Docker AIO Apache unhealthy and no access to Nextcloud on OVM 6

ℹ️ Support 📦 Appliances (Docker, Snappy, VM, NCP, AIO)
, , , ,
1

Hello, I am trying to get Nextcloud AIO to run locally on my OMV6 (OS based un Debian).
I have used this composefile:

services:
  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    ports:
    #  - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 8080:8080
    #  - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
    environment: # Is needed when using any of the options below
      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
      - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      - NEXTCLOUD_DATADIR=/srv/dev-disk-by-uuid-cc6e214c-17e7-40d9-9e23-f7fdc7dc5450/NextcloudData # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
      - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
      - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
      - NEXTCLOUD_MEMORY_LIMIT=1024M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
      - NEXTCLOUD_TRUSTED_CACERTS_DIR=/appdata/nextcloud/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
      # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
      - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
      # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
    # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
      # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
      - SKIP_DOMAIN_VALIDATION=true

  # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
  # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
  caddy:
     image: caddy:alpine
     restart: always
     container_name: caddy
     volumes:
       - /appdata/nextcloud/caddy/Caddyfile:/etc/caddy/Caddyfile
       - /appdata/nextcloud/caddy/certs:/certs
       - /appdata/nextcloud/caddy/config:/config
       - /appdata/nextcloud/caddy/data:/data
       - /appdata/nextcloud/caddy/sites:/srv
     network_mode: "host"

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

As I used my own certs and added them to the certs folder of caddy. I added the cert of my CA to the Nextcloud AIO.
I also had to add the SKIP_DOMAIN_VALIDATION=true because my domain is only locally available through my piHole.

problem is that I am not able to get on my Nextcloud instance. The AIO page works fine and shows that everthing is fine. But Portainer shows that the apache container is unhealthy.

image
image1601Ă—677 83.9 KB

image

I can’t reach it on port 443 and also not on port 11000. Note: Port 80 is occupied by the OVM Page.

Log of AIO:

Trying to fix docker.sock permissions internally...
Creating docker group internally with id 992
e[0;92mInitial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443e[0m
{"level":"info","ts":1688150460.751349,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
{"level":"info","ts":1688150460.7542121,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
[Fri Jun 30 18:41:00.764683 2023] [mpm_event:notice] [pid 127:tid 139856078248776] AH00489: Apache/2.4.57 (Unix) OpenSSL/3.1.1 configured -- resuming normal operations
[Fri Jun 30 18:41:00.764944 2023] [core:notice] [pid 127:tid 139856078248776] AH00094: Command line: 'httpd -D FOREGROUND'
[30-Jun-2023 18:41:00] NOTICE: fpm is running, pid 131
[30-Jun-2023 18:41:00] NOTICE: ready to handle connections
NOTICE: PHP message: 404 Not Found
Type: Slim\Exception\HttpNotFoundException

4
Message: Not found.
File: /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/RoutingMiddleware.php
Line: 76
Trace: #0 /var/www/docker-aio/php/vendor/slim/slim/Slim/Routing/RouteRunner.php(56): Slim\Middleware\RoutingMiddleware->performRouting(Object(GuzzleHttp\Psr7\ServerRequest))
#1 /var/www/docker-aio/php/vendor/slim/csrf/src/Guard.php(476): Slim\Routing\RouteRunner->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#2 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(168): Slim\Csrf\Guard->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Slim\Routing\RouteRunner))
#3 /var/www/docker-aio/php/vendor/slim/twig-view/src/TwigMiddleware.php(115): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#4 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Views\TwigMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#5 /var/www/docker-aio/php/src/Middleware/AuthMiddleware.php(38): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#6 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(269): AIO\Middleware\AuthMiddleware->__invoke(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#7 /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/ErrorMiddleware.php(76): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#8 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Middleware\ErrorMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#9 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(65): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#10 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(199): Slim\MiddlewareDispatcher->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#11 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(183): Slim\App->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#12 /var/www/docker-aio/php/public/index.php(181): Slim\App->run()
#13 {main}
Deleting duplicate sessions
NOTICE: PHP message: 404 Not Found
Type: Slim\Exception\HttpNotFoundException

