NextcloudPi (21.0.9.1) - --> Access through untrusted domain

My problem is that I do not use a NextcloudPi.
For upgrade of NextcloudPi read this.
Perhaps someone with NextcloudPi can help you.

Yes, you can upgrade your system to the latest NextcloudPi version.
Sooner or later you must do it.
But I think this does not solve your problem with untrusted domain.

1 Like

Hello @devnull

Many thanks for all your effort and time, which you have put in my problem! I really really appreciate it.

I want to and will get rid of NextCloudPi and their scripts. So I deactivated everything which is related to NextcloudPi. So let’s deal with my request ticket like a “general” Nextcloud ticket :smile:

Regarding my questions above, do you have an idea?

  • Can you please tell me WHERE the Nextcloud web UI gets this information? From my understanding it should check the config/config.php. Or does it use another source like checking out these parameters directly from the MySQL database?

UPDATE:

I found out that my cron.php cronjob (running every 5 minutes) had NOT run successfully for a very long time.

WebUI showed me that everything was OK
CLI showed no error output when I triggered it manually:
sudo -u www-data php -f /var/www/nextcloud/cron.php

BUT, when I checked /var/mail/www-data, I saw that it ran into this error every 5 minutes:

“failed to connect to the database”

By duckduckgoing the internet, I found out that this can occur after an upgrade of PHP packages and that one should reinstall all PHP packages and reactivate all PHP modules for Apache etc.
I thought “Oh my god! NO, please NO!”

Then I did an “apt update && apt upgrade” and I was luckily offered an upgrade to php 8.0.16 for all my installed php 8.0.15 packages.

I thought: I can’t make it worse than it is currently, so I installed them.

Afterwards my cron.php job worked again - so I was lucky that it has been solved so easily :slight_smile:

One of my problems is now gone: WebUI finally shows me the correct NC version 21.0.9.1 and offers me NC 22.2.5.

What I learned here was, that I will be more careful with updating packages in the future :sweat_smile:

Now I can continue with all the other problems that I discovered - especially the “trusted domains” issue.

@SoCloudy The trusted domain configuration is commented out in the script because those configuration values aren’t used :slight_smile:

This is the correct location where the trusted domain values are set

https://github.com/nextcloud/nextcloudpi/blob/dd8fc3dd7d663faf5d916039ee042ef049aaf728/bin/ncp/CONFIG/nc-init.sh#L108

  ncc config:system:set trusted_domains 7 --value="nextcloudpi"
  ncc config:system:set trusted_domains 5 --value="nextcloudpi.local"
  ncc config:system:set trusted_domains 8 --value="nextcloudpi.lan"
  ncc config:system:set trusted_domains 3 --value="nextcloudpi.lan"

  # email
  ncc config:system:set mail_smtpmode     --value="sendmail"
  ncc config:system:set mail_smtpauthtype --value="LOGIN"
  ncc config:system:set mail_from_address --value="admin"
  ncc config:system:set mail_domain       --value="ownyourbits.com"

You need to give an ID higher than 20 for your own domains in the config.php, else you’ll get all sorts of troubles.

Here is my config.php as a reference from the VM I’m using to experiment with when I have some time over besides work and my studies


<?php
$CONFIG = array (
  'passwordsalt' => 'TRALALALA',
  'secret' => 'TRALALALA',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    22 => 'MY.DOMAIN.COM',
    '' => 'nextcloudpi',
    11 => 'THIS.VMs.IPv6.ADDRESS',
    1 => 'THIS.VMs.IPv4.ADDRESS',
    14 => 'nextcloudpi',
    20 => 'nextcloudpi.local',
    21 => 'MY.DOMAIN.local',
    23 => 'MY.DOMAIN.COM',
    24 => 'LOCAL.IP.ADDRESS',
    25 => 'MY.DOMAIN.COM',
    3 => 'nextcloudpi',
  ),
  'datadirectory' => '/media/USBdrive/ncdata/data',
  'dbtype' => 'mysql',
  'version' => '23.0.0.10',
  'overwrite.cli.url' => 'https://nextcloudpi/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'TRALALALA',
  'dbpassword' => 'TRALALALA',
  'installed' => true,
  'instanceid' => 'TRALALALA',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 0.0,
    'password' => 'TRALALALA',
  ),
  'tempdirectory' => '/media/USBdrive/ncdata/data/tmp',
  'mail_smtpmode' => 'sendmail',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_from_address' => 'admin',
  'mail_domain' => 'ownyourbits.com',
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'overwriteprotocol' => 'https',
  'trusted_proxies' => 
  array (
    11 => '127.0.0.1',
    12 => '::1',
    13 => 'nextcloudpi',
    14 => '',
  ),
  'maintenance' => false,
  'logfile' => '/media/USBdrive/ncdata/data/nextcloud.log',
  'loglevel' => '2',
  'log_type' => 'file',
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' => 
  array (
    0 => 'Users',
    1 => 'admin',
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
);

You must go into your config, and add your FQDN to trusted domains.

@qubit2022 He already has ↓

2 => ‘foo.no-ip.info’, = canonical name for foo.ddns.net
3 => ‘foo.ddns.net’

I believe the issue is the ID assigned to the FQDN

Unless of course he is literally using foo.ddns.org cuz then you’re right, it needs to be the FQDN

[quote=“SoCloudy, post:7, topic:134366”]
'overwriteprotocol' => 'https'
[/quote]

He should try to add the public IP to trusted domains, and not the local.
‘overwriteprotocol’ => ‘https’ usually does the trick here though.
Seems to me his DNS records are incorrect or his DDNS is not pointing to the correct IP.

Well yes obviously, unless you want to access it in the local network as well by IP address, which I do. If you do not add your local IP there you cannot do this

If you use proxies in the local network, which I do, these need to be added as well, except under trusted proxies instead

The overwrite cli only overwrites from http to https, it does not affect which trusted domain is allowed or not

A DDNS should point to the public IP of the router, which then forwards the request to the server via port forwarding.

Now which addresses you’re allowed to use when connecting is what trusted domains are for, both with a domain name (local and external) and IP address

1 Like
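
An audit of a `trusted_domains` array like the one in the config.php posted earlier in this thread, as an added example (not code from any poster, Nextcloud or NextcloudPi). It assumes the array has been exported as a JSON object with string keys; `NCP_INDICES` holds the indices set by the nc-init.sh lines quoted earlier, and `host_is_listed` is a simplified exact-match model, not Nextcloud's own check.

```python
import json

# Indices written by the nc-init.sh lines quoted earlier in this thread.
NCP_INDICES = {3, 5, 7, 8}

# Constructed sample: the trusted_domains array from the config.php posted
# above, as a JSON object (string keys), placeholders kept as posted.
SAMPLE = json.loads("""{
  "0": "localhost", "22": "MY.DOMAIN.COM", "": "nextcloudpi",
  "11": "THIS.VMs.IPv6.ADDRESS", "1": "THIS.VMs.IPv4.ADDRESS",
  "14": "nextcloudpi", "20": "nextcloudpi.local", "21": "MY.DOMAIN.local",
  "23": "MY.DOMAIN.COM", "24": "LOCAL.IP.ADDRESS", "25": "MY.DOMAIN.COM",
  "3": "nextcloudpi"
}""")


def audit(trusted):
    """Return (issue, key) pairs for entries worth cleaning up."""
    findings, first_seen = [], {}
    for key, value in trusted.items():
        if not (key.isascii() and key.isdigit()):
            findings.append(("non-integer-key", key))
        elif int(key) in NCP_INDICES:
            # An index the quoted script sets itself, so it may be rewritten.
            findings.append(("ncp-managed-index", key))
        name = value.strip().lower()
        if not name:
            findings.append(("empty-value", key))
        elif first_seen.setdefault(name, key) != key:
            findings.append(("duplicate", key))
    return findings


def host_is_listed(host_header, trusted):
    """Simplified model (assumption): exact, case-insensitive match of the
    Host header, minus any port, against the listed values."""
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        host = host[: host.find("]") + 1]
    elif host.count(":") == 1:          # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    listed = {v.strip().lower() for v in trusted.values() if v.strip()}
    return bool(host) and host in listed


if __name__ == "__main__":
    for issue, key in audit(SAMPLE):
        print(f"{issue:18} index {key!r} -> {SAMPLE[key]!r}")
    print(host_is_listed("MY.DOMAIN.COM:443", SAMPLE))
```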

Yes I copied the wrong part of that post.

2 => ‘foo.no-ip.info’, = canonical name for foo.ddns.net
3 => ‘foo.ddns.net’

usually does the trick here.

His DNS records are 100 percent messing with him, I’m certain of it. Something from the registrar, all the way to the DNS provider, is wrong. It could even be a wrong ssl certification. After reinstalling nextcloud most usually reissue or (try to) reissue a letsencrypt ssl cert. If you’ve used up your 5 for the week it would mean the cert you’re using is no longer valid.

1 Like

Aha I see :partying_face:

It should not be the DNS, as he is able to reach the server … that would not have worked at all if it was the DNS

Well it looks like you’ve changed quite a bit from the set defaults :sweat_smile: and it looks like you’re using PHP 8 as well? And Debian 11? Which means you’re on a configuration not yet supported really (by ncp I mean)

1 Like

Talking about your issue of accessing through trusted domains and your configuration in general :slightly_smiling_face:

I agree to a certain extent. But, this would be an issue if ssl is not valid. My hosting panel, sometimes likes to reissue certification, and after 5 times (https://tools.letsdebug.net/) It will not reissue, so the server then pulls the previous ssl certification or tries to self cert. This will cause an untrusted domain issue.

But yea I do agree he wouldn’t be able to access the site, if DNS IP was incorrect.

1 Like

Ahh gotcha. I am not having an issue with trusted domains. Mine works perfectly. I am talking about the issue I’m having here.

https://help.nextcloud.com/t/requesting-address-is-denied-unable-to-open-next-cloud-office/134634

@qubit2022 Yeah sorry ! I just noticed it was the wrong person :sweat_smile: I’ll take a look

Understood. I’ll delete all of my posts, once you have, that way I’m not hijacking.

No worries, they can be it’s fine :+1:

Oh understood! That’s good to know.

Hello guys,

many thanks for your proposals. What I did was completely disable all the NextcloudPi scripts and remove the related systemd services.

NextcloudPi no longer exists in my installation.

Afterwards I manually installed Nextcloud 21.0.9.1 once again and imported my old config.php.
In fact, I HAD to reinstall everything again, because I had the very good idea to rename the config.php and so my Nextcloud got stuck in the “It looks like you want to re-install Nextcloud once again. CAN_INSTALL file is missing” mode.

Afterwards the trusted domains problem was solved - without setting the IDs higher than 20.

As the NextcloudPi scripts have been deactivated, my domains were no longer overwritten. And there are no more other strange modifications going on on my Pi :joy:

Sorry for the open words, I don’t want to insult the Nextcloudpi devs. They do a great work, but in my situation, I did so many manual changes in my nextcloud config, that NextcloudPi could only crash.

So the only remaining solution for me was to remove the NextcloudPi stuff, without losing my data.

Many thanks for your help!
I really appreciate this forum!!!

No worries :+1:

I’m glad you got it working for you again :slightly_smiling_face: