Nextcloud Snap users, please list the issues you're facing

It’s great that LDAP is supported in the SNAP install, but a huge oversight that it is not possible to specify a private root certificate.

Word to the wise: I committed a serious error in snap, and here’s what I did to come back from it.

I originally installed Nextcloud 14 from the 14/candidate channel with the command:

snap install --channel=candidate/14 nextcloud

Then I wanted to see if any security updates could be had by trying to refresh the snap manually, not understanding that these updates (called “Auto-Refreshes”) happen automatically! With snap, there is no such equivalent to “apt-get update && apt-get upgrade”.

So I stupidly ran the command:

snap refresh --stable nextcloud

…which effectively downgraded my Nextcloud 14 to 13 (and the snap command doesn’t tell you what the before-and-after versions of Nextcloud are, it just successfully completes the command, with rather poor verbosity)! I was not warned that I was effectively about to do something stupid, namely the downgrade from 14 to 13 (and I would have appreciated a suggestion that I might want to cancel that idea before continuing on). Then Nextcloud was left totally unusable. So next I ran the command:

snap revert nextcloud

…which reverted back to 14. Then Nextcloud worked again as before. Whew! But I was not out of the woods yet. Then snapd’s “Auto-Refresh” feature “helpfully” “upgraded” me back to 13, not long after (as the “channel” was still set to “stable”)! So Nextcloud magically stopped working again. I wanted to strangle Mark Shuttleworth very badly at that time!

So I ran the command:

snap install --channel=candidate/14 nextcloud

…again, to try to set the channel back to 14/candidate. Sorry, no can do, as it’s already installed!

Here is the magical command which fixed it all. After doing another “snap revert nextcloud” (to get back to 14) you have to run:

snap switch --channel=14/candidate nextcloud

Also helpful were the commands:

snap changes

…which revealed that the “Auto-Refreshes” were happening (which kept automatically downgrading my Nextcloud to 13, behind my back), as well as:

snap list --all

…which showed me how I had both Nextcloud 14 and 13 installed at once (and 14 got “disabled”, and could potentially be reverted to, after a downgrade to 13). It was here where I eventually realized I needed to get the “Tracking” column to be set back to “14/candidate”, not “stable”, for the “nextcloud” line.

I also removed the disabled Nextcloud 13 snap (as a final cleanup step) with the command:

snap remove --revision=9868 nextcloud

How did I know that Rev 9868 needed to be removed? Because that was the “Rev” listed for Nextcloud 13 in the “snap list --all” command.
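
Added example, not part of the original post: the post's lesson is that the “Tracking” column, not the installed version, decides what auto-refresh installs. This shell function reads `snap list --all` text and flags a mismatch; the sample table is constructed (the Nextcloud 14 row and rev 10001 are made up).

```shell
#!/bin/sh
# Added example: audit a snap's tracking channel from `snap list --all` output.

# Constructed sample in the column layout shown in this thread. Rev 9868 and
# 13.0.7snap2 appear in the thread; the Nextcloud 14 row is made up.
SAMPLE='Name       Version      Rev    Tracking  Publisher   Notes
core       16-2.36.1    5897   stable    canonical✓  core
nextcloud  13.0.7snap2  9868   stable    nextcloud✓  disabled
nextcloud  14.0.0snap1  10001  stable    nextcloud✓  -'

# check_tracking SNAP WANTED_CHANNEL   (reads `snap list --all` text on stdin)
# Prints a one-line summary. Returns 0 if the snap tracks WANTED_CHANNEL,
# 1 if auto-refresh would follow a different channel, 2 if not installed.
check_tracking() {
    awk -v snap="$1" -v want="$2" '
        $1 != snap { next }
        $NF ~ /disabled/ {            # inactive revision kept for "snap revert"
            disabled = disabled (disabled == "" ? "" : ",") $3
            next
        }
        { ver = $2; rev = $3; tracking = $4 }
        END {
            if (rev == "") { print snap ": not installed"; exit 2 }
            printf "%s: active=%s rev=%s tracking=%s disabled=%s\n",
                   snap, ver, rev, tracking, (disabled == "" ? "none" : disabled)
            if (tracking != want) exit 1
        }'
}

# Live use (needs snapd): snap list --all | check_tracking nextcloud 14/candidate
if printf '%s\n' "$SAMPLE" | check_tracking nextcloud 14/candidate; then
    echo "OK: auto-refresh follows the expected channel"
else
    echo "WARNING: auto-refresh follows another channel; fix with 'snap switch'"
fi
```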

I see the following error message in my logging app (in the setting) several times a day:

ResourceLocator can not find a web root (root: /var/snap/nextcloud/9868/nextcloud/extra-apps/spreed, file: index.php/css/spreed/73df-4cab-autocomplete.css, webRoot: , throw: true)

I have the following snaps installed on my server

$ snap list
Name       Version      Rev   Tracking  Publisher   Notes
core       16-2.36.1    5897  stable    canonical✓  core
nextcloud  13.0.7snap2  9868  stable    nextcloud✓  -
spreedme   0.29.5snap1  22    stable    nextcloud✓  -

What if we want to use Nextcloud Talk within a Nextcloud snap, complete with a coturn TURN server?

I have questions about using a turnserver (coturn) with the Nextcloud snap, on the same server (this is to try to get Nextcloud Talk working the best). Has anyone done this before? If the Nextcloud snap were to talk to the coturn server, wouldn’t that need some special port “plumbing” added to the snap, to enable the intercommunication between the two?

Furthermore, if one wants to use SSL with the coturn server, then one will want to use the certbot SSL certificate files (cert.pem and privkey.pem) that got generated within the snap, but the pathname leading into the snap is not necessarily a constant thing (or is it?), as it’s got an integer that might change, as the snap periodically upgrades itself. For example, my nextcloud lives within:

/snap/nextcloud/[5_digit_integer_here]

It’s kind of sounding like the coturn server needs to be on a different server than the Nextcloud snap, and have its own ssl certificate. Or maybe coturn itself eventually could be bundled into the snap, in case users want to use Nextcloud Talk with their snap.

Snap or not should not make a difference.

Note that Nextcloud Talk and the TURN server do not talk “directly” to each other. The users’ WebRTC clients (e.g. browser, Android app) use the TURN server information from Nextcloud Talk settings to connect remotely to coturn. So as long as both are reachable from the web, it’s fine.

Of course if you have coturn within snap, it needs to be reachable via chosen/configured port. Since I never used snap, you know better than me how to make it listen to/forward a certain port.

A non-snap coturn accessing SSL cert within snap sounds wrong to me. You already mentioned the issue with non-constant path. I suggest you either find a coturn snap then, or create cert files outside of snap.

Fairly recently certbot has gained the ability to do wildcard SSL certs (thereby allowing two SSL certs for the same Nextcloud server, the coturn server using a domain name like “turn.yournextcloudserver.com”), however this doesn’t seem to be packaged nicely for Debian 9 yet. A second SSL cert for the coturn server could perhaps be generated using this obscure howto (but I’ve never tried it).

You can as well simply duplicate the certs from certbot. Just needs to be redone, when they are renewed.
AFAIK, self-signed certificates work as well. But not 100% sure if all browsers and such connect well then without complaining about the non-trusted cert.
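
Added example, not part of the original replies: one way to “duplicate the certs” to a fixed location and redo it only when they change, keeping the private key owner-only. The file names cert.pem and privkey.pem are from the thread; the `current` symlink and the destination directory in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: copy renewed certificate files from the snap to a stable path.

# sync_certs SRC_DIR DST_DIR
# Copies cert.pem and privkey.pem only when they differ from the copy already
# in DST_DIR. Prints "updated" or "unchanged"; returns non-zero on error.
# The body runs in a subshell so the umask change does not leak to the caller.
sync_certs() (
    src=$1; dst=$2; changed=0
    umask 077                                   # new dir 0700, new files 0600
    mkdir -p "$dst" || exit 1
    for f in cert.pem privkey.pem; do
        # Refuse to publish a missing or empty file over a working one.
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; exit 1; }
        cmp -s "$src/$f" "$dst/$f" 2>/dev/null && continue
        # Write to a temp file in the same directory, then rename atomically,
        # so a service reading DST_DIR never sees a half-written key.
        tmp=$(mktemp "$dst/.$f.XXXXXX") || exit 1
        cat "$src/$f" > "$tmp" && mv -f "$tmp" "$dst/$f" || { rm -f "$tmp"; exit 1; }
        changed=1
    done
    [ "$changed" -eq 1 ] && echo updated || echo unchanged
)

# Live use (assumptions: snapd's revision-independent "current" symlink and a
# hypothetical export directory; run as root, e.g. from cron):
#   sync_certs /var/snap/nextcloud/current/certs/live /etc/ssl/nextcloud-export

# Offline demo with constructed placeholder files (not real key material).
demo=$(mktemp -d)
mkdir -p "$demo/live"
echo "constructed cert placeholder" > "$demo/live/cert.pem"
echo "constructed key placeholder"  > "$demo/live/privkey.pem"
sync_certs "$demo/live" "$demo/export"
sync_certs "$demo/live" "$demo/export"
rm -rf "$demo"
```

A caller can restart the dependent service only when the function prints "updated".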

I’m in Gallery Slideshow/Preview Generator app trouble on my Nextcloud 14/stable server. Please see here for more info.

In summary, I can’t figure out how to properly run the “Preview Generator” app’s “/snap/bin/nextcloud.occ preview:generate-all” on the command line…

Edit: I merely rebooted the server, and it all seems to work OK now.

Request: when Let’s Encrypt generates SSL certificates within the snap, could the actual privkey.pem and cert.pem files be stored outside the snap (say, under /etc/certbot or something like that), in case any other services installed on the same Nextcloud server might also want to use SSL encryption?

Two possible examples of this:

  • Running a TURN server (for use in conjunction with Nextcloud Talk)
  • Running a mail server (where you want SSL on your IMAP, and SMTP submission ports), say from a docker container like this one.

I installed NC via SNAP/Ubuntu 18.04 yesterday and everything was working as expected. Today my site is throwing an HTTP 500 ERROR, and I cannot figure out why. I did not make any changes, but did upload some files via the mobile app this morning (which I see exist in the data directory).

When I look in the logs and elsewhere by running OCC commands (which aren’t working) I see messages like the below. My newb brain thinks it looks like a problem with the database. Running php -m I cannot find mysql or other modules I would expect were included in the SNAP package. Not sure how it would have worked before without these. Any advice on this matter would be appreciated.

An unhandled exception has been thrown:
Doctrine\DBAL\DBALException: Failed to connect to the database: An exception occured in driver: SQLSTATE[HY000] [2002] No such file or directory in /snap/nextcloud/10791/htdocs/lib/private/DB/Connection.php:64

Files stopped syncing. When I checked the web page, it turned out it is a forced update to version 15.0.2 as seen in the ss.

When I clicked on “start update”, it resulted in an error. The last repair step is to “extract the vcard uid and store it in the db”.

Then it puts itself into maintenance mode until I restart the snap, in which case it starts over from the “start update” page. How to troubleshoot?

What I could find is that the line in the logs below that repair step is about memory limits.

{"reqId":"XshGdYhMa5PsodOS2q3p","level":1,"time":"2019-02-11T08:59:39+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\OC\Repair::step: Repair step: Extract the vcard uid and store it in the db","userAgent":"--","version":"14.0.6.0"}
{"reqId":"XshGdYhMa5PsodOS2q3p","level":3,"time":"2019-02-11T08:59:41+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"Allowed memory size of 134217728 bytes exhausted (tried to allocate 217088 bytes) at /snap/nextcloud/11343/htdocs/3rdparty/sabre/vobject/lib/Parser/MimeDir.php#319","userAgent":"--","version":"14.0.6.0"}

Also, it says “needsDbUpgrade:true” in the nextcloud status. So maybe it is relevant.

A little bit of a ‘noob’ here. Have installed nextcloud snap (15 edge currently but have been working on stable version as well) on an old macbook air (1,1) with Ubuntu server (18.04) with an external disk which I have working (although it’s a little moody) and I have figured out how to add files and folders directly (ie. an hour or two) rather than uploading them (days) via the nextcloud client (which anyway seems to have its own issues) but I am having problems working out how to get nextcloud to acknowledge that they’re there and make them available for clients. I have tried various incarnations of;
sudo -u www-data nextcloud.occ files:scan --all

but it seems to run into folder permission issues - “cannot create user data directory … permission denied”.

Reading up a little on this page it would seem that this might be an issue with the snap and to get this working I’d have to reinstall without using the snap. Is that correct or is there a way around this?

And I did try changing the folder permissions temporarily (to 777) but that didn’t work either and changing them (/var/snap/nextcloud/12142) back to 755 seems to have stopped uploads completely.

For now I’ve only added two files both set to 640 (apparently folders should be 750 and files 640). Both of these are not showing up on the client side (but are definitely in the right folder alongside two other files uploaded via the client which are showing up).

For me, it installs fine and I can reach the http site. But when I run “snap Nextcloud.enable-https custom -s cert.crt key.csr chain.ca-bundle”, it successfully installs the ssl cert files but there is an error when restarting apache. Apache shows as inactive. I have then disabled https but apache remains inactive. I also tried enabling https with each ssl file renamed to .pem

A message I get is that there is a syntax error at line 69 of ssl.conf. cert.pem is either missing or empty.

I entered /var/snap/nextcloud/11891/certs/live. The cert file is present. I then open it and it has the same key as our custom .crt file. So it is neither missing nor empty. And the path on line 69 of ssl.conf points to the location where cert.pem is located.

You’re more likely to get help logging issues on the project itself.

I am facing a SSL handshake issue from an android 4.4.2 device.

I have a setup where I sync my contacts on Nextcloud with multiple Android devices using Davx5 (davdroid). It used to work fine but now one of my devices stopped syncing. Don’t know for sure but I have a sense that this could be related to the snap update specific to the Android version because my other android device (and thunderbird as well) is continuing to sync properly.

The error I am getting from Davx5 says:

2019-04-16 10:35:50 2 [HttpClient] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5e210c78: Failure in SSL library, usually a protocol error

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0x5e2b2830:0x00000000)

Full Error Log: https://pastebin.com/8N4sm0d9

From what I read on Davx5 forums, this could be about incompatible ciphers (https://forums.bitfire.at/topic/1091/handshake-error-sl23_get_server_hello/15). But I am not sure what they are, how to test or change them in a nextcloud snap installation setting.

Any idea how to proceed with troubleshooting?

@qweqweqwe please start a new thread or log an issue.

I have external storage mounted to /media/nextcloud. By default apparmor denies access to this folder. Logs look like this:

May 23 11:06:58 cloud kernel: [255431.083533] audit: type=1400 audit(1558598818.295:5976): apparmor="DENIED" operation="open" profile="snap.nextcloud.php-fpm" name="/media/nextcloud/data/nextcloud.log" pid=26872 comm="php-fpm" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0

I can change profile /var/lib/snapd/apparmor/profiles/snap.nextcloud.php-fpm
and nextcloud works fine.
But after each update apparmor replaces this profile and my changes are lost.
How to save my fixes in apparmor profiles and prevent them from changes on update?
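
Added example, not part of the original post: before widening a profile it helps to see exactly what the confinement is blocking. This shell function groups AppArmor denials for snap profiles by profile, operation, mask and path; the first sample line is the one quoted above, the rest are constructed.

```shell
#!/bin/sh
# Added example: summarise AppArmor denials for snap profiles from kernel logs.

# First line is the denial quoted in this thread; the others are constructed.
SAMPLE='May 23 11:06:58 cloud kernel: [255431.083533] audit: type=1400 audit(1558598818.295:5976): apparmor="DENIED" operation="open" profile="snap.nextcloud.php-fpm" name="/media/nextcloud/data/nextcloud.log" pid=26872 comm="php-fpm" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
May 23 11:07:03 cloud kernel: [255436.100000] audit: type=1400 audit(1558598823.300:5977): apparmor="DENIED" operation="open" profile="snap.nextcloud.php-fpm" name="/media/nextcloud/data/nextcloud.log" pid=26872 comm="php-fpm" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
May 23 11:07:10 cloud kernel: [255443.200000] audit: type=1400 audit(1558598830.400:5978): apparmor="DENIED" operation="mknod" profile="snap.nextcloud.php-fpm" name="/media/nextcloud/data/upload.tmp" pid=26872 comm="php-fpm" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
May 23 11:08:00 cloud kernel: [255493.300000] audit: type=1400 audit(1558598880.500:5979): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/root/capture.pcap" pid=27001 comm="tcpdump" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'

# summarise_denials: reads syslog/journal text on stdin and prints
#   COUNT PROFILE OPERATION DENIED_MASK PATH
# for every distinct denial against a snap.* profile, most frequent first.
# Limitation: key="value" pairs are split on whitespace, so paths containing
# spaces are truncated.
summarise_denials() {
    awk '
        /apparmor="DENIED"/ {
            split("", kv)                       # portable way to clear an array
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                val = substr($i, eq + 1)
                gsub(/"/, "", val)              # strip the surrounding quotes
                kv[substr($i, 1, eq - 1)] = val
            }
            if (kv["profile"] !~ /^snap\./) next    # keep snap profiles only
            key = kv["profile"] " " kv["operation"] " " kv["denied_mask"] " " kv["name"]
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Live use: journalctl -k | summarise_denials   (or feed it /var/log/syslog)
printf '%s\n' "$SAMPLE" | summarise_denials
```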

Today I noticed that my nextcloud box is still on version 13 (13.0.12 to be exact) and wondered, since version 16 seems to be out, shouldn’t the snap version in nextcloud box auto update at some point?

Danger alert: if you are running Nextcloud from a ver. 15 snap, don’t upgrade your “Bookmarks” app to 2.1.1! It needs the php-gmp package/library, which is not in the ver. 15 snap! Stay on “Bookmarks” version 1.1.1.

Note: Cross-posted from here.

Also note: a ver. 16 snap seems to work, for the bookmarks app! Problem only exists with ver. 15 snap.