Hi all
First of all, sorry for my bad English and for being a newbie.
I have this network topology: an edge server with a public IP, Ubuntu Server 22.04 LTS, which acts as reverse proxy (NGINX) and firewall using nftables.
I created a subnet from another of its Ethernet ports, with addresses in the range 192.168.100.X. The edge server has the static IP address 192.168.100.1.
On a second server on the same subnet, with static IP 192.168.100.201, I installed Nextcloud AIO with Docker Compose and followed all the installation steps indicated in the reverse proxy documentation and in other discussions I could find.
I also registered two subdomains of mydomain.com, named administracion.mydomain.com and oficina.mydomain.com.
I have opened ports 80 and 443 on the edge server.
From the cloud, entering administracion.mydomain.com, I have access to the Nextcloud front page.
Every time I click the "Open your Nextcloud" button, the browser opens a new tab with the same front page.
The Apache log indicates some problem with certificates or unauthorized access, so I got certificates for mydomain.com and for each subdomain and installed them on the edge server.
Here are my configuration files:
NGINX configuration file

```nginx
# Redirect HTTP to HTTPS for Nextcloud subdomains
server {
    if ($host = oficina.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = administracion.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name administracion.mydomain.com oficina.mydomain.com;

    location / {
        return 301 https://$host$request_uri;
    }
}

# Nextcloud administration subdomain
server {
    server_name administracion.mydomain.com;
    server_tokens off;

    # Certificate used for this server block (note: the mydomain.com
    # certificate, not a per-subdomain one)
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    listen 443 ssl;
    listen [::]:443 ssl;

    client_body_buffer_size 512k;
    proxy_read_timeout 86400s;
    client_max_body_size 0;

    location / {
        proxy_pass https://192.168.100.201:11000$request_uri;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;

        # WebSocket support. These must live in the same block as the other
        # proxy_set_header lines: nginx does not inherit server-level
        # proxy_set_header directives into a location that defines its own.
        # $connection_upgrade assumes the usual map in the http {} block.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```
On the second server, my Docker Compose YAML file is:

```yaml
version: "3.8"
services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /mnt/nextcloud_data:/mnt/ncdata
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 11000:8080
    environment:
      - APACHE_IP_BINDING=0.0.0.0
      - APACHE_PORT=11000   # key=value form; a colon here would leave the variable unset
      - NEXTCLOUD_DATADIR=/mnt/nextcloud_data
      - NEXTCLOUD_MARIADB_HOST=mariadb
      - NEXTCLOUD_MARIADB_PASSWORD=XXXXXXXX   # redacted
      - NEXTCLOUD_MARIADB_USER=nextcloud
      - NEXTCLOUD_MARIADB_DATABASE=nextcloud
      - NEXTCLOUD_AIO_DISABLE_TLS=true
      - SKIP_DOMAIN_VALIDATION=true
    depends_on:
      - mariadb
  mariadb:
    image: mariadb:10.5
    restart: always
    container_name: nextcloud-aio-mariadb
    environment:
      - MYSQL_ROOT_PASSWORD=XXXXXXXX   # redacted
      - MYSQL_PASSWORD=XXXXXXXX        # redacted
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    volumes:
      - mariadb:/var/lib/mysql
  redis:
    image: redis:6.0
    restart: always
    container_name: nextcloud-aio-redis
    volumes:
      - redis:/data
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer
  mariadb:
  redis:
```
And the Apache log file is:

```
2024-09-20T19:57:55.717114411Z {"level":"error","ts":1726862275.7165232,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"administracion.mydomain.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge","instance":"","subproblems":}}
2024-09-20T19:57:55.717186457Z {"level":"error","ts":1726862275.716595,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"administracion.mydomain.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge","instance":"","subproblems":},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/161048233/19257450303","attempt":1,"max_attempts":3}
2024-09-20T19:57:55.717224556Z {"level":"error","ts":1726862275.7166448,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"administracion.mydomain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge"}
2024-09-20T19:57:55.717242697Z {"level":"error","ts":1726862275.716726,"logger":"tls.obtain","msg":"will retry","error":"[administracion.mydomain.com] Obtain: [administracion.mydomain.com] solving challenge: administracion.mydomain.com: [administracion.mydomain.com] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":26,"retrying_in":21600,"elapsed":86459.619984339,"max_duration":2592000}
```
The last part of the Nextcloud log says:

```
2024-09-19T19:56:53.472878785Z [19-Sep-2024 19:56:53] NOTICE: fpm is running, pid 496
2024-09-19T19:56:53.472902470Z [19-Sep-2024 19:56:53] NOTICE: ready to handle connections
2024-09-19T19:57:08.377787909Z Activating Collabora config…
2024-09-19T19:57:08.772779201Z Reset callback url autodetect
2024-09-19T19:57:08.772829597Z Checking configuration
2024-09-19T19:57:08.772842930Z Configured WOPI URL: https://administracion.mydomain.com
2024-09-19T19:57:08.772852575Z Configured public WOPI URL: https://administracion.mydomain.com
2024-09-19T19:57:08.772861517Z Configured callback URL:
2024-09-19T19:57:08.772870437Z
2024-09-19T19:57:08.861132814Z Failed to fetch discovery endpoint from https://administracion.mydomain.com
2024-09-19T19:57:08.861172906Z cURL error 60: SSL: no alternative certificate subject name matches target hostname 'administracion.mydomain.com' (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://administracion.mydomain.com/hosting/discovery
```
I tested many other configurations, but I couldn't get it working.
Please, can you tell me what I'm doing wrong or what I should try next?
Thank you in advance for your support, and let me know if you need more information.
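The last Nextcloud log line above is a hostname mismatch: whatever certificate the proxy presents for administracion.mydomain.com does not list that name in its Subject Alternative Names, and the administracion server block serves the certificate from /etc/letsencrypt/live/mydomain.com/. As an added check for this thread (example code written here, not from the original post and not part of Nextcloud AIO), the script below implements the SAN matching rule curl and browsers apply, so you can see offline why a given SAN list fails, and it can optionally fetch the live certificate from the proxy with chain validation still on, which separates a wrong-name certificate from a broken chain. The SAN list under `__main__` is constructed for illustration; the hostnames are the two from the post.

```python
"""Check that the certificate a reverse proxy serves for a hostname actually
names that hostname in its Subject Alternative Names.

Added example for this thread (not from the original post or from Nextcloud AIO).
A SAN mismatch is what curl reports as error 60 "no alternative certificate
subject name matches target hostname"; the check below separates that case
from a broken chain or an unreachable port.
"""
import socket
import ssl


def san_covers_hostname(san_dns_names, hostname):
    """True if any DNS SAN entry matches hostname the way curl and browsers match.

    Rules applied: case-insensitive exact match, trailing dots ignored, and a
    wildcard only when '*' is the entire leftmost label and stands for exactly
    one label.  So '*.mydomain.com' covers 'administracion.mydomain.com' but
    neither 'mydomain.com' nor 'a.b.mydomain.com'.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if labels == host_labels:
            return True
        wildcard = (
            labels[0] == "*"
            and len(labels) >= 3              # refuse '*.com'-style wildcards
            and len(labels) == len(host_labels)
            and labels[1:] == host_labels[1:]
        )
        if wildcard:
            return True
    return False


def uncovered_hostnames(san_dns_names, hostnames):
    """Return the hostnames that the given SAN list does not cover."""
    return [h for h in hostnames if not san_covers_hostname(san_dns_names, h)]


def dns_sans_from_peercert(cert):
    """Extract the DNS entries from the dict SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_dns_sans(hostname, port=443, timeout=5.0):
    """Connect with SNI and return the DNS SANs of the certificate presented.

    Chain validation stays on (a bad chain raises ssl.SSLCertVerificationError,
    which is a different problem), but hostname checking is turned off so the
    certificate can be inspected even when its names are wrong.  This opens a
    network connection only to the host you name.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return dns_sans_from_peercert(tls.getpeercert())


def check_hosts(hostnames, sans_for):
    """Map each hostname to the SANs found for it and whether it is covered.

    sans_for is a callable so the same logic runs offline (constructed data)
    or live (fetch_dns_sans).
    """
    result = {}
    for host in hostnames:
        sans = sans_for(host)
        result[host] = {"sans": sans, "covered": san_covers_hostname(sans, host)}
    return result


if __name__ == "__main__":
    # Constructed stand-in for the certificate under /etc/letsencrypt/live/mydomain.com/:
    # Certbot issues exactly the names requested, here only the apex and www.
    CONSTRUCTED_SANS = ["mydomain.com", "www.mydomain.com"]
    hosts = ["administracion.mydomain.com", "oficina.mydomain.com"]
    for host, info in check_hosts(hosts, lambda h: CONSTRUCTED_SANS).items():
        status = "ok" if info["covered"] else "NOT covered -> curl error 60"
        print(f"{host}: {status}; SANs={info['sans']}")
    # Live variant against the proxy (needs network): check_hosts(hosts, fetch_dns_sans)
```

If the live variant reports a hostname as not covered, the fix is on the proxy side (point the subdomain's server block at a certificate whose SANs include it, or a wildcard for the zone); if it raises `ssl.SSLCertVerificationError` instead, the chain itself is the problem, and if the connection is refused, nothing is listening where the proxy expects.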