4
Message: Not found.
File: /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/RoutingMiddleware.php
Line: 76
Trace: #0 /var/www/docker-aio/php/vendor/slim/slim/Slim/Routing/RouteRunner.php(56): Slim\Middleware\RoutingMiddleware->performRouting(Object(GuzzleHttp\Psr7\ServerRequest))
#1 /var/www/docker-aio/php/vendor/slim/csrf/src/Guard.php(476): Slim\Routing\RouteRunner->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#2 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(168): Slim\Csrf\Guard->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Slim\Routing\RouteRunner))
#3 /var/www/docker-aio/php/vendor/slim/twig-view/src/TwigMiddleware.php(115): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#4 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Views\TwigMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#5 /var/www/docker-aio/php/src/Middleware/AuthMiddleware.php(38): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#6 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(269): AIO\Middleware\AuthMiddleware->__invoke(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#7 /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/ErrorMiddleware.php(76): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#8 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(121): Slim\Middleware\ErrorMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#9 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(65): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#10 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(199): Slim\MiddlewareDispatcher->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#11 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(183): Slim\App->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#12 /var/www/docker-aio/php/public/index.php(181): Slim\App->run()
#13 {main}

Log of Apache:

Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
{"level":"info","ts":1688152583.4887104,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
[Fri Jun 30 19:16:23.497613 2023] [mpm_event:notice] [pid 31:tid 140165138139976] AH00489: Apache/2.4.57 (Unix) configured -- resuming normal operations
[Fri Jun 30 19:16:23.497897 2023] [core:notice] [pid 31:tid 140165138139976] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'

Notify Push Log:

Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
[2023-06-30 19:16:20.783813 +00:00] ERROR [notify_push] src/main.rs:77: Self test failed: Error while communicating with nextcloud instance

DB Log:

Setting max connections...

PostgreSQL Database directory appears to contain a database; Skipping initialization

2023-06-30 19:15:59.529 UTC [14] LOG:  starting PostgreSQL 15.3 on x86_64-pc-linux-musl, compiled by gcc (Alpine 12.2.1_git20220924-r10) 12.2.1 20220924, 64-bit
2023-06-30 19:15:59.529 UTC [14] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2023-06-30 19:15:59.529 UTC [14] LOG:  listening on IPv6 address "::", port 5432
2023-06-30 19:15:59.532 UTC [14] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2023-06-30 19:15:59.538 UTC [24] LOG:  database system was shut down at 2023-06-30 19:15:25 UTC
2023-06-30 19:15:59.547 UTC [14] LOG:  database system is ready to accept connections

Nextcloud Log:

              now              
-------------------------------
 2023-06-30 19:16:06.245187+00
(1 row)

User required to trust additional CA certificates, running 'update-ca-certificates.'
+ '[' -f /dev-dri-group-was-added ']'
++ find /dev -maxdepth 1 -mindepth 1 -name dri
+ '[' -n '' ']'
+ set +x
Installing imagemagick via apk...
Enabling Imagick...
Configuring Redis as session handler...
Setting php max children...
System config value tempdirectory set to string /mnt/ncdata/tmp/
Applying one-click-instance settings...
System config value one-click-instance set to boolean true
System config value one-click-instance.user-limit set to integer 100
System config value one-click-instance.link set to string https://nextcloud.com/all-in-one/
support already enabled
Adjusting log files...
System config value upgrade.cli-upgrade-link set to string https://github.com/nextcloud/all-in-one/discussions/2726
System config value logfile set to string /var/www/html/data/nextcloud.log
Config value logfile for app admin_audit set to /var/www/html/data/audit.log
System config value updatedirectory set to string /nc-updater
Applying network settings...
System config value trusted_domains => 1 set to string cloud.tobi
System config value overwrite.cli.url set to string https://cloud.tobi/
System config value htaccess.RewriteBase set to string /
.htaccess has been updated
System config value files_external_allow_create_new_local set to boolean false
System config value trusted_proxies => 0 set to string 127.0.0.1
System config value trusted_proxies => 1 set to string ::1
Config value base_endpoint for app notify_push set to https://cloud.tobi/push
System config value enabledPreviewProviders => 0 set to string OC\Preview\Imaginary
System config value preview_imaginary_url set to string http://nextcloud-aio-imaginary:9000
[30-Jun-2023 19:16:19] NOTICE: fpm is running, pid 229
[30-Jun-2023 19:16:19] NOTICE: ready to handle connections

