Have any home users been able to setup external access to Nextcloud via https? (Using noip.com)

DadOfRCA · February 23, 2021, 12:29pm

Hi,

I’m using the Hansson IT VM for Nextcloud on Mint Linux with VirtualBox. I have a domain name registered with noip.com, and did that because I thought I could use their port 80 / 8080 redirection service to get everything running nice because Port 80 is blocked by my ISP.
However, it doesn’t seem possible to have both Port 80 Redirection and DNS Hostname (A) enabled for the domain at the same time with noip.com. If I configure my domain to DNS Hostname (A), then part of the lets encrypt section of the script works, but won’t continue because port 80 redirection isn’t enabled. If I set port 80 redirection to enabled, and remove DNS Hostname (A), then the scripts fails when looking up the domain names public IP, but will see that port forwarding is working. I’d really like to know how others have been able to access Nextcloud externally?

If this makes sense to anyone, I could use some advice on how I can get my setup configured with https external access.

bb77 · February 23, 2021, 12:49pm

Hello

DNS has nothing to do with ports. But The Let’s Encrypt client needs port 80 to be open to obtain a certificate. There are other challenge types like DNS-challenge, wich you could use to obtain a certificate without any ports open but there is manual work involved to set this up properly and I also somewhat doubt whether that makes sense at all, if you can’t use the standard ports anyways.

https://letsencrypt.org/docs/challenge-types/

Maybe other forums participants have better ideas. But I think the easiest way to deal with this is to set it up on a diffrent port with self signed certificates and just use it like that. In addition to that you could use an external reverse proxy with proper certificates, either self hosted on a vps or by using an external proxy service like cloudflare or similiar.

Hope this helps.

Reiner_Nippes · February 23, 2021, 3:16pm

if you are using a free noip account you can’t use dns-challenge. because you need to set a TXT record. and it’s not included in the free version

grafik

pick a dns registrar from the following list because they are supported by letsencrypt certbot:

configure your certbot to use this method.

if i understand the vm script of @enoch85 right it is supporting dns challenge out-of-the-box.

github.com

nextcloud/vm/blob/5189cfe08b3afae934eca1c52aca8dd6c0da6701/lib.sh#L743


    uir_hsts="--uir --hsts"
fi
a2dissite 000-default.conf
systemctl reload apache2.service
default_le="--rsa-key-size 4096 --renew-by-default --no-eff-email --agree-tos $uir_hsts --server https://acme-v02.api.letsencrypt.org/directory -d $1"
#http-01
local  standalone="certbot certonly --standalone --pre-hook \"systemctl stop apache2.service\" --post-hook \"systemctl start apache2.service\" $default_le"
#tls-alpn-01
local  tls_alpn_01="certbot certonly --preferred-challenges tls-alpn-01 $default_le"
#dns
local  dns="certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns $default_le"
local  methods=(standalone dns)
for f in ${methods[*]}
do
    print_text_in_color "${ICyan}" "Trying to generate certs and validate them with $f method."
    current_method=""
    eval current_method="\$$f"
    if eval "$current_method"
    then
        return 0

if you look for more registrars supported, remove certbot and change to acme.sh:

but that’s a little bit of work.

note: it seems noip.com is not supported by acme.sh. i didn’t see it in the list.

DadOfRCA · February 23, 2021, 3:44pm

Wow! Thank you for all the input and suggestions on this. I did a few things this morning before coming back to this post. Here’s what worked, but not sure if I should trust it.

I went through the VM Install as it asks questions, and automates the installation. I set my domain at noip to redirect port 80 to 8080, paid service, (Using the Linux Dynamic Update Client, so noip associates my IP with the domain).
Updated my router for port forwarding to the VM running Nextcloud, (8080 and 443).
The script recognized that port 80 was available, and continued the install script. I was getting DNS errors as the script could not resolve my domain with the public IP in my home. Then it generated a code, and told me to add a text record (_acme-challenge). So I did that, and the script continued, and configured itself.
Once done, I was only able to access the Nextcloud install by using the local ip. Back at noip, I changed the setting from “Redirect Port 80”, to “DNS Hostname (A)”.
After a few minutes, I’m now able to type in my domain name, and I’m redirected to the local Nextcloud install with https!
No errors!

Will this continue to work? I don’t know.
Will the “Lets Encrypt” auto-renew script work? I don’t know.
Will I trust this? I don’t know.
But I plan on making backups in virtual box, and running some tests.

enoch85 · February 23, 2021, 6:56pm

if i understand the vm script of @enoch85 right it is supporting dns challenge out-of-the-box.

Correct DNS validation is supported out of the box.

@DadOfRCA The “issue” with DNS validation is that you need to manually renew the cert every 3 months, else it will expire.

We are planning to fix that in an upcoming version, but as with everything - things take time. If you want to follow the proceeds, you can have a look at this: