How to get around "access through untrusted domain" error

I set up NextCloud in a Docker container running on unRAID. Got it all up and running perfectly fine, but I’m running into the “access through untrusted domain” error. I think this is an SSL issue so I followed the reverse proxy guide by SpaceInvader One but have run into a problem with remote access that I do not think I can fix. Hopefully someone here can prove me wrong.

I can not set up the SSL cert/reverse proxy. My ISP blocks port 80 inbound.

From what I understand, that is how you prevent the whole “access through untrusted domain” thing.

Is there a method of generating the SSL cert that doesn’t rely on port 80? Am I doing something else wrong? (At 15:14 in the above video, that’s similar to the error I get.) Is there a way to bypass the whole “untrusted domain” thing entirely? Is there another way to generate a cert that works for this? I’m just looking for a way to get this to work as, without remote access, NextCloud is pretty useless.

I’m open to any ideas. Thank you all.

It is not 100% clear to me what you mean by speaking about the access through untrusted domain error. Are you sure that it is shown in the web browser because the certificate cannot be validated or because you haven’t set the trusted_domains parameter of Nextcloud?

If you meant the following message, you should read e.g. this posting: Nextcloud useless due to "untrusted domain" error

Concerning "Is there a method of generating the SSL cert that doesn’t rely on port 80?" you are also speaking in miracles. Do you want to generate a Let’s Encrypt certificate or what do you mean?
If you’re speaking about Let’s Encrypt, it might be of interest for you that, besides http-01 (80/tcp), the protocol tls-alpn-01 (443/tcp) is also supported. See Deploying Let’s Encrypt certificates using tls-alpn-01 (https) | by Sam Decrock | Medium for more details.

Thank you for the info.

I have no problem adding trusted domains but, what domains do I add as trusted to allow access from the Internet? I can already access it via LAN…I can’t access it from the Internet. That first link you provided seems to be a guy having troubles accessing it from his own network. I can already do that.

Yes, I think I need to generate a Let’s Encrypt certificate, or some certificate, so that I can access my server from the Internet. I can’t create certs though as my ISP blocks inbound port 80 and I think they block inbound 443 as well.

In the video I linked above, the error that he shows at 15:14 is what is happening to me. After some research, and calling my ISP, I found out that inbound port 80 is blocked and I think that’s what is keeping it from connecting as it should.

I just need to know how to get around the “access through untrusted domain” error.

Maybe I just need to add the duckdns URL I’m using to connect…I want to give that a shot, but I can’t for the LIFE OF ME find the config.php file!! Anyone have a path to it?

Found it. The path in a Docker container is /config/www/nextcloud/config

Added my URL and all is right with the world. Thank you!

What do you mean you added your URL??

I am having the same problem; it did work for a bit, but stopped.

https://docs.nextcloud.com/server/18/admin_manual/installation/installation_wizard.html#trusted-domains-label

https://docs.nextcloud.com/server/18/admin_manual/configuration_server/occ_command.html#config-commands

You can use OCC instead of manually editing the config file. The config file is located in the config folder under the Nextcloud web root.

Not working for me, and I am new to linux (coming from different background, trying to learn something), so if you need some other data, you may have to give little guidance to follow.

I am stuck at this screen:

Here is my php file:

<?php
$CONFIG = array (
  'memcache.local' => '\OC\Memcache\APCu',
  'datadirectory' => '/data',
);
  'trusted_proxies' => ['letsencrypt'],
  'overwrite.cli.url' => 'https://docs.MYDOMAIN.COM/',
  'overwritehost' => 'docs.MYDOMAIN.COM',
  'overwriteprotocol' => 'https',
  'trusted_domains' => array (
    0 => 'docs.MYDOMAIN.COM',
    1 => '192.168.1.187',
  ),
?>

It works with my regular internal IP, which is 192.168.1.187:4141. Using docs.MYDOMAIN.COM brings me to this blue screen where it asks me to edit config.php.

As you can see, I have it in there. Just not working.

My install:

Used regular Nextcloud install with mariadb database using create container
Using nginx-proxy-manager docker. (Other domains I have forwarded and they work normally.)

Here is the log of the Nextcloud domain when I use my domain:

172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET / HTTP/1.1" 400 4895 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"
172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET /core/img/background.png?v=2 HTTP/1.1" 304 145 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"
172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET /core/js/oc.js?v=4f01b758 HTTP/1.1" 400 5006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"
172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET /js/core/merged-template-prepend.js?v=4f01b758-11 HTTP/1.1" 400 5006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"
172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET /core/img/manifest.json HTTP/1.1" 304 143 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"
172.17.0.1 - - [26/Jul/2020:01:51:56 +0000] "GET /cron.php HTTP/1.1" 400 4601 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40"

172.17.0.1 is my Docker install’s bridge network IPv4 IPAM gateway.

  • If you want to use a Let’s Encrypt certificate you usually need to open port 80/tcp to get the initial verification done which uses http-01 as verification protocol. After a first certificate has successfully been created it would be possible to switch to the tls-alpn-01 protocol which uses port 443/tcp for the verification process, but you need an alpn-listener to use it. A third way would be to use dns-01 as verification protocol, which requires full access to your personal domain record so that you can add a TXT record with the provided verification challenge. In this case you wouldn’t need to open inbound port 80/tcp at all.

  • The trusted domain setting has nothing to do with a certificate. It only verifies the domain(s) or IP(s) which are used to reach the server (not the addresses from where you’re accessing the server!). In your configuration snippet you’re using a domain name with uppercase letters, but domain names are always converted to lowercase, so you should modify the entry accordingly.

  • Please see my initial explanation about the available options.

Anyone can take a look before I give up? Thanks.

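The reply above says that trusted_domains is matched against the name or IP used to reach the server, not the address the client connects from. As an added example (not from this thread and not Nextcloud's own code), the Python sketch below models such a check and goes a little further than the reply by covering ports, `*` wildcards and a forwarded host header. The entry docs.example.com, the proxy address and the X-Forwarded-Host handling are assumptions of the sketch.

```python
# Added illustration, not Nextcloud's code: a simplified model of the check.
import re

TRUSTED_DOMAINS = ["docs.example.com", "192.168.1.187"]  # placeholder entries
TRUSTED_PROXIES = ["172.17.0.1"]  # assumed address of the reverse proxy


def strip_port(host):
    """Lowercase the name and drop a trailing :port; IPv6 keeps its brackets."""
    host = host.strip().lower()
    if host.startswith("["):
        return host[: host.find("]") + 1]
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def matches(host, entry):
    """Compare a host with one entry; '*' in the entry is a wildcard."""
    parts = [re.escape(p) for p in entry.lower().split("*")]
    return re.fullmatch("[-.a-z0-9]*".join(parts), host) is not None


def effective_host(client_ip, headers):
    """Honour X-Forwarded-Host only when the peer is a configured proxy."""
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded and client_ip in TRUSTED_PROXIES:
        return forwarded.split(",")[0]
    return headers.get("Host", "")


def status_for(client_ip, headers):
    """Return 200 or 400; client_ip is never compared with TRUSTED_DOMAINS."""
    host = strip_port(effective_host(client_ip, headers))
    if not host or host.startswith("-") or ".." in host:
        return 400
    return 200 if any(matches(host, e) for e in TRUSTED_DOMAINS) else 400


if __name__ == "__main__":
    # Constructed requests: (peer address, request headers)
    for ip, hdrs in [
        ("172.17.0.1", {"Host": "docs.example.com"}),
        ("172.17.0.1", {"Host": "192.168.1.187:4141"}),
        ("192.168.1.187", {"Host": "cloud.example.org"}),
        ("203.0.113.5", {"Host": "x.example.net", "X-Forwarded-Host": "docs.example.com"}),
    ]:
        print(ip, hdrs, "->", status_for(ip, hdrs))
```

The last constructed request is rejected because the forwarded header comes from a peer that is not a listed proxy, so only its own Host value is considered.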

Hello,
I have the same problem here when trying to activate SSL: how do I configure config.php so that I can access the Nextcloud dashboard from the Internet?

The answer is in the link (how to: Add a new Trusted domain) posted just above your question.

For those who are having this issue:

1. Set up Nextcloud
2. Can access locally via server/Nextcloud private IP address. Example “192.168.1.2/index.php/login”
3. Set up SSL access
4. Added their domain or public IP to trusted domains

After setting up the above, you still get an untrusted domain error when attempting to access via public IP or domain name.

The answer to fix your problem is simple. You have port forwarding set up to access your server via the net, so the flow of the IP packet is where you need to look.

The problem is that when you port forward, your domain is no longer the IP you access the server from; it’s your gateway or the IP of whatever is doing the port forwarding.

The following example will consist of the simplest setup. If you bridge your modem, then that would vary from my example, but the principles would be the same.

More detailed example:
domain setup:
Domain pub ip = 9.9.9.1
Domain name = something.somewhere.com

Home setup:
modem pub ip = 8.8.8.1
modem private ip = 192.168.1.1
Dhcp server ip = 192.168.1.1
Default pub gateway ip = 8.8.8.34

port forward rules:
From any ip on port 1234(or 443) forward to 192.168.1.2 on port 443

nextcloud server ip = 192.168.1.2(is static(dhcp reserved))
nextcloud default gateway ip = 192.168.1.1(points to the way out of the network, the modem in this instance)

nextcloud trusted domain list.
192.168.1.2
something.somewhere.com <--------- this is where your problem is

The problem is your path of the packet.

The path is as follows:
“something.somewhere.com:1234” -----> modem -------> port forward rule -------> 192.168.1.2

At the port forward rule portion your source is no longer something.somewhere; your new source is 192.168.1.1

To solve this issue:
nextcloud trusted domain list.
192.168.1.2
192.168.1.1 <------------- simply add your gateway to the trusted domains
“something.somewhere.com”