisord.conf"
            ],
            "Healthcheck": {
                "Test": [
                    "CMD-SHELL",
                    "healthcheck.sh"
                ]
            },
            "Image": "nextcloud/aio-apache:latest",
            "Volumes": {
                "/mnt/data": {}
            },
            "WorkingDir": "/usr/local/apache2",
            "Entrypoint": [
                "start.sh"
            ],
            "OnBuild": null,
            "Labels": {
                "com.centurylinklabs.watchtower.monitor-only": "true"
            },
            "StopSignal": "SIGWINCH"
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "f502a43335d0b000f57719637cdad98ce9e59db372b4b24e45e024650dadc767",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "443/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "443"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "443"
                    }
                ],
                "80/tcp": null
            },
            "SandboxKey": "/var/run/docker/netns/f502a43335d0",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {
                "nextcloud-aio": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": [
                        "3a045c1bd6a2"
                    ],
                    "NetworkID": "64e9b52c27c96d1510eb8a0ba23f3cef432c7e9ef536146734abf6f15581793f",
                    "EndpointID": "c88d196993982eadce4f11e12d493d5658286ba0e756024c1e823b6007964968",
                    "Gateway": "172.18.0.1",
                    "IPAddress": "172.18.0.8",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "xx:xx:xx:xx:xx:xx",
                    "DriverOpts": null
                }
            }
        }
    }
]
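
Added example (not part of any forum post and not Nextcloud AIO code): a Python script that reads Caddy-style ACME log lines and `docker inspect` port data like those posted above, and pairs each failed challenge with the TCP port the CA connects to and whether this container binds that port on the host. The log lines, domain and IP are constructed samples, and the function names are hypothetical.

```python
import json

# TCP port the CA connects to for each ACME challenge type
# (http-01: RFC 8555 section 8.3, tls-alpn-01: RFC 8737).
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443}

# Constructed sample log lines in Caddy's JSON format (placeholder domain and IP).
SAMPLE_LOG = '''\
{"level":"error","logger":"http.acme_client","msg":"challenge failed","identifier":"cloud.example.test","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","detail":"192.0.2.10: Timeout during connect (likely firewall problem)"}}
{"level":"info","msg":"using provided configuration","config_file":"/Caddyfile"}
Waiting for Nextcloud to start...
'''

# Constructed sample: the NetworkSettings.Ports part of `docker inspect` output.
SAMPLE_INSPECT = [{"NetworkSettings": {"Ports": {
    "443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "443"},
                {"HostIp": "::", "HostPort": "443"}],
    "80/tcp": None,  # exposed by the image, not published on the host
}}}]


def failed_challenges(log_text):
    """Return (identifier, challenge_type, acme_error) per failed challenge."""
    failures = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except ValueError:
            continue  # Apache and start-up lines are not JSON
        if not isinstance(record, dict) or record.get("msg") != "challenge failed":
            continue
        problem = record.get("problem") or {}
        # "urn:ietf:params:acme:error:connection" -> "connection"
        error = problem.get("type", "").rsplit(":", 1)[-1]
        failures.append((record.get("identifier"), record.get("challenge_type"), error))
    return failures


def published_host_ports(inspect):
    """Host TCP ports that this container actually binds."""
    ports = inspect[0]["NetworkSettings"]["Ports"] or {}
    bound = set()
    for key, bindings in ports.items():
        if key.endswith("/tcp"):
            bound.update(int(b["HostPort"]) for b in bindings or [])
    return sorted(bound)


def diagnose(log_text, inspect):
    """Pair each failed challenge with the port it needs and whether it is bound."""
    bound = published_host_ports(inspect)
    return [
        {"identifier": ident, "challenge": ctype, "error": error,
         "needs_port": CHALLENGE_PORT.get(ctype),
         "bound_by_container": CHALLENGE_PORT.get(ctype) in bound}
        for ident, ctype, error in failed_challenges(log_text)
    ]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_INSPECT):
        print(finding)
```

A `False` for `bound_by_container` only says that this container does not hold that host port; another container or a reverse proxy on the same host may.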

ah I see. So you’ve changed the domain and now it is failing with not-reachable log, right?

Are you possibly behind Cloudflare and did you make sure that port 443 is correctly forwarded and you are not behind CGNAT? Also are A and AAAA DNS-records set correctly?

i just changed the domain and ip here in the forum post - so not to broadcast it to the world :slight_smile: . i will call my ISP and ask them about the situation. i have forwarded port 443 but how do i know if it is correctly… also as i have used the freedns A DNS-record but on freedns I don’t think I can edit it. so how to know if it is correctly set up?
I will ask my ISP about the CGNAT situation
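
Added example (not part of any forum post): one way to check the points raised above, CGNAT and the A/AAAA records, from three addresses: the one on the router's WAN interface, the one an outside what-is-my-IP service reports, and what DNS returns. All addresses are constructed samples and the function names are hypothetical.

```python
import ipaddress
import socket

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip):
    """Classify the address shown on the router's WAN interface."""
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"


def resolve(domain):
    """Return (A, AAAA) address lists as the local resolver sees them."""
    a, aaaa = set(), set()
    for family, *_, sockaddr in socket.getaddrinfo(domain, 443, proto=socket.IPPROTO_TCP):
        (a if family == socket.AF_INET else aaaa).add(sockaddr[0])
    return sorted(a), sorted(aaaa)


def check_setup(wan_ip, seen_ip, a_records, aaaa_records=(), host_ipv6=None):
    """Return (code, detail) findings; an empty list means the inputs agree.

    wan_ip:    address on the router's WAN interface
    seen_ip:   address an outside service reports for this connection
    host_ipv6: the server's global IPv6 address, or None if it has none
    """
    findings = []
    seen = ipaddress.ip_address(seen_ip)
    wan_class = classify_wan(wan_ip)
    if wan_class == "cgnat":
        findings.append(("cgnat", f"{wan_ip} is in 100.64.0.0/10; a forward on the router alone is not enough"))
    elif wan_class == "private":
        findings.append(("double-nat", f"{wan_ip} is private; another NAT device sits upstream"))
    elif ipaddress.ip_address(wan_ip) != seen:
        findings.append(("nat-upstream", f"router has {wan_ip} but the outside sees {seen_ip}"))
    if not a_records:
        findings.append(("no-a-record", "domain has no A record"))
    for rec in a_records:
        if ipaddress.ip_address(rec) != seen:
            findings.append(("a-mismatch", f"A record {rec} is not {seen_ip}"))
    host6 = ipaddress.ip_address(host_ipv6) if host_ipv6 else None
    for rec in aaaa_records:
        # A stale AAAA record sends IPv6-capable clients to the wrong place.
        if ipaddress.ip_address(rec) != host6:
            findings.append(("aaaa-mismatch", f"AAAA record {rec} does not point at this host"))
    return findings


if __name__ == "__main__":
    # Constructed values: CGNAT WAN address, correct A record, stray AAAA record.
    for code, detail in check_setup("100.72.14.3", "203.0.113.5",
                                    ["203.0.113.5"], ["2001:db8::10"]):
        print(code, "-", detail)
```

`resolve()` uses the system resolver, so run it from outside the LAN or compare with a public resolver if the router answers for the domain itself.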

I have exactly the same problem. After updating docker I think the day before yesterday, trying to go to my nextcloud address fails and with the same error command from the browser. I haven’t changed anything for over a year, so the problem seems to be in the nextcloud update.

Hi, can you follow What can I do when I get `SSL_ERROR_INTERNAL_ERROR_ALERT` when opening my Nextcloud domain? · nextcloud/all-in-one · Discussion #2105 · GitHub?

The nextcloud-aio-apache log shows no errors:

Waiting for Nextcloud to start...
[Fri Mar 10 10:26:47.463227 2023] [mpm_event:notice] [pid 47:tid 139712051006280] AH00489: Apache/2.4.55 (Unix) configured -- resuming normal operations
[Fri Mar 10 10:26:47.463583 2023] [core:notice] [pid 47:tid 139712051006280] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'
{"level":"info","ts":1678444007.4789498,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}

I fear without logs this is not possible to debug. BTW are you running AIO behind a reverse proxy or standalone?

To be honest, I don’t have a clue. I once installed Nextcloud-AIO in VirtualBox and so far it has worked without a problem for a year.

Ah so you used the AIO-VM image.

Can you maybe try to access AIO with a different browser from a different device for a test?

So far, I have checked on devices on the same network. But your suggestion gave me the idea to check from a phone with LTE connection and the page opens. I don’t understand what the problem could be, with some Nextcloud setting that blocks access from the same network displaying an “ERR_SSL_PROTOCOL_ERROR” message in the browser?

I suspect something in your network infrastructure is the culprit then which however is unrelated to AIO and Nextcloud. → Having no logs in the apache container also points towards this.

Thank you for directing me where to look next.

What surprises me is that, after all, I can access https://x.x.x.x:8080/containers from the internal network, and yet there is also a (self-signed) certificate there.

By the way, how will AIO-VM renew the certificate after expiration? Can I check it with some command?

It does it automatically.

No, it will show a warning in the apache container logs if it is not able to do so.

So did you try to open Nextcloud via the domain or via ip-address?

Currently, since it stopped working, from outside I can enter by domain address, but not by IP (then it displays a message that the secure connection failed). On the other hand, from the internal network (LAN) I can’t enter either by domain address or IP - I can only open https://x.x.x.x:8080/containers