Redis Log:

Memory overcommit is disabled but necessary for safe operation
See https://github.com/nextcloud/all-in-one/discussions/1731 how to enable overcommit
1:C 30 Jun 2023 19:16:01.001 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
1:C 30 Jun 2023 19:16:01.001 # Redis version=7.0.11, bits=64, commit=00000000, modified=0, pid=1, just started
1:C 30 Jun 2023 19:16:01.001 # Configuration loaded
1:M 30 Jun 2023 19:16:01.002 # Server initialized
1:M 30 Jun 2023 19:16:01.002 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.

Imaginary Log:

Well.... It's empty

Please help me… I have been trying to get Nextcloud to work for ages.

2

Hi, sadly I cannot help directly but I wanted to tell you that I have the same problem and I am unable to solve it as well. My logs look pretty much identical to yours. One thing that is peculiar is that I am able to access my Nextcloud instance from certain devices (like my laptop for example) when I’m in the same network as the server. I could not reach it from other browsers on other devices (my smartphone). I hope someone has a good idea on how to fix this.

3

Hello, so I fixed my issue.

Why was I not able to reach my Nextcloud over port 11000? Well because I blocked it with this line:

APACHE_IP_BINDING=127.0.0.1

Why was I not able to reach my Nextcloud over the Proxy? For some reason caddy tries to listen on port 80. Since port 80 is allready in use by my Open Media Vault (OMV) server admin panel, caddy just dies and doesn’t respond to https requests. Fix: Tell caddy to not listen on port 80 but something else, by adding the following lines at the top of your caddyfile:

{
	http_port 8081
}

Also, I had to tell caddy to use my cert by adding the following line to the caddyfile:

tls /certs/yourdomain.crt /certs/yourdomain.key

My caddyfile looks like this now:

{
	http_port 8081
	acme_ca_root /certs/TobiCA.pem
}
https://cloud.tobi:443 {
	reverse_proxy localhost:11000
	tls /certs/cloud.tobi.crt /certs/cloud.tobi.key
}

Note: I am using self signed certs, thus the CA reference. Also, the push container does not seem to work due to that. It just keeps logging BadCertificate. Adding my CA to the push container would probably solve this but since the filesystem of that container is read only, solving this is not that easy. Really looking forward to solving this… not.
I would REALLY appreciate and ideas on how to solve this.

Also upload speed over the windows client is horrible (107 mbit/s). Its actually worse than the community maintained fpm image and performance was basically the whole reason I switched to AIO…

Now to your problem thariton. I think you have a different problem then me.

I could not reach it from other browsers on other devices (my smartphone)

Could you please be more specific? If you can’t access your Nextcloud from your browser, you should get an error message, like “err_connection_refused” or “nx_domain” or something like that.

Can you ping the server from other devices than your laptop?

2 Likes
4

@CodeTobi Thank you so much for your elaborate response! I am very happy to hear that you managed to fix your issue. I ran into that apache ip binding problem as well on my first attempt.
I believe I have fixed my issue as well. To all those reading this in the future:
I am using Cloudflare as my dns provider. To update the dns (since I have a dnyDns) I am using a script running as a cron job every ten minutes which requests my current public ip and updates it using the Cloudflare API. In the end, the problem seemed to be two things:

  1. Using the “proxied” forwarding method without informing nextcloud about it being behind two proxies (cloudflare+traefik)
  2. (and this was the major issue) The update script was faulty and updated the dns entry with the wrong ip ._.

You might wonder why I was able to connect to the nc instance from some browsers, regardless of that faulty entry. Well, besides using Cloudflare, I run pi-hole for internal ip addresses. Some weeks ago I added a local dns entry for my nextcloud instance… As a result, all devices configured for the local dns were able to reach the nextcloud as long as they were using my home network.
Well, a couple of stupid mistakes later I have learned that even though it should make no difference, you shouldn’t add two entries with different availability scopes to not be confused between “working” and “not reachable” services…
Thanks again to you @CodeTobi I hope that someone finds this short thread helpful in the future.

2 Likes
5

@thariton very happy to hear you solved your problem as well.

