Newbie to LSIO, and self-hosting in general.
I should preface this by saying that up until yesterday, I had an instance of LSIO’s nextcloud running (without letsencrypt or mariadb), DNS was correctly configured, ports were forwarded, life was good, except for the fact that I THINK that you can’t use NC’s password app with self-signed certs. Otherwise, I would have been content with the way it was. (I completely erased all files including config and data files for this older, simpler instance)
OK, I’m following the guide here: https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/
My redacted docker-compose:
version: "2"
services:
  nextcloud:
    image: linuxserver/nextcloud
    container_name: nextcloud
    environment:
      - PUID=1000
      - PGID=1001
      - TZ=America/Los_Angeles
    volumes:
      - /REDACTED/config/nextcloud:/config
      - /REDACTED/nextcloud:/data
    depends_on:
      - mariadb
    restart: unless-stopped
  mariadb:
    image: linuxserver/mariadb
    container_name: mariadb
    environment:
      - PUID=1000
      - PGID=1001
      - MYSQL_ROOT_PASSWORD=REDACTED
      - TZ=America/Los_Angeles
    volumes:
      - /REDACTED/config/mariadb:/config
    restart: unless-stopped
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1001
      - TZ=America/Los_Angeles
      - URL=REDACTED.COM
      - SUBDOMAINS=nextcloud
      - VALIDATION=http
      - ONLY_SUBDOMAINS=true
      - EMAIL=REDACTED@EXAMPLE.COM
    volumes:
      - /REDACTED/config/letsencrypt:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
Running logs on nextcloud and mariadb looks good, no errors. However, when I run the logs on letsencrypt (this is partial, focused on the problem; also redacted):

http-01 challenge for nextcloud.redacted.com
http-01 challenge for redacted.com
Waiting for verification...
Challenge failed for domain nextcloud.redacted.com
Challenge failed for domain redacted.com
http-01 challenge for nextcloud.redacted.com
http-01 challenge for redacted.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.redacted.com
   Type:   connection
   Detail: Fetching http://nextcloud.redacted.com/.well-known/acme-challenge/[Dunno if this is sensitive, so redacted]: Connection refused

   Domain: redacted.com
   Type:   connection
   Detail: Fetching http://redacted.com/.well-known/acme-challenge/redacted: Connection refused

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
Running lsof shows that ports 443 and 80 are open on the host. However if I point my browser at the local server IP address (or my external dns, or IP address), I don’t see NC. (Note that this did let me access NC before I attempted to use mariadb/letsencrypt).
I am certain that port forwarding is set correctly. I haven’t changed it since starting my attempt to use letsencrypt/mariadb with NC. (and once again, it worked before)
About google domains:
This could be where [one of] my problem[s] is. The guide says that you’re supposed to make a CNAME point to an A record, which in turn points to your IP address. I made an A record called ‘@’ that points to my IP address, and then a CNAME that points to that A record. Was ‘@’ the right thing to enter there? Google doesn’t really explain what @ means. OK, it looks like I did this right according to this: https://my.bluehost.com/hosting/help/whats-an-a-record
So, if letsencrypt is misconfigured and giving up, should I still be able to access nextcloud through the local lan ip address? (I just realized nginx probably complicates this). Maybe a better question is, what happens if letsencrypt fails, is the whole thing inaccessible?
I know this is a lot of text to dig through. I appreciate any help you can give.
PS: I copied nextcloud.subdomain.conf.sample to nextcloud.subdomain.conf, just in case that’s a question that might be asked of me.
PPS: Please let me know if I accidentally posted sensitive information.
EDIT: I just noticed that my nextcloud “data” dir contains nothing but nextcloud.log, and that is 60k of errors saying stuff like:
I thought that might reveal something. It also suggests to me that I don’t have a single problem, but multiple problems. It’s not just letsencrypt that’s misconfigured, it’s also nextcloud.
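As an added example that is not part of the original post or the LinuxServer.io project, here is a small local model of the http-01 exchange the letsencrypt log above is reporting on. It stands in for both sides: a minimal listener that answers `/.well-known/acme-challenge/<token>` the way the container's nginx would, and a checker that does what the Let's Encrypt validator does, then classifies the outcome into the three cases worth telling apart when reading a Certbot log. The token and thumbprint values are constructed, the `validate_http01` / `start_challenge_server` names are mine, and the key-authorization format (`<token>.<thumbprint>`) is the general ACME one, not anything specific to the post.

```python
"""Local model of an ACME http-01 validation (added example, not from the post).

Assumptions (mine, not the forum post's): the validator GETs
http://<host>/.well-known/acme-challenge/<token> and expects the body to be
"<token>.<account-key-thumbprint>". Token/thumbprint values are constructed.
"""
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample values; real ones come from the ACME server and account key.
TOKEN = "constructed-token-123"
THUMBPRINT = "constructed-thumbprint-abc"
EXPECTED_BODY = f"{TOKEN}.{THUMBPRINT}"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Answers the key authorization for a known token, 404 for anything else."""
    responses_by_token = {TOKEN: EXPECTED_BODY}

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            body = self.responses_by_token.get(self.path[len(CHALLENGE_PREFIX):])
            if body is not None:
                data = body.encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_challenge_server(port=0):
    """Stand-in for the port-80 listener; returns (server, bound_port)."""
    server = http.server.HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def validate_http01(host, port, token, expected_body, timeout=3):
    """Model of the CA-side check. Returns:
       'ok'           - body matched the key authorization
       'connection'   - nothing accepted the TCP connection
                        (what Certbot reports as Type: connection / Connection refused)
       'unauthorized' - something answered, but not with the expected body
                        (wrong webroot, proxy sending the request elsewhere, 404)
       'timeout'      - no answer at all (typical of a firewall dropping packets)
    """
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
            return "ok" if body == expected_body else "unauthorized"
    except urllib.error.HTTPError:          # must precede URLError (it is a subclass)
        return "unauthorized"
    except urllib.error.URLError as e:
        return "timeout" if isinstance(e.reason, socket.timeout) else "connection"
    except socket.timeout:
        return "timeout"


def find_closed_port():
    """Pick a port with no listener, to reproduce the 'Connection refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Exercise the three outcomes against the local listener; returns them by name."""
    server, port = start_challenge_server()
    try:
        return {
            "served": validate_http01("127.0.0.1", port, TOKEN, EXPECTED_BODY),
            "wrong_token": validate_http01("127.0.0.1", port, "other-token", EXPECTED_BODY),
            "no_listener": validate_http01("127.0.0.1", find_closed_port(), TOKEN, EXPECTED_BODY),
        }
    finally:
        server.shutdown()


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The useful distinction for a log like the one above is between `connection` and `unauthorized`: "Connection refused" means the validator reached an IP where nothing was accepting port 80 at all, so the DNS record, the port forward and whether the letsencrypt container actually came up and bound the port are the things to check before any nginx or webroot configuration; a 404 or wrong body would instead point at the proxy configuration inside the container.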