In order to test the latest Nextcloud compatibility with OIDC/SAML identity provider, on Debian 12.7 x64:
OpenID - Wikipedia
Security Assertion Markup Language - Wikipedia
it is very easy to install Nextcloud AIO (all-in-one) Docker container:
Download and install Nextcloud
GitHub - nextcloud/all-in-one: 📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.
For this test, done locally within a VMware Workstation Pro 17.6 environment, Nextcloud AIO does not have an externally accessible public IP address, and therefore is not reachable via a public DNS name.
When a DNS name (using an internal DNS server) resolves to a private IP address, such as 192.168.7.54, the Nextcloud AIO initial setup complains that a public IP address is needed.
By adding SKIP_DOMAIN_VALIDATION, one can enter the internal DNS domain name (ending in .test), which resolves to a private IP address, into the Nextcloud AIO initial setup wizard.
https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-skip-the-domain-validation
```bash
sudo docker run \
  --init \
  --sig-proxy=false \
  --name nextcloud-aio-mastercontainer \
  --restart always \
  --publish 80:80 \
  --publish 8080:8080 \
  --publish 8443:8443 \
  -e SKIP_DOMAIN_VALIDATION=true \
  --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \
  nextcloud/all-in-one:latest
```
The wizard seems to end successfully. But then, when accessing the Nextcloud AIO, there is an error:
An error occurred during a connection to 192.168.7.54. Peer reports it experienced an internal error.
Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
There is a discussion about the error:
The `sudo docker logs nextcloud-aio-apache` command reveals that Nextcloud AIO is automatically trying to get a public SSL certificate for a private .TEST domain, and fails:
```
{"level":"error","ts":1729632641.8616588,"logger":"tls.obtain","msg":"will retry","error":"[NEXTCLOUDSRV.INTERNALDOMAIN.TEST] Obtain: [NEXTCLOUDSRV.INTERNALDOMAIN.TEST] creating new order: attempt 1: https://acme-staging-v02.api.letsencrypt.org/acme/new-order: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid identifiers requested :: Cannot issue for "NEXTCLOUDSRV.INTERNALDOMAIN.TEST": Domain name does not end with a valid public suffix (TLD) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":608.062301611,"max_duration":2592000}
{"level":"error","ts":1729633256.2977216,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"NEXTCLOUDSRV.INTERNALDOMAIN.TEST","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid identifiers requested :: Cannot issue for "NEXTCLOUDSRV.INTERNALDOMAIN.TEST": Domain name does not end with a valid public suffix (TLD)"}
```
I have an internal test SSL certificate (*.pfx) issued for NEXTCLOUDSRV.INTERNALDOMAIN.TEST by the internal test Certification Authority that has been included in the trusted root of the Debian 12.7 installation.
Could you please advise:
(1) Is it at all possible to quickly “fix” this by making docker-based Nextcloud AIO use my test SSL certificate issued for NEXTCLOUDSRV.INTERNALDOMAIN.TEST, some self-signed cert, or using IP address? How?
The same way that port 8080 “works always”:
“8080/TCP: Mastercontainer Interface with self-signed certificate (works always, also if only access via IP-address is possible, e.g. https://ip.address.of.this.server:8080/”
https://github.com/nextcloud/all-in-one?tab=readme-ov-file#explanation-of-used-ports
(2) Alternatively, is it possible to switch off the requirement for SSL and test Nextcloud AIO locally using unencrypted HTTP (now it automatically redirects to HTTPS)?
In fact, HTTP may be even better than HTTPS for this test, because I will be able to see OIDC tokens and SAML assertions in Wireshark.
(3) Nextcloud being open-source, most likely the scenarios (1) and (2) are possible in some way. However, for this test it may be easier to install just Nextcloud itself (not All-in-One). What would be the simplest, most straightforward route, given the end-goal to test Nextcloud with existing OIDC/SAML identity provider (that is, the successful user authentication with Nextcloud using OIDC/SAML is the end of the case)?
The recommendation
https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-can-i-access-nextcloud-locally
seems to imply that Nextcloud AIO can be made accessible locally only AFTER it has been accessible publicly during initial configuration (to get an SSL certificate for a public DNS name that resolves to a public IP address, which I don't have for this short test).
Thank you.
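Added example, not from the post above or from the Nextcloud project: a small Python check that flags hostnames whose TLD is reserved for local or test use (which no public ACME CA will issue for) and scans `docker logs nextcloud-aio-apache` output in the JSON shape quoted in the post for ACME rejections, so the pointless 30-day retry loop can be recognised at once. The log lines below are constructed for the example.

```python
import json
import re

# TLDs reserved for local or test use (RFC 2606/6761; .local from RFC 6762).
# A public ACME CA such as Let's Encrypt always rejects these names.
RESERVED_TLDS = {"test", "example", "invalid", "localhost", "local"}
ACME_ERROR_RE = re.compile(r"urn:ietf:params:acme:error:([A-Za-z]+)")

# Constructed sample lines in the shape of the nextcloud-aio-apache (Caddy)
# log quoted in the post; timestamps and wording are made up for this example.
SAMPLE_LOG = r"""
{"level":"error","ts":1729632641.8,"logger":"tls.obtain","msg":"will retry","error":"[NEXTCLOUDSRV.INTERNALDOMAIN.TEST] Obtain: creating new order: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid identifiers requested :: Cannot issue for \"NEXTCLOUDSRV.INTERNALDOMAIN.TEST\": Domain name does not end with a valid public suffix (TLD)","attempt":5,"retrying_in":600}
{"level":"error","ts":1729633256.2,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"NEXTCLOUDSRV.INTERNALDOMAIN.TEST","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid identifiers requested"}
plain text line that is not JSON and must be skipped
"""

def is_publicly_issuable(hostname: str) -> bool:
    """False when the name ends in a reserved TLD: ACME issuance cannot succeed."""
    labels = hostname.lower().rstrip(".").split(".")
    return labels[-1] not in RESERVED_TLDS

def scan_acme_log(text: str) -> list:
    """Return one finding per tls.obtain error that carries an ACME error URN."""
    findings = []
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank and non-JSON lines are ignored
        if not isinstance(entry, dict) or entry.get("level") != "error" or entry.get("logger") != "tls.obtain":
            continue
        err = entry.get("error", "")
        match = ACME_ERROR_RE.search(err)
        if not match:
            continue
        # "will retry" lines name the host only inside "[...]" at the start of the error text
        ident = entry.get("identifier")
        if ident is None:
            bracket = re.match(r"\[([^\]]+)\]", err)
            ident = bracket.group(1) if bracket else "unknown"
        findings.append({
            "identifier": ident,
            "acme_error": match.group(1),
            # retrying a rejectedIdentifier for a reserved TLD can never succeed
            "retry_is_pointless": match.group(1) == "rejectedIdentifier"
            and not is_publicly_issuable(ident),
        })
    return findings
```

Run it over the real log with `scan_acme_log(open("aio-apache.log").read())`; any finding with `retry_is_pointless` set means the container needs a certificate from a private CA or an HTTP-only setup rather than more ACME attempts.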