Certificate issues with LetsEncryt and Nextcloud

ℹ️ Support
1

First off,
I really want to thank devnull for helping me solve some issues to get my Install accessible from the internet.
I am extremely grateful.

I now have Nextcloud accessable from the internet but it is not yet secure.

After talking with devnull they suggested I start a new thread with the below details to help diagnosis this.

a.) i use docker for nextcloud
b.) i use linuxserver.io certificate
c.) there is acually no CA for the certifcate (look in browser info)
d.) post link https://docs.linuxserver.io/images/docker-letsencrypt

If there is any info I can supply to help, please shout.

2

Just based on that description, it sounds like an intermediate certificate is missing from the chain. Can you confirm if that’s the case?

3

Hi,
How would I do that

devnull helped me out with that

4

I do not use docker. I think the nextcloud-docker-images includes the linuxserver.io-certificate without the other certificates. Perhaps it is also possible to change it to Lets Encrypt.

Perhaps someone can help with the docker-configuration or post the way for change the certificate in the docker-container. Perhaps it is possible to install “certbot” and use this software.

5

@devnull

If you want to use Let’s Encrypt certs – (which I recommend) – it’s actually pretty easy to do.

You need to install an acme client (certbot or acme.sh or a docker container that runs either certbot or acme). It just depends on what you want to do. I personally just install acme.sh on the docker host and obtain certs that method, however I’m aware many use a docker container. For example one container you could use is: https://hub.docker.com/r/linuxserver/letsencrypt/.

It just depends on you how want to install your certs.

6

I’ve seen a few different ways people have enabled (or tried to enable) certbot with Docker. My solution to this was to run a reverse proxy and certbot on the host. I wrote a guide for this type of setup if you want to have a look.

https://help.nextcloud.com/t/howto-ubuntu-docker-nextcloud-talk-collabora/76430

Can you explain what you mean by this? What are you seeing?

7

I’m sorry I’ll have to defer to @devnull about that.
He (she? not sure!) picked it up when helping me get it accessible.

I know my way around a PC but Linux is a little bit beyond me but I am trying to learn.

What I can say is;
I have nextcloud, mariadb and letscert installed in docker on UnRaid.
I can access the nextcloud over the web but it isn’t secured.
I don’t know if there is something up with ports maybe?

8

I figured a snapshot of my docker might help.
I don’t think there is any info in here that puts me at risk. All the IPs seem to be internal to my network…
I hope you’ll tell me if I left something in I didn’t notice!

Capture
Capture1462×357 49.7 KB

9

How are you getting the cert from Let’s Encrypt to Nextcloud? Can you post your NC vhost config?

10

I might need to tell me how to find that… :flushed:

11

Was it this you were after @KarlF12

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'ocarcswhs8e5',
  'passwordsalt' => 'KradlQc9H9+2t2YjMKJuFQ2su+oQAw',
  'secret' => 'ENU2yii6SDjNIZTF2it/DdsjgGRlRiajZQYbbduGd1/FRvQu',
  'trusted_domains' => 
  array (
    0 => '192.168.1.200:444',
	1 => 'nextcloud.***********.co.uk',
  ),
  'dbtype' => 'mysql',
  'version' => '18.0.4.2',
  'overwrite.cli.url' => 'https://nextcloud.*************.co.uk',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.200:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'dave',
  'dbpassword' => '*************',
  'installed' => true,
);
12

No, that’s your Nextcloud config. I’m talking about your web server virtual host config. This would be Apache running in the Nextcloud container.

You should familiarize yourself with Apache. It will help you a lot long term in dealing with Nextcloud.

13

right ok, Apache wasn’t mentioned in Spaceinvaderones guide.
Is it part of the Nextcloud install?

Is so, do I need to go into the terminal and get it that way, or is it within the files for nextcloud on the root?

and I will get on that and read up about it, thanks.

14

Ok… I don’t know how someone writes a guide for running a website without mentioning the web server, but I guess that’s beside the point.

So Nextcloud is a website. A web server is what actually “runs” a website. In the Nextcloud Docker container, there is a web server called Apache that is “running” Nextcloud. This is already running on your system.

Apache is what ultimately needs to use the Let’s Encrypt certificate to provide HTTPS for the site.

15

ok, that makes sense! I’m learning.
So I just to know which config you need.

16

So, I just want to make sure I understand.
Apache is already part of my Nextcloud?

Capture

17

Is it this one @KarlF12

# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

# Section for Apache 2.2
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    </IfModule>
    Satisfy All
  </IfModule>
</IfModule>

# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

EDIT
Ok I think i might know what I’m looking for now, I just have no idea how to find it…

18

Ok, I’m sorry.
I have no idea where to find the config file your after.

Feeling very out of my depth right now but appreciate the help.

19

In the container, under /etc/apache2/sites-available is probably where you’ll find the site configs.

Apache needs to use the certificate that’s being pulled by the Let’s Encrypt container. I’m wondering if that’s where this is getting messed up because I don’t see a mount in common between them in your containers. I don’t use unraid so it may just be that I’m not seeing it, but somehow that cert would have to be getting from one container to the other.

But yes, to answer your question, there is a web server running in the Nextcloud container (actually the only “program” being executed, Docker calls it an entrypoint). If you want to see some more about that, you can check out the official image documentation. They have quite a few versions of the Nextcloud image, but the default one uses Apache.

https://hub.docker.com/_/nextcloud

20

Wow, sorry but how to I explore the files inside the docker image?
Found a few commands to try but they don’t seem to work.

I’m also wondering if something is missing outright.

I’ll be off to bed soon. Far more complicated that I thought. I’m sure the guide didn’t go through any of this but seemed to just ‘work’

The guide I’m talking about is here.