Unfortunatelly I think I am going to abandon the AIO image because it requires a valid cert to function correctly. I am having issues with the imaginary container and the push container. I have no clue what problem is with the imaginary container and I don’t think that I going to be abel to fix the push container from throwing the “Bad Certificate” error.

6

Hi, see https://github.com/nextcloud/all-in-one/blob/main/local-instance.md for options.

7

@szaimen Hi, your link doesn’t really solve my problem. I have read that page before and it only describes how to get a valid certificate for a local instance. But I really don’t think that requiring a valid certificate for a local instance is the way to go. I already have a working DNS Server at home and my own CA added to all my devices. So, using a certificate signed by my CA just makes sense for me. I also only access my NC via my VPN and don’t plan to share any files over the internet, so there is no real benefit in using a valid certificate. But there certainly are some downsides of using a valid certificate:

  • If you buy one… well that costs money
  • If you want to get a free let’s encrypt certificate, you need to open port 80 for the acme challenge and need a valid domain.
  • A easy to remember domain from a reputable provider is going to cost you money and still might not look like you want it to.
  • If you don’t want to pay for a domain, you can get a free one, but it will look horrible and end with something like verygreate.freedomainandhosting.org.net.
  • If you have a Fritz Box, you could use your MyFritz domain. But if you know that service, you’re probably also aware that their domains are more complex than my password.
  • In the end you’re going to be stuck with a hard to remember and unintuitive domain and no option to change it because you opted for a free let’s encrypt certificate that is only valid for that domain you never liked in the first place.

I am aware that Nextcloud AIO doesn’t support self-signed certificates, but I don’t really know why and wasn’t able to find a technical explanation why it shouldn’t be possible to implement support for it.

I also managed to get the notify-push container to work. The high-performance backend for files supports self-signed certificates you just have to tell it to. After taking a look at the container, all it does is run the correct binary from the Nextcloud container and pass all the arguments to it. So to get the push container to work, I added allow-self-signed to the start.sh file of the push-container and replaced it using a Docker file and Portainer.

My new start.sh

#!/bin/bash

if [ -z "$NEXTCLOUD_HOST" ]; then
    echo "NEXTCLOUD_HOST need to be provided. Exiting!"
    exit 1
elif [ -z "$POSTGRES_HOST" ]; then
    echo "POSTGRES_HOST need to be provided. Exiting!"
    exit 1
elif [ -z "$REDIS_HOST" ]; then
    echo "REDIS_HOST need to be provided. Exiting!"
    exit 1
fi

# Only start container if nextcloud is accessible
while ! nc -z "$NEXTCLOUD_HOST" 9000; do
    echo "Waiting for Nextcloud to start..."
    sleep 5
done

# Correctly set CPU_ARCH for notify_push
CPU_ARCH="$(uname -m)"
export CPU_ARCH
if [ -z "$CPU_ARCH" ]; then
    echo "Could not get processor architecture. Exiting."
    exit 1
elif [ "$CPU_ARCH" != "x86_64" ]; then
    export CPU_ARCH="aarch64"
fi

# Run it                    
/nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
    --database-prefix="oc_" \
    --nextcloud-url "https://$NC_DOMAIN" \
    --port 7867 \
    --redis-url "redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST" \
    --database-url "postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB" \
    --allow-self-signed

exec "$@"

The Docker file:

FROM nextcloud/aio-notify-push:latest
USER root
RUN rm start.sh
COPY modified_start.sh start.sh
RUN chmod 775 start.sh

The other problem with the imaginary container that I was encountering actually had nothing to do with me using my own certificates. As seen here:
https://help.nextcloud.com/t/error-app-photos-preview-vipsimage/165228

So if you still don’t want to support self-signed certificates, at least add an environment variable like the SKIP_DOMAIN_VALIDATION=true as explained above to make it more usable. You could still say that you don’t support it and shouldn’t use it if you make your Nextcloud public and don’t know what you are doing.

8

+1 For @CodeTobi to add support for self signed certs or if technically possible no cert. I plan to run NC on my home network only and not open it up to the public. Also all external access will occur over VPN.

@CodeTobi Were you able to get it to work in the end or did you abandon NC AIO?

9

Hi, see https://github.com/nextcloud/all-in-one/blob/main/local-instance.md