"Domain does not point to this server or reverse proxy not configured correctly."

Sorry, no idea what the problem could be then…

I can only point towards all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub

I keep getting the same error when trying to setup Nextcloud AIO at home on a Proxmox VM behind a pfSense Firewall.

I setup NAT for ports 80, 443, 8080 and 8443 and verified that all are working correctly and are reachable from outside before starting the AIO docker containers.

The AIO interface is reachable just fine, but when I enter a DNS name of which I know that it should be working (because I tested it with the 4 mentioned ports) and click submit, I also get “Domain does not point to this server or reverse proxy not configured correctly.”

Also setting up a Caddy Reverse Proxy on the Proxmox VM (with the different ports for the container) doesn’t seem to help …

Is it related to the NAT? Any clues why it doesn’t work?

Hello, did you follow all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub?

Yes, sure. Can’t figure out what could be wrong. Testing it on a Hetzner box works just charmingly well, but there is no NAT in between (and I definitely want to have this onprem) … so could NAT be a reason?

May it help if I configure a reverse proxy on my pfSense to get rid of the NAT?

Maybe to clarify one very basic thing: my understanding is that in my pfSense scenario, if I NAT all required ports to the right internal IP (and carefully confirmed that all of those NAT rules + DNS are working and routing packets where they are supposed to go), I shouldn’t even need a reverse proxy, right?

Or am I missing something?

The reverse proxy is not needed if you have port 443 available…
But if you already run a service in the same network that uses this port, you will need a reverse proxy…

Hi Szaimen, many thanks for your reply and confirmation!

So I would assume this should work … here is what I did:

Launching HTTP Server on my onprem Proxmox Box Port 80 to verify NAT:

$ echo works > test.txt
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

On an external Hetzner Box (to test the connection from the outside world through my NAT)

$ curl <my.dyndns.domain>:80/test.txt
works

Seeing the incoming request on python3 http.server:

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
116.xxx.xxx.xxx - - [13/May/2022 16:26:16] "GET /test.txt HTTP/1.1" 200 –

=> Same result for port 443 and 8443, so all ports work.

Yet when I follow the default AIO install guide (from GitHub - nextcloud/all-in-one: Nextcloud AIO stands for Nextcloud All In One and provides easy deployment and maintenance with most features included in this one Nextcloud instance.) until I can access the AIO Interface, type <my.dyndns.domain> into the “New AIO instance” field and hit submit, it fails and I receive the following error:

Ports are there, DNS is working. What else could be missing here?

How can I further troubleshoot?

Are you trying to run AIO behind a reverse proxy or “natively”?

Natively, no reverse proxy. Just NAT rules for the ports 80/443 and 8443.

Okay, then opening port 443 in your firewall/router and pointing to the VM that is running AIO should indeed work if you configured these things and the domain correctly…

Can you post the logs of the mastercontainer here (from right after you try to enter your domain)?
sudo docker logs nextcloud-aio-mastercontainer

Hm, thought so … any advice on where to check why it doesn’t work? Is there a helpful logfile inside any container which could show how the check is done and why it fails?

FYI I also already tried setting up a caddy reverse-proxy on the VM (following instructions of all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub), but the result was exactly the same error.

Yes, maybe the mastercontainer logs. See above.

Maybe, can you also run sudo docker ps?

These are all the checks that are done. It fails at the last one.
https://github.com/nextcloud/all-in-one/blob/f07f1e1deb06c64bfe77a46a89ed71992151c889/php/src/Data/ConfigurationManager.php#L191-L235
Could have multiple reasons why it does not work for you…

Many thanks!! That’s very helpful! I’ll need to dust off my php-skills a bit but I’m quite determined to make it work! I’m running a manually installed bare-metal-no-containers-installation of nextcloud since probably >5 years and maintaining it becomes a pain. No office, no Talk but still lots of errors+warnings and time-intensive fixing … so having this all in containers running out of the box and maintained by someone else is very promising :smiley:

I’ll come back once I find out but it might take a while … already have plans for the weekend

Meanwhile here are the logs you asked for:

On Startup:

# docker run -it \
--name nextcloud-aio-mastercontainer \
--restart always \
-p 80:80 \
-p 8080:8080 \
-p 8443:8443 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest
Unable to find image 'nextcloud/all-in-one:latest' locally
latest: Pulling from nextcloud/all-in-one
1fe172e4850f: Pull complete
012a3732d045: Pull complete
43092314d50d: Pull complete
[...]
f767f4a835ed: Pull complete
Digest: sha256:691dee1c23545d5eb79d6d146334676a37d13d3d57b8c2d0556122d709010144
Status: Downloaded newer image for nextcloud/all-in-one:latest
Trying to fix docker.sock permissions internally...
Creating docker group internally with id 999
Generating a RSA private key
.......................................................................................................................................++++
..................................................................++++
writing new private key to './ssl.key'
-----
Initial startup of Nextcloud All In One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatially by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
2022-05-13 18:16:19,740 CRIT Supervisor is running as root.  Privileges were not dropped because no user is specified in the config file.  If you intend to run as root, you can set user=root in the config file to avoid this message.
{"level":"info","ts":1652465780.7693746,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
{"level":"warn","ts":1652465780.770563,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/Caddyfile","line":2}
{"level":"info","ts":1652465780.7714348,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"warn","ts":1652465780.7715368,"logger":"http","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv0"}
{"level":"info","ts":1652465780.7717903,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004231f0"}
{"level":"warn","ts":1652465780.7721066,"logger":"tls","msg":"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place","docs":"https://caddyserver.com/docs/automatic-https#on-demand-tls"}
{"level":"info","ts":1652465780.772456,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/mnt/docker-aio-config/caddy/"}
{"level":"info","ts":1652465780.7725778,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"error","ts":1652465780.7725816,"msg":"unable to create folder for config autosave","dir":"/var/www/.config/caddy","error":"mkdir /var/www/.config: permission denied"}
{"level":"info","ts":1652465780.7728271,"msg":"serving initial configuration"}
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Fri May 13 18:16:20.781539 2022] [ssl:warn] [pid 102] AH01906: 172.17.0.2:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 13 18:16:20.781578 2022] [ssl:warn] [pid 102] AH01909: 172.17.0.2:8080:0 server certificate does NOT include an ID which matches the server name
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Fri May 13 18:16:20.797877 2022] [ssl:warn] [pid 102] AH01906: 172.17.0.2:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 13 18:16:20.797890 2022] [ssl:warn] [pid 102] AH01909: 172.17.0.2:8080:0 server certificate does NOT include an ID which matches the server name
[Fri May 13 18:16:20.799836 2022] [mpm_prefork:notice] [pid 102] AH00163: Apache/2.4.53 (Debian) PHP/8.0.18 OpenSSL/1.1.1n configured -- resuming normal operations
[Fri May 13 18:16:20.799855 2022] [core:notice] [pid 102] AH00094: Command line: 'apache2 -D FOREGROUND'

docker ps

# docker ps
CONTAINER ID   IMAGE                              COMMAND                  CREATED              STATUS              PORTS                                                                                                                     NAMES
c516d14cf22b   nextcloud/aio-domaincheck:latest   "/start.sh"              About a minute ago   Up About a minute   0.0.0.0:443->443/tcp, :::443->443/tcp                                                                                     nextcloud-aio-domaincheck
66a17512c127   nextcloud/all-in-one:latest        "start.sh /usr/bin/s…"   2 minutes ago        Up 2 minutes        0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp, 0.0.0.0:8443->8443/tcp, :::8443->8443/tcp   nextcloud-aio-mastercontainer

On each Verification of the DNS Name

172.17.0.2:8000 localhost - - [13/May/2022:18:18:49 +0000] "POST /api/configuration HTTP/1.1" 422 437 "https://<Proxmox VM internal LAN IP>:8080/containers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36"
localhost - - [13/May/2022:18:18:49 +0000] "POST /api/configuration HTTP/1.1" 422 437 "https://<Proxmox VM internal LAN IP>:8080/containers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36"
172.17.0.2:8080 <Client hostname> - - [13/May/2022:18:18:49 +0000] "POST /api/configuration HTTP/1.1" 422 970 "https://<Proxmox VM internal LAN IP>:8080/containers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36"
<Client hostname> - - [13/May/2022:18:18:49 +0000] "POST /api/configuration HTTP/1.1" 422 970 "https://<Proxmox VM internal LAN IP>:8080/containers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36"

This looks all good! I still suspect an issue with your firewall/port-forwarding/dns-config…

You could e.g. try if port 443 is open for your domain…

I see now what the problem may be. You need to run the VM in Bridged Mode and not in NAT mode to be able to address the VM directly and not the host. Then you need to open port 443 in your router for this VM.

Hm, not sure what leads you to this conclusion, but that is not the case. The VM is bridged and has a LAN IP which I can reach from my other devices and which the firewall can also route packets to (else the test from the external Hetzner Server wouldn’t have worked).

Interfaces on the VM:

  IPv4 address for br-c4dcc41a6d34: 172.18.0.1 <- docker related
  IPv4 address for docker0:         172.17.0.1 <- docker related
  IPv4 address for ens18:           192.168.xxx.xxx  <- bridged LAN interface

Still many thanks for your input though! Highly appreciated!

Okay, so you opened port 443 for this ip-address 192.168.xxx.xxx in your router?
And the domain does really point to your server?

Then maybe the VM has the firewall active?

Yes to the first 2 questions, but no to the firewall. That’s why I don’t understand it as well.

The curl test from an external IP to a service on the VM is an end-to-end test which proves that from an “infrastructure perspective” all components are working as they should. DNS, NAT, Firewall … else I wouldn’t be able to retrieve the dummy test.txt with my external Hetzner Server from my Proxmox VM behind the NAT … In theory all I did afterwards is to exchange this dummy python http server against whatever docker is spawning … so I really wonder where the problem is and am keen on analyzing the code (tomorrow evening probably :slight_smile: )

Thanks for your input so far!
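An added example for the list of checks linked above and for the end-to-end reasoning in the last post; it is written for this thread and is not the AIO project's code. It walks the same stages the linked ConfigurationManager.php runs as I read it (domain syntax, DNS result, port 443 reachable, body of https://domain:443 equal to the domaincheck container's token), and it assumes the check is executed from the mastercontainer's own network position, which is why a curl from an external box can pass while this check fails; the token, resolver, port probe and fetch are parameters so each stage can be exercised with constructed values.

```python
import ipaddress
import socket
import ssl
import urllib.request

# The final message is the one quoted in the thread; all other strings are constructed labels.
DOMAIN_MISMATCH = "Domain does not point to this server or reverse proxy not configured correctly."
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def resolve_a(domain):  # DNS as seen by the host running the check; None if it does not resolve
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None

def port_443_open(ip):  # bare TCP connect, the stage the thread's NAT test already covers
    try:
        with socket.create_connection((ip, 443), timeout=10):
            return True
    except OSError:
        return False

def fetch_https_body(domain):  # body of https://<domain>:443/, or None if nothing usable answers
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the body is compared, not the certificate: at setup
    ctx.verify_mode = ssl.CERT_NONE  # time there is no valid certificate yet (assumed)
    try:
        with urllib.request.urlopen(f"https://{domain}:443/", context=ctx, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace").strip()
    except (OSError, ValueError):
        return None

def diagnose(domain, expected_token, resolve=resolve_a,
             port_open=port_443_open, fetch=fetch_https_body):
    if "." not in domain or any(c in domain for c in "/: "):
        return "invalid domain: needs a dot and must not contain slashes, colons or spaces"
    ip = resolve(domain)
    if ip is None:
        return "DNS: this host's resolver returns no address for the domain"
    if any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
        return f"DNS: the domain resolves to the local address {ip} here, not to a public one"
    if not port_open(ip):
        return f"port 443 on {ip} is not reachable from this host's network position"
    body = fetch(domain)
    if body != expected_token:
        # Something answered on 443 for the public name, but not the domaincheck container: check what
        # serves https://<domain>:443 from inside the LAN (another service on 443, or a firewall that
        # does not loop LAN traffic for the public IP back to the VM).
        return f"{DOMAIN_MISMATCH} (https://{domain}:443 returned {body!r})"
    return "ok"
```

Run it on the VM itself with the token shown by the domaincheck container; the stage that fails tells you which of DNS, port forwarding or "who answers on 443 from inside" to look at next.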