Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can.
The Basics
- Nextcloud Server version (e.g., 29.x.x):
30.0.2
- Operating system and version (e.g., Ubuntu 24.04):
  - Nextcloud container - Alpine 3.20
  - Host - Windows 11
- Web server and version (e.g, Apache 2.4.25):
Apache 2.4.62
- Reverse proxy and version (e.g. nginx 1.27.2):
replace me
- PHP version (e.g, 8.3):
replace me
- Is this the first time you’ve seen this error? (Yes / No):
Yes
- When did this problem seem to first start?
Has been there since I started setup a few days ago
- Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
AIO
- Are you using Cloudflare, mod_security, or similar? (Yes / No)
Yes, Cloudflare for DNS records
Summary of the issue you are facing:
I followed the AIO setup guide and completed instructions on the AIO interface. All my containers were updated and are running, but I still can’t open nextcloud due to SSL_PROTOCOL_ERROR. I checked this but the error in my apache container logs is different - “Error getting validation data” (Detailed logs below).
I know that letsencrypt can reach my nextcloud server, because when I hadn’t forwarded my port and it wasn’t able to reach I got a different error - timeout during connect (likely firewall problem). I have also tried to host a simple web page on that machine on port 80, that also works.
I tried running certbot container directly on the same machine to see if I can find out why the acme challenge was failing, but the certbot docker was able to generate certificate successfully. For some reason, only nextcloud cert validation is failing.
Passing SKIP_DOMAIN_VALIDATION environment variable is also not helping. It still tries to validate the domain and won’t let me connect.
I have a few questions:
- How can I fix this?
- How can I reproduce nextcloud AIO’s certificate validation independently, so I can debug it?
- Is there a way I can input the certificates I generated using certbot into nextcloud config?
I have added spaces in some of the links in my log because the forum won’t allow me to post more than 4 links
Steps to replicate it (hint: details matter!):
- Launch the master container using this command:
docker run `
  --init `
  --sig-proxy=false `
  --name nextcloud-aio-mastercontainer `
  --restart always `
  --publish 85:80 `
  --publish 8085:8080 `
  --publish 8448:8443 `
  --publish 448:443 `
  --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config `
  --volume /var/run/docker.sock:/var/run/docker.sock:ro `
  nextcloud/all-in-one:latest
- Forward port 80 on router to port 85 on the machine, 8443 on router to 8448 on machine and 8080 on router to 8085 on machine. Notice that ultimately, because of the mappings in the above command, traffic is directed to the correct port in docker.
- Follow all steps in AIO setup
Log entries
Nextcloud
Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.
2024-11-23T19:52:00.865141845Z Connection to nextcloud-aio-database (172.18.0.5) 5432 port [tcp/postgresql] succeeded!
2024-11-23T19:52:03.058181472Z now
2024-11-23T19:52:03.058284507Z -------------------------------
2024-11-23T19:52:03.058300168Z 2024-11-23 19:52:03.026284+00
2024-11-23T19:52:03.058308786Z (1 row)
2024-11-23T19:52:03.058314758Z
2024-11-23T19:52:03.089122242Z + '[' -f /dev-dri-group-was-added ']'
2024-11-23T19:52:03.090339532Z ++ find /dev -maxdepth 1 -mindepth 1 -name dri
2024-11-23T19:52:03.092967082Z + '[' -n '' ']'
2024-11-23T19:52:03.093099798Z + set +x
2024-11-23T19:52:03.119845745Z Enabling Imagick...
2024-11-23T19:52:05.931658332Z WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.20/main: No such file or directory
2024-11-23T19:52:05.931703119Z WARNING: opening from cache https : //dl-cdn. alpinelinux. org/alpine/v3.20/community: No such file or directory
2024-11-23T19:52:05.959823465Z Connection to nextcloud-aio-redis (172.18.0.6) 6379 port [tcp/redis] succeeded!
2024-11-23T19:52:09.307392305Z Applying one-click-instance settings...
2024-11-23T19:52:09.823762688Z System config value one-click-instance set to boolean true
2024-11-23T19:52:10.308602909Z System config value one-click-instance.user-limit set to integer 100
2024-11-23T19:52:10.820182210Z System config value one-click-instance.link set to string https : // nextcloud. com/all-in-one/
2024-11-23T19:52:11.274268152Z support already enabled
2024-11-23T19:52:11.301473183Z Adjusting log files...
2024-11-23T19:52:11.838396665Z System config value upgrade.cli-upgrade-link set to string https : // github. com/nextcloud/all-in-one/discussions/2726
2024-11-23T19:52:12.283658222Z System config value logfile set to string /var/www/html/data/nextcloud.log
2024-11-23T19:52:12.748616364Z Config value were not updated
2024-11-23T19:52:13.219366141Z System config value updatedirectory set to string /nc-updater
2024-11-23T19:52:13.692587822Z System config value maintenance_window_start set to integer 100
2024-11-23T19:52:13.710703911Z Applying network settings...
2024-11-23T19:52:14.171517413Z System config value allow_local_remote_servers set to boolean true
2024-11-23T19:52:14.654937853Z System config value davstorage.request_timeout set to integer 3600
2024-11-23T19:52:15.277428091Z System config value trusted_domains => 1 set to string <my domain>
2024-11-23T19:52:15.767051953Z System config value overwrite.cli.url set to string https : //<my domain>/
2024-11-23T19:52:16.236395533Z System config value htaccess.RewriteBase set to string /
2024-11-23T19:52:16.707709967Z .htaccess has been updated
2024-11-23T19:52:17.189108788Z System config value dbpersistent set to boolean false
2024-11-23T19:52:17.678620443Z System config value auth.bruteforce.protection.enabled set to boolean true
2024-11-23T19:52:18.183934307Z System config value ratelimit.protection.enabled set to boolean true
2024-11-23T19:52:18.720198200Z System config value files_external_allow_create_new_local set to boolean false
2024-11-23T19:52:23.420629094Z notify_push is up-to-date or no updates could be found
2024-11-23T19:52:23.907593460Z System config value trusted_proxies => 0 set to string 127.0.0.1
2024-11-23T19:52:24.361172014Z System config value trusted_proxies => 1 set to string ::1
2024-11-23T19:52:24.884506630Z System config value trusted_proxies => 10 set to string 172.18.0.0/16
2024-11-23T19:52:25.391882886Z Config value were not updated
2024-11-23T19:52:25.425370911Z + echo nextcloud-aio-collabora
2024-11-23T19:52:25.425387416Z + grep -q 'nextcloud-.*-collabora'
2024-11-23T19:52:25.426991717Z + COLLABORA_HOST=<my domain>
2024-11-23T19:52:25.427088669Z + set +x
2024-11-23T19:52:26.395103917Z richdocuments is up-to-date or no updates could be found
2024-11-23T19:52:26.907256061Z Config value were not updated
2024-11-23T19:52:28.175211782Z Config value were not updated
2024-11-23T19:52:28.205053876Z + '[' -z '' ']'
2024-11-23T19:52:28.205091267Z + TALK_HOST=<my domain>
2024-11-23T19:52:28.205100448Z + HPB_PATH=/standalone-signaling/
2024-11-23T19:52:28.205106817Z + '[' -z '' ']'
2024-11-23T19:52:28.205112600Z + TURN_DOMAIN=<my domain>
2024-11-23T19:52:28.205118584Z + set +x
2024-11-23T19:52:29.338262359Z spreed is up-to-date or no updates could be found
2024-11-23T19:52:31.489828410Z Config value recording_servers of app spreed deleted
2024-11-23T19:52:32.049330619Z System config value enabledPreviewProviders => 0 set to string OC\Preview\Imaginary
2024-11-23T19:52:32.546309543Z System config value preview_imaginary_url set to string http : //nextcloud-aio-imaginary :9000
2024-11-23T19:52:33.057893935Z System config value preview_imaginary_key set to string 04495aea8e96c1b87b31b9b2e9ab65e5cbd4989364949c15
2024-11-23T19:52:33.152681221Z + '[' true = true ']'
2024-11-23T19:52:33.152702169Z + '[' 443 = 443 ']'
2024-11-23T19:52:33.153435465Z ++ dig nextcloud-aio-apache A ++ +short +search
2024-11-23T19:52:33.153451834Z grep '^[0-9.]\+$'
2024-11-23T19:52:33.153542187Z ++ sort
2024-11-23T19:52:33.153694886Z ++ head -n1
2024-11-23T19:52:33.233700450Z + IPv4_ADDRESS_APACHE=172.18.0.10
2024-11-23T19:52:33.234591389Z ++ grep '^[0-9a-f:]\+$'
2024-11-23T19:52:33.234629419Z ++ dig nextcloud-aio-apache AAAA +short +search
2024-11-23T19:52:33.234639248Z ++ head -n1
2024-11-23T19:52:33.235218126Z ++ sort
2024-11-23T19:52:33.284715791Z + IPv6_ADDRESS_APACHE=
2024-11-23T19:52:33.285900222Z ++ ++ sort
2024-11-23T19:52:33.285930275Z dig nextcloud-aio-mastercontainer A +short +search
2024-11-23T19:52:33.285933977Z ++ grep '^[0-9.]\+$'
2024-11-23T19:52:33.286147017Z ++ head -n1
2024-11-23T19:52:33.374267560Z + IPv4_ADDRESS_MASTERCONTAINER=172.18.0.2
2024-11-23T19:52:33.376430727Z ++ dig nextcloud-aio-mastercontainer AAAA +short +search
2024-11-23T19:52:33.377517977Z ++ grep '^[0-9a-f:]\+$'
2024-11-23T19:52:33.378305322Z ++ sort
2024-11-23T19:52:33.379188934Z ++ head -n1
2024-11-23T19:52:33.444225033Z + IPv6_ADDRESS_MASTERCONTAINER=
2024-11-23T19:52:33.444260805Z + sed -i 's|^;listen.allowed_clients|listen.allowed_clients|' /usr/local/etc/php-fpm.d/www.conf
2024-11-23T19:52:33.446867938Z + sed -i 's|listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1,172.18.0.10,,172.18.0.2,|' /usr/local/etc/php-fpm.d/www.conf
2024-11-23T19:52:33.450035761Z + sed -i '/^listen.allowed_clients/s/,,/,/g' /usr/local/etc/php-fpm.d/www.conf
2024-11-23T19:52:33.453396012Z + sed -i '/^listen.allowed_clients/s/,$//' /usr/local/etc/php-fpm.d/www.conf
2024-11-23T19:52:33.454792017Z + grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
2024-11-23T19:52:33.456648003Z listen.allowed_clients = 127.0.0.1,::1,172.18.0.10,172.18.0.2
2024-11-23T19:52:33.457105801Z + set +x
2024-11-23T19:52:34.916615591Z [23-Nov-2024 19:52:34] NOTICE: fpm is running, pid 291
2024-11-23T19:52:34.916652183Z [23-Nov-2024 19:52:34] NOTICE: ready to handle connections
2024-11-23T19:52:49.782098486Z Activating Collabora config...
2024-11-23T19:52:50.304383901Z ✓ Reset callback url autodetect
2024-11-23T19:52:50.304417297Z Checking configuration
2024-11-23T19:52:50.304420277Z 🛈 Configured WOPI URL: https://<my domain>
2024-11-23T19:52:50.304422630Z 🛈 Configured public WOPI URL: https://<my domain>
2024-11-23T19:52:50.304425031Z 🛈 Configured callback URL:
2024-11-23T19:52:50.304427188Z
2024-11-23T19:52:55.343046582Z Failed to fetch discovery endpoint from https :// <my domain>
2024-11-23T19:52:55.343090922Z cURL error 28: Operation timed out after 5002 milliseconds with 0 bytes received (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://<my domain>/hosting/discovery
Web Browser
If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.
PASTE
Web server / Reverse Proxy
The output of your Apache/nginx/system log in /var/log/____:
2024-11-23T20:05:46.634360499Z {"level":"error","ts":1732392346.6326392,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"<my domain>","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"<my ip address>: Error getting validation data","instance":"","subproblems":[]}}
2024-11-23T20:05:46.634421484Z {"level":"error","ts":1732392346.6328216,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"<my domain>","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"<my ip address>: Error getting validation data","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/<order id>","attempt":1,"max_attempts":3}
2024-11-23T20:05:46.634432878Z {"level":"error","ts":1732392346.632888,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"<my domain>","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - <my ip address>: Error getting validation data"}
2024-11-23T20:05:46.634439923Z {"level":"error","ts":1732392346.6329577,"logger":"tls.obtain","msg":"will retry","error":"[<my domain>] Obtain: [<my domain>] solving challenge: <my domain>: [<my domain>] authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - <my ip address>: Error getting validation data (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":310.498036022,"max_duration":2592000}
Configuration
Nextcloud
The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):
{
    "system": {
        "one-click-instance": true,
        "one-click-instance.user-limit": 100,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "check_data_directory_permissions": false,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "overwritehost": "<my domain>",
        "overwriteprotocol": "https",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "<my domain>"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "30.0.2.2",
        "overwrite.cli.url": "https:\/\/<my domain>\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "updatedirectory": "\/nc-updater",
        "loglevel": 2,
        "app_install_overwrite": [
            "nextcloud-aio"
        ],
        "log_type": "file",
        "logfile": "\/var\/www\/html\/data\/nextcloud.log",
        "log_rotate_size": 10485760,
        "log.condition": {
            "apps": [
                "admin_audit"
            ]
        },
        "preview_max_x": 2048,
        "preview_max_y": 2048,
        "jpeg_quality": 60,
        "enabledPreviewProviders": {
            "1": "OC\\Preview\\Image",
            "2": "OC\\Preview\\MarkDown",
            "3": "OC\\Preview\\MP3",
            "4": "OC\\Preview\\TXT",
            "5": "OC\\Preview\\OpenDocument",
            "6": "OC\\Preview\\Movie",
            "7": "OC\\Preview\\Krita",
            "0": "OC\\Preview\\Imaginary"
        },
        "enable_previews": true,
        "upgrade.disable-web": true,
        "mail_smtpmode": "smtp",
        "trashbin_retention_obligation": "auto, 30",
        "versions_retention_obligation": "auto, 30",
        "activity_expire_days": 30,
        "simpleSignUpLink.shown": false,
        "share_folder": "\/Shared",
        "one-click-instance.link": "https:\/\/nextcloud.com\/all-in-one\/",
        "upgrade.cli-upgrade-link": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/2726",
        "maintenance_window_start": 100,
        "allow_local_remote_servers": true,
        "davstorage.request_timeout": 3600,
        "htaccess.RewriteBase": "\/",
        "dbpersistent": false,
        "auth.bruteforce.protection.enabled": true,
        "ratelimit.protection.enabled": true,
        "files_external_allow_create_new_local": false,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "preview_imaginary_url": "***REMOVED SENSITIVE VALUE***",
        "preview_imaginary_key": "***REMOVED SENSITIVE VALUE***",
        "DOMAIN": "<my domain>"
    }
}
Apps
The output of occ app:list (if possible).
Enabled:
- activity: 3.0.0
- admin_audit: 1.20.0
- app_api: 4.0.0
- bruteforcesettings: 3.0.0
- calendar: 5.0.1
- circles: 30.0.0
- cloud_federation_api: 1.13.0
- comments: 1.20.1
- contacts: 6.1.1
- contactsinteraction: 1.11.0
- dashboard: 7.10.0
- dav: 1.31.1
- deck: 1.14.2
- federatedfilesharing: 1.20.0
- federation: 1.20.0
- files: 2.2.0
- files_downloadlimit: 3.0.0
- files_pdfviewer: 3.0.0
- files_reminders: 1.3.0
- files_sharing: 1.22.0
- files_trashbin: 1.20.1
- files_versions: 1.23.0
- firstrunwizard: 3.0.0
- logreader: 3.0.0
- lookup_server_connector: 1.18.0
- nextcloud-aio: 0.6.0
- nextcloud_announcements: 2.0.0
- notes: 4.11.0
- notifications: 3.0.0
- notify_push: 0.7.0
- oauth2: 1.18.1
- password_policy: 2.0.0
- photos: 3.0.2
- privacy: 2.0.0
- provisioning_api: 1.20.0
- recommendations: 3.0.0
- related_resources: 1.5.0
- richdocuments: 8.5.2
- serverinfo: 2.0.0
- settings: 1.13.0
- sharebymail: 1.20.0
- spreed: 20.0.2
- support: 2.0.0
- survey_client: 2.0.0
- systemtags: 1.20.0
- tasks: 0.16.1
- text: 4.1.0
- theming: 2.5.0
- twofactor_backupcodes: 1.19.0
- twofactor_totp: 12.0.0-dev
- user_status: 1.10.0
- viewer: 3.0.0
- weather_status: 1.10.0
- webhook_listeners: 1.1.0-dev
- workflowengine: 2.12.0
Disabled:
- encryption: 2.18.0
- files_external: 1.22.0
- suspicious_login: 8.0.0
- twofactor_nextcloud_notification: 4.0.0
- user_ldap: 1.21.0
Tips for increasing the likelihood of a response
- Use the preformatted text formatting option in the editor for all log entries and configuration output.
- If screenshots are useful, feel free to include them.
- If possible, also include key error output in text form so it can be searched for.
- Try to edit log output only minimally (if at all) so that it can be run through analyzers / formatters by those trying to help you.
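An added example, not part of the original post and not Nextcloud AIO code: a small triage script for the JSON ACME log lines shown under "Web server / Reverse Proxy". It extracts each failed challenge and flags those whose challenge type is validated on an inbound port that is missing from the set of externally forwarded ports. The function names and the sample domain and IP are assumptions made for illustration.

```python
import json

# Port the CA connects to for each ACME challenge type (http-01: RFC 8555,
# tls-alpn-01: RFC 8737). dns-01 needs no inbound connection.
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443}

# Constructed sample modelled on the log lines in the post; domain and IP are
# placeholders.
SAMPLE_LOG = """\
2024-11-23T20:05:46.634360499Z {"level":"error","ts":1732392346.63,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"cloud.example.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","detail":"203.0.113.10: Error getting validation data"}}
2024-11-23T20:05:46.634439923Z {"level":"error","ts":1732392346.63,"logger":"tls.obtain","msg":"will retry","error":"authorization failed","attempt":4,"retrying_in":300}
2024-11-23T20:05:47.000000000Z not a JSON line
"""

def parse_line(line):
    """Split a timestamp-prefixed log line into (timestamp, dict), else None."""
    stamp, _, payload = line.strip().partition(" ")
    try:
        entry = json.loads(payload)
    except json.JSONDecodeError:
        return None
    return (stamp, entry) if isinstance(entry, dict) else None

def failed_challenges(log_text):
    """Return one record per 'challenge failed' entry in the log text."""
    out = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1].get("msg") != "challenge failed":
            continue
        stamp, entry = parsed
        problem = entry.get("problem") or {}
        ctype = entry.get("challenge_type")
        out.append({
            "time": stamp,
            "identifier": entry.get("identifier"),
            "challenge_type": ctype,
            "error": problem.get("type", "").rsplit(":", 1)[-1],
            "required_port": CHALLENGE_PORT.get(ctype),
        })
    return out

def unreachable(failures, forwarded_ports):
    """Failures whose validation port is not among the forwarded ports."""
    return [f for f in failures
            if f["required_port"] is not None
            and f["required_port"] not in forwarded_ports]

if __name__ == "__main__":
    fails = failed_challenges(SAMPLE_LOG)
    # External router ports listed in the post's replication steps.
    for f in unreachable(fails, forwarded_ports={80, 8443, 8080}):
        print(f"{f['identifier']}: {f['challenge_type']} is validated on port "
              f"{f['required_port']}, which is not forwarded ({f['error']})")
```

A flagged entry only shows that the CA had no path to the port that challenge type uses; it does not rule out other causes further along the path.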