Experiencing "the domain is not reachable on port 443 from within this container" error when attempting to set up NextCloud AIO locally

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • Trying to install the version prior to the Autumn 2025 update
  • Operating system and version (e.g., Ubuntu 24.04):
    • Linux Mint Wilma
  • Web server and version (e.g, Apache 2.4.25):
    • The default that comes with AIO
  • Reverse proxy and version (e.g. nginx 1.27.2)
    • Caddy
  • PHP version (e.g, 8.3):
    • The default that comes with AIO
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • A few days ago
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • AIO
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

I am having trouble getting the steps in the AIO local instance documentation to work. I’ve been keeping a detailed record of my setup actions so far; my hope is that, once I get this issue resolved, these records could be used to help update that documentation (which I think is a bit light on details at times for newcomers to networking like myself).

A few relevant background details:

  1. Because I don’t have a static IP, I’m making use of a DDNS domain that I set up via my TP-Link Deco router’s app.

  2. I’m using a public domain that I set up via GoDaddy.

  3. I was able to successfully use a public domain and a DDNS domain to create a public-facing version of AIO; however, I would now like to try to set up an alternative version of AIO that can only be accessed on my local network and via WireGuard.

  4. There are some other guides to creating an AIO instance that can only be accessed remotely via a VPN; however, I’d like to first try to get the official guide on GitHub to work.

  5. Various domain names and addresses have been changed for privacy purposes.

Here are the steps I’ve done so far:

  1. Set up myddns.tplinkdns.com as my DDNS domain via the Deco TP-Link app.

  2. In order to connect my mydomain.com domain: Added a nextcloud.mydomain.com subdomain entry within Godaddy’s DNS page with the following info:

    1. Type: CNAME [not A!]

    2. Name: nextcloud

    3. Data: myddns.tplinkdns.com. (The period at the end is an intentional part of the entry.)

    4. TTL: 1/2 hour (this could probably vary)

  3. Installed Caddy via the ‘Debian, Ubuntu, Raspbian’ steps found at Install — Caddy Documentation [Note: I did not install it as its own Docker container.]

  4. Within the Caddyfile (located at /etc/caddy/Caddyfile), I commented out/deleted all existing lines, then added the following:

    https://nextcloud.mydomain.com:443 {
        reverse_proxy localhost:11000 # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub
    }

    I did not choose the ‘Limit the access to the Apache container’ step, since I don’t think I directly use localhost to connect to AIO. (See Part 3 within the Reverse Proxy documentation.)

  5. I then launched Caddy by entering caddy run in my command line. (See Reverse proxy quick-start — Caddy Documentation )

  6. Using my TP-Link Deco app, I also opened Port 80, but not 443, at this point (as advised by the NextCloud local instance documentation). I chose my server’s private IP address (192.168.40.68) as the Client IP address, and 80 as both the internal and external ports.

  7. My next step was to configure dnsmasq. (Note: I was planning to use the pi-hole community container, but I didn’t know how to access the community containers page until I verified my domain, and I wasn’t able to verify my domain without a DNS service like pi-hole, so I instead used dnsmasq. I could have also installed pi-hole ‘manually’, of course, but dnsmasq seemed simpler while still being a good fit for my needs.)

    I already had dnsmasq on Linux (it sounds like it comes pre-installed). My main documentation for configuring it was ernolf’s excellent documentation at Need help to configure internal access - #6 by ernolf, though I also referenced the guides at https://www.howtogeek.com/devops/how-to-run-your-own-dns-server-on-your-local-network/ (which I found via NextCloud’s own documentation) and https://computingforgeeks.com/install-and-configure-dnsmasq-on-ubuntu/

    [Most of the following steps came directly from @ernolf’s documentation, but I’m reposting them here for convenience’s sake.]

  8. First, I added the following lines to the bottom of /etc/systemd/resolved.conf :

    DNS=8.8.8.8

    DNSStubListener=no

    (My understanding is that the second line can help prevent Port 53 conflicts between systemd-resolved and dnsmasq.)

  9. Second, I deleted the existing /etc/resolv.conf file, created a new copy, and added the following text to it:

    nameserver 127.0.0.1

  10. Next, within /etc/default/dnsmasq, I uncommented IGNORE_RESOLVCONF=yes . In addition, I added:

    ENABLED=1

    The CONFIG_DIR entry that ernolf specified was already present, so I didn’t need to update that. In addition, I kept DNSMASQ_OPTS uncommented in order to continue using the existing /etc/dnsmasq.conf file (though I made several updates to that file).

  11. Within /etc/dnsmasq.conf, I uncommented:

    domain-needed
    bogus-priv
    cache-size=150 (but set 150 to 1000)

    I also added the following lines:

    listen-address = 127.0.0.1
    listen-address = 192.168.40.68

    server=/40.168.192.in-addr.arpa/192.168.40.68 (I’m guessing here that my subnet starts with 192.168.40. Note that 40.168.192 = 192.168.40 backwards.)

    resolv-file = /run/systemd/resolve/resolv.conf [Note that, without this line, many websites couldn’t be connected to, likely because my computer was trying to locate DNS names using 127.0.0.1 in /etc/resolv.conf only. In fact, I couldn’t even successfully run my Docker AIO container!]

    Note: the text of my /run/systemd/resolve/resolv.conf file (not to be confused with the /etc/resolv.conf file) is:

     nameserver 8.8.8.8
     nameserver 192.168.40.68
     nameserver 8.8.8.8
     search .

    [I didn’t yet add the addn-hosts lines that were found in ernolf’s guide. In addition, I didn’t add or edit an /etc/dnsmasq.addn-hosts.local file.]

  12. Within /etc/hosts, I added:

    192.168.40.68 nextcloud.mydomain.com

    (The guide at Nextcloud AIO tutorial with caddy reverse proxy, all behind a wireguard VPN (only accessable via VPN) helped with this step, though pi-hole seems to use the opposite order for these configuration updates).

  13. I then ran sudo service dnsmasq restart to restart dnsmasq, and sudo systemctl restart systemd-resolved (based on https://askubuntu.com/a/1170073/1685413) to restart systemd-resolved.

    A few notes:

    1. When I run sudo systemctl status dnsmasq, I do see the following error message:

      “Failed to set DNS configuration: Unit dbus-org.freedesktop.resolve1.service not found.” (Not sure whether or not this is an issue.)

    2. In addition, the message ‘ignoring nameserver 192.168.40.68 - local interface’ appears twice. Does this mean that I might need to replace some of these private IP values with my DDNS domain (myddns.tplinkdns.com)?

  14. Part 4 of the Local Instance guide states: “Enter the ip-address of your local dns-server in the daemon.json file for docker so that you are sure that all docker containers use the correct local dns-server.” The documentation at Configuring DNS | dockerlabs helped me find the correct path to this file; however, there was no such file on my computer.

    Therefore, I simply created it (as suggested by Yeabsira Ashenafi at https://stackoverflow.com/a/71131049/13097194 and as instructed in Daemon | Docker Docs).

    I entered the following within this daemon.json file:

     { "dns" : [ "192.168.40.68", "8.8.8.8" ] }
    

    However, I’m wondering if I should enter my DDNS domain (nextcloud.mydomain.com) instead of my server’s private IP.

  15. To make this dnsmasq server my router’s primary server, I went into my Deco app, selected Advanced → DHCP server, and then made my server’s local IP address (192.168.40.68) my Primary DNS. (I then chose 8.8.8.8 as my secondary DNS as advised by the How To Geek guide.)

    (The guides at How to change DNS server settings on my Deco | TP-Link and How to use Pi-Hole DNS Server on TP-Link routers were helpful here.)

    Note: I was not able to directly change my DNS server to 192.168.40.68 within the Deco app’s ‘DNS Address’ page; when I tried to make that local IP the primary address, I received the following message: “This IP conflicts with the LAN IP subnet. To use this DNS Server, set it at DHCP Server” (which I did following the steps shown above). Because of this issue, do I need to make any changes to my dnsmasq setup?

    I also needed to reboot the router after performing these steps.

  16. I then entered the command found in 2. Use this startup command within the reverse proxy documentation in order to start the NextCloud AIO container.

  17. After the startup command finished executing, I went to https://192.168.40.68:8080. I got a scary-looking “Your connection is not private” message. I went ahead and selected to proceed to this address anyway.

  18. After entering my passphrase, I was taken to the main NextCloud startup page. For the domain validation step, I entered nextcloud.mydomain.com as my domain. I then received the following message:

    “The domain is not reachable on Port 443 from within this container. Have you opened port 443/tcp in your router/firewall? If yes is the problem most likely that the router or firewall forbids local access to your domain. You can work around that by setting up a local DNS-server.”

That’s where I’m currently stuck. Something within my settings clearly isn’t correct. My guess is that I’m entering my server’s private IP (192.168.40.68) when I should actually be entering my DDNS domain for my router (myddns.tplinkdns.com).

Any help with these errors would be greatly, greatly appreciated! As I mentioned before, once I get this figured out, I would be more than happy to contribute this documentation to the main local instance documentation in order to decrease the amount of troubleshooting that other NextCloud newcomers need to do.
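The error message above asks two separate questions: what the name resolves to when the local DNS server is asked, and whether anything accepts a TCP connection on port 443 at that address. The script below is an added example written for this thread, not code from Nextcloud AIO or from any poster. It sends a raw UDP A query to a chosen server (so the host’s /etc/hosts, which containers do not read, cannot mask the answer), parses the reply, classifies it, and then attempts a plain TCP connect. The domain, the DNS server address and the expected LAN address are placeholders copied from the post and are assumptions to be replaced.

```python
"""Check what a name resolves to via a specific DNS server, and whether TCP/443
answers there. Added example for the thread; not part of Nextcloud AIO.
The three constants are placeholders from the post above (assumptions)."""
import ipaddress
import random
import socket
import struct

DOMAIN = "nextcloud.mydomain.com"   # assumption: the name typed into the AIO domain field
DNS_SERVER = "192.168.40.68"        # assumption: the dnsmasq listen-address from the post
EXPECTED_LAN_IP = "192.168.40.68"   # assumption: where the reverse proxy listens on the LAN


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: one question, type A, class IN, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name starting at `off` (handles RFC 1035 compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, txid: int = 0x1234) -> list:
    """IPv4 addresses in the answer section; raises on wrong id or non-zero RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def classify(answers: list, expected: str) -> str:
    """Reduce the answer to the question the AIO message is really asking."""
    if not answers:
        return "no A record: the server asked does not know the name (override missing?)"
    if expected in answers:
        return "ok: name resolves to the LAN address of the reverse proxy"
    if all(ipaddress.ip_address(a).is_private for a in answers):
        return f"resolves to a different private address {answers}: check the override value"
    return f"resolves to a public address {answers}: the query reached the upstream resolver"


def resolve_via(name: str, server: str, timeout: float = 3.0) -> list:
    """Ask `server` directly over UDP/53, bypassing /etc/hosts and the stub resolver."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def tcp_open(addr: str, port: int = 443, timeout: float = 3.0) -> bool:
    """True if something accepts a TCP connection at addr:port (no TLS, no HTTP)."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample reply (id 0x1234, one A record 192.168.40.68 for the
# placeholder name) so the parser can be exercised without a network.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x09nextcloud\x08mydomain\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton("192.168.40.68")
)

if __name__ == "__main__":
    try:
        answers = resolve_via(DOMAIN, DNS_SERVER)
    except (OSError, ValueError) as exc:
        answers, verdict = [], f"query to {DNS_SERVER} failed: {exc}"
    else:
        verdict = classify(answers, EXPECTED_LAN_IP)
    print(f"{DOMAIN} via {DNS_SERVER}: {answers} -> {verdict}")
    for addr in answers or [EXPECTED_LAN_IP]:
        print(f"tcp {addr}:443 -> {'open' if tcp_open(addr) else 'closed/filtered'}")
```

Run it once on the host and once inside a throwaway container (for instance `docker run --rm -v "$PWD:/w" python:3-alpine python /w/dnscheck.py`, assuming the file is saved as dnscheck.py): the container run shows what the AIO containers see after daemon.json is applied, which is the view the validation step uses. A "no A record" or "public address" verdict from the container while the host says "ok" points at the resolver chain rather than at Caddy or the router.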

Have you checked the forum already?
This sounds a little bit like this:

Hi there, yes, I have reviewed multiple documentation pages and forum posts. That post in particular doesn’t reference a local setup, and I don’t want to try skipping the domain validation just yet (as I don’t think that’s necessary for a local instance to work).

Although port 443 on my router is closed, port 80 is open per the local installation steps.

if you are using a Caddy container with acme DNS-challenge (i.e. a DNS module/plugin) you will need to set skip domain validation to true as per the official documentation as seen here

I would not know how to set this up with a package installed Caddy setup.

There is a lot going on here so I won’t be able to assist very much with your setup. Personally I would start making things simple. It seems that lots of little pieces have been taken from lots of guides, making a bit of a Frankenstein’s monster. I would stick with an all container setup and although a wireguard VPN is possible, as I understand it with a dynamic IP, for this setup I would probably use something like tailscale, as recommended by the official reverse proxy guide here, that way no open ports are required.


Thanks for your prompt response, and for your excellent setup guide that uses pi-hole and a containerised reverse proxy! (I might end up using the approach in that guide instead, since I’m guessing the issue here is with my dnsmasq setup).

I really would like to get the local setup as defined in the main local instance/reverse documentation to work, but since it’s not as detailed as I would like, I ended up having to draw from lots of different sources to fill in the gaps. (I’m not blaming NextCloud here–they’re providing an amazing service for free, and the local setup has a more limited userbase.) If @ernolf and others can help correct the errors in these steps, we could then update the main documentation to make some of the steps more explicit.

But if that’s not possible, I may retry all this with your approach!

Hi everyone,

To make my current setup a bit easier to parse, I’ve added copies of the current (uncommented) contents of all the relevant files I mentioned in my first post. (I actually found a major typo in my setup in doing so: I was using mydomain.co rather than mydomain.com in my caddy file! However, correcting this mistake, then restarting caddy, didn’t resolve my original error message.)

I could be wrong, but my guess is that something in these files isn’t correct, or something crucial is missing!

Relevant variables: (I’ve changed their names for privacy purposes.)

Public domain: https://nextcloud.mydomain.com
DDNS domain for my dynamic IP: 192.168.40.68

Current version of each relevant file that I mentioned in my first post (uncommented lines only)

/etc/caddy/Caddyfile

https://nextcloud.mydomain.com:443 {
    reverse_proxy localhost:11000
}

/etc/systemd/resolved.conf

[Resolve]
DNS=8.8.8.8
DNSStubListener=no

/etc/resolv.conf

nameserver 127.0.0.1

/etc/dnsmasq.conf

domain-needed
bogus-priv
resolv-file=/run/systemd/resolve/resolv.conf
server=/40.168.192.in-addr.arpa/192.168.40.68
listen-address = 127.0.0.1
listen-address = 192.168.40.68
cache-size=1000

/etc/default/dnsmasq

CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
IGNORE_RESOLVCONF=yes
ENABLED=1

/run/systemd/resolve/resolv.conf

nameserver 8.8.8.8
nameserver 192.168.40.68
nameserver 8.8.8.8
search .

/etc/hosts

127.0.0.1	localhost
127.0.1.1	mycomputername
192.168.40.68 nextcloud.mydomain.com
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/daemon.json

{ "dns" : [ "192.168.40.68", "8.8.8.8" ] }

AIO initialization command:

[This is an unedited copy of the command found within the reverse proxy documentation.]

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env APACHE_ADDITIONAL_NETWORK="" \
--env SKIP_DOMAIN_VALIDATION=false \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
ghcr.io/nextcloud-releases/all-in-one:latest