Certificate issues with LetsEncryt and Nextcloud

šŸš§ Installation
#1

First off,
I really want to thank devnull for helping me solve some issues to get my Install accessible from the internet.
I am extremely grateful.

I now have Nextcloud accessable from the internet but it is not yet secure.

After talking with devnull they suggested I start a new thread with the below details to help diagnosis this.

a.) i use docker for nextcloud
b.) i use linuxserver.io certificate
c.) there is acually no CA for the certifcate (look in browser info)
d.) post link https://docs.linuxserver.io/images/docker-letsencrypt

If there is any info I can supply to help, please shout.

#2

Just based on that description, it sounds like an intermediate certificate is missing from the chain. Can you confirm if thatā€™s the case?

#3

Hi,
How would I do that

devnull helped me out with that

#4

I do not use docker. I think the nextcloud-docker-images includes the linuxserver.io-certificate without the other certificates. Perhaps it is also possible to change it to Lets Encrypt.

Perhaps someone can help with the docker-configuration or post the way for change the certificate in the docker-container. Perhaps it is possible to install ā€œcertbotā€ and use this software.

#5

@devnull

If you want to use Letā€™s Encrypt certs ā€“ (which I recommend) ā€“ itā€™s actually pretty easy to do.

You need to install an acme client (certbot or acme.sh or a docker container that runs either certbot or acme). It just depends on what you want to do. I personally just install acme.sh on the docker host and obtain certs that method, however Iā€™m aware many use a docker container. For example one container you could use is: https://hub.docker.com/r/linuxserver/letsencrypt/.

It just depends on you how want to install your certs.

#6

Iā€™ve seen a few different ways people have enabled (or tried to enable) certbot with Docker. My solution to this was to run a reverse proxy and certbot on the host. I wrote a guide for this type of setup if you want to have a look.

https://help.nextcloud.com/t/howto-ubuntu-docker-nextcloud-talk-collabora/76430

Can you explain what you mean by this? What are you seeing?

#7

Iā€™m sorry Iā€™ll have to defer to @devnull about that.
He (she? not sure!) picked it up when helping me get it accessible.

I know my way around a PC but Linux is a little bit beyond me but I am trying to learn.

What I can say is;
I have nextcloud, mariadb and letscert installed in docker on UnRaid.
I can access the nextcloud over the web but it isnā€™t secured.
I donā€™t know if there is something up with ports maybe?

#8

I figured a snapshot of my docker might help.
I donā€™t think there is any info in here that puts me at risk. All the IPs seem to be internal to my networkā€¦
I hope youā€™ll tell me if I left something in I didnā€™t notice!

Capture
Capture1462Ɨ357 49.7 KB

#9

How are you getting the cert from Letā€™s Encrypt to Nextcloud? Can you post your NC vhost config?

#10

I might need to tell me how to find thatā€¦ :flushed:

#11

Was it this you were after @KarlF12

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'ocarcswhs8e5',
  'passwordsalt' => 'KradlQc9H9+2t2YjMKJuFQ2su+oQAw',
  'secret' => 'ENU2yii6SDjNIZTF2it/DdsjgGRlRiajZQYbbduGd1/FRvQu',
  'trusted_domains' => 
  array (
    0 => '192.168.1.200:444',
	1 => 'nextcloud.***********.co.uk',
  ),
  'dbtype' => 'mysql',
  'version' => '18.0.4.2',
  'overwrite.cli.url' => 'https://nextcloud.*************.co.uk',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.200:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'dave',
  'dbpassword' => '*************',
  'installed' => true,
);
#12

No, thatā€™s your Nextcloud config. Iā€™m talking about your web server virtual host config. This would be Apache running in the Nextcloud container.

You should familiarize yourself with Apache. It will help you a lot long term in dealing with Nextcloud.

#13

right ok, Apache wasnā€™t mentioned in Spaceinvaderones guide.
Is it part of the Nextcloud install?

Is so, do I need to go into the terminal and get it that way, or is it within the files for nextcloud on the root?

and I will get on that and read up about it, thanks.

#14

Okā€¦ I donā€™t know how someone writes a guide for running a website without mentioning the web server, but I guess thatā€™s beside the point.

So Nextcloud is a website. A web server is what actually ā€œrunsā€ a website. In the Nextcloud Docker container, there is a web server called Apache that is ā€œrunningā€ Nextcloud. This is already running on your system.

Apache is what ultimately needs to use the Letā€™s Encrypt certificate to provide HTTPS for the site.

#15

ok, that makes sense! Iā€™m learning.
So I just to know which config you need.

#16

So, I just want to make sure I understand.
Apache is already part of my Nextcloud?

Capture

#17

Is it this one @KarlF12

# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

# Section for Apache 2.2
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    </IfModule>
    Satisfy All
  </IfModule>
</IfModule>

# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

EDIT
Ok I think i might know what Iā€™m looking for now, I just have no idea how to find itā€¦

#18

Ok, Iā€™m sorry.
I have no idea where to find the config file your after.

Feeling very out of my depth right now but appreciate the help.

#19

In the container, under /etc/apache2/sites-available is probably where youā€™ll find the site configs.

Apache needs to use the certificate thatā€™s being pulled by the Letā€™s Encrypt container. Iā€™m wondering if thatā€™s where this is getting messed up because I donā€™t see a mount in common between them in your containers. I donā€™t use unraid so it may just be that Iā€™m not seeing it, but somehow that cert would have to be getting from one container to the other.

But yes, to answer your question, there is a web server running in the Nextcloud container (actually the only ā€œprogramā€ being executed, Docker calls it an entrypoint). If you want to see some more about that, you can check out the official image documentation. They have quite a few versions of the Nextcloud image, but the default one uses Apache.

https://hub.docker.com/_/nextcloud

#20

Wow, sorry but how to I explore the files inside the docker image?
Found a few commands to try but they donā€™t seem to work.

Iā€™m also wondering if something is missing outright.

Iā€™ll be off to bed soon. Far more complicated that I thought. Iā€™m sure the guide didnā€™t go through any of this but seemed to just ā€˜workā€™

The guide Iā€™m talking about is here.