Certificate issues with LetsEncryt and Nextcloud

Good morning all,

I did a little more research last night and I’m pretty certain that I’m not missing a docker image; I’ve got all the parts needed.
I think I now know which config file you needed. The file structure seems a bit different on my install, maybe due to it being on Unraid and combined with Nextcloud.

    ## Version 2020/03/05 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
    # redirect all traffic to https
    server {
    	listen 80 default_server;
    	listen [::]:80 default_server;
    	server_name _;
    	return 301 https://$host$request_uri;
    }

    # main server block
    server {
    	listen 443 ssl http2 default_server;
    	listen [::]:443 ssl http2 default_server;

    	root /config/www;
    	index index.html index.htm index.php;

    	server_name _;

    	# enable subfolder method reverse proxy confs
    	include /config/nginx/proxy-confs/*.subfolder.conf;

    	# all ssl related config moved to ssl.conf
    	include /config/nginx/ssl.conf;

    	# enable for ldap auth
    	#include /config/nginx/ldap.conf;

    	client_max_body_size 0;

    	location / {
    		try_files $uri $uri/ /index.html /index.php?$args =404;
    	}

    	location ~ \.php$ {
    		fastcgi_split_path_info ^(.+\.php)(/.+)$;
    		fastcgi_pass 127.0.0.1:9000;
    		fastcgi_index index.php;
    		include /etc/nginx/fastcgi_params;
    	}

    # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
    # notice this is within the same server block as the base
    # don't forget to generate the .htpasswd file as described on docker hub
    #	location ^~ /cp {
    #		auth_basic "Restricted";
    #		auth_basic_user_file /config/nginx/.htpasswd;
    #		include /config/nginx/proxy.conf;
    #		proxy_pass http://192.168.1.50:5050/cp;
    #	}

    }

    # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
    # notice this is a new server block, you need a new server block for each subdomain
    #server {
    #	listen 443 ssl http2;
    #	listen [::]:443 ssl http2;
    #
    #	root /config/www;
    #	index index.html index.htm index.php;
    #
    #	server_name cp.*;
    #
    #	include /config/nginx/ssl.conf;
    #
    #	client_max_body_size 0;
    #
    #	location / {
    #		auth_basic "Restricted";
    #		auth_basic_user_file /config/nginx/.htpasswd;
    #		include /config/nginx/proxy.conf;
    #		proxy_pass http://192.168.1.50:5050;
    #	}
    #}

    # sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
    # ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
    # notice this is a new server block, you need a new server block for each subdomain
    #server {
    #	listen 443 ssl http2;
    #	listen [::]:443 ssl http2;
    #
    #	root /config/www;
    #	index index.html index.htm index.php;
    #
    #	server_name heimdall.*;
    #
    #	include /config/nginx/ssl.conf;
    #
    #	include /config/nginx/ldap.conf;
    #
    #	client_max_body_size 0;
    #
    #	location / {
    #		# the next two lines will enable ldap auth along with the included ldap.conf in the server block
    #		auth_request /auth;
    #		error_page 401 =200 /login;
    #
    #		include /config/nginx/proxy.conf;
    #		resolver 127.0.0.11 valid=30s;
    #		set $upstream_app heimdall;
    #		set $upstream_port 443;
    #		set $upstream_proto https;
    #		proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    #	}
    #}

    # enable subdomain method reverse proxy confs
    include /config/nginx/proxy-confs/*.subdomain.conf;
    # enable proxy cache for auth
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

Again, another guide I found suggests not using Ports 80 and 443 for this install due to conflicts with Unraid.
I think, later today, I will work through this guide and see if I have any better luck.

I did post this up on the Unraid forums but received no help whatsoever from the support thread for this exact app. Pretty disappointing, but very grateful to you guys here.

Let me know your thoughts.
I’m just starting work so will be around all day.

@daveo132

@Karl12 is pretty accurate in what he’s telling you. Nextcloud requires nginx or apache to work correctly. I believe you are running letsencrypt, mariadb and nextcloud within docker. Are you using docker-compose to start the docker instances? Where are the config files you are passing to nextcloud?

I’m looking at your screenshot from your containers – specifically the volume mounts. Things don’t seem totally screwed up – but to recap – you have /config mounted within the letsencrypt container and also within nextcloud (which is totally ok). Inside the /config directory are there Let’s Encrypt certs?

I have these…

@daveo

Just making sure – are you positive those are the correct keys for your domain? They totally could be, however I’m just used to LetsEncrypt (LE) referring to those as privkey.pem and fullchain.pem. It’s possible the container you are using changed the name as I’m aware the acme client uses different default names.

Anyway – how do you configure apache or nginx within the nextcloud container? Certainly there are instructions for the container.
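As an added example (not from this thread or from the linuxserver project), a small shell check that answers the question above for a fullchain.pem / privkey.pem pair: whether the two files actually belong together, which hostnames the certificate covers, and whether it has expired. It needs only the openssl CLI; the paths under /config are placeholders and the demo pair it can generate is constructed for the checks, not real certificate material.

```shell
#!/bin/sh
# Added example, not from this thread: sanity-check a Let's Encrypt
# fullchain.pem / privkey.pem pair found in the container's /config volume.
# Requires the openssl CLI (1.1.1 or newer for -ext / -addext).
set -eu

# Does the private key belong to the certificate? Compares the public key
# embedded in the cert with the public key derived from the key file.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "match: $2 belongs to $1"
        return 0
    fi
    echo "MISMATCH: $2 is not the key for $1"
    return 1
}

# Print every DNS name in the certificate's subjectAltName, one per line;
# this is the list the browser compares the requested hostname against.
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 | tr ',' '\n' | sed 's/^ *DNS://'
}

# True when the certificate has not passed its notAfter date.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Constructed demo data: a self-signed pair plus an unrelated key, so the
# checks can be exercised without touching real certificates.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" \
        -subj "/CN=cloud.example.test" \
        -addext "subjectAltName=DNS:cloud.example.test,DNS:example.test" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.pem" 2>/dev/null
}

# Usage (placeholder paths; the real location under /config depends on your container):
#   sh check_le_pair.sh /config/<path>/fullchain.pem /config/<path>/privkey.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
    echo "certificate covers:"; cert_names "$1"
    cert_not_expired "$1" && echo "certificate has not expired" || echo "certificate has EXPIRED"
fi
```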

I honestly have no idea :frowning:
At this point I’m considering asking if any of you guys want to remote on!!

However,
I can say that I did do some config within the nginx folder.

Port 80 is required for certbot HTTP validation. If the host OS is using the port, the container won’t be able to listen on it. You may have to change Unraid to another port (or disable HTTP altogether).

Argh, you need to post better information if you want better help. If you have no idea, then you need to read the documentation associated with the container. No one here in these forums probably has your exact same setup, however many are willing to help, only if you provide better information.

You’re right of course.
I’m getting myself tied up in knots here because I don’t understand some of the terms but mostly my data seems to be in places different to what you guys seem to expect.

To be honest, I think I’m going to take this right back to the basics (3rd time) and try again. I’ve learned a lot from you guys and I am incredibly grateful.
This turned out to be far more complex than the guides made it out to be.

Give me railway engineering any day. Can talk about that until the cows come home.

Sorry I couldn’t give you better info.

To be honest, the more I look into things the more I think I have issues with port forwarding on my router.
There seems to be a lot of chat about it not working on my BT Home hub. Checking ports that I have set to open consistently returns as closed.

I’m going to do some more digging.

Thank you all for your help.

Sure. If you’re in the market for a new firewall, take a look at pfSense.

One problem at a time :rofl:

Sorry to jump in late, just to say that if I’m deploying Docker and I want to secure it with letsencrypt, I will use traefik on my docker host to handle the routing. Traefik will get your certificates from LE and handle the renewals, do the SSL offloading, and route to your docker containers.

It’s configured (if you want to do it this way) through labels on your containers. Pretty easy to set up.

Hi all,

I thought I would drop back in to say I got this working in the end.

I now have a new router which finally lets me set up Port Forwarding correctly; it seems that was where all my problems lay in the end.

Thanks all.