NextCloud-AIO problem installed behind a reverse proxy and separate server

Hi all
First of all, sorry for my bad English and for being a newbie.
I have this network topology: an edge server with a public IP, Ubuntu Server 22.04 LTS, which acts as reverse proxy (NGINX) and as firewall using nftables.
I created a subnet on another of its Ethernet ports, with addresses in the range 192.168.100.X. The edge server has the static IP address 192.168.100.1.
On a second server on the same subnet, with static IP 192.168.100.201, I installed NextCloud-AIO with Docker Compose and followed all the installation steps given in the Reverse Proxy documentation and in other discussions I could find.
I also registered two subdomains of mydomain.com, named administracion.mydomain.com and oficina.mydomain.com.
I have opened ports 80 and 443 on the edge server.
From the cloud, entering administracion.mydomain.com, I can reach the NextCloud front page.
Every time I click the “Open your Nextcloud” button, the browser opens a new tab with the same front page.
The Apache log indicates some problem with certificates or unauthorized access, so I obtained certificates for mydomain.com and for each subdomain and installed them on the edge server.
Here are my configuration files:

NGINX configuration file

```nginx
# Redirect HTTP to HTTPS for Nextcloud subdomains
server {
    if ($host = oficina.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = administracion.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name administracion.mydomain.com oficina.mydomain.com;

    location / {
        return 301 https://$host$request_uri;
    }
}

# Nextcloud administration subdomain
server {
    server_name administracion.mydomain.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    listen 443 ssl;
    listen [::]:443 ssl;

    location / {
        proxy_pass https://192.168.100.201:11000$request_uri;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;

        # Websocket. These must live in the same block as the proxy_set_header
        # directives above: nginx only inherits server-level proxy_set_header into
        # a location that defines none of its own. $connection_upgrade assumes the
        # usual "map $http_upgrade $connection_upgrade" block in the http context.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    client_body_buffer_size 512k;
    proxy_read_timeout 86400s;
    client_max_body_size 0;
}
```

On the second server, my Docker Compose YAML file is:

```yaml
version: '3.8'

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /mnt/nextcloud_data:/mnt/ncdata
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 11000:8080
    environment:
      - APACHE_IP_BINDING=0.0.0.0
      - APACHE_PORT:11000
      - NEXTCLOUD_DATADIR=/mnt/nextcloud_data
      - NEXTCLOUD_MARIADB_HOST=mariadb
      - NEXTCLOUD_MARIADB_PASSWORD=XXXXXXXX
      - NEXTCLOUD_MARIADB_USER=nextcloud
      - NEXTCLOUD_MARIADB_DATABASE=nextcloud
      - NEXTCLOUD_AIO_DISABLE_TLS=true
      - SKIP_DOMAIN_VALIDATION=true
    depends_on:
      - mariadb

  mariadb:
    image: mariadb:10.5
    restart: always
    container_name: nextcloud-aio-mariadb
    environment:
      - MYSQL_ROOT_PASSWORD=XXXXXXXX
      - MYSQL_PASSWORD=XXXXXXXX
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    volumes:
      - mariadb:/var/lib/mysql

  redis:
    image: redis:6.0
    restart: always
    container_name: nextcloud-aio-redis
    volumes:
      - redis:/data

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer
  mariadb:
  redis:
```

And the Apache log file is:

```text
2024-09-20T19:57:55.717114411Z {"level":"error","ts":1726862275.7165232,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"administracion.mydomain.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":}}
2024-09-20T19:57:55.717186457Z {"level":"error","ts":1726862275.716595,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"administracion.mydomain.com","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/161048233/19257450303","attempt":1,"max_attempts":3}
2024-09-20T19:57:55.717224556Z {"level":"error","ts":1726862275.7166448,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"administracion.mydomain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
2024-09-20T19:57:55.717242697Z {"level":"error","ts":1726862275.716726,"logger":"tls.obtain","msg":"will retry","error":"[administracion.mydomain.com] Obtain: [administracion.mydomain.com] solving challenge: administracion.mydomain.com: [administracion.mydomain.com] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":26,"retrying_in":21600,"elapsed":86459.619984339,"max_duration":2592000}
```

The last part of the NextCloud log says:

```text
2024-09-19T19:56:53.472878785Z [19-Sep-2024 19:56:53] NOTICE: fpm is running, pid 496
2024-09-19T19:56:53.472902470Z [19-Sep-2024 19:56:53] NOTICE: ready to handle connections
2024-09-19T19:57:08.377787909Z Activating Collabora config...
2024-09-19T19:57:08.772779201Z ✓ Reset callback url autodetect
2024-09-19T19:57:08.772829597Z Checking configuration
2024-09-19T19:57:08.772842930Z 🛈 Configured WOPI URL: https://administracion.mydomain.com
2024-09-19T19:57:08.772852575Z 🛈 Configured public WOPI URL: https://administracion.mydomain.com
2024-09-19T19:57:08.772861517Z 🛈 Configured callback URL:
2024-09-19T19:57:08.772870437Z
2024-09-19T19:57:08.861132814Z Failed to fetch discovery endpoint from https://administracion.mydomain.com
2024-09-19T19:57:08.861172906Z cURL error 60: SSL: no alternative certificate subject name matches target hostname 'administracion.mydomain.com' (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://administracion.mydomain.com/hosting/discovery
```

I tested many other configurations, but I couldn’t get it working.
Please, can you tell me what I’m doing wrong or what I should try next?
Thank you in advance for your support, and let me know if you need more information.


This seems to be your issue. It must be `- APACHE_PORT=11000`


Thank you for your prompt response and support.
I feel stupid for not seeing this error.
After fixing it, I tried to restart everything again and got the message “Failed to Talk to Server”.
I then decided to do a complete reset according to “How to properly reset the instance?”. It kept giving the previous error.
I reset everything again, this time also removing the `SKIP_DOMAIN_VALIDATION=true` env entry from my docker-compose.yml.
Now it seems nextcloud-aio-domaincheck is not running, as the log file shows.

```text
Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
:warning: Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443

{"level":"info","ts":1727137517.7235353,"msg":"using config from file","file":"/Caddyfile"}
{"level":"info","ts":1727137517.7277732,"msg":"adapted config to JSON","adapter":"caddyfile"}
[Tue Sep 24 00:25:17.732328 2024] [mpm_event:notice] [pid 188:tid 188] AH00489: Apache/2.4.62 (Unix) OpenSSL/3.3.2 configured -- resuming normal operations
[Tue Sep 24 00:25:17.732361 2024] [core:notice] [pid 188:tid 188] AH00094: Command line: 'httpd -D FOREGROUND'
[24-Sep-2024 00:25:17] NOTICE: fpm is running, pid 194
[24-Sep-2024 00:25:17] NOTICE: ready to handle connections
NOTICE: PHP message: Could not start domaincheck container: Could not start container nextcloud-aio-domaincheck: Server error: `POST http://127.0.0.1/v1.41/containers/nextcloud-aio-domaincheck/start` resulted in a `500 Internal Server Error` response:
{"message":"driver failed programming external connectivity on endpoint nextcloud-aio-domaincheck (51f9be99223672a90da55 (truncated...)
NOTICE: PHP message: Could not start domaincheck container: Could not start container nextcloud-aio-domaincheck: Server error: `POST http://127.0.0.1/v1.41/containers/nextcloud-aio-domaincheck/start` resulted in a `500 Internal Server Error` response:
{"message":"driver failed programming external connectivity on endpoint nextcloud-aio-domaincheck (8eebb8f79fe05df6f6e11 (truncated...)
```

I fully reset everything again and rebooted the server (it is a development server for testing purposes, so I have no problem stopping it), but it didn’t work.

Please, could you give me some tips to follow?
Regards

Here is an additional mistake.

You need to change `- 11000:8080` to `- 8080:8080`. Then it should be able to start the domaincheck container if you open port 8080.
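Added example, not from this thread or the AIO project: a small Python lint for the two compose mistakes pointed out in the replies above, the `APACHE_PORT:11000` entry that must read `APACHE_PORT=11000` and the `11000:8080` mapping that must be `8080:8080`. It assumes the list form of `environment:` and `ports:` and parses the file line by line without PyYAML; the compose excerpt it checks is constructed to mirror the one posted above.

```python
# Constructed excerpt mirroring the compose file posted above (not the project's file).
COMPOSE_WITH_MISTAKES = """\
services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    ports:
      - 11000:8080
    environment:
      - APACHE_IP_BINDING=0.0.0.0
      - APACHE_PORT:11000
      - NEXTCLOUD_DATADIR=/mnt/nextcloud_data
"""


def _list_items(text, key):
    """Return the '- item' entries of the first `key:` list (simple YAML subset)."""
    items, indent = [], None
    for line in text.splitlines():
        stripped, cur = line.strip(), len(line) - len(line.lstrip())
        if indent is None:
            if stripped == f"{key}:":
                indent = cur
        elif stripped.startswith("- ") and cur > indent:
            items.append(stripped[2:].strip())
        elif stripped:
            break  # next key at the same or lower indent ends the list
    return items


def lint_compose(text):
    """Return findings for the mastercontainer; an empty list means both checks pass."""
    findings, apache_port = [], None
    for item in _list_items(text, "environment"):
        if "=" not in item:
            # Compose reads a list entry without '=' as a variable name to copy from the
            # host environment, so 'APACHE_PORT:11000' never sets APACHE_PORT at all.
            findings.append(f"environment entry '{item}' lacks '=', use KEY=VALUE")
            item = item.replace(":", "=", 1)  # what the author evidently meant
        if item.startswith("APACHE_PORT="):
            apache_port = int(item.split("=", 1)[1])
    for mapping in _list_items(text, "ports"):
        host_port = int(mapping.split(":")[-2])  # '8080:8080' or 'ip:8080:8080'
        if host_port != 8080:
            findings.append(f"mastercontainer publishes host port {host_port}; AIO expects 8080:8080")
        if host_port == apache_port:
            # The apache and domaincheck containers bind APACHE_PORT on the host; if the
            # mastercontainer already holds it, Docker's port mapping fails as in the log.
            findings.append(f"host port {host_port} is taken by the mastercontainer, so the "
                            "apache/domaincheck containers cannot bind APACHE_PORT")
    return findings
```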

Hi Simon, after the change nothing works anymore, so I decided to start all over again with a clean setup.
On the other hand, I was looking into why I made the mistake with the `APACHE_PORT: 11000` env entry, and I found that I followed your docker compose example at https://github.com/nextcloud/all-in-one/blob/main/compose.yaml, where you put `:` instead of `=`.
I don’t know whether it should be changed to avoid confusion.
So, I will install everything again, and if I have more problems I will come back to bother you again; please bear with me, I am a little bit stupid sometimes.
Thank you


I’m also using this compose file and it works fine.