False self-signed certificate error with reverse proxy for AIO

I am trying to set up Nextcloud AIO and have run into some SSL issues when trying to run it behind a reverse proxy. I will try to provide as much info as I can, and please let me know if I have missed something. I have replaced some info/addresses with placeholders.

Basic info:

  • Running on a Synology NAS DS920+
  • Reverse proxy is Nginx Proxy Manager in a Docker container, because…
  • …ports 80 and 443 cannot be used due to the NAS already using them
  • No certificate files have been intentionally placed on the NAS or Docker containers, as my understanding is that NPM handles this

~
ERROR

Here is the error from the Nextcloud AIO setup page:

Domain does not point to this server or the reverse proxy is not configured correctly. See the mastercontainer logs for more details. ('sudo docker logs -f nextcloud-aio-mastercontainer')

and the detailed error in the log…

[Tue Oct 25 16:48:48.740562 2022] [php:notice] [pid 165] [client 127.0.0.1:44796] The response of the connection attempt to "https://<sub.domain.tld>:443" was: , referer: https://<local-ip>:7380/containers
[Tue Oct 25 16:48:48.740600 2022] [php:notice] [pid 165] [client 127.0.0.1:44796] The error message was: SSL certificate problem: self signed certificate, referer: https://<local-ip>:7380/containers
[Tue Oct 25 16:48:48.740594 2022] [php:notice] [pid 165] [client 127.0.0.1:44796] Expected was: <hash>, referer: https://<local-ip>:7380/containers

where:

  • sub.domain.tld is the FQDN I have registered
  • local-ip is the local IP address of the NAS
  • hash is the expected response from the Apache server within the AIO, if I understand correctly

~

This error displays at the AIO setup page, when trying to submit my domain, shown below:

~
DOCKER SETUP

Here is my docker-compose file for the AIO:

version: "3.8"

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer
services:
  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: unless-stopped
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 7380:8080
    environment:
      - APACHE_PORT=11000
      - APACHE_DISABLE_REWRITE_IP=1
      - NEXTCLOUD_TRUSTED_DOMAINS=<sub.domain.tld> <local-ip> # Your domain name + proxy host IP
      - TRUSTED_PROXIES=<local-ip> # proxy host IP

~

My docker-compose file for the reverse proxy:

version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx-proxy-manager
    restart: unless-stopped
    ports:
      - '6780:80' 
      - '6781:81'
      - '28443:443'
    environment:
      DB_MYSQL_HOST: ~
      DB_MYSQL_PORT: ~
      DB_MYSQL_USER: ~
      DB_MYSQL_PASSWORD: ~
      DB_MYSQL_NAME: ~
    volumes:
      ~
    depends_on:
      - db
  db:
    image: 'jc21/mariadb-aria:latest'
    container_name: npmdb
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: ~
      MYSQL_DATABASE: ~
      MYSQL_USER: ~
      MYSQL_PASSWORD: ~
      MYSQL_TCP_PORT: ~
      MYSQL_UNIX_PORT: ~
    volumes:
      ~

~

The AIO setup page states that port 80 and 443 of my server should be open. Because the AIO will be run behind the reverse proxy, I will be opening the mapped ports for 80 (6780) and 443 (28443) on my router like so:


…continues

DOMAIN SETUP

Here is my domain (and subdomain) registered for Nextcloud:


The subdomain points to the DDNS hostname…

~

DDNS setup:
The DDNS hostname points to the remote IP of my NAS…

…continues

DDNS setup on NAS:

…continues

Reverse proxy pointing subdomain to local ip and Apache port:

and the SSL certificate that NPM generated for the proxy:

NOTES

I have an instance of the regular Nextcloud Docker image running properly behind the reverse proxy, fully accessible remotely via HTTPS. (I shut down this instance before starting with the AIO setup).

With all the above info, I feel like everything in the chain should be set up properly:

  • Domain pointing to DDNS
  • DDNS pointing to server IP
  • Reverse proxy handling ports 80/443, and passes domain onto local ip and port with a valid SSL certificate

I have confirmed that both my subdomain and DDNS hostname ultimately point to my NAS’ external IP. From another machine on the same network as my NAS, the certificate seems fine:

…and opening my sub.domain.tld in Firefox shows the correct certificate:


which also renders the expected hash response from the AIO Apache server on the page.

…continues

Though, if I try to curl from within the AIO mastercontainer, I get the original error:

I am not sure why the certificate is lost here, I assume NPM will always handle it. I hope I have provided enough info, and if not, please let me know and I will be happy to do so. Also sorry for breaking up the post, this forum only lets new accounts include 2 images per post…
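The check the mastercontainer performs is a TLS connection to the domain followed by a comparison of the response body, so the useful diagnostic is to repeat that from the same vantage point and look at which certificate actually answers. The script below is an added example for this thread, not code from the forum post or from the Nextcloud AIO project. It assumes the names used above (sub.domain.tld, NPM's HTTPS port 28443, the mastercontainer log format) and relies on openssl and getent being present, which is the case in most Linux containers. Run it once from the NAS and once inside the mastercontainer (`docker exec -it nextcloud-aio-mastercontainer sh`): if port 443 presents a certificate whose subject equals its issuer while port 28443 presents the proxy's Let's Encrypt certificate, the name resolves, from that vantage point, to something other than the proxy's TLS port.

```shell
#!/bin/sh
# Added diagnostic (not part of the forum thread or the Nextcloud AIO project).
# It repeats what the AIO mastercontainer does when validating the domain:
# resolve the name, open a TLS connection, and inspect the certificate that
# answers. Ports and names are assumptions taken from the thread
# (sub.domain.tld, NPM HTTPS on 28443).

# Return 0 when a certificate is self-signed, judged the simple way:
# subject and issuer distinguished names are identical.
is_self_signed() {
    subject="$1"
    issuer="$2"
    [ "$subject" = "$issuer" ]
}

# Extract the plain error text from a mastercontainer log line of the form
#   [...] The error message was: <text>, referer: https://...
# Prints nothing for lines that are not "The error message was:" lines.
aio_error_message() {
    printf '%s\n' "$1" | sed -n 's/.*The error message was: \(.*\), referer: .*/\1/p'
}

# Print "subject|issuer|verify-result" for the certificate served on host:port.
# SNI (-servername) is sent so a name-based proxy such as NPM picks the right site.
presented_cert() {
    host="$1"
    port="$2"
    raw=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null) || return 1
    subject=$(printf '%s\n' "$raw" | openssl x509 -noout -subject 2>/dev/null | sed 's/^subject=//')
    issuer=$(printf '%s\n' "$raw" | openssl x509 -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    verify=$(printf '%s\n' "$raw" | sed -n 's/^ *Verify return code: //p' | head -n 1)
    printf '%s|%s|%s\n' "$subject" "$issuer" "$verify"
}

# Compare what answers on 443 (what the mastercontainer contacts) with what
# answers on the proxy's own HTTPS port, from the host this script runs on.
diagnose() {
    domain="$1"
    proxy_port="$2"
    addrs=$(getent ahosts "$domain" | awk '{print $1}' | sort -u | tr '\n' ' ')
    printf '%s resolves here to: %s\n' "$domain" "${addrs:-<unresolved>}"
    for port in 443 "$proxy_port"; do
        line=$(presented_cert "$domain" "$port") || { printf 'port %s: no TLS answer\n' "$port"; continue; }
        subject=${line%%|*}
        rest=${line#*|}
        issuer=${rest%%|*}
        verify=${rest#*|}
        if is_self_signed "$subject" "$issuer"; then
            printf 'port %s: SELF-SIGNED certificate [%s], verify: %s\n' "$port" "$subject" "$verify"
        else
            printf 'port %s: [%s] issued by [%s], verify: %s\n' "$port" "$subject" "$issuer" "$verify"
        fi
    done
}

# Network checks run only when a domain is supplied, e.g.
#   AIO_DOMAIN=sub.domain.tld AIO_PROXY_PORT=28443 sh check-cert.sh
if [ -n "${AIO_DOMAIN:-}" ]; then
    diagnose "$AIO_DOMAIN" "${AIO_PROXY_PORT:-28443}"
fi
```

The "verify" field reports openssl's chain validation against the system trust store, which is the same check curl applies inside the container; a result other than "0 (ok)" on port 443 means the validation will fail there regardless of what a browser on another machine shows.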

Hi, if you are completely sure that you configured everything correctly and the domain validation still fails, you can simply skip it. See GitHub - nextcloud/all-in-one: Nextcloud AIO stands for Nextcloud All In One and provides easy deployment and maintenance with most features included in this one Nextcloud instance.

Thank you for your response! I did see it was possible to disable the domain validation. I will certainly go that route if I find no solution here, but I figured I would pick the minds of those more experienced with this sort of thing first :slightly_smiling_face:
