UPDATED Aug 15 2018 - Script 100% auto install on Debian 9. Apache, MPM Event, php-fpm socket, Redis socket on both local and locking cache, LRU data eviction, LetsEncrypt SSL A+

Sorry for OT, where can I get the Tech and me Script? I have bought the Hyper-V Image, but since I am new at Linux, I can’t understand where to find all the paths. Maybe Tech and me is very busy, but the support is awful. If I can read the script, I find out by myself.

TIA

It’s on their GitHub page:

Last I used it about 2 months ago it was tricky… got some errors, didn’t know what was going wrong. I made my own installer for Debian:

I found an even easier way to install it with yunohost. Just download the yunohost iso, install it to a vm, and then activate the nextcloud app. Worked great for me anyway.


I’m not able to get NC on my fresh Deb 9 running with this script :-/

I’m struggling with the Letsencrypt part.

Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

I have tried the update from certbot


But also not successful.
There I have a mistake - I think with the Apache configuration, because the certbot script is not able to check and activate my URL.

Does anybody have any idea to support me?

@Konrad : I have had the same problem with letsencrypt. The problem lies within the old version in Debian stretch’s standard repo. You have to enable stretch backports and update certbot and certbot-apache to the latest stretch-backport version. Best regards kamekun

This is due to a security issue LetsEncrypt had with TLS-SNI challenge: https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188

This method was disabled for older certbot clients than 20.X(?), thus for apache/nginx authentication modules. Solution is, if you don’t want to / can’t update certbot, to use webroot authenticator, which uses http challenge by default: e.g.
certbot renew -i apache -a webroot -w /path/to/webroot (apache installer module but webroot authentication module).

But of course better to upgrade certbot client.
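The choice described in this post, as an added example that is not part of the original thread: pick the authenticator from the installed certbot version and fall back to the webroot command quoted above. The 0.21.0 threshold for HTTP-01 support in the apache plugin, the sample version strings and the `/var/www/nextcloud` webroot are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the thread.
# Assumption: certbot's apache/nginx plugins can answer HTTP-01 from 0.21.0 on;
# older plugins only offered TLS-SNI-01, which Let's Encrypt disabled.
MIN_HTTP01="0.21.0"

# version_ge A B: succeeds when dotted version A >= B (first three fields).
version_ge() {
    local a="$1" b="$2" n x y
    for n in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}      # drop suffixes such as "dev0"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}

# pick_authenticator "<output of certbot --version>": prints apache or webroot.
pick_authenticator() {
    if version_ge "${1##* }" "$MIN_HTTP01"; then
        echo apache     # plugin can satisfy the CA on its own
    else
        echo webroot    # fall back to HTTP-01 via files in the webroot
    fi
}

# renew_command "<version output>" <webroot>: prints the renew command to run.
renew_command() {
    case $(pick_authenticator "$1") in
        apache)  echo "certbot renew --apache" ;;
        webroot) echo "certbot renew -i apache -a webroot -w $2" ;;
    esac
}

# Constructed version strings; /var/www/nextcloud is a hypothetical webroot.
for sample in "certbot 0.10.2" "certbot 0.28.0"; do
    printf '%-15s -> %s\n' "$sample" "$(renew_command "$sample" /var/www/nextcloud)"
done
```
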

I ended up using acme.sh to handle certbot/letsencrypt cert issuance and renewal and it works great since I don’t have a static ip. It can be found here https://github.com/Neilpang/acme.sh.

The issue I am having is that when I try to access nextcloud (both via local static ip and domain) via https - I get a 503 Service Unavailable error. Is there something additional I forgot to include - I should mention that I did enable SSL in Apache2 post script.

I did confirm I can access nextcloud via http but clearly prefer https.

I use the NextcloudPi curl script for installation on Debian 9. I like that it handles SSL via the ncp-config tool. Also nice that the tool received unattended updates.

I am making progress on resolving my errors but still have some questions. Since I am not using certbot to generate my Let’s Encrypt SSL and adjust Apache, what changes do I need to make to the Apache config & Nextcloud config files?

Thank you very much for your useful script.

I used the backport-package of certbot and commented the apt install-line, but left everything else as it is.

I only receive a 403 Forbidden if I enter the URL

https://nc.mydomain.tld/index.php

In apache error log I get:

[Tue Jun 12 15:49:27.910228 2018] [authz_core:error] [pid 588:tid 140702918895360] [client 192.168.0.180:36178] AH01630: client denied by server configuration: /a/nextcloud/, referer: https://nc.mydomain.tld/nextcloud

Permissions for /a seem to be right.

Any ideas?

mrtx

I have resolved all of my issues by modifying the Nextcloud.conf file to include a Virtual Host for 443 and point it to the location of my SSL certs.

When I check the basic settings I have 2 errors that come up: strict headers, which I have corrected by modifying my nextcloud.conf file, and the other is PHP OPcache.

The specific PHP OPcache error is:

The PHP OPcache is not properly configured. For better performance it is recommended to use the following settings in the php.ini:

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Any thoughts on how to modify the php files? The standard google results are not yielding any success.

Have you checked the nextcloud.conf file to make sure it has both the 80 and 443 w/ssl paths virtual hosts listed? I was having a similar issue which led me to the virtual host conf.

Also have you confirmed you can access the 80 and 443 ports from outside your network? Many ISPs block them by default.

@Scott This script isn’t so complex. It just installs the basics. The Tech and Me script provides tweaks and is based on a lot of arguments. In other words, it’s more complex and there might be bugs in it. If you find any, please report them to the Nextcloud VM repo on Github.

@3Dscrewer Why do you think that the support is “awful”?

In general, you can’t use the script on Debian, as it’s intended to use on Ubuntu 18.04 (atm).

The way you have things set up it might be really easy to support both Debian and Ubuntu. Just have two different lists of dependencies. One for Ubuntu and one for Debian. The main script can do something like $ lsb_release -d then call the appropriate list!

Are you willing to implement it? :wink:

Yeah sure maybe.
When I find a little time I would like to first rewrite my script (the one above) to work around the security issue that broke LetsEncrypt with the TLS-SNI challenge: https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 and to use a tuned Redis instead of APCu.

Bye =)

maybe this would do the trick ??

certbot --apache --rsa-key-size 4096 --must-staple --hsts --uir --staple-ocsp \
  --strict-permissions --email "$email" --agree-tos --redirect -d "$domainname"

to

certbot --rsa-key-size 4096 --authenticator standalone --installer apache  --must-staple --hsts --uir \
--staple-ocsp --strict-permissions --email "$email" --agree-tos --redirect \
  -d "$domainname" --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"

and don’t forget a small dependency:
sources.list
deb http://ftp.debian.org/debian stretch-backports main
and
apt-get install python-certbot-apache -t stretch-backports -y

Thanks for the tip! Really wanted to avoid using backports. Changed the script and improved it a bunch. Should work now!

Neat trick for mysql_secure_installation! However, on modern Debian/Ubuntu systems, the script is a no-op. Read the script to see what it does – by default, there is no anonymous user, test database or remote root accounts. Try to run (as you described) “SELECT User, Host, password, plugin from mysql.user;” on a fresh MariaDB installation.
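A way to check that claim on a given server, as an added example that is not part of the original thread: the function below reads the tab-separated result of the query from this post and reports anonymous accounts, remote root accounts and passwordless accounts. The sample rows are constructed, and treating an empty password as acceptable only with the `unix_socket` plugin is an assumption of this example.

```sh
#!/bin/sh
# Added example, not code from the thread. Input rows are tab-separated
# User, Host, password, plugin, e.g. from:
#   mysql -N -B -e 'SELECT User, Host, password, plugin FROM mysql.user'

# audit_mysql_users: reads rows on stdin, prints one "finding<TAB>account" line
# per problem mysql_secure_installation would otherwise clean up.
audit_mysql_users() {
    awk -F '\t' '
        $1 == "" { printf "anonymous-user\t@%s\n", $2 }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            printf "remote-root\troot@%s\n", $2
        }
        # Assumption: an empty password is acceptable only with unix_socket auth.
        $3 == "" && $4 != "unix_socket" {
            printf "empty-password\t%s@%s\n", $1, $2
        }
    '
}

# Constructed sample: a fresh install where root logs in via unix_socket.
fresh_sample() {
    printf 'root\tlocalhost\t\tunix_socket\n'
}

# Constructed sample: legacy defaults (hash is a placeholder, not a real one).
legacy_sample() {
    printf 'root\tlocalhost\t\t\n'
    printf 'root\t%%\t*PLACEHOLDER_HASH\t\n'
    printf '\tlocalhost\t\t\n'
}

echo "fresh:";  fresh_sample  | audit_mysql_users
echo "legacy:"; legacy_sample | audit_mysql_users
```

An empty result means the user table already matches what mysql_secure_installation would leave behind; the test database is not covered by this check.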

I have not yet tried the script with Ubuntu or Debian Testing. This script is for Debian stable (aka Debian 9). Have they removed those questions in upstream versions of mysql_secure_installation? Thanks for the heads up.

22 posts were split to a new topic: Failed authorisation procedure at the request of @onryo