Does not work when running in local network behind a firewall

[LuFlo]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

Steps to reproduce

1. Install Ubuntu Server 22.04
2. Install docker as shown in official docker documentation
3. Install Nextcloud AIO as shown in Readme

Expected behavior

I should be able to disable SSL or so deploy a self-signed certificate for testing.

Actual behavior

I get the "SSL_ERROR_INTERNAL_ERROR_ALERT" in firefox when I try to access nextcloud. It does not matter if I use http (it redirects to https) or if I use the the ip address

Host OS

Ubuntu Server 22.04

Nextcloud AIO version

Nextcloud AIO v1.2.1

Current channel

latest

Other valuable info

Is there a possibility to disable the redirect? I did some digging and apparantly AIO uses caddy, but I couldn't find a way to alter the configuration. I also tried the occ command in order to import a certificate manually to nextcloud, but no luck, since there is the caddy reverse proxy in the way.

Please do not suggest to manually deploy nextcloud via docker or to use snap or something like this. I would like to test AIO in a local network, behind a VPN before exposing the instance to the internet. We use our own DNS Server for this. AIO would be awesome, since it has the high performance backend already installed and set up :)

[szaimen]

You should be able to get it working with https://github.com/nextcloud/all-in-one/tree/main/manual-install

[LuFlo]

Ok, it's crazy, but I copied the CA into the /usr/share/ca-certificates folder of the mastercontainer and ran dpkg-reconfigure ca-certificates it feels like a hack but it's a workaround I guess. Now I have some weird database errors inside of nextcloud:

PostgreSQL username and/or password not valid
 -> You need to enter details of an existing account.
Trace: #0 /var/www/html/lib/private/Setup.php(354): OC\Setup\PostgreSQL->setupDatabase('admin')
#1 /var/www/html/core/Command/Maintenance/Install.php(108): OC\Setup->install(Array)
#2 /var/www/html/3rdparty/symfony/console/Command/Command.php(255): OC\Core\Command\Maintenance\Install->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#3 /var/www/html/3rdparty/symfony/console/Application.php(1009): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#4 /var/www/html/3rdparty/symfony/console/Application.php(273): Symfony\Component\Console\Application->doRunCommand(Object(OC\Core\Command\Maintenance\Install), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#5 /var/www/html/3rdparty/symfony/console/Application.php(149): Symfony\Component\Console\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#6 /var/www/html/lib/private/Console/Application.php(211): Symfony\Component\Console\Application->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#7 /var/www/html/console.php(99): OC\Console\Application->run()
#8 /var/www/html/occ(11): require_once('/var/www/html/c...')

[szaimen]

Yes, it is a hack since self-signed certificates are not officially supported. So not sure if or how it will play out.

[szaimen]

I guess you probably got hit by #740

[LuFlo]

Yes, it seems possible, I will retry it with the new version

[szaimen]

The new version is unfortunately still beta...
But a workaround for the current version was provided...

[LuFlo]

Ok, I just got it working and here is a summary of my setup:

Caddy reverse proxy

I downloaded the caddy binary and setup a small reverse proxy with my custom certificates. Here is my Caddyfile:

{
    http_port 1180
    https_port 443
}
https://nextcloud-test.example.com:443 {
    tls /home/user/caddy/ssl/Nextcloud+Test+Certificate.crt.pem /home/user/caddy/ssl/Nextcloud+Test+Certificate.key.pem
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:11000
}

As you can see, caddy assumes the web service to be running on port 11000

Docker stack file

I use portainer and there you have the possibility to startup docker-compose files via a web UI. My compose file looks like this:

version: "3.8"

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

services:
  nextcloud:
    image: nextcloud/all-in-one:latest # Must be changed to 'nextcloud/all-in-one:latest-arm64' when used with an arm64 CPU
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 80:80 # Can be removed when running behind a reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 8080:8080
      - 8443:8443 # Can be removed when running behind a reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
    environment: # Is needed when using any of the options below
      - APACHE_PORT=11000 # Is needed when running behind a reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host

The most critical option is APACHE_PORT=11000

Now we can startup the stack file. Important: Do not start the nextcloud containers from the AIO web interface yet!

Copying the CA file into the container

No the hacky part: We need to make the mastercontainer to accept our certificates from the reverce proxy. For this we need to install the public CA file, so all certificates signed by our CA are accepted by the mastercontainer.

On the host, copy the file into the volume: cp MyCA.crt /var/lib/docker/volumes/nextcloud_aio_mastercontainer/_data/

Interact with nextcloud_aio_mastercontainer, in portainer this is possible via Web UI and perform following commands:

cd /mnt/docker-aio-config
cp MyCA.crt /usr/share/ca-certificates
dpkg-reconfigure ca-certificates

Follow the instructions, you need to allow every certificate. For me, I had 129 preinstalled CA-certificates plus the one we just copied, so I typed 1-130 in order to import all CAs.

Final steps

Now open the AIO web interface, login, set the Timezone (important in order to avoid database erros) and you are ready to go!

[LuFlo]

Also thanks @szaimen for pointing me in the right directions 🙂

[cerebrux]

This should be probably submitted as documentation about local dev environment, or for people wanting to install it on a local raspberry pi and don't want it exposed outside. Just throwing an idea :)

[szaimen]

I fear this is not a "stable" workaround. See #805 for a better way.