SSL Issues on Fresh Nextcloud AIO Docker Windows 10 install: "Cannot negotiate ALPN protocol"

Hi, first time Nextcloud and Docker user. I’m trying to set up Nextcloud using Docker on Windows 10. I followed the instructions in for the “All-In-One Docker image”.

I have everything running, but when I try to open the Nextcloud website my browser tells me this:

Secure Connection Failed
An error occurred during a connection to foobar.nl. Peer reports it experienced an internal error.
Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

In the logs of the Apache container I find this:

2023-01-02 18:37:57 {"level":"info","ts":1672681077.4129071,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"foobar.nl"}
2023-01-02 18:37:57 {"level":"info","ts":1672681077.9010909,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"foobar.nl","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
2023-01-02 18:37:59 {"level":"error","ts":1672681079.270551,"logger":"http.acme_client","msg":"challenge failed","identifier":"foobar.nl","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
2023-01-02 18:37:59 {"level":"error","ts":1672681079.2705894,"logger":"http.acme_client","msg":"validating authorization","identifier":"foobar.nl","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/81631473/6300428113","attempt":1,"max_attempts":3}
2023-01-02 18:37:59 {"level":"error","ts":1672681079.270605,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"foobar.nl","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
2023-01-02 18:37:59 {"level":"error","ts":1672681079.2706232,"logger":"tls.obtain","msg":"will retry","error":"[foobar.nl] Obtain: [foobar.nl] solving challenge: foobar.nl: [foobar.nl] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":187.069269292,"max_duration":2592000}

I have replaced my domain with foobar.nl.

In what direction should I be looking? Docker config? Windows firewall? DNS settings? Router?

  • I have forwarded port 443 to my computer and confirmed it is open via yougetsignal.com
  • I have deleted all volumes and containers and tried from scratch twice
  • I have tried opening port 443 to any applications on Windows Firewall
  • I don’t use my domain for anything else, but there are default DNS records from my provider that I’m not sure I can delete.
  • The first time I tried setting up I forgot to create the backup dir, so I removed all containers and volumes and tried again

Do I need to port forward in Windows firewall for Docker?

Stack:
Windows 10
Docker 20.10.21 (fresh install)
Nextcloud 25.0.2.3 (nextcloud/aio-nextcloud:latest)

I suppose this is likely your issue then. Can you try to use a different (sub-)domain with no default DNS records?

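What the CA sees when it runs the tls-alpn-01 challenge is the A record for the name plus whatever answers on port 443 at that address, so the two things worth checking before touching the container are: does the name resolve to your public IP (not to a provider default), and does the listener at that IP negotiate the acme-tls/1 ALPN protocol. The script below is an added diagnostic, not part of this thread or of Nextcloud AIO; the function names are mine, and it assumes you know your own public IPv4 address (the one you forwarded port 443 to).

```python
import socket
import ssl

ACME_ALPN = "acme-tls/1"   # ALPN id used by the TLS-ALPN-01 challenge (RFC 8737)

def resolve_ipv4(host):
    """Return the sorted IPv4 addresses the name resolves to ([] if none)."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe_acme_alpn(host, port=443, timeout=5.0):
    """Offer only acme-tls/1 and report what answered: ("selected", proto),
    ("ignored", None) if TLS completed without ALPN, ("refused", reason) if
    the handshake was rejected, ("failed", reason) if the connect failed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # the ACME solver presents a self-signed cert
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols([ACME_ALPN])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                proto = tls.selected_alpn_protocol()
    except ssl.SSLError as exc:       # e.g. a no_application_protocol alert
        return ("refused", str(exc))
    except OSError as exc:            # timeout, connection refused, no route
        return ("failed", str(exc))
    return ("selected", proto) if proto else ("ignored", None)

def diagnose(resolved, expected_ip, probe):
    """Classify what the CA would see; pure function, no network."""
    if not resolved:
        return "no-a-record"
    if expected_ip not in resolved:
        return "dns-points-elsewhere"   # e.g. a provider's default @ record
    if len(resolved) > 1:
        return "multiple-a-records"     # the CA may validate against another one
    status, detail = probe
    if status == "failed":
        return "port-443-unreachable"   # firewall, NAT or nothing listening
    if status != "selected" or detail != ACME_ALPN:
        return "alpn-not-negotiated"    # some other TLS service answers on 443
    return "ok"

def check(host, expected_ip):
    return diagnose(resolve_ipv4(host), expected_ip, probe_acme_alpn(host))
```

Run `check("cloud.example.net", "<your public IP>")` from outside your own network (a phone hotspot will do), because from inside the LAN you may be testing your router's NAT loopback rather than the path the CA takes.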

Thank you for your reply, I’m not too familiar with setting DNS records. Could you explain a bit more about what I need to do? Do I need to create a new DNS record on the same level as the main domain? And the DNS record name is where I put the subdomain name right?

Right now I have these records:

Name        Type  Content                                           TTL
www         A     11.111.111.111                                    24h
ftp         A     11.111.111.111                                    24h
mail        A     11.111.111.111                                    24h
@           A     11.111.111.111                                    24h
_domainkey  TXT   "o=~"                                             24h
_dmarc      TXT   "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"  24h
@           TXT   "v=spf1 a mx -all"                                24h

I had AAAA records, which I believe are for IPv6, but I removed those because I don’t think I have an IPv6 address at home.

Success! I got it working using a subdomain, I made 2 DNS records:

Name       Type  Content         TTL
cloud      A     11.111.111.111  24h
www.cloud  A     11.111.111.111  24h

I then deleted the Docker containers and volumes and did a fresh install following the guide. Not sure why the ‘main’ domain was not working, but I guess I’ll stick with the subdomain.