ERROR: Could not generate /etc/apache2/sites-available/nextcloud.conf from template nextcloud.conf.sh. Rolling back

Hi folks,

After running letsencrypt in “ncp-config” I can no longer access my instance, neither externally nor locally, not even the nextcloudpi panel. I only have SSH access.

What I did:

  1. run letsencrypt
  2. rebooted because the certificate did not work (when trying to connect there is no certificate)

###output of letsencrypt:###


Running letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
Error output from ncp:
Cannot load Zend OPcache - it was already loaded
Cannot load Zend OPcache - it was already loaded

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ncp-nextcloud/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ncp-nextcloud/privkey.pem
   Your cert will expire on 2022-01-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Cannot load Zend OPcache - it was already loaded
Cannot load Zend OPcache - it was already loaded
INFO: Letsencrypt domain is **my.domain.removed.com**
Cannot load Zend OPcache - it was already loaded
INFO: Metrics enabled: no
**ERROR: Could not generate /etc/apache2/sites-available/nextcloud.conf from template nextcloud.conf.sh**. Rolling back...
WARN: my.domain.removed.com will not be included in trusted domains for Nextcloud (maximum reached). It will still be included in the SSL certificate
Cannot load Zend OPcache - it was already loaded
Cannot load Zend OPcache - it was already loaded
System config value trusted_domains => 3 set to string **my.domain.removed.com**
Cannot load Zend OPcache - it was already loaded
System config value overwrite.cli.url set to string https://**my.domain.removed.com**/
Cannot load Zend OPcache - it was already loaded
Done. Press any key...

###/etc/apache2/sites-enabled/ncp.conf:###

Listen 4443
<VirtualHost _default_:4443>
  DocumentRoot /var/www/ncp-web
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/**my.domain.removed.com**/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/**my.domain.removed.com**/privkey.pem
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  </IfModule>

  # 2 days to avoid very big backups requests to timeout
  TimeOut 172800

  <IfModule mod_authnz_external.c>
    DefineExternalAuth pwauth pipe /usr/sbin/pwauth
  </IfModule>

</VirtualHost>
<Directory /var/www/ncp-web/>

  AuthType Basic
  AuthName "ncp-web login"
  AuthBasicProvider external
  AuthExternal pwauth

  SetEnvIf Request_URI "^" noauth
  SetEnvIf Request_URI "^index\.php$" !noauth
  SetEnvIf Request_URI "^/$" !noauth
  SetEnvIf Request_URI "^/wizard/index.php$" !noauth
  SetEnvIf Request_URI "^/wizard/$" !noauth

  <RequireAll>

   <RequireAny>
      Require host localhost
      Require local
      Require ip 192.168
      Require ip 172
      Require ip 10
      Require ip fe80::/10
      Require ip fd00::/8
   </RequireAny>

   <RequireAny>
      Require env noauth

###/etc/apache2/sites-available/nextcloud.conf###

### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    DocumentRoot /var/www/nextcloud
    CustomLog /var/log/apache2/nc-access.log combined
    ErrorLog  /var/log/apache2/nc-error.log
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # For notify_push app in NC21
    ProxyPass /push/ws ws://127.0.0.1:7867/ws
    ProxyPass /push/ http://127.0.0.1:7867/
    ProxyPassReverse /push/ http://127.0.0.1:7867/
  </VirtualHost>

  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    LimitRequestBody 0
    SSLRenegBufferSize 10486000
  </Directory>
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  </IfModule>
</IfModule>

###ncp-report: (when not having access and with the settings shown above, before I tried anything)

NextCloudPi version  v1.40.4
NextCloudPi image    NextCloudPi_11-27-20
distribution         Debian GNU/Linux 10 \n \l
automount            yes
USB devices          sda sdb
datadir              /media/data/ncdata
data in SD           no
data filesystem      btrfs
data disk usage      139G/477G
rootfs usage         5.0G/118G
swapfile             /var/swap
dbdir                /var/lib/mysql
Nextcloud check      ok
Nextcloud version    22.2.0.2
HTTPD service        down
PHP service          up
MariaDB service      up
Redis service        up
HPB service          down
Postfix service      up
internet check       ok
port check 80        closed
port check 443       closed

Server version: Apache/2.4.38 (Debian)
PHP 7.3.29-1~deb10u1
Zend Engine v3.3.29, with Zend OPcache v7.3.29-1~deb10u1


What I tried (to fix this):

  1. I noticed a difference: letsencrypt says it is saving the fullchain.pem in "/etc/letsencrypt/live/ncp-nextcloud/",
    while the ncp.conf file says that it is located at "/etc/letsencrypt/live/my.domain.removed.com/fullchain.pem"
  2. So I changed the ncp.conf file to the location “/etc/letsencrypt/live/ncp-nextcloud/”
  3. rebooted
  4. Then I could access the server again with my local IP and get access to the NCP-Panel again. But the external access still fails due to a lack of the certificate.
    4.1 ncp-report then shows:

HTTPD service        up
port check 80        open
port check 443       open

  5. When I run letsencrypt again, the ncp.conf file resets to /etc/letsencrypt/live/my.domain.removed.com/fullchain.pem
  6. I even did a complete new clean setup of NextcloudPi and restored my backup, same issue occurs.


I would be very happy if someone could tell me what has gone wrong here, I did not change any settings and the cloud worked fine for years. I have no more ideas. :see_no_evil:
When I searched the forum, there were some similar problems, but in detail they differed, so I created this new topic.

Thanks a lot for the help (:

hi,

Can you run sudo ncp-update devel and then try to run letsencrypt again? Let’s see if that fixes things for you

Hi, I have exactly the same issue. I just ran ncp-update devel but the error still persists…

ERROR: Could not generate /etc/apache2/sites-available/nextcloud.conf from template nextcloud.conf.sh. Rolling back…

any other idea?

Hi @nachoparker, thanks a lot for helping (:

I also did run sudo ncp-update devel; it stays on v1.40.6, and when I run letsencrypt again, unfortunately nothing changes about the issue stated.

ok, please try again (update devel and then letsencrypt) and share the output from LE. I added some debugging to dig in.


Unfortunately I seem to have hit the rate limit. Hope this provides some useful information anyway. Do you also need the letsencrypt.log?

Running letsencrypt
+ [[ yes != \y\e\s ]]
+ local DOMAIN_LOWERCASE=my.domain.removed.com
+ local OTHER_DOMAINS_ARRAY
+ [[ my.domain.removed.com == '' ]]
+ local 'IFS_BK=
'
+ IFS=',
'
+ OTHER_DOMAINS_ARRAY=(${OTHER_DOMAIN})
+ IFS='
'
+ local domain_string=
+ for domain in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ my.domain.removed.com != '' ]]
+ [[ '' == '' ]]
+ domain_string+=my.domain.removed.com
+ /usr/bin/letsencrypt certonly -n --force-renew --no-self-upgrade --webroot -w /var/www/nextcloud --hsts --agree-tos -m user_removed@mail.com -d my.domain.removed.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: my.domain.removed.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.
+ rm -rf /var/www/nextcloud/.well-known
+ return 1
Done. Press any key...

thanks for that. Unfortunately the interesting part is what comes afterwards. Maybe @mkorsch can help with his output, since you’ll have to wait to try again.

related letsencrypt makes nextcloud not accessible after nc-restore & nc-import-config · Issue #1358 · nextcloud/nextcloudpi · GitHub

This is the output I get after sudo ncp-update devel and running letsencrypt via ncp-config:

Running letsencrypt
+ [[ yes != \y\e\s ]]
+ local DOMAIN_LOWERCASE=cloud.my-domain.com
+ local OTHER_DOMAINS_ARRAY
+ [[ cloud.my-domain.com == '' ]]
+ local 'IFS_BK=
'
+ IFS=',
'
+ OTHER_DOMAINS_ARRAY=(${OTHER_DOMAIN})
+ IFS='
'
+ local domain_string=
+ for domain in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud.my-domain.com != '' ]]
+ [[ '' == '' ]]
+ domain_string+=cloud.my-domain.com
+ for domain in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud1.my-domain.com != '' ]]
+ [[ cloud.my-domain.com == '' ]]
+ domain_string+=,cloud1.my-domain.com
+ /usr/bin/letsencrypt certonly -n --force-renew --no-self-upgrade --webroot -w /var/www/nextcloud --hsts --agree-tos -m mail@my-domain.com -d cloud.my-domain.com,cloud1.my-domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ncp-nextcloud/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ncp-nextcloud/privkey.pem
   Your cert will expire on 2022-01-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

+ cat
+ chmod 755 /etc/cron.weekly/letsencrypt-ncp
+ mkdir -p /etc/letsencrypt/renewal-hooks/deploy
+ cat
+ chmod +x /etc/letsencrypt/renewal-hooks/deploy/ncp
+ install_template nextcloud.conf.sh /etc/apache2/sites-available/nextcloud.conf
+ local template=nextcloud.conf.sh
+ local target=/etc/apache2/sites-available/nextcloud.conf
++ mktemp
+ local bkp=/tmp/tmp.3Omg98mNCn
+ [[ -f /etc/apache2/sites-available/nextcloud.conf ]]
+ cp -a /etc/apache2/sites-available/nextcloud.conf /tmp/tmp.3Omg98mNCn
+ [[ '' == \-\-\d\e\f\a\u\l\t\s ]]
+ bash /usr/local/etc/ncp-templates/nextcloud.conf.sh
INFO: Letsencrypt domain is cloud.my-domain.com
INFO: Metrics enabled: yes
+ [[ '' == \-\-\a\l\l\o\w\-\f\a\l\l\b\a\c\k ]]
+ echo 'ERROR: Could not generate /etc/apache2/sites-available/nextcloud.conf from template nextcloud.conf.sh. Rolling back...'
ERROR: Could not generate /etc/apache2/sites-available/nextcloud.conf from template nextcloud.conf.sh. Rolling back...
+ mv /tmp/tmp.3Omg98mNCn /etc/apache2/sites-available/nextcloud.conf
+ return 1
+ sed -i 's|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/cloud.my-domain.com/fullchain.pem|' /etc/apache2/sites-available/ncp.conf
+ sed -i 's|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/cloud.my-domain.com/privkey.pem|' /etc/apache2/sites-available/ncp.conf
+ local domain_index=22
+ for dom in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud.my-domain.com != '' ]]
+ [[ 22 -lt 20 ]]
+ echo 'WARN: cloud.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached).' 'It will still be included in the SSL certificate'
WARN: cloud.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached). It will still be included in the SSL certificate
+ continue
+ for dom in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud1.my-domain.com != '' ]]
+ [[ 22 -lt 20 ]]
+ echo 'WARN: cloud1.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached).' 'It will still be included in the SSL certificate'
WARN: cloud1.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached). It will still be included in the SSL certificate
+ continue
+ set-nc-domain cloud.my-domain.com
+ local domain=cloud.my-domain.com
++ sed 's|http.\?://||;s|\(/.*\)||'
+ domain=cloud.my-domain.com
+ ping -c1 -w1 -q cloud.my-domain.com
+ [[ cloud.my-domain.com == '' ]]
+ is_an_ip cloud.my-domain.com
+ local ip_or_domain=cloud.my-domain.com
+ grep -oPq '\d{1,3}(.\d{1,3}){3}'
+ local proto
++ ncc config:system:get overwriteprotocol
+ proto=https
+ [[ https == '' ]]
+ local url=https://cloud.my-domain.com
+ [[ '' == \-\-\n\o\-\t\r\u\s\t\e\d\-\d\o\m\a\i\n ]]
+ ncc config:system:set trusted_domains 3 --value=cloud.my-domain.com
System config value trusted_domains => 3 set to string cloud.my-domain.com
+ ncc config:system:set overwrite.cli.url --value=https://cloud.my-domain.com/
System config value overwrite.cli.url set to string https://cloud.my-domain.com/
+ is_ncp_activated
+ a2query -s ncp-activation -q
+ is_app_enabled notify_push
+ local app=notify_push
+ ncc app:list
+ sed '0,/Disabled/!d'
+ grep -q notify_push
+ ncc config:system:set trusted_proxies 11 --value=127.0.0.1
System config value trusted_proxies => 11 set to string 127.0.0.1
+ ncc config:system:set trusted_proxies 12 --value=::1
System config value trusted_proxies => 12 set to string ::1
+ ncc config:system:set trusted_proxies 13 --value=cloud.my-domain.com
System config value trusted_proxies => 13 set to string cloud.my-domain.com
++ dig +short cloud.my-domain.com
+ ncc config:system:set trusted_proxies 14 --value=87.79.70.203
System config value trusted_proxies => 14 set to string 87.79.70.203
+ sleep 5
+ ncc notify_push:setup https://cloud.my-domain.com/push
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
  configuration saved
+ rm -rf /var/www/nextcloud/.well-known
+ bash -c 'sleep 2 && service apache2 reload'
+ is_docker
+ [[ -f /.dockerenv ]]
+ [[ '' == 1 ]]
+ return 0
Done. Press any key...

Thanks a lot for your support!

Ok, thanks that’s very useful.

Can you please run sudo ncp-update devel again and retry?

Sure, here’s the output after another update:

Running letsencrypt
+ [[ yes != \y\e\s ]]
+ local DOMAIN_LOWERCASE=cloud.my-domain.com
+ local OTHER_DOMAINS_ARRAY
+ [[ cloud.my-domain.com == '' ]]
+ local 'IFS_BK=
'
+ IFS=',
'
+ OTHER_DOMAINS_ARRAY=(${OTHER_DOMAIN})
+ IFS='
'
+ local domain_string=
+ for domain in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud.my-domain.com != '' ]]
+ [[ '' == '' ]]
+ domain_string+=cloud.my-domain.com
+ for domain in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud1.my-domain.com != '' ]]
+ [[ cloud.my-domain.com == '' ]]
+ domain_string+=,cloud1.my-domain.com
+ /usr/bin/letsencrypt certonly -n --force-renew --no-self-upgrade --webroot -w /var/www/nextcloud --hsts --agree-tos -m mail@my-domain.com -d cloud.my-domain.com,cloud1.my-domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ncp-nextcloud/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ncp-nextcloud/privkey.pem
   Your cert will expire on 2022-01-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

+ cat
+ chmod 755 /etc/cron.weekly/letsencrypt-ncp
+ mkdir -p /etc/letsencrypt/renewal-hooks/deploy
+ cat
+ chmod +x /etc/letsencrypt/renewal-hooks/deploy/ncp
+ install_template nextcloud.conf.sh /etc/apache2/sites-available/nextcloud.conf
+ local template=nextcloud.conf.sh
+ local target=/etc/apache2/sites-available/nextcloud.conf
++ mktemp
+ local bkp=/tmp/tmp.WkXkFZiUW2
+ [[ -f /etc/apache2/sites-available/nextcloud.conf ]]
+ cp -a /etc/apache2/sites-available/nextcloud.conf /tmp/tmp.WkXkFZiUW2
+ [[ '' == \-\-\d\e\f\a\u\l\t\s ]]
+ bash /usr/local/etc/ncp-templates/nextcloud.conf.sh
INFO: Letsencrypt domain is cloud.my-domain.com
INFO: Metrics enabled: yes
+ [[ '' == \-\-\a\l\l\o\w\-\f\a\l\l\b\a\c\k ]]
+ echo 'ERROR: Could not generate /etc/apache2/sites-available/nextcloud.conf from template nextcloud.conf.sh. Rolling back...'
ERROR: Could not generate /etc/apache2/sites-available/nextcloud.conf from template nextcloud.conf.sh. Rolling back...
+ mv /tmp/tmp.WkXkFZiUW2 /etc/apache2/sites-available/nextcloud.conf
+ return 1
+ sed -i 's|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/cloud.my-domain.com/fullchain.pem|' /etc/apache2/sites-available/ncp.conf
+ sed -i 's|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/cloud.my-domain.com/privkey.pem|' /etc/apache2/sites-available/ncp.conf
+ local domain_index=22
+ for dom in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud.my-domain.com != '' ]]
+ [[ 22 -lt 20 ]]
+ echo 'WARN: cloud.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached).' 'It will still be included in the SSL certificate'
WARN: cloud.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached). It will still be included in the SSL certificate
+ continue
+ for dom in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud1.my-domain.com != '' ]]
+ [[ 22 -lt 20 ]]
+ echo 'WARN: cloud1.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached).' 'It will still be included in the SSL certificate'
WARN: cloud1.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached). It will still be included in the SSL certificate
+ continue
+ set-nc-domain cloud.my-domain.com
+ local domain=cloud.my-domain.com
++ sed 's|http.\?://||;s|\(/.*\)||'
+ domain=cloud.my-domain.com
+ ping -c1 -w1 -q cloud.my-domain.com
+ [[ cloud.my-domain.com == '' ]]
+ is_an_ip cloud.my-domain.com
+ local ip_or_domain=cloud.my-domain.com
+ grep -oPq '\d{1,3}(.\d{1,3}){3}'
+ local proto
++ ncc config:system:get overwriteprotocol
+ proto=https
+ [[ https == '' ]]
+ local url=https://cloud.my-domain.com
+ [[ '' == \-\-\n\o\-\t\r\u\s\t\e\d\-\d\o\m\a\i\n ]]
+ ncc config:system:set trusted_domains 3 --value=cloud.my-domain.com
System config value trusted_domains => 3 set to string cloud.my-domain.com
+ ncc config:system:set overwrite.cli.url --value=https://cloud.my-domain.com/
System config value overwrite.cli.url set to string https://cloud.my-domain.com/
+ is_ncp_activated
+ a2query -s ncp-activation -q
+ is_app_enabled notify_push
+ local app=notify_push
+ ncc app:list
+ sed '0,/Disabled/!d'
+ grep -q notify_push
+ ncc config:system:set trusted_proxies 11 --value=127.0.0.1
System config value trusted_proxies => 11 set to string 127.0.0.1
+ ncc config:system:set trusted_proxies 12 --value=::1
System config value trusted_proxies => 12 set to string ::1
+ ncc config:system:set trusted_proxies 13 --value=cloud.my-domain.com
System config value trusted_proxies => 13 set to string cloud.my-domain.com
++ dig +short cloud.my-domain.com
+ ncc config:system:set trusted_proxies 14 --value=87.79.70.203
System config value trusted_proxies => 14 set to string 87.79.70.203
+ sleep 5
+ ncc notify_push:setup https://cloud.my-domain.com/push
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
  configuration saved
+ rm -rf /var/www/nextcloud/.well-known
+ bash -c 'sleep 2 && service apache2 reload'
+ is_docker
+ [[ -f /.dockerenv ]]
+ [[ '' == 1 ]]
+ return 0
Done. Press any key...

oh gosh, so sorry, made the changes but didn’t push them. Please try again

Sure, here you go:

Running letsencrypt
+ [[ yes != \y\e\s ]]
+ local DOMAIN_LOWERCASE=cloud.my-domain.com
+ local OTHER_DOMAINS_ARRAY
+ [[ cloud.my-domain.com == '' ]]
+ local 'IFS_BK=
'
+ IFS=',
'
+ OTHER_DOMAINS_ARRAY=(${OTHER_DOMAIN})
+ IFS='
'
+ local domain_string=
+ for domain in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud.my-domain.com != '' ]]
+ [[ '' == '' ]]
+ domain_string+=cloud.my-domain.com
+ for domain in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud1.my-domain.com != '' ]]
+ [[ cloud.my-domain.com == '' ]]
+ domain_string+=,cloud1.my-domain.com
+ /usr/bin/letsencrypt certonly -n --force-renew --no-self-upgrade --webroot -w /var/www/nextcloud --hsts --agree-tos -m mail@my-domain.com -d cloud.my-domain.com,cloud1.my-domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ncp-nextcloud/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ncp-nextcloud/privkey.pem
   Your cert will expire on 2022-01-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

+ cat
+ chmod 755 /etc/cron.weekly/letsencrypt-ncp
+ mkdir -p /etc/letsencrypt/renewal-hooks/deploy
+ cat
+ chmod +x /etc/letsencrypt/renewal-hooks/deploy/ncp
+ install_template nextcloud.conf.sh /etc/apache2/sites-available/nextcloud.conf
+ local template=nextcloud.conf.sh
+ local target=/etc/apache2/sites-available/nextcloud.conf
++ mktemp
+ local bkp=/tmp/tmp.MlNsa1USp4
+ [[ -f /etc/apache2/sites-available/nextcloud.conf ]]
+ cp -a /etc/apache2/sites-available/nextcloud.conf /tmp/tmp.MlNsa1USp4
+ [[ '' == \-\-\d\e\f\a\u\l\t\s ]]
+ bash /usr/local/etc/ncp-templates/nextcloud.conf.sh
INFO: Letsencrypt domain is cloud.my-domain.com
INFO: Metrics enabled: yes
+ [[ '' == \-\-\a\l\l\o\w\-\f\a\l\l\b\a\c\k ]]
+ rm /tmp/tmp.MlNsa1USp4
+ sed -i 's|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/cloud.my-domain.com/fullchain.pem|' /etc/apache2/sites-available/ncp.conf
+ sed -i 's|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/cloud.my-domain.com/privkey.pem|' /etc/apache2/sites-available/ncp.conf
+ local domain_index=22
+ for dom in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud.my-domain.com != '' ]]
+ [[ 22 -lt 20 ]]
+ echo 'WARN: cloud.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached).' 'It will still be included in the SSL certificate'
WARN: cloud.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached). It will still be included in the SSL certificate
+ continue
+ for dom in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"
+ [[ cloud1.my-domain.com != '' ]]
+ [[ 22 -lt 20 ]]
+ echo 'WARN: cloud1.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached).' 'It will still be included in the SSL certificate'
WARN: cloud1.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached). It will still be included in the SSL certificate
+ continue
+ set-nc-domain cloud.my-domain.com
+ local domain=cloud.my-domain.com
++ sed 's|http.\?://||;s|\(/.*\)||'
+ domain=cloud.my-domain.com
+ ping -c1 -w1 -q cloud.my-domain.com
+ [[ cloud.my-domain.com == '' ]]
+ is_an_ip cloud.my-domain.com
+ local ip_or_domain=cloud.my-domain.com
+ grep -oPq '\d{1,3}(.\d{1,3}){3}'
+ local proto
++ ncc config:system:get overwriteprotocol
+ proto=https
+ [[ https == '' ]]
+ local url=https://cloud.my-domain.com
+ [[ '' == \-\-\n\o\-\t\r\u\s\t\e\d\-\d\o\m\a\i\n ]]
+ ncc config:system:set trusted_domains 3 --value=cloud.my-domain.com
System config value trusted_domains => 3 set to string cloud.my-domain.com
+ ncc config:system:set overwrite.cli.url --value=https://cloud.my-domain.com/
System config value overwrite.cli.url set to string https://cloud.my-domain.com/
+ is_ncp_activated
+ a2query -s ncp-activation -q
+ is_app_enabled notify_push
+ local app=notify_push
+ ncc app:list
+ sed '0,/Disabled/!d'
+ grep -q notify_push
+ ncc config:system:set trusted_proxies 11 --value=127.0.0.1
System config value trusted_proxies => 11 set to string 127.0.0.1
+ ncc config:system:set trusted_proxies 12 --value=::1
System config value trusted_proxies => 12 set to string ::1
+ ncc config:system:set trusted_proxies 13 --value=cloud.my-domain.com
System config value trusted_proxies => 13 set to string cloud.my-domain.com
++ dig +short cloud.my-domain.com
+ ncc config:system:set trusted_proxies 14 --value=87.79.70.203
System config value trusted_proxies => 14 set to string 87.79.70.203
+ sleep 5
+ ncc notify_push:setup https://cloud.my-domain.com/push
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
  configuration saved
+ apachectl -k graceful
AH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/nextcloud.conf:
SSLCertificateFile: file '/fullchain.pem' does not exist or is empty
Action '-k graceful' failed.
The Apache error log may have more information.
+ rm -rf /var/www/nextcloud/.well-known
+ is_docker
+ [[ -f /.dockerenv ]]
+ [[ '' == 1 ]]
+ return 0
Done. Press any key...

The template error is not present anymore. But now it seems like we have an error in /etc/apache2/sites-enabled/nextcloud.conf. This is the content of my nextcloud.conf after running letsencrypt:

### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    DocumentRoot /var/www/nextcloud
    ServerName cloud.my-domain.com
    CustomLog /var/log/apache2/nc-access.log combined
    ErrorLog  /var/log/apache2/nc-error.log
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile      /fullchain.pem
    SSLCertificateKeyFile /privkey.pem

    # For notify_push app in NC21
    ProxyPass /push/ws ws://127.0.0.1:7867/ws
    ProxyPass /push/ http://127.0.0.1:7867/
    ProxyPassReverse /push/ http://127.0.0.1:7867/

    <Location /metrics/system>
      ProxyPass http://localhost:9100/metrics

      Order deny,allow
      Allow from all
      AuthType Basic
      AuthName "Metrics"
      AuthUserFile /usr/local/etc/metrics.htpasswd
      <RequireAll>
        <RequireAny>
          Require host localhost
          Require valid-user
        </RequireAny>
      </RequireAll>

    </Location>
  </VirtualHost>

  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    LimitRequestBody 0
    SSLRenegBufferSize 10486000
  </Directory>
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  </IfModule>
</IfModule>

Maybe the path to the certificate files is not properly resolved?

After manually changing lines 11 and 12 from SSLCertificateFile /fullchain.pem
to SSLCertificateFile /etc/letsencrypt/live/ncp-nextcloud/fullchain.pem it works again and I can access my instance with a valid SSL certificate. But as manual changes get overwritten in this file we may need another tweak in the template.


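The generated vhost in the post above ended up with `SSLCertificateFile /fullchain.pem`, while certbot had saved the files under `/etc/letsencrypt/live/ncp-nextcloud/`. As an added example (not NextCloudPi's own code; the function names are hypothetical and the certificate files are constructed placeholders), this script resolves the certificate directory from a list of candidate names and refuses to install a vhost whose certificate paths are missing or empty:

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not NextCloudPi's own.
# Assumes unquoted certificate paths without spaces in the vhost file.

# Print the first candidate directory under live_root that holds a non-empty
# fullchain.pem and privkey.pem. Returns 1 if no candidate qualifies.
find_cert_dir() {
  local live_root name dir
  live_root="$1"; shift
  for name in "$@"; do
    # An empty name would collapse the path to live_root itself; skip it.
    [ -n "$name" ] || continue
    dir="${live_root}/${name}"
    if [ -s "${dir}/fullchain.pem" ] && [ -s "${dir}/privkey.pem" ]; then
      printf '%s\n' "$dir"
      return 0
    fi
  done
  return 1
}

# Check every SSLCertificateFile / SSLCertificateKeyFile directive in a vhost
# file. Prints one line per problem and returns 1 if any path is missing or
# empty, or if the file carries no certificate directive at all.
check_vhost_cert_paths() {
  local conf directive path rest rc seen
  conf="$1"; rc=0; seen=0
  while read -r directive path rest || [ -n "$directive" ]; do
    case "$directive" in
      SSLCertificateFile|SSLCertificateKeyFile) ;;
      *) continue ;;
    esac
    seen=1
    if [ ! -s "$path" ]; then
      printf '%s: file %s does not exist or is empty\n' "$directive" "'$path'"
      rc=1
    fi
  done < "$conf"
  if [ "$seen" -ne 1 ]; then
    printf 'no certificate directives found in %s\n' "$conf"
    rc=1
  fi
  return "$rc"
}

# Copy a generated candidate over the live vhost only if its certificate
# paths check out; otherwise leave the previous file untouched.
install_vhost_if_valid() {
  local candidate target
  candidate="$1"; target="$2"
  check_vhost_cert_paths "$candidate" >&2 || return 1
  cp "$candidate" "$target"
}

# Demonstration on a constructed directory tree (no real certificates).
demo() {
  local root conf dir
  root=$(mktemp -d) || return 1
  mkdir -p "$root/live/ncp-nextcloud"
  echo "constructed placeholder, not a real certificate" > "$root/live/ncp-nextcloud/fullchain.pem"
  echo "constructed placeholder, not a real key" > "$root/live/ncp-nextcloud/privkey.pem"
  conf="$root/nextcloud.conf"

  # Candidate rendered with an empty directory variable, as in the thread.
  printf '    SSLCertificateFile      %s/fullchain.pem\n' "" > "$conf"
  printf '    SSLCertificateKeyFile %s/privkey.pem\n' "" >> "$conf"
  check_vhost_cert_paths "$conf" || echo "-> candidate rejected, previous vhost kept"

  # Resolve the directory first: the domain name, then the fixed lineage name.
  if dir=$(find_cert_dir "$root/live" cloud.my-domain.com ncp-nextcloud); then
    printf '    SSLCertificateFile      %s/fullchain.pem\n' "$dir" > "$conf"
    printf '    SSLCertificateKeyFile %s/privkey.pem\n' "$dir" >> "$conf"
    check_vhost_cert_paths "$conf" && echo "-> candidate accepted: $dir"
  fi
  rm -rf "$root"
}

demo
```

The `-s` test only mirrors Apache's "does not exist or is empty" condition; `apachectl configtest` remains the full syntax check before a reload.
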
Hey @mkorsch
Nice! That’s perfect as a workaround for now (:
I changed lines 10 and 11 of nextcloud.conf from

    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

to

    SSLCertificateFile /etc/letsencrypt/live/ncp-nextcloud/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ncp-nextcloud/privkey.pem

I also changed the ncp.conf to the same location.

It works for now with this workaround! Thanks a lot.

Thanks @mkorsch, we are making progress. You ran into a different bug. Can you please run sudo ncp-update and try again? The path should be correct this time around.

I updated to NCP version 1.41.0 using sudo ncp-update (without devel).

Running letsencrypt produced the following output:

Running letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ncp-nextcloud/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ncp-nextcloud/privkey.pem
   Your cert will expire on 2022-01-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

INFO: Letsencrypt domain is cloud.my-domain.com
INFO: Metrics enabled: yes
WARN: cloud.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached). It will still be included in the SSL certificate
WARN: cloud1.my-domain.com will not be included in trusted domains for Nextcloud (maximum reached). It will still be included in the SSL certificate
System config value trusted_domains => 3 set to string cloud.my-domain.com
System config value overwrite.cli.url set to string https://cloud.my-domain.com/
System config value trusted_proxies => 11 set to string 127.0.0.1
System config value trusted_proxies => 12 set to string ::1
System config value trusted_proxies => 13 set to string cloud.my-domain.com
System config value trusted_proxies => 14 set to string 87.79.70.203
✓ redis is configured
✓ push server is receiving redis messages
✓ push server can load mount info from database
✓ push server can connect to the Nextcloud server
✓ push server is a trusted proxy
✓ push server is running the same version as the app
  configuration saved
AH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/nextcloud.conf:
SSLCertificateFile: file '/fullchain.pem' does not exist or is empty
Action '-k graceful' failed.
The Apache error log may have more information.
Done. Press any key...

My nextcloud.conf seems to be still not correct:

    SSLProxyEngine on
    SSLCertificateFile      /fullchain.pem
    SSLCertificateKeyFile /privkey.pem

Did you push your changes? :slight_smile:

I did, let’s see, let’s debug this. Please share the output from

    sudo su
    ncp-update devel
    source /usr/local/etc/library.sh
    set -x
    source /usr/local/etc/ncp-templates/nextcloud.conf.sh
    set +x

Here’s the output:

pi@nextcloudpi:~ $ sudo su
root@nextcloudpi:/home/pi# ncp-update devel
INFO: updating to development branch 'devel'
Downloading updates
Performing updates
No such app enabled: updatenotification
Running nc-notify-updates
update web notifications enabled
NextCloudPi updated to version v1.41.0
root@nextcloudpi:/home/pi# source /usr/local/etc/library.sh
root@nextcloudpi:/home/pi# set -x
root@nextcloudpi:/home/pi# source /usr/local/etc/ncp-templates/nextcloud.conf.sh
+ source /usr/local/etc/ncp-templates/nextcloud.conf.sh
++ set -e
++ source /usr/local/etc/library.sh
+++ export NCPCFG=/usr/local/etc/ncp.cfg
+++ NCPCFG=/usr/local/etc/ncp.cfg
+++ export CFGDIR=/usr/local/etc/ncp-config.d
+++ CFGDIR=/usr/local/etc/ncp-config.d
+++ export BINDIR=/usr/local/bin/ncp
+++ BINDIR=/usr/local/bin/ncp
+++ export NCDIR=/var/www/nextcloud
+++ NCDIR=/var/www/nextcloud
+++ TRUSTED_DOMAINS=([ip]=1 [dnsmasq]=2 [nc_domain]=3 [nextcloudpi-local]=5 [docker_overwrite]=6 [nextcloudpi]=7 [nextcloudpi-lan]=8 [public_ip]=11 [letsencrypt_1]=12 [letsencrypt_2]=13 [trusted_domain_1]=20 [trusted_domain_1]=21 [trusted_domain_1]=22)
+++ export TRUSTED_DOMAINS
+++ command -v jq
+++ [[ -f /usr/local/etc/ncp.cfg ]]
++++ jq -r .nextcloud_version
+++ NCLATESTVER=21.0.4
++++ jq -r .php_version
+++ PHPVER=7.3
++++ jq -r .release
+++ RELEASE=buster
+++ command -v ncc
++++ ncc status
++++ grep version:
++++ awk '{ print $3 }'
+++ NCVER=21.0.4.1
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ ! -f /.docker-image ]]
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
+++ [[ -f /.ncp-image ]]
+++ source /usr/local/bin/ncp/NETWORKING/letsencrypt.sh
++++ ncdir=/var/www/nextcloud
++++ nc_vhostcfg=/etc/apache2/sites-available/nextcloud.conf
++++ vhostcfg2=/etc/apache2/sites-available/ncp.conf
++++ letsencrypt=/usr/bin/letsencrypt
+++ tmpl_letsencrypt_domain
+++ . /usr/local/etc/library.sh
++++ export NCPCFG=/usr/local/etc/ncp.cfg
++++ NCPCFG=/usr/local/etc/ncp.cfg
++++ export CFGDIR=/usr/local/etc/ncp-config.d
++++ CFGDIR=/usr/local/etc/ncp-config.d
++++ export BINDIR=/usr/local/bin/ncp
++++ BINDIR=/usr/local/bin/ncp
++++ export NCDIR=/var/www/nextcloud
++++ NCDIR=/var/www/nextcloud
++++ TRUSTED_DOMAINS=([ip]=1 [dnsmasq]=2 [nc_domain]=3 [nextcloudpi-local]=5 [docker_overwrite]=6 [nextcloudpi]=7 [nextcloudpi-lan]=8 [public_ip]=11 [letsencrypt_1]=12 [letsencrypt_2]=13 [trusted_domain_1]=20 [trusted_domain_1]=21 [trusted_domain_1]=22)
++++ export TRUSTED_DOMAINS
++++ command -v jq
++++ [[ -f /usr/local/etc/ncp.cfg ]]
+++++ jq -r .nextcloud_version
++++ NCLATESTVER=21.0.4
+++++ jq -r .php_version
++++ PHPVER=7.3
+++++ jq -r .release
++++ RELEASE=buster
++++ command -v ncc
+++++ ncc status
+++++ grep version:
+++++ awk '{ print $3 }'
++++ NCVER=21.0.4.1
+++ is_active_app letsencrypt
+++ local ncp_app=letsencrypt
+++ local bin_dir=.
+++ local script=./letsencrypt.sh
+++ local cfg_file=/usr/local/etc/ncp-config.d/letsencrypt.cfg
+++ [[ -f ./letsencrypt.sh ]]
++++ find /usr/local/bin/ncp -name letsencrypt.sh
++++ head -1
+++ local script=/usr/local/bin/ncp/NETWORKING/letsencrypt.sh
+++ [[ -f /usr/local/bin/ncp/NETWORKING/letsencrypt.sh ]]
+++ unset is_active
+++ source /usr/local/bin/ncp/NETWORKING/letsencrypt.sh
++++ ncdir=/var/www/nextcloud
++++ nc_vhostcfg=/etc/apache2/sites-available/nextcloud.conf
++++ vhostcfg2=/etc/apache2/sites-available/ncp.conf
++++ letsencrypt=/usr/bin/letsencrypt
++++ type -t is_active
+++ [[ function == function ]]
+++ [[ -f /usr/local/etc/ncp-config.d/letsencrypt.cfg ]]
++++ cat /usr/local/etc/ncp-config.d/letsencrypt.cfg
+++ local 'cfg={
  "id": "letsencrypt",
  "name": "Let'\''s Encrypt, Automatic signed SSL certificates",
  "title": "letsencrypt",
  "description": "Automatic signed SSL certificates. Let’s Encrypt is a free, automated, and open Certificate Authority.",
  "info": "Internet access is required for this configuration to complete\nBoth ports 80 and 443 need to be accessible from the internet\n\nYour certificate will be automatically renewed every month",
  "infotitle": "Warning",
  "params": [
    {
      "id": "ACTIVE",
      "name": "Active",
      "value": "yes",
      "type": "bool"
    },
    {
      "id": "DOMAIN",
      "name": "Domain",
      "value": "cloud.my-domain.com",
      "suggest": "mycloud.ownyourbits.com"
    },
    {
      "id": "OTHER_DOMAIN",
      "name": "Additional domain",
      "value": "cloud1.my-domain.com",
      "suggest": "optional.cloud.ownyourbits.com"
    },
    {
      "id": "EMAIL",
      "name": "Email",
      "value": "mail@my-domain.com",
      "suggest": "mycloud@ownyourbits.com"
    }
  ]
}'
++++ jq '.params | length'
+++ local len=4
+++ (( i = 0  ))
+++ (( i < len  ))
++++ jq -r '.params[0].id'
+++ local var=ACTIVE
++++ jq -r '.params[0].value'
+++ local val=yes
+++ eval ACTIVE=yes
++++ ACTIVE=yes
+++ (( i++  ))
+++ (( i < len  ))
++++ jq -r '.params[1].id'
+++ local var=DOMAIN
++++ jq -r '.params[1].value'
+++ local val=cloud.my-domain.com
+++ eval DOMAIN=cloud.my-domain.com
++++ DOMAIN=cloud.my-domain.com
+++ (( i++  ))
+++ (( i < len  ))
++++ jq -r '.params[2].id'
+++ local var=OTHER_DOMAIN
++++ jq -r '.params[2].value'
+++ local val=cloud1.my-domain.com
+++ eval OTHER_DOMAIN=cloud1.my-domain.com
++++ OTHER_DOMAIN=cloud1.my-domain.com
+++ (( i++  ))
+++ (( i < len  ))
++++ jq -r '.params[3].id'
+++ local var=EMAIL
++++ jq -r '.params[3].value'
+++ local val=mail@my-domain.com
+++ eval EMAIL=mail@my-domain.com
++++ EMAIL=mail@my-domain.com
+++ (( i++  ))
+++ (( i < len  ))
+++ is_active
+++ [[ yes == \y\e\s ]]
++++ find /etc/letsencrypt/live/ -maxdepth 0 -empty
++++ wc -l
+++ [[ 0 == 0 ]]
+++ return 0
+++ find_app_param letsencrypt DOMAIN
+++ local script=letsencrypt
+++ local param_id=DOMAIN
++++ basename letsencrypt .sh
+++ local ncp_app=letsencrypt
+++ local cfg_file=/usr/local/etc/ncp-config.d/letsencrypt.cfg
++++ find_app_param_num letsencrypt DOMAIN
++++ local script=letsencrypt
++++ local param_id=DOMAIN
+++++ basename letsencrypt .sh
++++ local ncp_app=letsencrypt
++++ local cfg_file=/usr/local/etc/ncp-config.d/letsencrypt.cfg
++++ [[ -f /usr/local/etc/ncp-config.d/letsencrypt.cfg ]]
+++++ cat /usr/local/etc/ncp-config.d/letsencrypt.cfg
++++ local 'cfg={
  "id": "letsencrypt",
  "name": "Let'\''s Encrypt, Automatic signed SSL certificates",
  "title": "letsencrypt",
  "description": "Automatic signed SSL certificates. Let’s Encrypt is a free, automated, and open Certificate Authority.",
  "info": "Internet access is required for this configuration to complete\nBoth ports 80 and 443 need to be accessible from the internet\n\nYour certificate will be automatically renewed every month",
  "infotitle": "Warning",
  "params": [
    {
      "id": "ACTIVE",
      "name": "Active",
      "value": "yes",
      "type": "bool"
    },
    {
      "id": "DOMAIN",
      "name": "Domain",
      "value": "cloud.my-domain.com",
      "suggest": "mycloud.ownyourbits.com"
    },
    {
      "id": "OTHER_DOMAIN",
      "name": "Additional domain",
      "value": "cloud1.my-domain.com",
      "suggest": "optional.cloud.ownyourbits.com"
    },
    {
      "id": "EMAIL",
      "name": "Email",
      "value": "mail@my-domain.com",
      "suggest": "mycloud@ownyourbits.com"
    }
  ]
}'
+++++ jq '.params | length'
++++ local len=4
++++ (( i = 0  ))
++++ (( i < len  ))
+++++ jq -r '.params[0].id'
++++ local p_id=ACTIVE
++++ [[ DOMAIN == \A\C\T\I\V\E ]]
++++ (( i++  ))
++++ (( i < len  ))
+++++ jq -r '.params[1].id'
++++ local p_id=DOMAIN
++++ [[ DOMAIN == \D\O\M\A\I\N ]]
++++ echo 1
++++ return 0
+++ local p_num=1
+++ jq -r '.params[1].value'
++ LETSENCRYPT_DOMAIN=cloud.my-domain.com
++ [[ -z cloud.my-domain.com ]]
++ echo 'INFO: Letsencrypt domain is cloud.my-domain.com'
INFO: Letsencrypt domain is cloud.my-domain.com
++ [[ -f /.ncp-image ]]
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ -f /usr/local/bin/ncp/SYSTEM/metrics.sh ]]
+++ source /usr/local/bin/ncp/SYSTEM/metrics.sh
+++ tmpl_metrics_enabled
+++ . /usr/local/etc/library.sh
++++ export NCPCFG=/usr/local/etc/ncp.cfg
++++ NCPCFG=/usr/local/etc/ncp.cfg
++++ export CFGDIR=/usr/local/etc/ncp-config.d
++++ CFGDIR=/usr/local/etc/ncp-config.d
++++ export BINDIR=/usr/local/bin/ncp
++++ BINDIR=/usr/local/bin/ncp
++++ export NCDIR=/var/www/nextcloud
++++ NCDIR=/var/www/nextcloud
++++ TRUSTED_DOMAINS=([ip]=1 [dnsmasq]=2 [nc_domain]=3 [nextcloudpi-local]=5 [docker_overwrite]=6 [nextcloudpi]=7 [nextcloudpi-lan]=8 [public_ip]=11 [letsencrypt_1]=12 [letsencrypt_2]=13 [trusted_domain_1]=20 [trusted_domain_1]=21 [trusted_domain_1]=22)
++++ export TRUSTED_DOMAINS
++++ command -v jq
++++ [[ -f /usr/local/etc/ncp.cfg ]]
+++++ jq -r .nextcloud_version
++++ NCLATESTVER=21.0.4
+++++ jq -r .php_version
++++ PHPVER=7.3
+++++ jq -r .release
++++ RELEASE=buster
++++ command -v ncc
+++++ ncc status
+++++ grep version:
+++++ awk '{ print $3 }'
++++ NCVER=21.0.4.1
++++ find_app_param metrics.sh ACTIVE
++++ local script=metrics.sh
++++ local param_id=ACTIVE
+++++ basename metrics.sh .sh
++++ local ncp_app=metrics
++++ local cfg_file=/usr/local/etc/ncp-config.d/metrics.cfg
+++++ find_app_param_num metrics.sh ACTIVE
+++++ local script=metrics.sh
+++++ local param_id=ACTIVE
++++++ basename metrics.sh .sh
+++++ local ncp_app=metrics
+++++ local cfg_file=/usr/local/etc/ncp-config.d/metrics.cfg
+++++ [[ -f /usr/local/etc/ncp-config.d/metrics.cfg ]]
++++++ cat /usr/local/etc/ncp-config.d/metrics.cfg
+++++ local 'cfg={
  "id": "metrics",
  "name": "System Metrics, that can be collected by an external server",
  "title": "System Metrics",
  "description": "Prometheus (https://prometheus.io) compatible metrics for things like, CPU/memory/disk usage etc.",
  "info": "In order to use these metrics, you will need to setup at least an external Prometheus instance. You can find a quick and easy way to start at https://github.com/theCalcaholic/ncp-monitoring-dashboard",
  "infotitle": "External service required",
  "params": [
    {
      "id": "ACTIVE",
      "name": "Active",
      "value": "yes",
      "type": "bool"
    },
    {
      "id": "USER",
      "name": "Metrics User",
      "value": "monitoring-user",
      "suggest": "metrics"
    },
    {
      "id": "PASSWORD",
      "name": "Metrics Password",
      "value": "",
      "type": "password"
    }
  ]
}'
++++++ jq '.params | length'
+++++ local len=3
+++++ (( i = 0  ))
+++++ (( i < len  ))
++++++ jq -r '.params[0].id'
+++++ local p_id=ACTIVE
+++++ [[ ACTIVE == \A\C\T\I\V\E ]]
+++++ echo 0
+++++ return 0
++++ local p_num=0
++++ jq -r '.params[0].value'
+++ local param_active=yes
+++ [[ yes == yes ]]
+++ echo yes
++ METRICS_IS_ENABLED=yes
++ echo 'INFO: Metrics enabled: yes'
INFO: Metrics enabled: yes
++ echo '### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###'
### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###
++ echo ''

++ cat
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    DocumentRoot /var/www/nextcloud
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ -n cloud.my-domain.com ]]
++ echo '    ServerName cloud.my-domain.com'
    ServerName cloud.my-domain.com
++ LETSENCRYPT_CERT_BASE_PATH=/etc/letsencrypt/live/cloud.my-domain.com
++ [[ -d /etc/letsencrypt/live/cloud.my-domain.com ]]
+++ find /etc/letsencrypt/live -type d -name 'cloud.my-domain.com*' -printf '%T@ %p\n'
+++ sort -n
+++ cut -f2 '-d '
+++ tail -1
++ LETSENCRYPT_CERT_BASE_PATH=
++ [[ -d '' ]]
++ cat
    CustomLog /var/log/apache2/nc-access.log combined
    ErrorLog  /var/log/apache2/nc-error.log
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # For notify_push app in NC21
    ProxyPass /push/ws ws://127.0.0.1:7867/ws
    ProxyPass /push/ http://127.0.0.1:7867/
    ProxyPassReverse /push/ http://127.0.0.1:7867/
++ [[ '' != \-\-\d\e\f\a\u\l\t\s ]]
++ [[ yes == yes ]]
++ cat

    <Location /metrics/system>
      ProxyPass http://localhost:9100/metrics

      Order deny,allow
      Allow from all
      AuthType Basic
      AuthName "Metrics"
      AuthUserFile /usr/local/etc/metrics.htpasswd
      <RequireAll>
        <RequireAny>
          Require host localhost
          Require valid-user
        </RequireAny>
      </RequireAll>

    </Location>
++ cat
  </VirtualHost>

  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    LimitRequestBody 0
    SSLRenegBufferSize 10486000
  </Directory>
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
  </IfModule>
</IfModule>
++ [[ -f /.ncp-image ]]
++ echo 'Apache self check:'
++ apache2ctl -t
pi@nextcloudpi:~ $ set +x
pi@nextcloudpi:~ $

Thanks a lot for your support and investigation!

This is where things are going south

, what is the result from this command?

There is no result… (yes, I replaced my-domain.com with my actual domain name :slight_smile: )
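The failure in this thread is a certificate base path that resolves to an empty string and is then written out as `/fullchain.pem`; checking the resolved directory before emitting the directives avoids it. The sketch below is an added example, not NextCloudPi's template code: the function names `cert_pair_ok`, `resolve_cert_dir` and `ssl_directives` are hypothetical, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example, not NextCloudPi code. Function names are hypothetical.

# True only if DIR is set and holds a non-empty fullchain.pem and privkey.pem.
cert_pair_ok() {
  [ -n "$1" ] && [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Print the usable certificate directory for DOMAIN under LIVE_DIR: the exact
# name first, then the newest "DOMAIN*" lineage (certbot may create
# DOMAIN-0001). Returns 1 and prints nothing when no usable pair exists.
resolve_cert_dir() {
  live=$1 domain=$2 newest=
  [ -n "$domain" ] || return 1          # an empty domain would glob every dir
  if cert_pair_ok "$live/$domain"; then
    printf '%s\n' "$live/$domain"
    return 0
  fi
  for d in "$live/$domain"*; do
    cert_pair_ok "$d" || continue
    if [ -z "$newest" ] || [ "$d" -nt "$newest" ]; then newest=$d; fi
  done
  [ -n "$newest" ] && printf '%s\n' "$newest"
}

# Emit the two Apache directives; fall back to the snakeoil pair from the
# trace so the vhost never receives a bare "/fullchain.pem".
ssl_directives() {
  dir=$(resolve_cert_dir "$1" "$2") || dir=
  if [ -n "$dir" ]; then
    printf '    SSLCertificateFile      %s/fullchain.pem\n' "$dir"
    printf '    SSLCertificateKeyFile   %s/privkey.pem\n' "$dir"
  else
    printf '    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem\n'
    printf '    SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key\n'
  fi
}

# Constructed demo: live/ holds only a lineage named after the certbot cert
# name, so a lookup by domain finds nothing and the fallback is emitted.
demo_live=$(mktemp -d)
mkdir -p "$demo_live/ncp-nextcloud"
echo "constructed cert" > "$demo_live/ncp-nextcloud/fullchain.pem"
echo "constructed key"  > "$demo_live/ncp-nextcloud/privkey.pem"
ssl_directives "$demo_live" cloud.my-domain.com
rm -rf "$demo_live"
```

Running `apache2ctl -t` on the generated file before reloading would still catch anything this check misses, which is the step the trace above ends on.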