[First time n00b]: Domain validation issue

First time Nextcloud user and docker newbie here.

I followed the instructions for the official AIO docker image install on a fairly vanilla Ubuntu 22.04 LTS install on a Dell T320 and ran into domain validation and subsequent access issues.

My Setup

  1. Symmetric GB Fiber internet with static IP
  2. Public DNS A-record for nextcloud.. set to this static IP
  3. Port forwarding for TCP+UDP in ISP Router to my Security Gateway (which is the only device plugged into the ISP Router)
  4. Ubiquiti Security Gateway Pro 4 with Port forwarding rule for port 443 TCP/UDP to Dell T320 server, which has static IP 192.168.3.18
  5. Public port scan confirms that this port is now open
  6. nslookup nextcloud.. resolves accurately and returns my public static IP properly

The only other thing that runs on this server is a Minecraft instance, and I used the exact same method for port forwarding inside the ISP router and the security appliance, which worked like a charm for Minecraft.

The Basics

  • Nextcloud Server version (e.g., 29.x.x): Nextcloud Hub 9 (30.0.4-30.0.4.1)
  • Operating system and version (e.g., Ubuntu 24.04): Ubuntu 22.04.5 LTS
  • Web server and version (e.g, Apache 2.4.25): Apache/2.4.62
  • Reverse proxy and version (e.g. nginx 1.27.2): not sure
  • PHP version (e.g, 8.3): 8.3.14
  • Is this the first time you’ve seen this error? (Yes / No): Yes
  • When did this problem seem to first start?: During the AIO install process / domain validation
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.): AIO
  • Are you using Cloudflare, mod_security, or similar? (Yes / No): Not that I know of

Summary of the issue you are facing:

  1. Error “The domain is not reachable on Port 443 from within this container” during domain validation of new AIO instance install
  2. Ability to use my smartphone (not connected to wifi) to log into web interface of NC if AIO installed with SKIP_DOMAIN_VALIDATION=true
  3. Inability to use my Windows PC to log into web interface of NC (even if I use a VPN to access the Public IP)
  4. Inability to access the web interface of NC via https://192.168.3.18/

I assume it MUST be a network error, but the very same method worked for minecraft (and - with an older version of the OS before I wiped it again - with other software such as Splunk). So I know that the server itself can be reached, ports are open, etc.

It may be some issue with Docker, but I am new to Docker and I just followed the instructions given in the official documentation.

Steps to replicate it (hint: details matter!):

  1. Install Ubuntu 22.04 LTS server on bare metal server Dell T320, pretty much with default settings. Very basic install.

  2. apt-get update / upgrade of course

  3. Set timezone to UTC

  4. add common ports such as 22, 80, 443 etc. to ALLOW list of ufw

  5. but deactivate ufw for the purposes of this install

  6. Install Docker as per Ubuntu | Docker Docs

  7. Follow the instructions at GitHub - nextcloud/all-in-one.

  8. This includes running the command from step 3 in GitHub - nextcloud/all-in-one.

  9. Use a Chrome browser to open 192.168.3.18:8080

  10. copy the pass phrase and go to next page

  11. Enter passphrase to log in

  12. Enter nextcloud.. as new AIO instance name

  13. Click “Submit”

  14. Observe the error message [The domain is not reachable on Port 443 from within this container]

I then removed the two NC containers (docker stop, docker rm) and issued the installation command again, but this time with SKIP_DOMAIN_VALIDATION:

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 80:80 \
--publish 8080:8080 \
--publish 8443:8443 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
-e SKIP_DOMAIN_VALIDATION=true \
nextcloud/all-in-one:latest

Now I can use my smartphone (not connected to Wi-Fi) to access the web interface of NC as admin.
But I cannot use my Windows PC, not even if I use a VPN.

I also created local DNS records pointing nextcloud.. to 192.168.3.18 and my public IP respectively. I use pihole for that purpose and pointed the Security Appliance to pihole as primary DNS server for the purpose of that test. No change to the issue.

Log entries

Using my smartphone to log into the admin interface of NC, I was able to generate the following report:

Server configuration detail

Operating system: Linux 5.15.0-127-generic #137-Ubuntu SMP Fri Nov 8 15:21:01 UTC 2024 x86_64

Webserver: Apache/2.4.62 (Unix) (fpm-fcgi)

Database: pgsql PostgreSQL 16.6 on x86_64-pc-linux-musl, compiled by gcc (Alpine 14.2.0) 14.2.0, 64-bit

PHP version: 8.3.14

Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, hash, iconv, json, mbstring, SPL, session, PDO, pdo_sqlite, bz2, posix, random, readline, Reflection, standard, SimpleXML, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, cgi-fcgi, apcu, bcmath, Phar, exif, ftp, gd, gmp, igbinary, imagick, imap, intl, ldap, memcached, pcntl, pdo_pgsql, pgsql, redis, smbclient, sodium, sysvsem, zip, libsmbclient, Zend OPcache

Nextcloud version: 30.0.4 - 30.0.4.1

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

List of activated apps
Enabled:
 - activity: 3.0.0
 - admin_audit: 1.20.0
 - app_api: 4.0.3
 - bruteforcesettings: 3.0.0
 - calendar: 5.0.8
 - circles: 30.0.0
 - cloud_federation_api: 1.13.0
 - comments: 1.20.1
 - contacts: 6.1.2
 - contactsinteraction: 1.11.0
 - dashboard: 7.10.0
 - dav: 1.31.1
 - deck: 1.14.2
 - federatedfilesharing: 1.20.0
 - federation: 1.20.0
 - files: 2.2.0
 - files_downloadlimit: 3.0.0
 - files_pdfviewer: 3.0.0
 - files_reminders: 1.3.0
 - files_sharing: 1.22.0
 - files_trashbin: 1.20.1
 - files_versions: 1.23.0
 - firstrunwizard: 3.0.0
 - logreader: 3.0.0
 - lookup_server_connector: 1.18.0
 - nextcloud-aio: 0.7.0
 - nextcloud_announcements: 2.0.0
 - notes: 4.11.0
 - notifications: 3.0.0
 - notify_push: 0.7.0
 - oauth2: 1.18.1
 - password_policy: 2.0.0
 - photos: 3.0.2
 - privacy: 2.0.0
 - provisioning_api: 1.20.0
 - recommendations: 3.0.0
 - related_resources: 1.5.0
 - richdocuments: 8.5.3
 - serverinfo: 2.0.0
 - settings: 1.13.0
 - sharebymail: 1.20.0
 - spreed: 20.1.1
 - support: 2.0.0
 - survey_client: 2.0.0
 - systemtags: 1.20.0
 - tasks: 0.16.1
 - text: 4.1.0
 - theming: 2.5.0
 - twofactor_backupcodes: 1.19.0
 - twofactor_totp: 12.0.0-dev
 - user_status: 1.10.0
 - viewer: 3.0.0
 - weather_status: 1.10.0
 - webhook_listeners: 1.1.0-dev
 - workflowengine: 2.12.0
Disabled:
 - encryption
 - files_external
 - suspicious_login
 - twofactor_nextcloud_notification
 - user_ldap
Configuration (config/config.php)
{
    "one-click-instance": true,
    "one-click-instance.user-limit": 100,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "apps_paths": [
        {
            "path": "\/var\/www\/html\/apps",
            "url": "\/apps",
            "writable": false
        },
        {
            "path": "\/var\/www\/html\/custom_apps",
            "url": "\/custom_apps",
            "writable": true
        }
    ],
    "check_data_directory_permissions": false,
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "password": "***REMOVED SENSITIVE VALUE***",
        "port": 6379
    },
    "overwritehost": "nextcloud.qunnect.ca",
    "overwriteprotocol": "https",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "localhost",
        "nextcloud.qunnect.ca"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "pgsql",
    "version": "30.0.4.1",
    "overwrite.cli.url": "https:\/\/nextcloud.qunnect.ca\/",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "loglevel": 2,
    "log_type": "file",
    "logfile": "\/var\/www\/html\/data\/nextcloud.log",
    "log_rotate_size": 10485760,
    "log.condition": {
        "apps": [
            "admin_audit"
        ]
    },
    "preview_max_x": 2048,
    "preview_max_y": 2048,
    "jpeg_quality": 60,
    "enabledPreviewProviders": {
        "1": "OC\\Preview\\Image",
        "2": "OC\\Preview\\MarkDown",
        "3": "OC\\Preview\\MP3",
        "4": "OC\\Preview\\TXT",
        "5": "OC\\Preview\\OpenDocument",
        "6": "OC\\Preview\\Movie",
        "7": "OC\\Preview\\Krita",
        "0": "OC\\Preview\\Imaginary",
        "23": "OC\\Preview\\ImaginaryPDF"
    },
    "enable_previews": true,
    "upgrade.disable-web": true,
    "mail_smtpmode": "smtp",
    "trashbin_retention_obligation": "auto, 30",
    "versions_retention_obligation": "auto, 30",
    "activity_expire_days": 30,
    "simpleSignUpLink.shown": false,
    "share_folder": "\/Shared",
    "one-click-instance.link": "https:\/\/nextcloud.com\/all-in-one\/",
    "upgrade.cli-upgrade-link": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/2726",
    "updatedirectory": "\/nc-updater",
    "maintenance_window_start": 100,
    "allow_local_remote_servers": true,
    "davstorage.request_timeout": 3600,
    "documentation_url.server_logs": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/5425",
    "htaccess.RewriteBase": "\/",
    "dbpersistent": false,
    "auth.bruteforce.protection.enabled": true,
    "ratelimit.protection.enabled": true,
    "files_external_allow_create_new_local": false,
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "preview_imaginary_url": "***REMOVED SENSITIVE VALUE***",
    "preview_imaginary_key": "***REMOVED SENSITIVE VALUE***",
    "DOMAIN": "nextcloud.qunnect.ca"
}

Cron Configuration: Array ( [backgroundjobs_mode] => cron [lastcron] => 1735508404 )

External storages: files_external is disabled

Encryption: no

User-backends:

  • OC\User\Database

Subscription:

  • No valid subscription key set

Talk configuration:

STUN servers

TURN servers

Signaling servers (mode: default):

Recording servers:

  • Recording is enabled
  • Recording consent is set to “default”
  • no recording server configured

Browser: Mozilla/5.0 (iPhone; CPU iPhone OS 18_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1.1 Mobile/15E148 Safari/604.1


Hello,

I had a very similar issue when first installing NextCloud AIO.

The installation assumes that all of the containers are on the Nextcloud-created bridge networks, which use the host's interface to communicate with the rest of the world. Nextcloud containers use the bridge network to communicate with each other on the back end.

When domain validation is active, the domain validation container (nextcloud-aio-domaincheck) will attempt to confirm that there is a service active at the hostname.domainname.com address. If it can’t, domain validation will fail.

For this to work, inbound port 443 must be opened to the Linux host running Docker/Nextcloud (we also had 80 open initially), i.e. to the host of the Docker installation (the bridged network's ingress/egress for the containers on the Linux host running Docker).

Your Minecraft and Nextcloud installations should be using different forwarded ports.

Inbound TCP ports from the Internet to your Linux host at 192.168.3.18 should initially be 443 and 80, and outbound to the Internet 80, 443 and 53 (DNS). After domain validation you can turn off port 80 inbound. If domain validation succeeds, a Let’s Encrypt certificate should be generated.

Once the system is configured, internal access may be via hostname.internaldomainname.com (192.168.3.18), whereas external access will be via hostname.externaldomainname.com (?). To resolve this you can attempt to use a hairpin NAT (getting internal resources to reach the internal server via the firewall's external IP), hosts files and/or internal DNS.

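The reply above describes what the AIO domain check needs to succeed: the public name must resolve, and a connection to that name on port 443 must land on the Docker host, from a vantage point inside the LAN (the container's bridge network). The following triage script is an added example written for this thread; it is not part of Nextcloud AIO and not code from either poster. It records the three observations that decide the outcome (what the name resolves to, whether name:443 and lan_ip:443 complete a TCP handshake) and maps them to one of a few diagnoses, including the hairpin NAT / split DNS case the reply mentions. The domain name and the public IP 203.0.113.10 used in the usage examples are placeholders; the LAN address 192.168.3.18 is the one from the post. Network I/O is passed in as callables so the decision logic can be exercised offline.

```python
"""Added example, not AIO's own code: triage why "The domain is not reachable on
Port 443 from within this container" fires.

From the vantage point of the Docker bridge network two things must hold: the
public name resolves, and a TCP connection to <name>:443 lands on this host.
This script records what the name resolves to, whether <name>:443 and
<lan_ip>:443 accept a TCP handshake, and maps those facts to a diagnosis.
"""
import argparse
import socket
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple

Resolver = Callable[[str], FrozenSet[str]]
Connector = Callable[[str], bool]


@dataclass(frozen=True)
class Observation:
    resolved: FrozenSet[str]  # A records the local resolver returned for the name
    public_ip: str            # the ISP-facing static IP the public A record should carry
    lan_ip: str               # the Docker host's LAN address (192.168.3.18 in the post)
    via_name: bool            # TCP handshake to <name>:443 completed
    via_lan: bool             # TCP handshake to <lan_ip>:443 completed


def resolve(domain: str) -> FrozenSet[str]:
    """IPv4 addresses the *local* resolver hands out; empty set on NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return frozenset()
    return frozenset(info[4][0] for info in infos)


def tcp_open(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """True if a plain TCP handshake to host:port completes (no TLS, no HTTP).
    TCP only: a UDP 443 forward plays no part in this check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


ADVICE = {
    "NXDOMAIN": "the name does not resolve from this vantage point; publish the public A record, or add it to the internal DNS the Docker host uses",
    "WRONG_TARGET": "the name resolves to an address that is neither the public IP nor the LAN IP; fix the A record",
    "OK": "<name>:443 accepts connections from here; if AIO still fails, repeat this from a container on the AIO Docker network",
    "HAIRPIN_OR_SPLIT_DNS": "the host answers on 443 but the public IP is unreachable from inside; enable hairpin NAT on the gateway or let internal DNS return the LAN IP",
    "INCONSISTENT": "the name resolves to the LAN IP and the LAN IP answers, yet the connect by name failed; re-run, this is usually transient",
    "PORT_CLOSED": "nothing answers on 443 even at the LAN address; check the port forward, ufw, and that the AIO Apache container is up",
}


def diagnose(o: Observation) -> str:
    """Map one observation to a code in ADVICE; the most basic failure wins."""
    if not o.resolved:
        return "NXDOMAIN"
    if o.public_ip not in o.resolved and o.lan_ip not in o.resolved:
        return "WRONG_TARGET"
    if o.via_name:
        return "OK"
    if not o.via_lan:
        return "PORT_CLOSED"
    if o.lan_ip in o.resolved:
        return "INCONSISTENT"
    return "HAIRPIN_OR_SPLIT_DNS"


def check(domain: str, public_ip: str, lan_ip: str,
          resolver: Resolver = resolve, connect: Connector = tcp_open) -> Tuple[Observation, str]:
    """Gather the observation with the given I/O callables and diagnose it."""
    o = Observation(resolved=resolver(domain), public_ip=public_ip, lan_ip=lan_ip,
                    via_name=connect(domain), via_lan=connect(lan_ip))
    return o, diagnose(o)


if __name__ == "__main__":
    p = argparse.ArgumentParser(description="AIO domain-check triage (added example)")
    p.add_argument("domain")      # e.g. nextcloud.example (placeholder)
    p.add_argument("public_ip")   # e.g. 203.0.113.10 (placeholder)
    p.add_argument("lan_ip")      # e.g. 192.168.3.18
    args = p.parse_args()
    obs, code = check(args.domain, args.public_ip, args.lan_ip)
    print(f"resolved={sorted(obs.resolved)} via_name={obs.via_name} via_lan={obs.via_lan}")
    print(f"{code}: {ADVICE[code]}")
```

Run it on the Docker host as `python3 triage.py nextcloud.example 203.0.113.10 192.168.3.18`; to match the vantage point of the AIO check itself, run it again from a throwaway container attached to the same Docker network as the mastercontainer (whatever `docker network ls` shows for AIO). A LAN client that reports HAIRPIN_OR_SPLIT_DNS is exactly the situation the reply above addresses with hairpin NAT, hosts files or internal DNS: the port forward is fine for the outside world, but connections from inside the LAN to the public IP never come back.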

Hi @klein, I think you might be looking for this? GitHub - nextcloud/all-in-one

I thought I did all that, yet the domain validation still failed.

I then used the skip domain validation parameter to get NC installed.
And it seems to work.

What I ultimately did:

  • Public DNS A-Record pointing to my static IP
  • Internal DNS A-Record pointing to my servers internal IP 192.168.3.18
  • Port forwarding for port 443 for TCP and UDP to the Security Appliance
  • Port forwarding for port 443 for TCP and UDP from Security Appliance to 192.168.3.18
  • Renaming the server to carry the hostname of the nextcloud.domain.tld I chose
  • Opening Port 443 in UFW

So… nothing really special. I did something similar with Minecraft on port 25563, which worked beautifully (and has worked like a charm for years).

Now, I can access NC from within my LAN, and from outside.

Yet the domain validation still fails if I try to invoke it (e.g. by means of a fresh install). Which seems weird.

Hi, I followed the instructions on that page, yet the domain validation step still failed.