[OUTDATED] Nextcloud + nginx reverse proxy + letsencrypt in docker containers

Hey,

I’ve brought together some examples in my Github Repo (as posted here).

I used a few other docker containers for letsencrypt certificates and the reverse proxy. I hope it gives you a starting point.

I just came home from a vacation, but I plan to update / add more examples soon. If you have any question feel free to ask in this forum or open a github issue.

Hello Snowyo,

thank you for this great work. I have used the wonderfall/nextcloud image for a long time with Selfhost. But your solution with LetsEncrypt is perfect. One question:
I also use the image wonderfall/rainloop. Nextcloud is on domain.de. Rainloop is on mail.domain.de. Is there a way to use rainloop with your solution? What do I need to do?

THX

PS: I have a solution. It's very easy. Thanks for your work.

The compose file is neat, it saves me a lot of work.

But I ran in a problem:

In nginx, I get a (correct) server directive:

server {
    server_name cloud.blablupp.net;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    include /etc/nginx/vhost.d/default;
    location / {
            proxy_pass http://3afac6260a30ad5a478f7c1e03596252dbf8a712;
    }

}

But this is HTTP only; it should be HTTPS / port 443.

Also, the folder with the certs that should have been generated by the nginx-letsencrypt-companion is empty:

|-- certs
| |-- cloud.blablupp.net
| `-- dhparam.pem

Seems like the letsencrypt part didn’t work AND nginx didn’t create an SSL vhost.

VIRTUAL_HOST and LETSENCRYPT_HOST are set as follows:

  - VIRTUAL_HOST=cloud.blablupp.net
  - LETSENCRYPT_HOST=cloud.blablupp.net

Anyone any hint on that issue?

I find the following error in the logs, too. Is there a variable not correctly set / missing?

letsencrypt-companion | 2017-01-31 12:33:18,024:ERROR:simp_le:1271: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/lowSQoRJKmoZXhgczHZiA81J-GlLrjmS6aGXCH_7yxM

Seems like the verification via acme-challenge fails, letsencrypt can’t connect to the challenge file:

letsencrypt-companion | 2017-01-31 12:54:17,507:ERROR:acme.challenges:256: Unable to reach http://cloud.cipherspec.net/.well-known/acme-challenge/9edsC2tt9RNwXOWwwZw53J6KkHJjHvRBfW0JJsgGMkQ: HTTPConnectionPool(host='cloud.cipherspec.net', port=80): Max retries exceeded with url: /.well-known/acme-challenge/9edsC2tt9RNwXOWwwZw53J6KkHJjHvRBfW0JJsgGMkQ (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7f22ac78db90>: Failed to establish a new connection: [Errno 111] Connection refused',))

Probably this happens because in the nginx conf, this (sub)domain is not set up.

Any hints?

Hi Snowyo,

I had to fight a bit but now it's running :slight_smile:

However I would really recommend to change the tutorial to the version WITHOUT ‘proxy-tier’ only. The mix is really confusing and I don’t see the advantages of the ‘proxy-tier’ flavor.

The thing which still confuses me is that most of the environment for wonderfall/nextcloud isn’t working. For example you set UID=1000, GID=1000 but I always get 991, the default.
And why do we have to set the LETSENCRYPT environment in nextcloud and not in nginx or letsencrypt-nginx-proxy-companion?

Thanks in advance for helping me to understand such things better,
Maik

Hey,

The tutorial is really outdated ;). The official nextcloud container is finally there and working great. There are two different versions: fpm and apache. I suggest you go there.

Personally I’m not using the wonderfall container anymore so I can’t help you with that. You might go to github and ask there.

Words on the proxy + letsencrypt configuration:
The official nextcloud container (just like the wonderfall when I wrote this tutorial) contains a webserver. But to connect to your nextcloud encrypted via https (which is mandatory if you’re using it via the internet) you need additional settings. Of course you could generate/validate certificates manually and then copy / mount them into the container and reconfigure apache but who wants to do that? :smiley:

Using the reverse proxy in front with the letsencrypt-companion handles the whole certificate generation, validation and renewal automatically. So you just have to fire it up and it works. The best part is, you don’t even have to understand how it works, if you get what it does :grin:.

Basically (and that differs from what I did in the tutorial, I learned a lot since then) you want to split your whole server configuration into different networks. Containers that interact with each other share at least one network. In front of your servers sits a proxy which handles connections to the outside (internet) and takes care of https encryption.

So first part: You create your nextcloud instance. It requires a database and the webserver container. So you have your first network which has the nextcloud and database container in it.

Second: You have the proxy and the letsencrypt container. Since you want to proxy the traffic to your nextcloud it also has to be in the proxy network. Since only traffic to the nextcloud container is proxied, it’s the only one having the VIRTUAL_HOST, LETSENCRYPT_HOST and LETSENCRYPT_EMAIL variables.

Third step: To make the servers available from the outside, you map the ports (80 and 443) from the proxy to your host. It’s the only container that is reachable directly from the internet.

Additional: As you might have guessed already, the proxy setup can do many more things for you. It makes it extremely easy to add other services on the same host which also use a webserver (ports 80 / 443). You can assign different domain names to the same docker-host and have the proxy resolve the requests to the right container. So for example you could run the following setup on your domain (example.com):

you could even add a second wordpress on (example2.com)
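As an added example (this is not code from the original thread or from Snowyo's repository), here is a docker-compose file that lays out the three steps described above: one internal network holding nextcloud and its database, one proxy network shared by nextcloud, nginx-proxy and the letsencrypt companion, and only the proxy publishing ports 80 and 443. The VIRTUAL_HOST / LETSENCRYPT_HOST / LETSENCRYPT_EMAIL variables sit on the nextcloud service only, because it is the only container whose traffic is proxied. The domain cloud.example.com, the e-mail address, the passwords and the host paths under ./proxy are placeholders; the image names and the OVERWRITEPROTOCOL / NEXTCLOUD_TRUSTED_DOMAINS variables are taken from the current docs of the official nextcloud image and of nginx-proxy / letsencrypt-nginx-proxy-companion and are assumed to still be valid for the versions you run.

```yaml
# Added example: two-network layout for nextcloud behind nginx-proxy + letsencrypt companion.
# Not the original tutorial's compose file; all hostnames and secrets are placeholders.
version: "2"

services:
  # Step three: the proxy is the ONLY container that publishes ports on the host.
  proxy:
    image: jwilder/nginx-proxy
    container_name: proxy
    ports:
      - "80:80"    # must stay reachable from the internet: HTTP-01 validation
      - "443:443"  # hits http://<host>/.well-known/acme-challenge/... on port 80
    volumes:
      - ./proxy/certs:/etc/nginx/certs:ro      # proxy only reads certificates
      - ./proxy/vhost.d:/etc/nginx/vhost.d
      - ./proxy/html:/usr/share/nginx/html     # served for the ACME challenge
      # Read-only socket, but note: anything with the docker socket can control
      # the whole host, so treat the proxy container as trusted infrastructure.
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - proxy-tier
    restart: always

  # Step two: the companion watches the same docker socket, requests a certificate
  # for every container carrying LETSENCRYPT_HOST, and renews it.
  letsencrypt-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    volumes_from:
      - proxy                                  # shares vhost.d and html with the proxy
    volumes:
      - ./proxy/certs:/etc/nginx/certs:rw      # the companion is the only writer
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy-tier
    restart: always

  # Step one: database, reachable only on the internal nextcloud network.
  db:
    image: mariadb
    environment:
      - MYSQL_ROOT_PASSWORD=change-me-root   # placeholder
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=change-me             # placeholder
    volumes:
      - db:/var/lib/mysql
    networks:
      - nextcloud-tier
    restart: always

  # Step one, continued: the official image (apache flavour) with its own webserver.
  # It is on BOTH networks: nextcloud-tier to reach db, proxy-tier to be proxied.
  nextcloud:
    image: nextcloud:apache
    environment:
      - MYSQL_HOST=db
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=change-me             # placeholder, same as above
      # The proxy terminates TLS, so tell nextcloud to generate https:// links
      # and to accept the public hostname.
      - OVERWRITEPROTOCOL=https
      - NEXTCLOUD_TRUSTED_DOMAINS=cloud.example.com
      # Only this container is proxied, so only it carries the proxy variables.
      - VIRTUAL_HOST=cloud.example.com
      - LETSENCRYPT_HOST=cloud.example.com
      - LETSENCRYPT_EMAIL=admin@example.com   # placeholder
    volumes:
      - nextcloud:/var/www/html
    networks:
      - proxy-tier
      - nextcloud-tier
    depends_on:
      - db
    restart: always

volumes:
  db:
  nextcloud:

networks:
  proxy-tier:
  nextcloud-tier:
    internal: true   # no route to the outside; db is never reachable from the internet
```

Two things to check before blaming the compose file if the companion logs "Connection refused" on the challenge URL as in the post above: the DNS record for the hostname in LETSENCRYPT_HOST must already point at the docker host, and port 80 of the proxy must be reachable from the internet (firewall and any port forwarding included), because the companion validates ownership by serving the challenge file through the proxy on plain HTTP. A second service on another domain (the wordpress case mentioned above) is added the same way: join it to proxy-tier and give it its own VIRTUAL_HOST / LETSENCRYPT_HOST; it does not need, and should not get, access to nextcloud-tier.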


Are you still getting this problem? This is not an expected behavior.
Otherwise for those who want to use my image over the official one, the README.md is always updated with latest instructions, except for the reverse proxy part where I only give some hints (there are so many ways).