Always 403 Forbidden - Help after flashing NextCloudPi_RPi_03-28-20.img to Raspberry Pi 4 B with 4 GB RAM

Hi all,
I am having problems flashing or installing NextCloudPi in general to a 32 GB micro sd card.
After flashing the NextCloudPi_RPi_03-28-20.img file with balena Etcher from here I try to access the NCP-webinterface over the assigned IP or dns-name, but I am getting the

"403 Forbidden - You don't have permission to access this resource." error and I can’t reach the activation page.

What I did so far without success:

  • Searching in the Nextcloud community and in Google, but couldn’t find a solution
  • Adding an exception in Mozilla Firefox for the invalid certificate
  • Trying other browsers like Edge or Internet Explorer --> same error…
  • Flashing a clean Raspbian Buster image and install NextCloudPi with
    wget https://raw.githubusercontent.com/nextcloud/nextcloudpi/master/install.sh
    sudo bash install.sh --> same error…
  • Activate nc-webui by ncp-config --> same error…

My environment:

  • I access the Raspberry Pi via Wifi
  • SSH access is possible

My nextcloud.conf:
/etc/apache2/sites-available $ cat nextcloud.conf


DocumentRoot /var/www/nextcloud
CustomLog /var/log/apache2/nc-access.log combined
ErrorLog /var/log/apache2/nc-error.log
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

<Directory /var/www/nextcloud/>
Options +FollowSymlinks
AllowOverride All

Dav off

LimitRequestBody 0
SSLRenegBufferSize 10486000

NextCloudPi diagnostics:

------

NextCloudPi diagnostics

NextCloudPi version  v1.24.0
NextCloudPi image    NextCloudPi_03-28-20
distribution         Raspbian GNU/Linux 10 \n \l
automount            no
USB devices          none
datadir              /var/www/nextcloud/data
data in SD           yes
data filesystem      ext2/ext3
data disk usage      2.1G/29G
rootfs usage         2.1G/29G
swapfile             /var/swap
dbdir                /var/lib/mysql
Nextcloud check      ok
Nextcloud version    18.0.3.0
HTTPD service        up
PHP service          up
MariaDB service      up
Redis service        up
Postfix service      up
internet check       ok
port check 80        closed
port check 443       closed
IP                   ***REMOVED SENSITIVE VALUE***
gateway              ***REMOVED SENSITIVE VALUE***
interface            wlan0
certificates         ***REMOVED SENSITIVE VALUE***
NAT loopback         no
uptime               9min

Nextcloud configuration

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "5": "nextcloudpi.local",
            "7": "nextcloudpi",
            "8": "nextcloudpi.lan",
            "11": "2003:f4:ef36:f400:a2ef:51c:***REMOVED***",
            "1": "11.***REMOVED***"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "18.0.3.0",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "tempdirectory": "\/var\/www\/nextcloud\/data\/tmp",
        "mail_smtpmode": "sendmail",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "preview_max_x": "2048",
        "preview_max_y": "2048",
        "jpeg_quality": "60",
        "overwriteprotocol": "https"
    }
}

HTTPd logs

[Thu Feb 13 16:10:23.283988 2020] [ssl:warn] [pid 736:tid 3069231632] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Thu Feb 13 16:10:23.284769 2020] [ssl:error] [pid 736:tid 3069231632] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=archlinux / issuer: CN=archlinux / serial: 2A964521A5A0AD28440B39B1D781ABFDD1281F7C / notbefore: Mar 28 20:04:49 2020 GMT / notafter: Mar 26 20:04:49 2030 GMT]
[Thu Feb 13 16:10:23.284810 2020] [ssl:error] [pid 736:tid 3069231632] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Thu Feb 13 16:10:23.406798 2020] [ssl:warn] [pid 1063:tid 3069231632] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Thu Feb 13 16:10:24.329770 2020] [ssl:error] [pid 1063:tid 3069231632] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=archlinux / issuer: CN=archlinux / serial: 2A964521A5A0AD28440B39B1D781ABFDD1281F7C / notbefore: Mar 28 20:04:49 2020 GMT / notafter: Mar 26 20:04:49 2030 GMT]
[Thu Feb 13 16:10:24.329848 2020] [ssl:error] [pid 1063:tid 3069231632] AH02604: Unable to configure certificate localhost:443:0 for stapling
[Thu Feb 13 16:10:24.340397 2020] [mpm_event:notice] [pid 1063:tid 3069231632] AH00489: Apache/2.4.38 (Raspbian) OpenSSL/1.1.1d configured -- resuming normal operations
[Thu Feb 13 16:10:24.340519 2020] [core:notice] [pid 1063:tid 3069231632] AH00094: Command line: '/usr/sbin/apache2'
[Tue Mar 31 14:31:44.599190 2020] [authz_host:error] [pid 1065:tid 2755138592] [client 11.***:60086] AH01753: access check of 'localhost' to / failed, reason: unable to get the remote host name
[Tue Mar 31 14:31:44.599353 2020] [authz_core:error] [pid 1065:tid 2755138592] [client 11.***:60086] AH01630: client denied by server configuration: /var/www/ncp-web/
[Tue Mar 31 14:31:44.628684 2020] [authz_host:error] [pid 1065:tid 2755138592] [client 11.***:60086] AH01753: access check of 'localhost' to /favicon.ico failed, reason: unable to get the remote host name
[Tue Mar 31 14:31:44.628753 2020] [authz_core:error] [pid 1065:tid 2755138592] [client 11.***:60086] AH01630: client denied by server configuration: /var/www/ncp-web/favicon.ico

Database logs

2020-02-13 16:10:31 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2020-02-13 16:10:31 0 [Note] InnoDB: Number of pools: 1
2020-02-13 16:10:31 0 [Note] InnoDB: Using generic crc32 instructions
2020-02-13 16:10:31 0 [Note] InnoDB: Initializing buffer pool, total size = 1.625G, instances = 1, chunk size = 128M
2020-02-13 16:10:31 0 [Note] InnoDB: Completed initialization of buffer pool
2020-02-13 16:10:31 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2020-02-13 16:10:31 0 [Note] InnoDB: 128 out of 128 rollback segments are active.
2020-02-13 16:10:31 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2020-02-13 16:10:31 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2020-02-13 16:10:31 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2020-02-13 16:10:31 0 [Note] InnoDB: Waiting for purge to start
2020-02-13 16:10:31 0 [Note] InnoDB: 10.3.22 started; log sequence number 4286416; transaction id 2809
2020-02-13 16:10:31 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
2020-02-13 16:10:31 0 [Note] Plugin 'FEEDBACK' is disabled.
2020-02-13 16:10:31 0 [Note] Server socket created on IP: '127.0.0.1'.
2020-02-13 16:10:31 0 [Note] Reading of all Master_info entries succeeded
2020-02-13 16:10:31 0 [Note] Added new Master_info '' to hash table
2020-02-13 16:10:31 0 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.3.22-MariaDB-0+deb10u1'  socket: '/run/mysqld/mysqld.sock'  port: 3306  Raspbian 10
2020-02-13 16:10:31 0 [Note] InnoDB: Buffer pool(s) load completed at 200213 16:10:31

Nextcloud logs

{"reqId":"rxe9xZTDtfX0z0JGTRF6","level":2,"time":"2020-03-31T13:30:20+00:00","remoteAddr":"","user":"--","app":"appstoreFetcher","method":"","url":"--","message":"Could not connect to appstore: cURL error 28: Operation timed out after 10000 milliseconds with 4154304 out of 4591347 bytes received (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)","userAgent":"--","version":"18.0.3.0"}

------

Any help is much appreciated. This is my first time setting up Nextcloud on the Raspberry Pi. I am also relatively new to using Linux commands like sudo and all that, so please explain steps thoroughly.
Many thanks in advance!

Best regards
SBC

Have none of you any ideas? :pleading_face:

Could someone give me some advice/solution please???
Any help is much appreciated! :+1: :+1: :+1:

Thanks!

Please post the URL you put into your browser:

https://a.b.c.d:4443

Please post all answers of the browser: problems with certificate, …

Do you use the version from this directory?
https://ownyourbits.com/downloads/NextCloudPi_RPi_03-28-20/

Hi devnull,
thanks for the reply!

The URL I put in my Mozilla Firefox (MF) browser is:
https://11.***.***.***:4443/
If you really need the entire URL, I can send you via PM.

All the answers of the MF browser are:
Warnung: Mögliches Sicherheitsrisiko erkannt
Firefox hat ein mögliches Sicherheitsrisiko erkannt und 11.***.***.*** nicht geladen. Falls Sie die Website besuchen, könnten Angreifer versuchen, Passwörter, E-Mails oder Kreditkartendaten zu stehlen.

English translation:
Warning: Potential safety risk detected
Firefox has detected a possible security risk and 11.***.***.*** has not loaded. If you visit the website, attackers may try to steal passwords, e-mail, or credit card information.

I confirm the warning with “Advanced…” button, then I press “Accept risk and continue” and the error
403 Forbidden - You don't have permission to access this resource. appears and I can’t reach the activation page.

“Do you use the version from this directory?
https://ownyourbits.com/downloads/NextCloudPi_RPi_03-28-20/”
Yes I do.

Best regards!
SBC

No. But there is a certificate error. But perhaps it is ok for the website …:4443
Can you access Nextcloud with …:443?

When I type https://11...***:443 I get the same error (I think it’s the same as just https://… without the 443 port?!)

403 Forbidden...


The apache2 conf is the conf for your Nextcloud https://11. . .*** (443) and not the admin tool https://11. . .***:4443

Read the link and show in your config.

https://ownyourbits.com/2017/07/24/nextcloupi-gets-a-web-interface/

THANK YOU VERY MUCH FOR THE LINK, IT NOW FINALLY WORKS!!! :slightly_smiling_face:
What I did, I played around with the ncp.conf and changed it to:
Listen 4443
<VirtualHost _default_:4443>
DocumentRoot /var/www/ncp-web
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
<Directory /var/www/ncp-web/>
AllowOverride None
Require all granted
</Directory>

My last question:
From what I understand from the link, the “new UI is included by default in the new image, and will be installed through remote updates.” So in my new image from March 28, 2020 the web UI should work by default, right? So why do I have to add/change something inside the ncp.conf manually? :thinking:

Best regards!
SBC
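
The HTTPd log in the first post shows the request being refused by a host-based access rule on /var/www/ncp-web/ (AH01753, AH01630), and the ncp.conf posted above replaces that rule with `Require all granted`, which admits every client that can reach port 4443; the posted block contains no authentication directives either. As an added example (not from this thread and not NextCloudPi's shipped configuration), a narrower variant that admits only the Pi itself and one LAN subnet; 192.0.2.0/24 is a placeholder for the reader's own subnet:

```apache
# Added example, not NextCloudPi's shipped ncp.conf.
# The VirtualHost part is unchanged from the post above.
Listen 4443
<VirtualHost _default_:4443>
  DocumentRoot /var/www/ncp-web
  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>

<Directory /var/www/ncp-web/>
  AllowOverride None

  # As posted: every client that can reach port 4443 is admitted.
  # Require all granted

  # Narrower: admit a client if it matches either rule below.
  <RequireAny>
    # Requests originating on the Pi itself (loopback or its own address).
    Require local
    # Placeholder subnet (assumption): replace with the network your
    # clients are on, i.e. the network of the address logged as
    # "client" in /var/log/apache2/nc-error.log.
    Require ip 192.0.2.0/24
  </RequireAny>
</Directory>
```

Run `sudo apachectl configtest` before `sudo systemctl reload apache2`; a request from outside the listed subnet should then still be logged with AH01630.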

I have the same problem and after adding these two lines:
…
AllowOverride None
Require all granted
…

I’ve finally seen the activation page; nevertheless, the initial euphoria dimmed after it appeared that activation doesn’t proceed :frowning:

@SBC Do you use DDNS and some domain or access via IP? I only use IP.
Any tips how to start tackle it?

Hello Parsley, unfortunately I have the same problem. I also added the lines to ncp.conf, but nothing happens. Is it normal that ncp.conf is empty? Do you have an idea how to get on?

Best regards,
Tom!

Hi Tom,
Unfortunately I didn’t find a solution yet :frowning:
Do you use it on Rock64? Did you try to install with that “curl method” (if yes, which Debian release do you use)? Do you access it via IP or some domain?
I’ll post some debugging info and maybe someone will help…

With issues like that I drift towards getting some x64-based board and being independent from all these modified distributions… for the price of more energy used

In case someone has the same problem again, I found another solution (plus I didn’t find the ncp.conf file mentioned in other solutions).

One needs to manually enable the webui in the config menu. To do so, one needs to SSH into the pi, run

ncp-config

then move to “CONFIG” (and press ENTER)

then scroll down to ncp-webui (and press ENTER)

and then replace the “no” with a “yes”
(unfortunately I wasn’t allowed to add a third screenshot, but this part should be self-explanatory)

Afterwards, the command line prompt will ask you to restart the apache server by executing

sudo systemctl reload apache2 

Additional tip
While you are already in the config menu, you can also change the password by changing the value for “ncp-passwd” (or executing nc-passwd, I’m not sure about phrasing here), since you will need to change the password before you can log into the web UI.