Can't connect with nextcloud remotely on my subdomain

Nextcloud version: 28.01
Operating system and version: Ubuntu 20.04
Apache or nginx version: Apache2
PHP version: 8.1

The issue

hello - i have set up a nextcloud server on my LAN and everything works fine (after some struggles) - i am very new to this but see it as a local solution for storing the family’s ridiculous amount of data …

to that end it works, but i also need to reach the server from outside my local network from time to time…

i have set up a subdomain for a (new) domain. the domain itself is hosted by godaddy and seems to work fine… i added an A record with my public IP and also a CNAME record pointing at the main domain …

After a week of finding myself hitting brick walls, i am afraid i need direct help…

If any of you smart folk can help, i would be eternally grateful - i feel like throwing things about at the moment :slight_smile:
the main thing is that it works on my LAN but I would love it to be available remotely…

Is this the first time you’ve seen this error? (Y/N): NO

Steps to replicate it:

  1. Install nextcloud and adjust virtualhosts config files and sites-available
  2. Access locally - no issue
  3. Try to connect remotely - does not
  4. Try to get certbot certification - failure each and every time with the following message…

certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: blah.mxxxxx.com
Type: connection

Detail: 118.172.162.32: Fetching http://blah.blah.com/.well-known/acme-challenge/3Gy1rUr6iX_S1f_eO_O_NlqsPH6snh0jIMET_2qnusw: Timeout during connect (likely firewall problem)

I have disabled any firewalls temporarily and it has no effect …

ports 80 and 443 are open on my router

I will be able to log into the host computer in a few hours, if you need any extra information like log files or config files

this is my first attempt at setting up a home server and i am thrilled with the way it works at home for the family… but blimey am i frustrated at my failure to get it done all the way

i have been using various flavors of linux for years but i don’t think i have messed about so much under the hood as i have done trying to get this to work over the past 10 days

i am in no hurry and am happy to learn

much appreciated

have a look at your trusted sites list

Your firewall should stay up.

You should not open but forward the ports 80 and 443 to the ip address of your server in your local network.

So that every request on those ports will be forwarded to your server. Without the redirection, the request will try to speak with your router but your server does not reside there :wink:


ernolf

sorry - i mix up terminology quite a lot… i do mean - forwarding my ports

because certbot is flailing, i posted similar on the Let's Encrypt forum and they thought it may be that my ISP is blocking ports 80 and 443, which i understand are necessary for certbot to give you SSL …

trusted sites list is absolutely as they should be - one of the few things i am certain about…

i will try changing the ports in virtual hosts - can i use any open ports for nextcloud and which config files would need changing?

i will worry about certbot after i get the http working right - i will get there eventually - i reckon the juice will prove worth the squeeze

Have you set up port-forwarding for port 80/443 on your router? Can you access it from outside via HTTP and HTTPS? Is your router even accessible from the outside via an IPv4 address?

yes

no - neither

i have an emby server working from my home router so i assume so

but please don’t confuse me with someone who knows what they are talking about

the fact i am getting certbot failures suggests that ports 80 and 443 are blocked by my ISP — i think

if that were the case, is it just a matter of changing the port information in my nextcloud config and apache sites-available files?

i don’t need to forward those particular ports for nextcloud right - only for certbot to run

or is there more to it than that?

i think i could manage that but am scared of buggering up the local network connection

one of the greatest things about the internet is the number of people who help out for no other reason than they want to help out

i now strongly suspect that those ports are actually unreachable full stop - no doubt an attempt to stop people hosting their own https domains

Hi,

  1. please just answer which port from the outside is open. Use any tool like this

  2. If for example 443 is open, check the device behind the port with curl -v https://your_ip and analyse or send the result

You can use this tool in case there is no cli

Now we know a) is there an open port and b) who is serving this port.

Care about certbot, firewall, portforwarding etc. in the next step. :slight_smile:

Hope this helps

sorry this took so long - yesterday morning i went onto my server on my LAN and found my very insecure setup admin password had been changed and i could not get back into the account

anyway i set up the whole thing again and this time made sure my firewall rules allowed incoming connections from ports 80 and 443 (a step i missed first time)

set up went smoothly enough and i now have a proper password in place… everything is good again on the LAN

BUT ALAS - i am unable to connect from outside the network and am getting hit by timeout errors… certbot also times out

according to any port checkers online - none of my ports are open but the connection activity in my firewall suggests they are

i even hit ChatGPT up and as much as i love her at times, she did not help a great deal - just told me to check my DNS settings - like what does she think i have been doing the past ten days …

here is the output of the curl command

*   Trying 127.0.1.1:443...
* Connected to blahblah.mollywonka.com (127.0.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* (5454) (IN), , Unknown (72):
* error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number

  • actual subdomain name redacted
  1. Everything works well on the local network with the subdomain name
  2. Remote connection times out
  3. certbot complains about firewall issues

Detail: 118.172.162.32: Fetching http://blah.blah.com/.well-known/acme-challenge/3Gy1rUr6iX_S1f_eO_O_NlqsPH6snh0jIMET_2qnusw: Timeout during connect (likely firewall problem)

basically the same issue as i had with the my first failed attempt

i am looking at so many posts here and on Let's Encrypt and reddit and so on but hitting a wall…

thanks for your patience

btw - that public ip 118.xxx.xxx - belongs to my ISP TOT but is not static and changes fairly often - i added a CNAME to the DNS table pointing at the subdomain but not sure i should have

one thing that seems wrong is that when i run nslookup, the server name and the IP do not match precisely and i am sure that they should - well --everyone else’s seems to be the same in the examples i have looked at

honestly - i think people like me should get a proper license to drive a computer before they are allowed on the internet -

:frowning:

rather surprisingly, i am not headbutting the walls yet - empirical evidence that age has made me less cranky - an unexpected bonus :slight_smile:

127.0.1.1 is not the IP you are curling?

it is - isn’t it?

i ran the command you gave me

I was referring to the 118 xxxx public IP which this morning is a 125. xxx public ip - modifying the public IP in my domain’s DNS settings has no effect either way…

same TIMEOUT complaints in my firewall logs and certbot failures

are there router settings i should be looking at?

my model is a ZTE 670 - it is not the easiest interface for me to get round

I would say you have a network problem, not a Nextcloud problem. 127.0.1.1 is your localhost; the curl should be done with the public IP on the external interface (WAN). And with these rapid changes you can work with some DynDNS tools, because it is hard to tell if your IP has changed or we are still confronting an error.

Here is a basic port forwarding for the ZTE 670:

But as this is more a network problem you might check this issue first with somebody who is better than me :slightly_smiling_face:

thanks kindly for the help so far

i am pretty sure it isn’t a nextcloud issue either and your ruling stuff out is very helpful to me

i am not quite as useless with a laptop as i seem - BUT I have never really bothered with networking - i managed to get an emby server working well remotely a while back but that gave me a less severe headache …

while there is no great urgency, this is a pretty important project for me to get going and i have plenty of time over the next few weeks so it is a good opportunity

i am just a bit sick of searching and randomly trying stuff out that i think looks like my issue

i will stick to whatever people tell me to try here for now

talking to myself here to keep track of what i am doing but i have a feeling my ISP blocks port 80 - going to try port 8080 first

Did This

  • forwarded ports 8080 and 8443 in my router
  • allowed those ports with a ufw rule
  • changed the virtual hosts in the Apache sites-available nextcloud.conf
  • restart everything - reboot router and whatnot
  • try to log in remotely
  • same timeout failures as with the standard ports

sigh

re-ran the curl command with the public IP

willow@willow-server:~$  curl -v https://125.27.181.80
*   Trying 125.27.181.80:443...
* connect to 125.27.181.80 port 443 failed: Connection timed out
* Failed to connect to 125.27.181.80 port 443 after 135272 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to 125.27.181.80 port 443 after 135272 ms: Connection timed out
willow@willow-server:~$ 

Ok.

If the forwarded ports 8080 and 8443 are active you might curl:

curl -v 125.27.181.80:8080 or :8443

No https

Compare this with the same curl local → local:

And please curl the public IP from an independent computer "outside", not from your local net. You might have issues with the routing, firewall, etc.
(Something like Wi-Fi from a SIM card, or similar.)
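The two replies above describe the same procedure in prose: first find out which port is reachable from the outside at all, then look at who answers on it, and do that from a machine that is not on your LAN. The following is an added example that automates those steps; it is not code from this thread, from Nextcloud or from certbot. It uses only the Python standard library. The hostname, the public IP and the port list are whatever you pass on the command line (the values in the usage comment are placeholders taken from the thread), and the 5 second connect timeout is an assumption. It also folds in the two other checks that came up in the thread: whether the A record still matches the IP the router has right now (it is dynamic here), and whether the address the name resolves to is something a client outside could ever reach (the earlier curl went to 127.0.1.1, which is the local hostname entry Ubuntu puts in /etc/hosts, so that test only ever talked to the server itself).

```python
"""Reachability triage for a self-hosted service behind a home router.

Added example (not code from this thread, from Nextcloud or from certbot).
Answers the questions asked above in one pass: what the name resolves to,
whether the forwarded ports answer at all, and whether whatever answers
speaks TLS.  Run it from a machine OUTSIDE your LAN (phone hotspot, a VPS):
from inside, the router's NAT and an /etc/hosts line like "127.0.1.1 myhost"
make the result misleading, as the curl to 127.0.1.1 earlier in the thread shows.
"""
import ipaddress
import json
import socket
import ssl
import sys

CONNECT_TIMEOUT = 5.0  # assumption: seconds; long enough for a slow uplink, short enough to stay usable
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space used by carrier-grade NAT

# What each TCP connect outcome means for a home server behind a router.
MEANING = {
    "open": "something accepted the connection; see the tls entry for what protocol it speaks",
    "refused": "a host answered with RST: the port is routed, but nothing listens there "
               "(the router itself, or a forward to the wrong LAN address or port)",
    "timeout": "no SYN/ACK and no RST: packets are silently dropped upstream (ISP filtering, or a router "
               "that will not hairpin NAT when you test from inside the LAN); certbot's "
               "'Timeout during connect' is the same symptom",
    "unreachable": "no route to that address from here; check your own connectivity first",
}


def classify_address(ip: str) -> str:
    """Say whether an address can be the WAN side of your router at all."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback: you are talking to yourself, not to the router"
    if addr in CGNAT:
        return "carrier-grade NAT range: the ISP shares one public IP, inbound port forwarding cannot work"
    if addr.is_private:
        return "private (RFC 1918 or reserved) address: not reachable from the Internet"
    if addr.is_global:
        return "public"
    return "reserved/link-local: not a usable WAN address"


def resolve(hostname: str) -> list:
    """IPv4 addresses the local resolver returns for hostname (empty on NXDOMAIN or no DNS)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_probe(host: str, port: int, timeout: float = CONNECT_TIMEOUT) -> str:
    """Classify one TCP connect attempt as open / refused / timeout / unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def tls_probe(host: str, port: int, timeout: float = CONNECT_TIMEOUT) -> dict:
    """Attempt a TLS handshake on an open port and report whether the listener speaks TLS.

    Certificate verification is deliberately off: the question here is WHO answers,
    not whether its certificate is trusted (there is no Let's Encrypt cert yet).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ipaddress.ip_address(host)
        sni = None  # no SNI for IP literals
    except ValueError:
        sni = host
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return {"tls": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        # e.g. [SSL: WRONG_VERSION_NUMBER]: the first bytes back were not a TLS record, which is
        # what a plain-HTTP vhost on the "https" port produces (compare the curl output in the thread).
        return {"tls": False, "reason": exc.reason or str(exc), "meaning": "listener is not speaking TLS on this port"}
    except OSError as exc:
        return {"tls": False, "reason": str(exc), "meaning": "connect failed before any handshake"}


def triage(hostname: str, expected_public_ip: str, ports=(80, 443)) -> dict:
    """Run the whole check against the IP you believe the router has right now."""
    resolved = resolve(hostname)
    report = {
        "hostname": hostname,
        "resolved": {ip: classify_address(ip) for ip in resolved},
        "dns_points_at_expected_ip": expected_public_ip in resolved,  # False: stale A record after an IP change
        "probed": expected_public_ip,
        "ports": {},
    }
    for port in ports:
        state = tcp_probe(expected_public_ip, port)
        entry = {"tcp": state, "meaning": MEANING[state]}
        if state == "open":
            entry["tls"] = tls_probe(expected_public_ip, port)
        report["ports"][port] = entry
    return report


if __name__ == "__main__":
    # usage (placeholder values from the thread): python3 reachcheck.py blah.example.com 125.27.181.80 80 443 8080 8443
    name, public_ip, *port_args = sys.argv[1:]
    print(json.dumps(triage(name, public_ip, [int(p) for p in port_args] or (80, 443)), indent=2))
```

Read the output in the order the thread suggests: a "timeout" on 80 and 443 from an outside machine, with "dns_points_at_expected_ip" true and a public address in "resolved", leaves only the router or the ISP as the place the packets die, which is what the poster eventually confirmed; a "refused" means the forward is wrong, not the ISP; an "open" port whose tls entry says the listener is not speaking TLS means the vhost on that port is plain HTTP, which is the "wrong version number" curl showed.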

So I am kind of just glancing through all the replies and maybe I missed it, but can you access the site via the IP address of the server, as in 192.168.x.x, not localhost or 127.0.0.1?

^
thanks for the response… i have managed to get it working in the last 5 minutes

as i suspected, it was my ISP blocking ports 80 and 443… they have now unblocked them for me and i am a proud owner of a remotely connectable pretty much free cloud server with unlimited amounts of storage garnered from 12 years' worth of old hard drives…

thanks so much for the advice - nextcloud looks wonderful — i am genuinely excited about this :slight_smile: