Web Access OK - unable to use iOS or Windows client

Truenas Scale 22.12.1
cloudflare tunnel
nextcloud 25.0.4_1.6.18

I was getting the error message [EINVAL] values.ingress.main.tls: Item#0 is not valid per list types: [EINVAL] tlsEntry.scaleCert: Invalid choice: 3 when I was on nextcloud 25.0.2_19.0.51 (truecharts) and was not able to upgrade so I deleted nextcloud and installed 25.0.4_1.6.18 (standard truenas scale apps).

I manually added my web address to config.php add cloud.myweb.mycom as trusted domain, and am able to access nextcloud fine using a browser. But fails when using the windows web app with the error untrusted certificate - The host name did not match any of the valid hosts for this certificate for windows and iOS "web login not available, use the old login method."

So after reading a number of posts, changed the owner (chown) to the directory - in my case /mnt/Main/vmStorage/nextcloud to www-data with the same results.

I would prefer using the latest version of nextcloud, but the posts I’m finding on various sites have somewhat conflicting information. I do have webDAV installed at the server level but don’t have any webDAV shares set up (some posts indicated adding webDAV username to the config file).

In looking at the log in Administration/Overview in the web interface I see:

  • You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read the documentation page about this.

Although i think this only applies to the direct web access I’m using I did find an article related to access, so I added the following in config.php:
  'overwritehost' => 'custom.domain.com',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwrite.cli.url' => 'https://custom.domain.com/',
  'htaccess.RewriteBase' => '/',

With no change in behavior. Spinning my wheels now trying to find the appropriate documentation to follow.

Any help would of course be appreciated.
Thanks

Is your certificate actually valid? And does it match the URL you typed in the apps? You can test it here: https://ssllabs.com/ssltest

Usually this is the result of a reverse proxy using HTTP on the backend connection, and you would need overwriteprotocol to fix it. Are you using a reverse proxy?


Two good points @KarlF12 , thanks. I had thought that the cloudflared app in Truenas was handling the certificate. And, yes I am using reverse proxy. I tried using the overwriteprotocol as HTTPS, but I’ll try HTTP? I’ll see if I can find better documentation on the parameters like overwriteprotocol.

You would want it set to HTTPS. Your NC server thinks it’s HTTP because that’s what’s coming to it from the proxy and so sends the client to HTTP URLs (“generating insecure URLs”).

See here for docs. https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html

I deleted everything, re-installed the certificates, double checked cloudflare tunnel configuration it is working using the web again using cloud.mydomain.com, but not the app. cloud.mydomain.com is added to the trusted domains. I don’t understand why it would work with the web page and not the app.

Still working on it. In the logs I see "failed to create fsnotify watcher: too many open files" (nextcloud-postgresql log, nextcloud-redis log, hpb log, etc.). I increased the inotify limit (sudo sysctl fs.inotify.max_user_watches=262144) but it is not helping and I'm not certain it's related.

Thanks @KarlF12

Have you tested the setup without the Cloudflare tunnel?

Thanks again @KarlF12
I re-installed again making sure to configure ingress on initial installation in truenas scale. Again, cloud.mydomain.com works fine using a browser (phone, pc, etc.). I’ve added the external IP address to the trusted domains in the config.php; added a port forward for nextcloud (10020) to the server in the router and the app message is - “connection error Could not connect to server”. On a PC web browser using the external IP & port I get:
  Access through untrusted domain

  Please contact your administrator. If you are an administrator, edit the "trusted_domains" setting in config/config.php like the example in config.sample.php.

  Further information how to configure this can be found in the documentation.

Both of these make sense because I'm trying to https into a web site that is http only. I use the tunnel to create my https connection.

With the re-install I am getting “Error Web Login not available, use the old login method”. What’s the old login method?

FYI Web access on iOS works fine - including uploading and viewing files; just the app has issues. Also, added 'overwriteprotocol' => 'https', to the config file when I re-installed.
Here’s my redacted config.php:
config.odt (25.9 KB)

In one post above, you said you had the external IP in trusted_hosts, and in another you said cloud.mydomain.com. Ultimately to resolve this error, whatever IP or FQDN you are putting in the address bar of your browser (or server address of the app) needs to be included in trusted_domains. The error means it is not finding an entry that matches.

This should be cloud.mydomain.com along with a matching certificate if the goal is to have valid HTTPS. And then ideally you should always use the valid URL to access it, never the IP.

That’s fine, and possibly necessary to make it work with the tunnel. But also understand that this means you MUST use HTTPS when connecting because it will always redirect you to HTTPS URLs.

This may mean that you need to connect over the tunnel even when coming from your LAN in order for all the moving parts to line up.
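The reverse-proxy settings discussed in this thread, collected into one config/config.php fragment as an added example (not the poster's config and not Nextcloud's documentation). The hostname cloud.mydomain.com comes from the thread; the trusted_proxies addresses are placeholder assumptions for wherever the tunnel/proxy reaches Nextcloud from.

```php
<?php
// Added example: minimal reverse-proxy section for Nextcloud's config/config.php.
// Assumes the public hostname is cloud.mydomain.com and that the proxy or tunnel
// sidecar connects to Nextcloud from 127.0.0.1 or a private range (placeholders).
$CONFIG = array (
  // Every hostname or IP typed into a browser, or entered as the server address
  // in the desktop/mobile app, must be listed here; otherwise Nextcloud answers
  // "Access through untrusted domain". Use the FQDN that the certificate covers.
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'cloud.mydomain.com',
  ),

  // The proxy terminates TLS and speaks plain HTTP to Nextcloud, so without
  // this Nextcloud builds http:// links ("generating insecure URLs") and the
  // apps cannot finish the login flow. Force https in every generated URL,
  // which also means clients must always connect over HTTPS.
  'overwriteprotocol' => 'https',
  'overwritehost' => 'cloud.mydomain.com',
  'overwrite.cli.url' => 'https://cloud.mydomain.com/',

  // Trust X-Forwarded-* headers only from the proxy's own addresses, never
  // from arbitrary clients, so a client cannot spoof its source address.
  // Replace these placeholders with the real proxy/tunnel source addresses.
  'trusted_proxies' =>
  array (
    0 => '127.0.0.1',
    1 => '10.0.0.0/8',
  ),
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),
);
```

After editing, the Administration/Overview page should no longer report insecure URL generation, and the "untrusted domain" error only appears for addresses that are not in trusted_domains.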