Nextcloud AIO leads to SSL_ERROR_INTERNAL_ERROR_ALERT because it cannot get an SSL-certificate

NC AIO Version 7.9.1
Nextcloud version: 27.1.5
Operating system and version: Debian Bookworm 12.4 on a Raspberry PI 4
Docker version: 24.0.7, build afdd53b

I am using the Raspberry at home behind a Fritzbox where I have configured the correct port forwardings for ports 80, 443, 8443 and 3478.

I started AIO with Portainer on a Raspberry Pi 4 with the docker compose file as described in How to run AIO with Portainer?

The master container is started as expected and I can access the AIO interface where I can start the containers. However, when the containers are started and I click "Open your Nextcloud", an SSL_ERROR_INTERNAL_ERROR_ALERT is shown in the newly opened browser window.

The output of the nextcloud-aio-apache container:

Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
{"level":"info","ts":1705262085.1781132,"msg":"using provided configuration","config_file":"/tmp/Caddyfile","config_adapter":""}
[Sun Jan 14 20:54:45.185915 2024] [mpm_event:notice] [pid 55:tid 548303765600] AH00489: Apache/2.4.58 (Unix) configured -- resuming normal operations
[Sun Jan 14 20:54:45.186950 2024] [core:notice] [pid 55:tid 548303765600] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'
{"level":"info","ts":1705262085.1943767,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1705262085.1973145,"msg":"[INFO][FileStorage:/mnt/data/caddy] Lock for 'issue_cert_cloud.example.com' is stale (created: 2024-01-14 10:51:14.266180964 +0100 CET, last update: 2024-01-14 20:51:18.094138448 +0100 CET); removing then retrying: /mnt/data/caddy/locks/issue_cert_cloud.example.com.lock"}
{"level":"error","ts":1705262087.8968914,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"cloud.example.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"2a02:1210:924b:e501:f384:6214:ff87:d521: Error getting validation data","instance":"","subproblems":[]}}
{"level":"error","ts":1705262087.8969796,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"cloud.example.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"2a02:1210:924b:e501:f384:6214:ff87:d521: Error getting validation data","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1515044196/236694897746","attempt":1,"max_attempts":3}
{"level":"error","ts":1705262087.8970492,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cloud.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 2a02:1210:924b:e501:f384:6214:ff87:d521: Error getting validation data"}
{"level":"error","ts":1705262087.897116,"logger":"tls.obtain","msg":"will retry","error":"[cloud.example.com] Obtain: [cloud.example.com] solving challenge: cloud.example.com: [cloud.example.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - 2a02:1210:924b:e501:f384:6214:ff87:d521: Error getting validation data (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":2.695595616,"max_duration":2592000}
{"level":"error","ts":1705262150.541864,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"cloud.example.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"2a02:1210:924b:e501:f384:6214:ff87:d521: Error getting validation data","instance":"","subproblems":[]}}
{"level":"error","ts":1705262150.5420423,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"cloud.example.com","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"2a02:1210:924b:e501:f384:6214:ff87:d521: Error getting validation data","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/132305814/13678144064","attempt":1,"max_attempts":3}
{"level":"error","ts":1705262150.5421727,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cloud.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 2a02:1210:924b:e501:f384:6214:ff87:d521: Error getting validation data"}
{"level":"error","ts":1705262150.5423129,"logger":"tls.obtain","msg":"will retry","error":"[cloud.example.com] Obtain: [cloud.example.com] solving challenge: cloud.example.com: [cloud.example.com] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - 2a02:1210:924b:e501:f384:6214:ff87:d521: Error getting validation data (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":65.340790862,"max_duration":2592000}

I have also seen this document which describes a similar issue, however I did not find a solution.

Can you help me to solve this issue? Thanks!

Hi, see What can I do when Nextcloud is not reachable via my domain or if I get SSL_ERROR_INTERNAL_ERROR_ALERT or ERR_SSL_PROTOCOL_ERROR when opening my Nextcloud domain? · nextcloud/all-in-one · Discussion #2105 · GitHub

@wwe thanks for your quick answer!

I did read your linked article, which describes a similar issue, however I did not find a solution. In my opinion, none of the proposed solutions seems to apply exactly to my problem…

@wwe I read again through your linked document and realized that my domain was a CNAME record to the myfritz dyndns domain which contains an A and an AAAA record. After adding the A (but not the AAAA) record directly to my domains, Nextcloud AIO was able to successfully get a certificate. So far so good!

Unfortunately my internet provider does not assign me a fixed IP address and I am thus dependent on a DynDNS service. However, I want my own domain for my Nextcloud instance and the only (cheap) solution I see right now is a CNAME entry… Do you have an idea how I can still use Nextcloud AIO with this setup?

Thanks in advance for any hints!
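As an added example (not code from this thread or from Nextcloud AIO), the following Python script models the DNS lookup behind the failure described above: it follows the CNAME chain, collects the A and AAAA records at the end of it, and lists the addresses an ACME validator would try, IPv6 first when an AAAA record exists (the Caddy log above shows Let's Encrypt contacting the IPv6 address). The zone data, the set of forwarded addresses and all host names are constructed placeholders, not the poster's real records.

```python
"""Walk a DNS CNAME chain and report which addresses an ACME validator
would connect to for a tls-alpn-01 or http-01 challenge, and which of
them the router does not actually forward.  Added example; records are
constructed, not real DNS data."""
from typing import Dict, List, Tuple

# Constructed zone data mirroring the thread: the Nextcloud host name is a
# CNAME to a DynDNS name that carries both an A and an AAAA record.
SAMPLE_RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "cloud.example.com.": [("CNAME", "xyz.myfritz.example.")],
    "xyz.myfritz.example.": [("A", "203.0.113.10"), ("AAAA", "2001:db8::10")],
}

# Constructed: only the IPv4 address has ports 80/443 forwarded on the router.
FORWARDED_ADDRS = {"203.0.113.10"}


def resolve_chain(name: str, records: Dict[str, List[Tuple[str, str]]],
                  max_hops: int = 8):
    """Follow CNAMEs from `name`; return (chain, a_records, aaaa_records)."""
    chain = [name]
    seen = {name}
    while True:
        cnames = [v for t, v in records.get(name, []) if t == "CNAME"]
        if not cnames:
            break
        target = cnames[0]
        if target in seen or len(chain) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {target}")
        seen.add(target)
        chain.append(target)
        name = target
    final = records.get(name, [])
    a = [v for t, v in final if t == "A"]
    aaaa = [v for t, v in final if t == "AAAA"]
    return chain, a, aaaa


def validation_targets(name: str, records) -> List[str]:
    """Addresses in the order a validator that prefers IPv6 would try them.
    Assumption: IPv6 first whenever an AAAA record exists, then IPv4."""
    _, a, aaaa = resolve_chain(name, records)
    return aaaa + a


def diagnose(name: str, records, forwarded) -> List[str]:
    """Return the addresses the CA would try that are not reachable."""
    return [ip for ip in validation_targets(name, records) if ip not in forwarded]


if __name__ == "__main__":
    print("chain:", " -> ".join(resolve_chain("cloud.example.com.", SAMPLE_RECORDS)[0]))
    print("unreachable validation targets:",
          diagnose("cloud.example.com.", SAMPLE_RECORDS, FORWARDED_ADDRS))
```

For the constructed data the unreachable target is the AAAA address inherited through the CNAME, which is exactly the record the poster had to drop from the chain; the alternative is to forward ports 80/443 for IPv6 as well so that the address actually answers the challenge.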

Point your domain DNS cloud.mydomain.tld as a CNAME record to the DynDNS A record…

My DNS record for cloud.mydomain.tld was always a CNAME record to my DynDNS domain, but that seems to be exactly the problem…

I’m using CNAME and letsencrypt… but I’m using http challenge… and I remember I had issues when I tried to implement TLS challenge… maybe CNAME was the reason… I have to double check…