Migration from NextCloudPi to Docker -- Certificate Error?

Hi,

I’ve been using NextCloudPi for months and decided to migrate to a docker installation. I’ve managed to get the insecure version working, and can make it available at localhost:8080 as stated in the main github readme.

Previously I had rented a subdomain at freedns.afraid.org and was able to access my NextCloudPi server through the rented subdomain. At some point this required both opening a port on my home router (80 and 443) and telling my router to send this traffic to the Raspberry Pi. I managed certificates through NextCloudPi console using sudo ncp-config → Networking → letsencrypt.

Attempting to replace the NextCloudPi available outside LAN with a docker deployment, I started with the github nginx-reverse-proxy example. I have created a modified docker-compose.yml. VIRTUAL_HOST and LETSENCRYPT_HOST are my rented subdomain. LETSENCRYPT_EMAIL is my email address.

Since I am no longer accessing my NextCloudPi through the rented subdomain, I first deleted the NAT port forwarding of 80 and 443. I then reopened my NAT ports 80 and 443, this time pointing to my docker host machine’s local IP.

  • On my first attempt, sudo docker-compose up -d and navigating to my rented subdomain resulted in a generic nginx 503: service is temporarily unavailable.
  • Using sudo docker-compose up and looking at the logs, I realized that letsencrypt-companion wanted the certificate volume to be writable, and made that change.
  • This resulted in ERR_CERT_AUTHORITY_INVALID, cannot visit this site because it uses HSTS. A previous fix of this problem had been to run ncp-config and renew the certificate.

I believe I need to fix my certificates, which I unintentionally broke. I may simply need to wait for letsencrypt to refresh the certificates. If not, I may need to fix the certificate error somehow. How do I do that?

docker-compose.yml
version: '3.9'

services:
  db:
    image: mariadb:10.6
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
    restart: always
    volumes: 
      - './db:/var/lib/mysql'
    environment:
      - MYSQL_ROOT_PASSWORD=REDACTED
      - MARIADB_AUTO_UPGRADE=1
    env_file:
      - db.env #MYSQL_PASSWORD, MYSQL_DATABASE, MYSQL_USER
  
  app:
    image: nextcloud:apache
    restart: always
    volumes:
      - './nextcloud:/var/www/html'
      - './data:/var/www/html/data'
    environment:
      - VIRTUAL_HOST=REDACTED
      - LETSENCRYPT_HOST=REDACTED
      - LETSENCRYPT_EMAIL=REDACTED
      - MYSQL_HOST=db
    env_file:
      - db.env #MYSQL_PASSWORD, MYSQL_DATABASE, MYSQL_USER
    depends_on:
      - db
    networks:
      - proxy-tier
      - default
  
  proxy:
    build: ./proxy
    restart: always
    ports:
      - 80:80
      - 443:443
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    volumes:
      - './certs:/etc/nginx/certs:ro'
      - './vhost.d:/etc/nginx/vhost.d'
      - './html:/usr/share/nginx/html'
      - '/var/run/docker.sock:/tmp/docker.sock:ro'
    networks:
      - proxy-tier
  
  letsencrypt-companion:
    image: nginxproxy/acme-companion
    restart: always
    volumes:
      - './certs:/etc/nginx/certs'
      - './acme:/etc/acme.sh'
      - './vhost.d:/etc/nginx/vhost.d'
      - './html:/usr/share/nginx/html'
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
    networks:
      - proxy-tier
    depends_on:
      - proxy

networks:
  proxy-tier:

volumes:
  nextcloud:
  db:
  data:
  acme:
  vhost.d:
  html:

Hello,

I am very interested in the progression of your migration because I own an RPi too and was on the ARM version of Pi OS and did an upgrade to NC 25.

I am trying to migrate to a 64-bit version of Pi OS and to use Docker for my next installation.
Isn’t it a problem to use Apache for Nextcloud and nginx for Let’s Encrypt?

I am not of much help here, but I will follow some tutorials to use docker compose, and if I can figure out how to make it work I will post my answer here.

Good luck,

Hi Keyskeeper.

I believe the migration error from NCP to Docker was completely due to certificate issues. The docker github has instructions for doing the migration – I had forgotten my database password, and so I will need to transfer the files a different way. I also reformatted much of the user authentication.

Unfortunately, the certificate error remains, if only because I can’t understand what goes in the VIRTUAL_HOST and LETSENCRYPT_HOST environment variables. As another tip, LetsEncrypt requests using their staging environment for testing and debugging. I’m still figuring out what the output of the acme-companion docker container should be – when I run it, the directory under the default certificates is still empty.
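
A preflight check for the three points this thread gets stuck on (what goes in VIRTUAL_HOST and LETSENCRYPT_HOST, an empty certs directory, and a certificate the browser rejects), added here as an example and not code from either poster or from the nginx-proxy or acme-companion projects. It assumes every LETSENCRYPT_HOST entry should also appear in VIRTUAL_HOST, as the acme-companion documentation recommends; the function names and sample hosts are hypothetical.

```shell
# Added example, not from the thread. Function names and hosts are hypothetical.

# is_bare_fqdn HOST: succeeds only for a plain DNS name (no scheme, port, path).
is_bare_fqdn() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;  # empty, bad chars, stray dots
        *.*) return 0 ;;                                # at least one dot
        *) return 1 ;;
    esac
}

# check_hosts VIRTUAL_HOST LETSENCRYPT_HOST (comma-separated); returns the problem count.
check_hosts() {
    problems=0
    [ -n "$2" ] || { echo "LETSENCRYPT_HOST is empty"; problems=1; }
    old_ifs=$IFS; IFS=,; set -f
    for h in $2; do
        if ! is_bare_fqdn "$h"; then
            echo "LETSENCRYPT_HOST '$h': use the bare domain name only"
            problems=$((problems + 1))
        else
            case ",$1," in
                *",$h,"*) ;;
                *) echo "LETSENCRYPT_HOST '$h' is not listed in VIRTUAL_HOST"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done
    IFS=$old_ifs; set +f
    return "$problems"
}

# cert_state CERTS_DIR HOST: nginx-proxy looks for HOST.crt and HOST.key there.
cert_state() {
    crt="$1/$2.crt"; key="$1/$2.key"
    if [ -s "$crt" ] && [ -s "$key" ]; then echo present
    elif [ -e "$crt" ] || [ -L "$crt" ] || [ -e "$key" ] || [ -L "$key" ]; then
        echo incomplete      # one file missing, empty, or a dangling symlink
    else echo missing; fi
}

# classify_issuer ISSUER: the line from `openssl x509 -noout -issuer -in FILE`.
classify_issuer() {
    case "$1" in
        *"(STAGING)"*) echo staging ;;         # Let's Encrypt staging CA, untrusted by browsers
        *"Let's Encrypt"*) echo letsencrypt ;;
        *) echo other ;;                       # self-signed or a different CA
    esac
}
```

Run check_hosts with the two values from the compose file, then cert_state against the host's ./certs directory. A `staging` or `other` result from classify_issuer means the browser has no trusted chain for the certificate, which is what ERR_CERT_AUTHORITY_INVALID reports.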