How to get around "access through untrusted domain" error

I set up NextCloud in a Docker container running on unRAID. Got it all up and running perfectly fine, but I’m running into the “access through untrusted domain” error. I think this is an SSL issue so I followed the reverse proxy guide by SpaceInvader One but have run into a problem with remote access that I do not think I can fix. Hopefully someone here can prove me wrong.

I cannot set up the SSL cert/reverse proxy. My ISP blocks port 80 inbound.

From what I understand, that is how you prevent the whole “access through untrusted domain” thing.

Is there a method of generating the SSL cert that doesn’t rely on port 80? Am I doing something else wrong? (At 15:14 in the above video, that’s similar to the error I get.) Is there a way to bypass the whole “untrusted domain” thing entirely? Is there another way to generate a cert that works for this? I’m just looking for a way to get this to work as, without remote access, NextCloud is pretty useless.

I’m open to any ideas. Thank you all.

It is not 100% clear to me what you mean by speaking about the access through untrusted domain error. Are you sure that it is shown in the web browser because the certificate cannot be validated or because you haven’t set the trusted_domains parameter of Nextcloud?

If you meant the following message, you should read e.g. this posting: Nextcloud useless due to "untrusted domain" error

Concerning "Is there a method of generating the SSL cert that doesn’t rely on port 80?" you are also speaking in miracles. Do you want to generate a Let’s Encrypt certificate or what do you mean?
If you’re speaking about Let’s Encrypt, it might be of interest to you that, besides http-01 (80/tcp), the protocol tls-alpn-01 (443/tcp) is also supported. See https://medium.com/@decrocksam/deploying-lets-encrypt-certificates-using-tls-alpn-01-https-18b9b1e05edf for more details.

Thank you for the info.

I have no problem adding trusted domains but, what domains do I add as trusted to allow access from the Internet? I can already access it via LAN…I can’t access it from the Internet. That first link you provided seems to be a guy having troubles accessing it from his own network. I can already do that.

Yes, I think I need to generate a Let’s Encrypt certificate, or some certificate, so that I can access my server from the Internet. I can’t create certs though as my ISP blocks inbound port 80 and I think they block inbound 443 as well.

In the video I linked above, the error that he shows at 15:14 is what is happening to me. After some research, and calling my ISP, I found out that inbound port 80 is blocked and I think that’s what is keeping it from connecting as it should.

I just need to know how to get around the “access through untrusted domain” error.

Maybe I just need to add the duckdns URL I’m using to connect…I want to give that a shot, but I can’t for the LIFE OF ME find the config.php file!! Anyone have a path to it?

Found it. The path in a Docker container is /config/www/nextcloud/config

Added my URL and all is right with the world. Thank you!

What do you mean you added your URL?

I am having the same problem. It did work for a bit, but stopped.

https://docs.nextcloud.com/server/18/admin_manual/installation/installation_wizard.html#trusted-domains-label

https://docs.nextcloud.com/server/18/admin_manual/configuration_server/occ_command.html#config-commands

You can use OCC instead of manually editing the config file. The config file is located in the config folder under the Nextcloud web root.

Not working for me, and I am new to Linux (coming from a different background, trying to learn something), so if you need some other data, you may have to give a little guidance to follow.

I am stuck at this screen:

Here is my php file:

    <?php
    $CONFIG = array (
      'memcache.local' => '\OC\Memcache\APCu',
      'datadirectory' => '/data',
    );
      'trusted_proxies' => ['letsencrypt'],
      'overwrite.cli.url' => 'https://docs.MYDOMAIN.COM/',
      'overwritehost' => 'docs.MYDOMAIN.COM',
      'overwriteprotocol' => 'https',
      'trusted_domains' =>
      array (
        0 => 'docs.MYDOMAIN.COM',
        1 => '192.168.1.187',
      ),
    ?>

It works with my regular internal IP, which is 192.168.1.187:4141. Using docs.MYDOMAIN.COM brings me to this blue screen where it asks me to edit config.php.

As you can see, I have it in there. Just not working.

My install:

Used a regular Nextcloud install with a MariaDB database using create container.
Using the nginx-proxy-manager Docker container. (Other domains I have forwarded work normally.)

Here is the log of the Nextcloud container when I use my domain:

    172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET / HTTP/1.1" 400 4895 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"
    172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET /core/img/background.png?v=2 HTTP/1.1" 304 145 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"
    172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET /core/js/oc.js?v=4f01b758 HTTP/1.1" 400 5006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"
    172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET /js/core/merged-template-prepend.js?v=4f01b758-11 HTTP/1.1" 400 5006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"
    172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET /core/img/manifest.json HTTP/1.1" 304 143 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"
    172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET /cron.php HTTP/1.1" 400 4601 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"

172.17.0.1 is my Docker install’s bridge network IPv4 IPAM gateway.

  • If you want to use a Let’s Encrypt certificate you usually need to open port 80/tcp to get the initial verification done, which uses http-01 as the verification protocol. After a first certificate has successfully been created it would be possible to switch to the tls-alpn-01 protocol, which uses port 443/tcp for the verification process, but you need an ALPN listener to use it. A third way would be to use dns-01 as the verification protocol, which requires full access to your personal domain record so that you can add a TXT record with the provided verification challenge. In this case you wouldn’t need to open inbound port 80/tcp at all.

  • The trusted domain setting has nothing to do with a certificate. It only verifies the domain(s) or IP(s) which are used to reach the server (not the addresses from where you’re accessing the server!). In your configuration snippet you’re using a domain name with uppercase letters, but domain names are always converted to lowercase, so you should modify the entry accordingly.

  • Please see my initial explanation about the available options.
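
The trusted-domain point in the reply above, as an added example (not Nextcloud's code and not from the thread): an allow-list check on the Host header that a request arrives with, run against a constructed copy of the posted `trusted_domains` entries. It assumes the incoming host is lowercased and compared case-sensitively, which is the situation the lowercase advice guards against, and it goes one step further than the thread by handling `*` wildcards and bracketed IPv6 hosts; the function names are hypothetical.

```python
import re

# Constructed copy of the trusted_domains entries posted in the thread.
TRUSTED_AS_POSTED = ["docs.MYDOMAIN.COM", "192.168.1.187"]


def normalize_host(host_header: str) -> str:
    """Lowercase the Host header value and drop an optional :port suffix."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal such as [::1]:8080
        return host[:host.index("]") + 1] if "]" in host else ""
    return re.sub(r":\d+$", "", host)


def is_trusted(host_header: str, trusted: list[str]) -> bool:
    """Assumed rule (not Nextcloud's code): case-sensitive full match of the
    normalized host; '*' in an entry matches host-name characters only."""
    host = normalize_host(host_header)
    if not host:
        return False
    for entry in trusted:
        pattern = "[-.a-z0-9]*".join(re.escape(p) for p in entry.split("*"))
        if re.fullmatch(pattern, host):
            return True
    return False


def audit(trusted: list[str]) -> list[str]:
    """Flag entries that cannot match a lowercased host or are not bare hosts."""
    problems = []
    for entry in trusted:
        if entry != entry.lower():
            problems.append(f"{entry}: contains uppercase letters")
        if "/" in entry:
            problems.append(f"{entry}: scheme or path, expected a bare host")
    return problems


if __name__ == "__main__":
    for host in ("docs.mydomain.com", "192.168.1.187:4141", "other.example"):
        print(host, "->", is_trusted(host, TRUSTED_AS_POSTED))
    print(audit(TRUSTED_AS_POSTED))
```

The check is on the name the client used to reach the server, so the LAN address passes while the public name fails until its entry is written in lowercase; the client's own address (172.17.0.1 in the log) plays no part.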

Anyone can take a look before I give up? Thanks.
