Docker compose with caddy ssl error

As a beginner in administration, but with an IT background, I would like to create Nextcloud access that is also available externally. I wanted to run this in a Docker container on a device.
Unfortunately I ran into the following issue when trying to connect in my browser (local and public address):
SSL_ERROR_INTERNAL_ERROR_ALERT

First a summary of my configuration:
Device:
OS: Fedora Linux 39 (Server Edition)
RAM: 16GB
CPU: Intel N100
Furthermore, a pihole is running in a container with all DNS servers checked.

I tried to follow the following tutorial for the installation:

I bought a domain name from name.com, referred to below as “domain.de”. There I created an “A” record subdomain “nextcloud.domain.de” pointing to my public IPv4 address. This is the subdomain I entered into the docker-compose.yaml and .env, as in the tutorial, and it successfully forwards me to my public IPv4.

On my router, a FRITZ!Box 6591 Cable, as well as on my server, I enabled the ports 443 and 80. I also enabled them for the Docker container.

After following the guide, the processes are running as follows (docker ps):

CONTAINER ID   IMAGE                                       COMMAND                  CREATED          STATUS                PORTS                                                                                                                                            NAMES
40aa9f633bac   nginx:alpine                                "/docker-entrypoint.…"   59 minutes ago   Up 59 minutes         80/tcp                                                                                                                                           nextcloud-web
9db337d53895   nextcloud:stable-fpm                        "/entrypoint.sh php-…"   59 minutes ago   Up 59 minutes         9000/tcp                                                                                                                                         nextcloud-app
0e475b7b41a1   nextcloud:stable-fpm                        "/cron.sh"               59 minutes ago   Up 59 minutes         9000/tcp                                                                                                                                         nextcloud-cron
113e99e28e64   lucaslorentz/caddy-docker-proxy:ci-alpine   "/bin/caddy docker-p…"   59 minutes ago   Up 59 minutes         0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 2019/tcp                                                               reverse-proxy
bc7176048b52   mariadb:10.11                               "docker-entrypoint.s…"   59 minutes ago   Up 59 minutes         3306/tcp                                                                                                                                         mariadb-database
27229a9cd71f   redis:alpine                                "docker-entrypoint.s…"   59 minutes ago   Up 59 minutes         6379/tcp                                                                                                                                         redis-dbcache
267feb0b7adc   pihole/pihole:latest                        "/s6-init"               3 days ago       Up 2 days (healthy)   0.0.0.0:53->53/udp, :::53->53/udp, 0.0.0.0:53->53/tcp, 0.0.0.0:67->67/udp, :::53->53/tcp, :::67->67/udp, 0.0.0.0:8080->80/tcp, :::8080->80/tcp   pihole

Now I tried to solve it with ChatGPT, which was unsuccessful, but it directed me to the following logs. The Caddyfile was often mentioned, but I don’t know how to access it, since:

it generates an in-memory “Caddyfile”

reverse-proxy:

{"level":"info","ts":1707577570.219483,"logger":"docker-proxy","msg":"Running caddy proxy server"}
{"level":"info","ts":1707577570.2218099,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1707577570.2220664,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1707577570.2220752,"logger":"docker-proxy","msg":"Running caddy proxy controller"}
{"level":"info","ts":1707577570.2233665,"logger":"docker-proxy","msg":"Start","CaddyfilePath":"","EnvFile":"","LabelPrefix":"caddy","PollingInterval":30,"ProxyServiceTasks":true,"ProcessCaddyfile":true,"ScanStoppedContainers":false,"IngressNetworks":"[nextcloud_network]","DockerSockets":[""],"DockerCertsPath":[""],"DockerAPIsVersion":[""]}
{"level":"info","ts":1707577570.2248712,"logger":"docker-proxy","msg":"Connecting to docker events","DockerSocket":""}
{"level":"info","ts":1707577570.2252162,"logger":"docker-proxy","msg":"IngressNetworksMap","ingres":"map[c5393474a4c8edba72c06cab1db7bfc9279176cc398cf75a649d6be986bf322f:true nextcloud_network:true]"}
{"level":"info","ts":1707577570.2364483,"logger":"docker-proxy","msg":"Swarm is available","new":false}
{"level":"info","ts":1707577570.2396436,"logger":"docker-proxy","msg":"New Caddyfile","caddyfile":"# Empty caddyfile"}
{"level":"warn","ts":1707577570.2399669,"logger":"docker-proxy","msg":"Caddyfile to json warning","warn":"[Caddyfile:1: Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies]"}
{"level":"info","ts":1707577570.2399783,"logger":"docker-proxy","msg":"New Config JSON","json":"{}"}
{"level":"info","ts":1707577570.2400258,"logger":"docker-proxy","msg":"Sending configuration to","server":"localhost"}
{"level":"info","ts":1707577570.2408218,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_ip":"127.0.0.1","remote_port":"48264","headers":{"Accept-Encoding":["gzip"],"Content-Length":["41"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}}
{"level":"info","ts":1707577570.2409077,"msg":"config is unchanged"}
{"level":"info","ts":1707577570.2409143,"logger":"admin.api","msg":"load complete"}
{"level":"info","ts":1707577570.2410192,"logger":"docker-proxy","msg":"Successfully configured","server":"localhost"}
{"level":"info","ts":1707577570.6779194,"logger":"docker-proxy","msg":"New Caddyfile","caddyfile":"nextcloud.domain.de {\n\theader /* {\n\t\tStrict-Transport-Security max-age=15552000;\n\t}\n\treverse_proxy 172.19.0.7\n\trewrite /.well-known/acme-challenge/ /remote.php/dav\n\trewrite /.well-known/caldav /remote.php/dav\n\trewrite /.well-known/carddav /remote.php/dav\n\trewrite /.well-known/nodeinfo /index.php/.well-known/nodeinfo\n\trewrite /.well-known/webfinger /index.php/.well-known/webfinger\n}\n"}
{"level":"info","ts":1707577570.6817713,"logger":"docker-proxy","msg":"New Config JSON","json":"{\"apps\":{\"http\":{\"servers\":{\"srv0\":{\"listen\":[\":443\"],\"routes\":[{\"match\":[{\"host\":[\"nextcloud.domain.de\"]}],\"handle\":[{\"handler\":\"subroute\",\"routes\":[{\"handle\":[{\"handler\":\"headers\",\"response\":{\"set\":{\"Strict-Transport-Security\":[\"max-age=15552000;\"]}}}],\"match\":[{\"path\":[\"/*\"]}]},{\"group\":\"group0\",\"handle\":[{\"handler\":\"rewrite\",\"uri\":\"/remote.php/dav\"}],\"match\":[{\"path\":[\"/.well-known/acme-challenge/\"]}]},{\"group\":\"group0\",\"handle\":[{\"handler\":\"rewrite\",\"uri\":\"/index.php/.well-known/webfinger\"}],\"match\":[{\"path\":[\"/.well-known/webfinger\"]}]},{\"group\":\"group0\",\"handle\":[{\"handler\":\"rewrite\",\"uri\":\"/index.php/.well-known/nodeinfo\"}],\"match\":[{\"path\":[\"/.well-known/nodeinfo\"]}]},{\"group\":\"group0\",\"handle\":[{\"handler\":\"rewrite\",\"uri\":\"/remote.php/dav\"}],\"match\":[{\"path\":[\"/.well-known/carddav\"]}]},{\"group\":\"group0\",\"handle\":[{\"handler\":\"rewrite\",\"uri\":\"/remote.php/dav\"}],\"match\":[{\"path\":[\"/.well-known/caldav\"]}]},{\"handle\":[{\"handler\":\"reverse_proxy\",\"upstreams\":[{\"dial\":\"172.19.0.7:80\"}]}]}]}],\"terminal\":true}]}}}}}"}
{"level":"info","ts":1707577570.6818514,"logger":"docker-proxy","msg":"Sending configuration to","server":"localhost"}
{"level":"info","ts":1707577570.6822155,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_ip":"127.0.0.1","remote_port":"48264","headers":{"Accept-Encoding":["gzip"],"Content-Length":["1073"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}}
{"level":"info","ts":1707577570.6835005,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1707577570.683787,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1707577570.6838162,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1707577570.68386,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0008bc900"}
{"level":"info","ts":1707577570.685509,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1707577570.6861784,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1707577570.6862957,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1707577570.6863084,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nextcloud.domain.de"]}
{"level":"info","ts":1707577570.6875813,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1707577570.6876369,"logger":"admin.api","msg":"load complete"}
{"level":"info","ts":1707577570.6878622,"logger":"docker-proxy","msg":"Successfully configured","server":"localhost"}
{"level":"warn","ts":1707577570.6878984,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"3b206458-607a-4634-9425-21a316386329","try_again":1707663970.687895,"try_again_in":86399.999999252}
{"level":"info","ts":1707577570.6879976,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1707577570.691727,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}

nextcloud-app:

crond: crond (busybox 1.35.0) started, log level 8
crond: USER www-data pid   7 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid   8 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid   9 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid  10 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid  11 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid  12 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid  13 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid  14 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid  15 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid  16 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid  17 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid  18 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid  19 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}
crond: USER www-data pid  20 cmd php -f /var/www/html/cron.php
Exception: Not installed in /var/www/html/lib/base.php:283
Stack trace:
#0 /var/www/html/lib/base.php(709): OC::checkInstalled(Object(OC\SystemConfig))
#1 /var/www/html/lib/base.php(1196): OC::init()
#2 /var/www/html/cron.php(43): require_once('/var/www/html/l...')
#3 {main}

I also suspect the pihole and DNS to be a problem, but I just can’t figure it out myself. I would appreciate any help and will provide more information, if possible. Thank you already for reading.

Hi @thed, welcome to the community :handshake:

Please post the config files as well.

I’m not familiar with Caddy and the Nextcloud Docker Nginx variant, but there are a few things worth deeper investigation:

  • the nextcloud-app log you posted only shows crond log lines - likely it is from the cron container. Check the logs from the nginx and nextcloud containers… look for the “nextcloud.log” application log file in the data directory as well (volume nextcloud_data: according to the guide)
  • the caddy logs show a clean start to me. It loads some config, enables the domain and TLS cert management, but nothing indicates it acquires the certificate and there is no traffic to nextcloud.domain.de. Maybe you need to enable/configure access logs to see it

I would start by checking whether caddy successfully got the TLS cert and, if yes, what happens with incoming requests for nextcloud.domain.de - does it forward the requests to the right container and what is the result…
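
One way to run the certificate check suggested in the reply above against Caddy's JSON log, as an added example that is not part of the original thread. The `tls.obtain` entries, the `example.test` hosts and the error text are constructed, and the message strings are assumed to match the Caddy release in use.

```python
import json

MANAGED_MSG = "enabling automatic TLS certificate management"

# Sample input. The first entry is the one from the reverse-proxy log above;
# every other line is constructed for this example (hypothetical hosts).
SAMPLE_LOG = """
{"level":"info","ts":1707577570.6863084,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nextcloud.domain.de"]}
{"level":"info","ts":1.0,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["ok.example.test","blocked.example.test"]}
{"level":"info","ts":2.0,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"ok.example.test"}
{"level":"info","ts":3.0,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"ok.example.test"}
{"level":"info","ts":4.0,"logger":"tls.obtain","msg":"releasing lock","identifier":"ok.example.test"}
{"level":"info","ts":5.0,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"blocked.example.test"}
{"level":"error","ts":6.0,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"blocked.example.test","error":"constructed: challenge failed, port 80 unreachable"}
constructed non-JSON line, as docker logs may interleave plain text
"""

HINTS = {
    # Absence of issuance entries is inconclusive: a certificate already in
    # Caddy's storage (the caddy_data volume) is loaded without a new order.
    "no_issuance_logged": "no issuance attempt in this log; inspect storage or older logs",
    "in_progress": "issuance started, no result logged yet",
    "obtained": "certificate issued; look at the request path next",
    "failed": "issuer rejected or could not validate; read the error field",
}


def certificate_status(log_text):
    """Return {domain: {"state": ..., "errors": [...]}} from Caddy JSON log lines."""
    status = {}

    def record_for(domain):
        return status.setdefault(domain, {"state": "no_issuance_logged", "errors": []})

    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # skip blank lines and non-JSON output
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        msg = entry.get("msg", "")
        if msg == MANAGED_MSG:
            for domain in entry.get("domains", []):
                record_for(domain)
            continue
        # Issuance events carry the domain in "identifier".
        if entry.get("logger") != "tls.obtain" or "identifier" not in entry:
            continue
        record = record_for(entry["identifier"])
        if entry.get("level") == "error":
            record["state"] = "failed"
            record["errors"].append(entry.get("error", msg))
        elif "obtained successfully" in msg:
            record["state"] = "obtained"  # a later success overrides a failure
        elif record["state"] == "no_issuance_logged":
            record["state"] = "in_progress"
    return status


def summarize(log_text):
    """One human-readable line per managed domain."""
    result = certificate_status(log_text)
    return [f"{d}: {r['state']} ({HINTS[r['state']]})" for d, r in sorted(result.items())]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

On a live host the same functions can be fed the output of `docker logs reverse-proxy`.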

Thank you for the reply.
Here is the docker-compose.yaml:

version: "3.8"
services:

  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    container_name: reverse-proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=nextcloud_network
    networks:
      - nextcloud_network
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - caddy_data:/data
    restart: unless-stopped

  web:
    image: nginx:alpine
    container_name: nextcloud-web
    networks:
      - nextcloud_network
    links:
      - nextcloud
    labels:
      caddy: nextcloud.domain.de
      caddy.reverse_proxy: "{{upstreams}}"
      caddy.header: /*
      caddy.header.Strict-Transport-Security: '"max-age=15552000;"'
      caddy.rewrite_0: /.well-known/carddav /remote.php/dav
      caddy.rewrite_1: /.well-known/caldav /remote.php/dav
      caddy.rewrite_2: /.well-known/webfinger /index.php/.well-known/webfinger
      caddy.rewrite_3: /.well-known/nodeinfo /index.php/.well-known/nodeinfo
      caddy.rewrite_4: /.well-known/acme-challenge/ /remote.php/dav
    volumes:
      - nextcloud_data:/var/www/html:z,ro
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    restart: unless-stopped

  db:
    image: mariadb:10.11
    container_name: mariadb-database
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    networks:
      - nextcloud_network
    volumes:
      - db_data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD
      - MYSQL_USER
      - MYSQL_PASSWORD
      - MYSQL_DATABASE
    restart: unless-stopped

  redis:
    image: redis:alpine
    container_name: redis-dbcache
    networks:
      - nextcloud_network
    restart: unless-stopped

  nextcloud:
    image: nextcloud:stable-fpm
    container_name: nextcloud-app
    networks:
      - nextcloud_network
    volumes:
      - nextcloud_data:/var/www/html:z
      - ./php-fpm-www.conf:/usr/local/etc/php-fpm.d/www.conf:ro
    environment:
      - MYSQL_USER
      - MYSQL_PASSWORD
      - MYSQL_DATABASE
      - MYSQL_HOST
      - REDIS_HOST
      - OVERWRITEPROTOCOL
      - OVERWRITEHOST
      - TRUSTED_PROXIES
      - APACHE_DISABLE_REWRITE_IP
    restart: unless-stopped
    depends_on:
      - caddy
      - db
      - redis

  cron:
    image: nextcloud:stable-fpm
    container_name: nextcloud-cron
    networks:
      - nextcloud_network
    volumes:
      - nextcloud_data:/var/www/html:z
    entrypoint: /cron.sh
    restart: unless-stopped
    depends_on:
      - db
      - redis

networks:
  nextcloud_network:
    external: true

volumes:
  caddy_data: {}
  db_data: {}
  nextcloud_data: {}

Here is the .env file, with replaced passwords:

MYSQL_ROOT_PASSWORD="passroot"
MYSQL_USER=nextcloud
MYSQL_PASSWORD="passnc"
MYSQL_DATABASE=nextcloud
MYSQL_HOST=db
REDIS_HOST=redis
OVERWRITEPROTOCOL=https
TRUSTED_PROXIES=caddy
APACHE_DISABLE_REWRITE_IP=1
OVERWRITEHOST=nextcloud.domain.de

And the nginx.conf, as in the tutorial:

worker_processes auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;
    server_tokens   off;
    keepalive_timeout  65;
    #gzip  on;

    upstream php-handler {
        server nextcloud:9000;
    }

    server {
        listen 80;
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;

        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        add_header Referrer-Policy                      "no-referrer"       always;
        add_header X-Content-Type-Options               "nosniff"           always;
        add_header X-Download-Options                   "noopen"            always;
        add_header X-Frame-Options                      "SAMEORIGIN"        always;
        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
        add_header X-Robots-Tag                         "noindex, nofollow" always;
        add_header X-XSS-Protection                     "1; mode=block"     always;

        fastcgi_hide_header X-Powered-By;
        root /var/www/html;
        index index.php index.html /index.php$request_uri;

        location = / {
            if ( $http_user_agent ~ ^DavClnt ) {
                return 302 /remote.php/webdav/$is_args$args;
            }
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

        location ~ \.php(?:$|/) {
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            #fastcgi_param HTTPS on;

            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;

            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }

        location ~ \.(?:css|js|svg|gif)$ {
            try_files $uri /index.php$request_uri;
            expires 6M;
            access_log off;
        }

        location ~ \.woff2?$ {
            try_files $uri /index.php$request_uri;
            expires 7d;
            access_log off;
        }

        location /remote {
            return 301 /remote.php$request_uri;
        }

        location / {
            try_files $uri $uri/ /index.php$request_uri;
        }
    }
}

And the php-fpm-www.conf, as in the tutorial:

user = www-data
group = www-data
pm = dynamic
pm.max_children = 281
pm.start_servers = 140
pm.min_spare_servers = 93
pm.max_spare_servers = 187

These are all the configuration files the service should need according to the tutorial.

Now the nginx:alpine log (nextcloud-web), with my public IP address replaced with "public_ipv4":

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
172.19.0.3 - - [10/Feb/2024:20:46:44 +0000] "GET /.git/config HTTP/1.1" 404 146 "-" "SEC-SGHX820/1.0 NetFront/3.2 Profile/MIDP-2.0 Configuration/CLDC-1.1" "193.32.162.87"
172.19.0.3 - - [10/Feb/2024:22:51:47 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [10/Feb/2024:22:51:47 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [10/Feb/2024:22:51:47 +0000] "GET / HTTP/1.1" 200 1684 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36" "147.135.244.204"
172.19.0.3 - - [10/Feb/2024:22:52:02 +0000] "GET /apps/theming/img/background/kamil-porembinski-clouds.jpg HTTP/1.1" 200 190294 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36" "147.135.244.204"
172.19.0.3 - - [11/Feb/2024:01:32:56 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:01:32:56 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:01:32:56 +0000] "GET / HTTP/1.1" 200 1685 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "162.142.125.11"
172.19.0.3 - - [11/Feb/2024:01:32:57 +0000] "GET /core/img/favicon.ico HTTP/1.1" 200 732 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "162.142.125.11"
172.19.0.3 - - [11/Feb/2024:01:32:58 +0000] "GET /core/img/favicon-touch.png HTTP/1.1" 200 2553 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "162.142.125.11"
172.19.0.3 - - [11/Feb/2024:01:32:58 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:01:32:58 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:01:32:58 +0000] "GET /favicon.ico HTTP/1.1" 200 1684 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "162.142.125.11"
172.19.0.3 - - [11/Feb/2024:02:03:38 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:02:03:38 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:02:03:38 +0000] "GET / HTTP/1.1" 200 1684 "-" "Mozilla/5.0 (X11; Linux i686; rv:109.0) Gecko/20100101 Firefox/120.0" "104.166.80.213"
172.19.0.3 - - [11/Feb/2024:02:14:27 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:02:14:27 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:02:14:27 +0000] "GET / HTTP/1.1" 200 1681 "-" "Go-http-client/1.1" "45.56.105.229"
172.19.0.3 - - [11/Feb/2024:03:38:07 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:03:38:07 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:03:38:07 +0000] "GET / HTTP/1.1" 200 1681 "-" "Mozilla/5.0 (X11; Linux i686; rv:109.0) Gecko/20100101 Firefox/120.0" "104.166.80.102"
172.19.0.3 - - [11/Feb/2024:03:38:08 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:03:38:08 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:03:38:08 +0000] "GET / HTTP/1.1" 200 1684 "-" "Mozilla/5.0 (X11; Linux i686; rv:109.0) Gecko/20100101 Firefox/120.0" "104.166.80.102"
172.19.0.3 - - [11/Feb/2024:03:38:10 +0000] "GET /apps/theming/img/background/kamil-porembinski-clouds.jpg HTTP/1.1" 200 190294 "-" "Mozilla/5.0 (X11; Linux i686; rv:109.0) Gecko/20100101 Firefox/120.0" "104.166.80.102"
172.19.0.3 - - [11/Feb/2024:03:38:13 +0000] "GET /core/img/favicon-touch.png HTTP/1.1" 200 2553 "-" "Mozilla/5.0 (X11; Linux i686; rv:109.0) Gecko/20100101 Firefox/120.0" "104.166.80.102"
172.19.0.3 - - [11/Feb/2024:03:38:13 +0000] "GET /core/img/favicon.ico HTTP/1.1" 200 732 "-" "Mozilla/5.0 (X11; Linux i686; rv:109.0) Gecko/20100101 Firefox/120.0" "104.166.80.102"
172.19.0.3 - - [11/Feb/2024:06:38:17 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:06:38:17 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:06:38:17 +0000] "GET / HTTP/1.1" 200 1683 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "199.45.155.17"
172.19.0.3 - - [11/Feb/2024:06:38:20 +0000] "GET /core/img/favicon.ico HTTP/1.1" 200 732 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "199.45.155.17"
172.19.0.3 - - [11/Feb/2024:06:38:21 +0000] "GET /core/img/favicon-touch.png HTTP/1.1" 200 2553 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "199.45.155.17"
172.19.0.3 - - [11/Feb/2024:06:38:23 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:06:38:23 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:06:38:23 +0000] "GET /favicon.ico HTTP/1.1" 200 1684 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "199.45.155.17"
172.19.0.3 - - [11/Feb/2024:07:02:37 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:07:02:37 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:07:02:37 +0000] "GET / HTTP/1.1" 200 1686 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "159.89.52.185"
172.19.0.3 - - [11/Feb/2024:16:59:53 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:16:59:53 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:16:59:53 +0000] "GET / HTTP/1.1" 200 1691 "-" "Mozilla/5.0 (compatible; InternetMeasurement/1.0; +https://internet-measurement.com/)" "87.236.176.157"
172.19.0.3 - - [11/Feb/2024:16:59:54 +0000] "GET /core/img/favicon.ico HTTP/1.1" 200 732 "-" "Mozilla/5.0 (compatible; InternetMeasurement/1.0; +https://internet-measurement.com/)" "87.236.176.13"
172.19.0.3 - - [11/Feb/2024:16:59:54 +0000] "GET /core/img/favicon-touch.png HTTP/1.1" 200 2553 "-" "Mozilla/5.0 (compatible; InternetMeasurement/1.0; +https://internet-measurement.com/)" "87.236.176.195"
172.19.0.3 - - [11/Feb/2024:18:17:43 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:17:43 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:17:43 +0000] "GET / HTTP/1.1" 200 1682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36" "176.53.219.93"
172.19.0.3 - - [11/Feb/2024:18:17:48 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:17:48 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:17:48 +0000] "GET / HTTP/1.1" 200 1686 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36" "176.53.217.129"
172.19.0.3 - - [11/Feb/2024:18:17:49 +0000] "GET /core/img/favicon.ico HTTP/1.1" 200 732 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36" "176.53.218.171"
172.19.0.3 - - [11/Feb/2024:18:17:50 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:17:50 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:17:50 +0000] "GET /favicon.ico HTTP/1.1" 200 1683 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36" "176.53.217.129"
172.19.0.3 - - [11/Feb/2024:18:17:51 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:17:51 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:17:51 +0000] "GET /favicon.ico HTTP/1.1" 200 1688 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36" "176.53.218.171"
172.19.0.3 - - [11/Feb/2024:18:17:52 +0000] "GET /core/img/favicon-touch.png HTTP/1.1" 200 2553 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36" "89.104.100.30"
172.19.0.3 - - [11/Feb/2024:18:46:05 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:46:06 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:46:06 +0000] "GET / HTTP/1.1" 200 1683 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.7.0" "104.238.38.31"
172.19.0.3 - - [11/Feb/2024:18:56:08 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:56:08 +0000] "GET /data/htaccesstest.txt HTTP/1.1" 404 146 "-" "Nextcloud Server Crawler" "public_ipv4"
172.19.0.3 - - [11/Feb/2024:18:56:08 +0000] "GET / HTTP/1.1" 200 1682 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/116.0.5845.140 Safari/537.36" "35.203.242.192"
172.19.0.3 - - [11/Feb/2024:18:56:10 +0000] "GET /apps/theming/img/background/kamil-porembinski-clouds.jpg HTTP/1.1" 200 190294 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/116.0.5845.140 Safari/537.36" "35.203.242.192"

And I think I misread the name due to a column break; the first one I sent was nextcloud-cron, and this is nextcloud-app:

Configuring Redis as session handler
=> Searching for scripts (*.sh) to run, located in the folder: /docker-entrypoint-hooks.d/before-starting
[10-Feb-2024 15:06:10] NOTICE: fpm is running, pid 1
[10-Feb-2024 15:06:10] NOTICE: ready to handle connections
172.19.0.7 -  10/Feb/2024:22:51:47 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:01:32:56 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:01:32:58 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:02:03:37 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:02:14:26 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:03:38:07 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:03:38:08 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:06:38:17 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:06:38:23 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:07:02:36 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:16:59:53 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:18:17:42 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:18:17:48 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:18:17:50 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:18:17:51 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:18:46:05 +0000 "GET /index.php" 200
172.19.0.7 -  11/Feb/2024:18:56:08 +0000 "GET /index.php" 200

As stated in the first docker ps results, these are the running container names from the config:
nextcloud-web, nextcloud-app, nextcloud-cron, reverse-proxy, mariadb-databa, redis-dbcache

Since I ran it via Docker Compose, I don’t know where any files are stored, other than the configs.

How do I further check the certificate of Caddy?

Please familiarize yourself with the technologies you use. Otherwise you will fail to complete important steps, e.g. backup, with clear results!

See Volumes | Docker Docs

Same as above. I see one can supply an ACME provider as a Docker label, but it seems there is some default: caddy-docker-proxy/examples/standalone.yaml at master · lucaslorentz/caddy-docker-proxy · GitHub. You will likely find an answer here: Automatic HTTPS — Caddy Documentation

Ok, this is what I have now additionally, but I still have no clue where the problem is.
Checking firewall ports with “iptables -L -n” shows:

		Chain DOCKER (3 references)
			target     prot opt source               destination         
			ACCEPT     6    --  0.0.0.0/0            172.18.0.2           tcp dpt:80
			ACCEPT     17   --  0.0.0.0/0            172.18.0.2           udp dpt:67
			ACCEPT     6    --  0.0.0.0/0            172.18.0.2           tcp dpt:53
			ACCEPT     6    --  0.0.0.0/0            172.19.0.2           tcp dpt:443
			ACCEPT     17   --  0.0.0.0/0            172.18.0.2           udp dpt:53
			ACCEPT     6    --  0.0.0.0/0            172.19.0.2           tcp dpt:80

and “docker network inspect nextcloud_network” (with shortened additions at the end):

	"Name": "nextcloud_network",
        "Id": "c5393474a4c8edba72c06cab1db7bfc9279176cc398cf75a649d6be986bf322f",
        "Created": "2024-02-08T10:37:35.437443497+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.19.0.0/16",
                    "Gateway": "172.19.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "70c2271e6c30940706b332d074e6ce392ad34774686b66d6e444d524aeb56123": {
                "Name": "reverse-proxy",
                "EndpointID": "48924f081ce35e15a84767e980fe012a381371b1cda5cf1b7db8fbec886cb88c",
                "MacAddress": "02:42:ac:13:00:02",
                "IPv4Address": "172.19.0.2/16",
                "IPv6Address": ""
            },
            "bafdc2f8b9c949e30983dbed7834c335f6a81c6f89c90fe21d69f47759080675": {
                "Name": "nextcloud-web",
                "EndpointID": "4b229ea1ecdcaedf1f3b7af49c7cd37e9897eb03e7139c6b30fe4d5342b4a6c2",
                "MacAddress": "02:42:ac:13:00:06",
                "IPv4Address": "172.19.0.6/16",
                "IPv6Address": ""
            },
			//nextcloud-cron(172.19.0.4/16), nextcloud-app(172.19.0.3/16), redis-dbcache (172.19.0.5/16), mariadb-database (172.19.0.7/16)

Further, “docker logs reverse-proxy” successfully upstreams to nextcloud-web:
		{"level":"info","ts":1707913915.985307,"logger":"docker-proxy","msg":"New Config JSON","json":"{\"apps\":{\"http\":{\"servers\":{\"srv0\":{\"listen\":[\":443\"],\"routes\":[{\"match\":[{\"host\":[\"nextcloud.domain.de\"]}],\"handle\":[{\"handler\":\"subroute\",\"routes\":[{\"handle\":[{\"handler\":\"headers\",\"response\":{\"set\":{\"Strict-Transport-Security\":[\"max-age=15552000;\"]}}}],\"match\":[{\"path\":[\"/*\"]}]},{\"group\":\"group0\",\"handle\":[{\"handler\":\"rewrite\",\"uri\":\"/remote.php/dav\"}],\"match\":[{\"path\":[\"/.well-known/acme-challenge/\"]}]},{\"group\":\"group0\",\"handle\":[{\"handler\":\"rewrite\",\"uri\":\"/index.php/.well-known/webfinger\"}],\"match\":[{\"path\":[\"/.well-known/webfinger\"]}]},{\"group\":\"group0\",\"handle\":[{\"handler\":\"rewrite\",\"uri\":\"/index.php/.well-known/nodeinfo\"}],\"match\":[{\"path\":[\"/.well-known/nodeinfo\"]}]},{\"group\":\"group0\",\"handle\":[{\"handler\":\"rewrite\",\"uri\":\"/remote.php/dav\"}],\"match\":[{\"path\":[\"/.well-known/carddav\"]}]},{\"group\":\"group0\",\"handle\":[{\"handler\":\"rewrite\",\"uri\":\"/remote.php/dav\"}],\"match\":[{\"path\":[\"/.well-known/caldav\"]}]},{\"handle\":[{\"handler\":\"reverse_proxy\",\"upstreams\":[{\"dial\":\"172.19.0.6:80\"}]}]}]}],\"terminal\":true}]}}}}}"}

Inspecting the certificate “/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/nextcloud.domain.de # openssl x509 -in nextcloud.domain.de.crt -text -noout” results in a valid output:

		Certificate:
			Data:
				Version: 3 (0x2)
				Serial Number:
					"placeholder"
				Signature Algorithm: sha256WithRSAEncryption
				Issuer: C = US, O = Let's Encrypt, CN = R3
				Validity
					Not Before: Feb  9 23:21:24 2024 GMT
					Not After : May  9 23:21:23 2024 GMT
				Subject: CN = nextcloud.domain.de
				Subject Public Key Info:
					Public Key Algorithm: id-ecPublicKey
						Public-Key: (256 bit)
						pub:
							pub:key:placeholder
						ASN1 OID: prime256v1
						NIST CURVE: P-256
				X509v3 extensions:
					X509v3 Key Usage: critical
						Digital Signature
					X509v3 Extended Key Usage: 
						TLS Web Server Authentication, TLS Web Client Authentication
					X509v3 Basic Constraints: critical
						CA:FALSE
					X509v3 Subject Key Identifier: 
						03:58:89:04:8C:2B:83:E5:1D:13:A8:4B:61:0C:67:A7:87:0C:FD:37
					X509v3 Authority Key Identifier: 
						14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
					Authority Information Access: 
						OCSP - URI:http://r3.o.lencr.org
						CA Issuers - URI:http://r3.i.lencr.org/
					X509v3 Subject Alternative Name: 
						DNS:nextcloud.domain.de
					X509v3 Certificate Policies: 
						Policy: 2.23.140.1.2.1
					CT Precertificate SCTs: 
						Signed Certificate Timestamp:
							Version   : v1 (0x0)
							Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
										1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
							Timestamp : Feb 10 00:21:24.743 2024 GMT
							Extensions: none
							Signature : ecdsa-with-SHA256
										30:45:02:21:00:B0:9F:6B:03:E2:55:34:71:E0:3E:B3:
										D9:BD:3A:10:96:D2:57:D9:76:24:F6:2C:69:98:49:1F:
										D2:FF:0C:BD:7B:02:20:48:03:E2:37:1E:95:59:E4:71:
										42:30:89:36:F1:2D:35:30:6B:75:E9:07:96:DE:87:4F:
										4E:97:A9:F1:97:AC:C1
						Signed Certificate Timestamp:
							Version   : v1 (0x0)
							Log ID    : 3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:
										67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17
							Timestamp : Feb 10 00:21:25.217 2024 GMT
							Extensions: none
							Signature : ecdsa-with-SHA256
										30:45:02:20:44:ED:6A:C5:7D:88:4B:8E:B1:0C:7C:0C:
										CD:F1:B0:6D:F8:9E:A1:66:4A:7D:98:10:5B:6B:88:14:
										AE:1D:64:87:02:21:00:E3:08:A0:3D:CC:BD:89:E8:17:
										DF:B2:59:0A:B6:24:D0:8F:AB:02:9A:47:D3:EA:08:8C:
										6C:1B:D6:E2:E2:68:89
			Signature Algorithm: sha256WithRSAEncryption
			Signature Value:
				23:5e:28:45:19:2d:a4:80:f0:41:27:9a:9e:ab:3e:e7:04:b0:
				4d:7c:9d:f3:12:2f:d1:9a:6e:d6:72:27:68:a6:56:d1:0d:36:
				3a:11:37:64:90:43:88:ab:d8:23:ad:fb:55:c0:5b:b9:d1:80:
				4c:d2:a6:1d:79:2a:d9:5e:6c:33:74:12:ad:3a:9c:dd:e1:b8:
				68:fc:21:d6:78:ac:6a:ca:44:e5:da:6b:a6:8d:95:7a:cb:02:
				58:11:c6:88:88:ae:49:83:c6:ff:c6:e3:e9:f2:e7:85:d0:57:
				4c:53:65:64:96:ca:e2:90:be:79:fc:5c:33:1d:1e:df:3b:ce:
				03:3a:f3:3e:9e:a4:a5:8f:3a:c6:ab:0d:ce:34:68:1b:cc:ed:
				a2:c3:60:b2:8f:f8:a1:b9:30:8d:50:7c:8f:b2:0b:0f:59:1b:
				44:ca:8f:f7:8f:b7:94:3d:ea:e5:b3:ad:f7:c9:2c:68:11:9b:
				3a:a9:85:e7:29:c3:3a:a1:7f:ff:d1:9d:6d:c8:83:89:1d:95:
				4f:1c:cf:9b:4b:b8:e1:4d:1f:2e:32:92:57:aa:70:d5:5d:94:
				44:ce:1b:bb:24:80:65:30:07:e5:98:77:d5:04:0d:93:93:2a:
				86:89:65:68:a9:49:88:cd:7f:9c:f1:7c:d0:c0:74:28:e4:d6:
				91:34:0e:34

Then I tried to check the HTTPS connection of the Docker network with "tcpdump -i br-c5393474a4c8 -n port 443", which shows a LAN connection attempt to the server's IPv4 address that is indeed forwarded to the Docker network.

		dropped privs to tcpdump
		tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
		listening on br-c5393474a4c8, link-type EN10MB (Ethernet), snapshot length 262144 bytes
		14:44:07.589334 IP 192.168.178.98.49206 > 172.19.0.7.https: Flags [S], seq 2485731885, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
		14:44:07.589455 IP 172.19.0.7.https > 192.168.178.98.49206: Flags [S.], seq 3586840896, ack 2485731886, win 32120, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
		14:44:07.592798 IP 192.168.178.98.49206 > 172.19.0.7.https: Flags [.], ack 1, win 1026, length 0
		14:44:07.592830 IP 192.168.178.98.49206 > 172.19.0.7.https: Flags [P.], seq 1:640, ack 1, win 1026, length 639
		14:44:07.592964 IP 172.19.0.7.https > 192.168.178.98.49206: Flags [.], ack 640, win 246, length 0
		14:44:07.594626 IP 172.19.0.7.https > 192.168.178.98.49206: Flags [P.], seq 1:8, ack 640, win 246, length 7
		14:44:07.594742 IP 172.19.0.7.https > 192.168.178.98.49206: Flags [F.], seq 8, ack 640, win 246, length 0
		14:44:07.596844 IP 192.168.178.98.49206 > 172.19.0.7.https: Flags [.], ack 9, win 1026, length 0
		14:44:07.597486 IP 192.168.178.98.49206 > 172.19.0.7.https: Flags [F.], seq 640, ack 9, win 1026, length 0
		14:44:07.597525 IP 172.19.0.7.https > 192.168.178.98.49206: Flags [.], ack 641, win 246, length 0

The nextcloud.log in nextcloud-app shows an exception, which I don’t know how to handle:

{"reqId":"RrmfGxaSyiqMx7NpVxCF","level":3,"time":"2024-02-14T22:20:00+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Exception thrown: Exception","userAgent":"--","version":"","exception":{"Exception":"Exception","Message":"Not installed","Code":0,"Trace":[{"file":"/var/www/html/lib/base.php","line":709,"function":"checkInstalled","class":"OC","type":"::","args":[["OC\\SystemConfig"]]},{"file":"/var/www/html/lib/base.php","line":1196,"function":"init","class":"OC","type":"::","args":[]},{"file":"/var/www/html/cron.php","line":43,"args":["/var/www/html/lib/base.php"],"function":"require_once"}],"File":"/var/www/html/lib/base.php","Line":283,"CustomMessage":"Exception thrown: Exception"}}

I hope there is an entry point here on what to solve. I am a bit lost on what to do next. I very much appreciate your efforts.
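
Added example, not part of the original posts: in the capture above the server answers the client's 639-byte message with 7 bytes and then closes, and 7 bytes is exactly the size of a plaintext TLS alert record (5-byte header plus level and description). The sketch below flags that pattern in tcpdump text output and decodes an alert record; the alert bytes are constructed to match the SSL_ERROR_INTERNAL_ERROR_ALERT the browser reported, and the function names are hypothetical.

```python
import re

# Subset of alert descriptions from RFC 8446, section 6.
ALERTS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version",
          80: "internal_error", 112: "unrecognized_name"}
LEVELS = {1: "warning", 2: "fatal"}

def decode_alert(record: bytes):
    """Decode a plaintext TLS alert record; return (level, description) or None."""
    if len(record) != 7 or record[0] != 21:       # 21 = alert content type
        return None
    if int.from_bytes(record[3:5], "big") != 2:   # plaintext alert body is 2 bytes
        return None
    return (LEVELS.get(record[5], "unknown"),
            ALERTS.get(record[6], f"alert_{record[6]}"))

PKT = re.compile(r"IP (\S+)\.(\w+) > (\S+)\.(\w+): Flags \[([^\]]+)\].*length (\d+)")

def aborted_handshakes(lines, port="https"):
    """Flows where the server's first payload is 7 bytes and it then sends FIN."""
    first_payload, flagged = {}, []
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags, length = m.groups()
        if sport != port:                 # keep server-to-client packets only
            continue
        flow = (src, dst, dport)
        if int(length) > 0:
            first_payload.setdefault(flow, int(length))
        if "F" in flags and first_payload.get(flow) == 7 and flow not in flagged:
            flagged.append(flow)
    return flagged

# Three lines copied from the capture above.
CAPTURE = [
    "14:44:07.592830 IP 192.168.178.98.49206 > 172.19.0.7.https: Flags [P.], seq 1:640, ack 1, win 1026, length 639",
    "14:44:07.594626 IP 172.19.0.7.https > 192.168.178.98.49206: Flags [P.], seq 1:8, ack 640, win 246, length 7",
    "14:44:07.594742 IP 172.19.0.7.https > 192.168.178.98.49206: Flags [F.], seq 8, ack 640, win 246, length 0",
]
# Constructed bytes: alert record, record version 0x0303, fatal, description 80.
SAMPLE_ALERT = bytes.fromhex("15030300020250")

if __name__ == "__main__":
    print(aborted_handshakes(CAPTURE))
    print(decode_alert(SAMPLE_ALERT))
```

To see the real alert bytes instead of the constructed ones, rerun the capture with `-X` so tcpdump prints the payload.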

I am wondering about this statement. It sounds like your Caddy acts as a load balancer rather than an RP. If you run an application behind a reverse proxy, the connection must end on the RP and a new connection must go to the application. But this only happens if the RP certificate matches, which never happens in the case of a tcpdump connection.

The right way to test the HTTPS connection would be to run curl https://nextcloud.domain.de (or wget), which natively handles HTTPS and sets up the TLS connection as well. I would run this command from the host system or, even better, from another system… After running this command there must be some trace in the Caddy logs: the incoming request, whether the right route was used and the certificate works, and if and where this request was finally forwarded to.

Thank you very much for your help. After running the curl command directly against my domain name from my PC, I actually got an HTTP response, not from the server, but from my router's GUI. From there on I could figure out that:

  • I had to clear the cache of my main browser, since another browser showed the router GUI
  • I refreshed my A record on name.com to my router and also added the AAAA record to be safe
  • Most importantly, I had to add an exception for my domain name to the DNS-Rebind-Protection in my router