Nextcloudpi SSL record too long

Hello, I am hoping someone can help me with an issue I am facing as I try to get my nextcloud connected to the internet. I am using Nextcloudpi 1.46.7 on a RPI 4, 8G ram.

I have enabled Namecheap DynamicDNS from the guides linked on the NCP documentation through namecheap for a subdomain sub.domain.net. When I run the dynamicdns through the webgui I receive this output:

```
[ namecheapDNS ] (Thu Jan 13 21:32:13 PST 2022)
System config value trusted_domains => 3 set to string sub.domain.net
System config value overwrite.cli.url set to string https://sub.domain.net
System config value trusted_proxies => 11 set to string 127.0.0.1
System config value trusted_proxies => 12 set to string ::1
System config value trusted_proxies => 13 set to string sub.domain.net
System config value trusted_proxies => 14 set to string [IP]
✓ redis is configured
🗴 can't connect to push server: cURL error 35: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://sub.domain.net/push/test/cookie
Namecheap DNS client is enabled
```

I see on the namecheap side that the dynamic DNS has automatically populated my raspberry pi external IP. Yet, I was never able to get the browser to resolve to sub.domain.net using HTTP or HTTPS.

After fiddling with my firewall/router settings and turning off httpsonly, I was able to use letsencrypt and received this output:

```
[ letsencrypt ] (Thu Jan 13 21:21:55 PST 2022)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub.domain.net
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sub.domain.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sub.domain.net/privkey.pem
Your cert will expire on 2022-04-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

INFO: Letsencrypt domain is sub.domain.net
INFO: Metrics enabled: no
Apache self check:
Syntax OK
System config value trusted_domains => 11 set to string sub.domain.net
System config value trusted_domains => 3 set to string sub.domain.net
System config value overwrite.cli.url set to string https://sub.domain.net/
System config value trusted_proxies => 11 set to string 127.0.0.1
System config value trusted_proxies => 12 set to string ::1
System config value trusted_proxies => 13 set to string sub.domain.net
System config value trusted_proxies => 14 set to string [IP]
✓ redis is configured
🗴 can't connect to push server: cURL error 35: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for sub.domain.net/push/test/cookie
```

I still cannot get to my website from sub.domain.net, from either local network or external network. I can reach my NCP at 192.168.1.xxx. When I go to sub.domain.net, my browser shows this error message:

Secure Connection Failed

An error occurred during a connection to sub.domain.net. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

NCP-report

<--! Paste this in GitHub report -->

<details>
<summary>NextCloudPi diagnostics</summary>

NextCloudPi version  v1.46.7
NextCloudPi image    NextCloudPi_10-08-21
OS                   Debian GNU/Linux 10. 5.4.51-v8+ (aarch64)
automount            yes
USB devices          sda sdb
datadir              /media/NCloud/ncdata
data in SD           no
data filesystem      ext2/ext3
data disk usage      405M/917G
rootfs usage         2.8G/30G
swapfile             /var/swap
dbdir                /var/lib/mysql
Nextcloud check      ok
Nextcloud version    21.0.4.1
HTTPD service        up
PHP service          up
MariaDB service      up
Redis service        up
HPB service          down
Postfix service      up
internet check       ok
port check 80        open
port check 443       open
IP                   ***REMOVED SENSITIVE VALUE***
gateway              ***REMOVED SENSITIVE VALUE***
interface            eth0
certificates         ***REMOVED SENSITIVE VALUE***
NAT loopback         no
uptime               24min

Nextcloud configuration

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "22": "nextcloudpi",
            "1": "192.168.1.184",
            "11": "sub.domain.net",
            "3": "sub.domain.net",
            "20": "sub.domain.net",
            "21": "https:\/\/subold.domain.net",
            "14": "nextcloudpi"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "21.0.4.1",
        "overwrite.cli.url": "https:\/\/sub.domain.net\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "tempdirectory": "\/media\/NCloud\/ncdata\/tmp",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "preview_max_x": "2048",
        "preview_max_y": "2048",
        "jpeg_quality": "60",
        "overwriteprotocol": "https",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "logfile": "\/media\/NCloud\/ncdata\/nextcloud.log",
        "loglevel": "2",
        "log_type": "file",
        "theme": "",
        "htaccess.RewriteBase": "",
        "mail_sendmailmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    }
}

HTTPd logs

[Thu Jan 13 21:25:33.436228 2022] [:notice] [pid 867:tid 548418200960] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
[Thu Jan 13 21:25:33.436300 2022] [:notice] [pid 867:tid 548418200960] ModSecurity: APR compiled version="1.6.5"; loaded version="1.6.5"
[Thu Jan 13 21:25:33.436318 2022] [:notice] [pid 867:tid 548418200960] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Thu Jan 13 21:25:33.436332 2022] [:notice] [pid 867:tid 548418200960] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Jan 13 21:25:33.436344 2022] [:notice] [pid 867:tid 548418200960] ModSecurity: YAJL compiled version="2.1.0"
[Thu Jan 13 21:25:33.436356 2022] [:notice] [pid 867:tid 548418200960] ModSecurity: LIBXML compiled version="2.9.4"
[Thu Jan 13 21:25:33.436407 2022] [:notice] [pid 867:tid 548418200960] ModSecurity: Original server signature: Apache
[Thu Jan 13 21:25:33.436516 2022] [:notice] [pid 867:tid 548418200960] ModSecurity: StatusEngine call: "2.9.3,Apache,1.6.5/1.6.5,8.39/8.39 2016-06-14,Lua 5.1,2.9.4,dc"
[Thu Jan 13 21:25:34.563137 2022] [:notice] [pid 867:tid 548418200960] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Thu Jan 13 21:25:34.747796 2022] [ssl:warn] [pid 1133:tid 548418200960] AH01909: localhost:4443:0 server certificate does NOT include an ID which matches the server name
[Thu Jan 13 21:25:34.748013 2022] [ssl:error] [pid 1133:tid 548418200960] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=archlinux / issuer: CN=archlinux / serial: 18C088C8F787E3CFD6C7C76280DC1F392C6E3DC2 / notbefore: Oct  8 19:39:52 2021 GMT / notafter: Oct  6 19:39:52 2031 GMT]
[Thu Jan 13 21:25:34.748035 2022] [ssl:error] [pid 1133:tid 548418200960] AH02604: Unable to configure certificate localhost:4443:0 for stapling
[Thu Jan 13 21:25:34.755486 2022] [mpm_event:notice] [pid 1133:tid 548418200960] AH00489: Apache/2.4.38 (Debian) OpenSSL/1.1.1d   configured -- resuming normal operations
[Thu Jan 13 21:25:34.755631 2022] [core:notice] [pid 1133:tid 548418200960] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jan 13 21:29:46.277394 2022] [mpm_event:notice] [pid 1133:tid 548418200960] AH00493: SIGUSR1 received.  Doing graceful restart
[Thu Jan 13 21:29:46.438453 2022] [ssl:warn] [pid 1133:tid 548418200960] AH01909: localhost:4443:0 server certificate does NOT include an ID which matches the server name
[Thu Jan 13 21:29:46.438724 2022] [ssl:error] [pid 1133:tid 548418200960] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=archlinux / issuer: CN=archlinux / serial: 18C088C8F787E3CFD6C7C76280DC1F392C6E3DC2 / notbefore: Oct  8 19:39:52 2021 GMT / notafter: Oct  6 19:39:52 2031 GMT]
[Thu Jan 13 21:29:46.438758 2022] [ssl:error] [pid 1133:tid 548418200960] AH02604: Unable to configure certificate localhost:4443:0 for stapling
[Thu Jan 13 21:29:46.440125 2022] [mpm_event:notice] [pid 1133:tid 548418200960] AH00489: Apache/2.4.38 (Debian) OpenSSL/1.1.1d   configured -- resuming normal operations
[Thu Jan 13 21:29:46.440161 2022] [core:notice] [pid 1133:tid 548418200960] AH00094: Command line: '/usr/sbin/apache2'

Database logs

2022-01-13 21:26:06 0 [Note] InnoDB: Uses event mutexes
2022-01-13 21:26:06 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2022-01-13 21:26:06 0 [Note] InnoDB: Number of pools: 1
2022-01-13 21:26:06 0 [Note] InnoDB: Using generic crc32 instructions
2022-01-13 21:26:06 0 [Note] InnoDB: Initializing buffer pool, total size = 1.875G, instances = 1, chunk size = 128M
2022-01-13 21:26:07 0 [Note] InnoDB: Completed initialization of buffer pool
2022-01-13 21:26:07 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2022-01-13 21:26:07 0 [Note] InnoDB: 128 out of 128 rollback segments are active.
2022-01-13 21:26:07 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2022-01-13 21:26:07 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2022-01-13 21:26:07 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2022-01-13 21:26:07 0 [Note] InnoDB: 10.3.29 started; log sequence number 5516847; transaction id 11672
2022-01-13 21:26:07 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
2022-01-13 21:26:07 0 [Note] Plugin 'FEEDBACK' is disabled.
2022-01-13 21:26:07 0 [Note] Server socket created on IP: '127.0.0.1'.
2022-01-13 21:26:07 0 [Note] Reading of all Master_info entries succeeded
2022-01-13 21:26:07 0 [Note] Added new Master_info '' to hash table
2022-01-13 21:26:07 0 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.3.29-MariaDB-0+deb10u1'  socket: '/run/mysqld/mysqld.sock'  port: 3306  Debian 10
2022-01-13 21:26:08 0 [Note] InnoDB: Buffer pool(s) load completed at 220113 21:26:08

Nextcloud logs

{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Repair::step: Repair step: Reset generated avatar flag","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"no app in context","method":"","url":"--","message":"Deprecated event type for \\OC\\Repair::step: Symfony\\Component\\EventDispatcher\\GenericEvent is used","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Repair::step: Repair step: Keep legacy encryption enabled","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"no app in context","method":"","url":"--","message":"Deprecated event type for \\OC\\Repair::step: Symfony\\Component\\EventDispatcher\\GenericEvent is used","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Repair::step: Repair step: Check encryption key format","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"no app in context","method":"","url":"--","message":"Deprecated event type for \\OC\\Repair::step: Symfony\\Component\\EventDispatcher\\GenericEvent is used","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Repair::step: Repair step: Remove old dashboard app config data","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"no app in context","method":"","url":"--","message":"Deprecated event type for \\OC\\Repair::step: Symfony\\Component\\EventDispatcher\\GenericEvent is used","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Repair::step: Repair step: Add job to cleanup the bruteforce entries","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"no app in context","method":"","url":"--","message":"Deprecated event type for \\OC\\Repair::step: Symfony\\Component\\EventDispatcher\\GenericEvent is used","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Repair::step: Repair step: Queue a one-time job to check for user uploaded certificates","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"no app in context","method":"","url":"--","message":"Deprecated event type for \\OC\\Repair::step: Symfony\\Component\\EventDispatcher\\GenericEvent is used","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Repair::step: Repair step: Repair DAV shares","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"no app in context","method":"","url":"--","message":"Deprecated event type for \\OC\\Repair::step: Symfony\\Component\\EventDispatcher\\GenericEvent is used","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Repair::step: Repair step: Add background job to set the lookup server share state for users","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:08+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Updater::startCheckCodeIntegrity: Starting code integrity check...","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:40+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Updater::finishedCheckCodeIntegrity: Finished code integrity check","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:40+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Updater::updateEnd: Update successful","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:40+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Updater::maintenanceDisabled: Turned off maintenance mode","userAgent":"--","version":"21.0.4.1"}
{"reqId":"1m3i04E9vFGwjBhvls8R","level":1,"time":"2022-01-14T03:04:40+00:00","remoteAddr":"","user":"--","app":"updater","method":"","url":"--","message":"\\OC\\Updater::resetLogLevel: Reset log level to Warning(2)","userAgent":"--","version":"21.0.4.1"}

</details>

I cannot for the life of me figure out the problem. Please let me know if you need additional logs or information and I will be happy to supply it! I’ve done little to this install - I have been playing around with nextcloudpi for a week now to learn some linux commands and see if I can make something useful. If I need to burn the whole thing down again, that’s ok. Thank you in advance!

Seems Dynamic DNS script also has problems with it.

I understood that your Pi is connected to the LAN.

  1. What kind of IP address did you configure in dynamic DNS for sub.domain.net? Could you check if it is the same as your external IP, e.g. from the output of one of these commands:

```
curl https://api.ipify.org
curl http://icanhazip.com
curl http://wtfismyip.com/text
curl http://nst.sourceforge.net/nst/tools/ip.php
```

  2. If you execute dig sub.domain.net what address do you see?
    • IP from the LAN / WAN?
    • Is it the same as for the commands above?

P.S. This string is not needed in config:

Also 20, 3 and 11 are doubled, please leave only one of them, e.g. 3.

Thank you for your assistance!

I used the first curl and received the same IP that is in namecheap’s ddns section. I have the output from the dig command below, which also had the correct IP. I’m not sure if it’s helpful, but I also included my namecheap configuration too.

Thank you also for the note about the trusted domains, I have corrected them!

namecheap config

dig output:

```
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61214
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 6c9962e5825c88af0100000061e1d6f9ef48701f065dbbf6 (good)
;; QUESTION SECTION:
;sub.domain.net.            IN      A

;; ANSWER SECTION:
sub.domain.net.     180     IN      A       [correct IP]

;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jan 14 12:03:05 PST 2022
;; MSG SIZE  rcvd: 91
```

Ok, seems good, let's do the next step.

I suppose that you have a problem with port forwarding from the router to your server.
Also please check if you disabled “external access” in your router, which will usually take over ports 80 and 443 and expose your router admin panel to the internet.

Can you reach your server outside of your network, e.g. via Mobile phone without WiFi?
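
One way to see what is actually answering on the forwarded port 443, as an added example that is not part of the original thread: the script sends a real TLS ClientHello and classifies the first bytes of the reply, and it shows why a plaintext `HTTP/` reply read as a TLS record header produces the "record too long" and "wrong version number" errors quoted above. The function names (`client_hello`, `parse_record_header`, `classify`, `probe`) are illustrative.

```python
"""Classify what answers on port 443 (added example, names are illustrative)."""
import socket
import ssl
import struct
import sys

MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext record allowed by TLS 1.2
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data


def client_hello(host):
    """Let the ssl module build a genuine ClientHello without touching the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's reply
    return outgoing.read()


def parse_record_header(data):
    """Read 5 bytes the way a TLS client does: content type, version, length."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def classify(data):
    """Return 'tls', 'plain-http', 'not-tls' or 'no-data' for a server's first bytes."""
    if len(data) < 5:
        return "no-data"
    if data[:5] == b"HTTP/":
        return "plain-http"  # a web server without TLS is bound to this port
    ctype, (major, _minor), length = parse_record_header(data)
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        return "tls"
    return "not-tls"


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello over a raw socket and return the first reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        return sock.recv(64)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        reply = probe(sys.argv[1])
    else:
        # Constructed sample: what a plaintext HTTP listener sends back.
        reply = b"HTTP/1.1 400 Bad Request\r\n"
    verdict = classify(reply)
    print(verdict, reply[:16])
    if verdict == "plain-http":
        ctype, version, length = parse_record_header(reply)
        # 'H','T','T' become type 0x48 and version 0x5454; 'P','/' become the length.
        print(f"read as TLS: type={ctype:#x} version={version} length={length}"
              f" (limit {MAX_RECORD_LEN})")
```

Run it with the public hostname from outside the LAN and again with the Pi's LAN address: a `plain-http` verdict on one and `tls` on the other shows which device or virtual host is answering the forwarded port.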