Docker NextcloudPi reuse Traefik SSL certificate


#1

Hi, I use NextcloudPi docker image with traefik as reverse proxy.
I set traefik up and it stores the certificates in the acme.json file https://docs.traefik.io/user-guide/docker-and-lets-encrypt/.

Now I wonder how to deal with NextcloudPi’s own letsencrypt integration.
How can I disable it so port 443 is not needed?


Do I have to copy the certs out of acme.json into /etc/letsencrypt/ ?


#2

Welcome adnion,
I had a similar situation: I don't know Traefik, but maybe this will work for you too…
I had already run letsencrypt certbot on a debian machine.
I then used this to start my x86 Docker container:

docker run -d -p 4443:4443 -p 443:443 -p 80:80 -v ncdata:/data --name nextcloudpi ownyourbits/nextcloudpi-x86 $sub.domain.tld

I then used

docker exec -it nextcloudpi ncp-config

to run nc-letsencrypt (which failed, as expected, because ports 80/443 are not available; I used DNS to validate. But it ensured that inside the Docker container the path /etc/letsencrypt/live gets created).
I then copied the existing folder holding the cert and key with:

sudo cp -avr /etc/letsencrypt/archive/sub.domain.tld /var/lib/docker/volumes/ncdata/_data/etc/letsencrypt/live/

Edit NC’s apache config to change the name/location of cert and key files:

sudo nano /var/lib/docker/volumes/ncdata/_data/etc/apache2/sites-available/nextcloud.conf

and reload Apache2:

docker exec -it nextcloudpi bash
service apache2 reload


#3

You can also disable HTTPS if you are going to use a reverse proxy with SSL (nc-httpsonly option)


#4

@OliverV
Those are good instructions. Thanks. But it means that you have to copy the certs manually each time they become invalid.

@nachoparker
nc-httpsonly is already disabled. Simply forwarding https to http in traefik doesn’t work for me.

I had no problems in 2018 and I wonder what changed. I only updated some nextcloud apps. The SSL certs are still valid.


#5

I used traefik-certdumper to share the certs with nextcloudpi and it works.
The problem is that port 443 is still needed by apache to do OCSP stapling, which was introduced in nextcloudpi with version v0.46.15.
Did the change make the wiki tutorial ‘How-to-get-certificate-with-Letsencrypt-using-DNS-to-verify-domain’ useless?

I set “SSLUseStapling off” in /etc/apache2/conf-enabled/http2.conf
only to discover another error in the apache2 logs.
Instead of

ssl_stapling_init_cert: can't retrieve issuer certificate!
Unable to configure certificate example.com:443:0 for stapling

now I get

Failed to read FastCGI header
Error dispatching request to :CUSTOM_PORT:
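
The two steps this thread combines, pulling a domain's cert and key out of Traefik's acme.json (what traefik-certdumper does in #5) and dropping them into the /etc/letsencrypt/live/ tree that #2 points Apache at, as an added Python example that is not from any poster here. It assumes the Traefik v1 acme.json layout (Certificates[].Domain.Main/SANs, with base64-encoded PEM in the Certificate and Key fields), uses certbot's fullchain.pem/privkey.pem file names, and checks that the decoded fields really are PEM before writing; the cert and key bodies in demo() are constructed placeholders, not real material.

```python
import base64, json, os, stat, tempfile
from pathlib import Path

# Constructed placeholder PEM bodies (not real key material) used by demo().
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

def find_cert(acme: dict, domain: str) -> tuple[str, bytes, bytes]:
    """Return (main_name, cert_pem, key_pem) for the entry covering domain (Main or SAN)."""
    for entry in acme.get("Certificates") or []:
        dom = entry.get("Domain") or {}
        if domain in [dom.get("Main"), *(dom.get("SANs") or [])]:
            cert = base64.b64decode(entry["Certificate"])
            key = base64.b64decode(entry["Key"])
            # Refuse to write anything that is not PEM; a truncated or half-written
            # acme.json would otherwise leave Apache failing at the next reload.
            if not cert.startswith(b"-----BEGIN CERTIFICATE-----"):
                raise ValueError(f"{domain}: Certificate field is not PEM")
            if b"PRIVATE KEY-----" not in key[:40]:
                raise ValueError(f"{domain}: Key field is not PEM")
            return dom.get("Main") or domain, cert, key
    raise KeyError(f"no certificate covering {domain} in acme.json")

def dump_for_apache(acme_path: str, domain: str, live_dir: str) -> tuple[str, str]:
    """Write live_dir/<Main>/{fullchain.pem,privkey.pem}; the key file is created 0600."""
    with open(acme_path) as fh:
        main, cert, key = find_cert(json.load(fh), domain)
    target = Path(live_dir) / main  # directory named after Main, as certbot does
    target.mkdir(parents=True, exist_ok=True)
    cert_file, key_file = target / "fullchain.pem", target / "privkey.pem"
    cert_file.write_bytes(cert)
    fd = os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    os.chmod(key_file, 0o600)  # tighten if the file pre-existed with a looser mode
    return str(cert_file), str(key_file)

def demo() -> dict:
    """Run the dump against a constructed acme.json in a temp dir and report what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        acme = {"Account": {}, "Certificates": [{
            "Domain": {"Main": "cloud.example.com", "SANs": ["www.example.com"]},
            "Certificate": base64.b64encode(FAKE_CERT).decode(),
            "Key": base64.b64encode(FAKE_KEY).decode()}]}
        acme_path = os.path.join(tmp, "acme.json")
        Path(acme_path).write_text(json.dumps(acme))
        cert_file, key_file = dump_for_apache(acme_path, "www.example.com", os.path.join(tmp, "live"))
        return {"dir": Path(cert_file).parent.name,
                "cert": Path(cert_file).read_bytes(),
                "key_mode": stat.S_IMODE(os.stat(key_file).st_mode)}
```

After writing, reload Apache inside the container as in #2; since these are copies rather than the symlinks #6 describes, rerun the dump whenever Traefik renews.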

#6

Still works for me, but I do have to renew it manually every 90 days though. If you create symbolic links, as does letsencrypt, no need to copy them over, just reload webserver.

NCP is v0.67.11 presently, do you have nc-autoupdate enabled?

Did you ask/consult Traefik forum/docs?


#7

Hi OliverV,

good to know it still works for you with default setting OCSP enabled.
Of course I use the latest NCP version with nc-autoupdate enabled.
I didn’t ask Traefik forums because the same configuration works for other services.
NextcloudPi did work too but something changed.

I just tried ncp-restore with a backup from 2018.12 and it worked!
Restoring my current backup also restores the problems:

login not possible (login window shows up after a few minutes, but login times out)
proxy_fcgi:error The timeout specified has expired. Error dispatching request to :PORT:
Do you have any advice how to further debug this?

Edit: I decided to use my backup instead. Thank you very much for your suggestions.