Sophie Moreira wrote:

Hi guys,

I am trying to set up 2 Nextcloud instances in containers, the host being Proxmox. The whole thing is hosted on a private server at OVH.

I am very new to networking and Unix administration (though I have a little knowledge of some commands as a former developer).

I have set up a container with turnkey-nextcloud and initiated the installation process with turnkey-init.

When I try to reach the login page with curl I have this:

curl https://10.0.0.2
curl: (60) SSL: no alternative certificate subject name matches target host name '10.0.0.2'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

When I try with the full domain name I get this:

curl https://ncloud1.domain.fr:443
curl: (35) OpenSSL/3.0.11: error:0A00010B:SSL routines::wrong version number

Any help would be appreciated. Is there a tutorial on setting up SSL?

Thank you,

Sophie

Sophie Moreira wrote:

More details: I have tried to get a certificate using Confconsole, validating the domain via the DNS provider, but I get this error:

/usr/bin/turnkey-lexicon: line 78: 74712 Illegal instruction     "$VENV_BASE/lexicon/bin/lexicon" $(printf '%q ' "$@")

Thanks in advance

Jeremy Davis wrote:

In your OP, the 2 issues you encountered sound to me like, respectively:

  1. the response that you would expect when trying to access an https interface via IP - even with a CA signed cert, you can only match a cert to a domain, not an IP.
  2. the response you would expect to a self signed certificate - i.e. not a CA signed one.

For the 2nd one, you could test my suspicion like this:

curl --insecure https://ncloud1.domain.fr

Regarding your issue with getting a Let's Encrypt cert via Confconsole using DNS-01 validation, I'm not 100% sure, but unless you've updated to the latest version of Confconsole I think you might be hitting an issue that was in the initial release. If I'm right then updating Confconsole should fix it. Update like this:

apt update && apt install confconsole

Alternatively, you could upgrade all available packages like this:

apt update && apt upgrade

I hope that helps. Regardless, please post back to let me know how you go.
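The two diagnoses above can be checked directly rather than guessed at. The script below is an added example, not code from the thread or from TurnKey/Confconsole. It does two things: san_matches implements the rule curl applies when it reports error 60 "no alternative certificate subject name matches" (a host name is compared only with DNS entries in the Subject Alternative Name, an IP literal only with "IP Address" entries, so a certificate can cover 10.0.0.2, but only if such an entry was put into it), and probe_tls fetches the leaf certificate with SNI the way curl does and reports which of the three distinct failures is in play. One caveat for readers: curl error 35 "wrong version number" is raised by the TLS layer when the bytes coming back from the port are not TLS at all, which is what a plain-HTTP listener on 443 produces; a self-signed certificate instead gives error 60 with a "self-signed certificate" message. Assumptions: OpenSSL 1.1.1 or newer is installed (for `x509 -ext`), and the host names and SAN lists used in the usage notes are made up.

```shell
#!/bin/sh
# Added example, not from the thread: tell curl's failures apart.
# Assumptions: openssl 1.1.1+ (for "x509 -ext"); host names below are made up.

# san_matches TARGET SAN_LIST
#   TARGET   is what curl was given: a host name or an IP literal.
#   SAN_LIST is the Subject Alternative Name line as openssl prints it, e.g.
#            "DNS:ncloud1.domain.fr, DNS:*.domain.fr, IP Address:10.0.0.2"
# Returns 0 on a match. A host name is only compared with DNS entries and an
# IP literal only with "IP Address" entries, so a certificate carrying only
# DNS names can never satisfy "curl https://10.0.0.2" (curl error 60).
# A wildcard covers exactly one label, as RFC 6125 requires.
san_matches() {
  target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  list=$2
  case "$target" in
    *:*)       want=IP ;;    # IPv6 literal
    *[!0-9.]*) want=DNS ;;   # contains letters or hyphens: a host name
    *)         want=IP ;;    # dotted IPv4 literal
  esac
  # Turn "a, IP Address:b" into separate words; "set -f" stops "*.domain.fr"
  # from being expanded against files in the current directory.
  set -f
  set -- $(printf '%s' "$list" | sed 's/IP Address:/IP:/g' | tr ',' ' ')
  set +f
  for entry in "$@"; do
    kind=${entry%%:*}
    value=$(printf '%s' "${entry#*:}" | tr 'A-Z' 'a-z')
    [ "$kind" = "$want" ] || continue
    if [ "$want" = DNS ]; then
      case "$value" in
        '*.'*)
          suffix=${value#\*.}
          # The target must have a dot, and everything after its first
          # label must be exactly the wildcard's suffix (one label only).
          [ "${target#*.}" != "$target" ] && [ "${target#*.}" = "$suffix" ] && return 0
          ;;
        *) [ "$value" = "$target" ] && return 0 ;;
      esac
    else
      [ "$value" = "$target" ] && return 0
    fi
  done
  return 1
}

# probe_tls HOST [PORT]
# Fetches the leaf certificate with SNI, as curl does, and reports what
# actually fails, mirroring curl's exit codes: 35 when the port is not
# speaking TLS ("wrong version number"), 60 when the certificate cannot be
# verified (issuer == subject, i.e. self-signed) or has no SAN for HOST.
probe_tls() {
  host=$1; port=${2:-443}
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>&1)
  case "$out" in
    *"wrong version number"*)
      echo "$host:$port is not speaking TLS (plain HTTP on the port?) -> curl 35"
      return 35 ;;
  esac
  subj=$(printf '%s\n' "$out" | openssl x509 -noout -subject 2>/dev/null) || {
    echo "no certificate received from $host:$port"; return 1; }
  iss=$(printf '%s\n' "$out" | openssl x509 -noout -issuer 2>/dev/null)
  sans=$(printf '%s\n' "$out" | openssl x509 -noout -ext subjectAltName 2>/dev/null |
         sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
  echo "$subj"; echo "$iss"; echo "SAN: $sans"
  rc=0
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo "self-signed: pass it to curl with --cacert, or --insecure just to test -> curl 60"
    rc=60
  fi
  if san_matches "$host" "$sans"; then
    echo "SAN matches $host"
  else
    echo "no SAN entry of the right type for $host -> curl 60"
    rc=60
  fi
  return $rc
}

# Usage: sh probe_tls.sh ncloud1.domain.fr     (host name, port 443)
#        sh probe_tls.sh 10.0.0.2              (IP literal: needs an IP Address SAN)
if [ $# -ge 1 ]; then
  probe_tls "$@"
fi
```

Run probe_tls from the same machine that produced the curl errors so it sees the same listener; if it reports "not speaking TLS", check what is bound to the port (for example `ss -tlnp`) before touching certificates at all.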

Sophie Moreira wrote:

Hi

Thank you Jeremy; unfortunately I have reset the server and I am now unable to reproduce the exact same setup.

I have set up HAProxy and now I request the URLs from the internet.

I still can't get a Let's Encrypt certificate. I updated Confconsole as you suggested. I tried both methods, HTTP and DNS. I have a Nextcloud initialised with the turnkey-init command that answers at ncloud1-parthenos.egide-vault.fr

For the HTTP method I got these logs:

[2024-04-18 09:32:20] confconsole.hook.sh: INFO: Serving /var/lib/dehydrated/acme-challenges/E0pUGHzVy5gxUpsTGZdAFeIkXuILDG_VVO7l1u5t4ec on http://ncloud1-parthenos.egide-vault.fr/.well-known/acme-challenge/E0pUGHzVy5gxUpsTGZdAFeIkXuILDG_VVO7l1u5t4ec
+ Responding to challenge for ncloud1-parthenos.egide-vault.fr authorization...
+ Cleaning challenge tokens...
[2024-04-18 09:32:30] confconsole.hook.sh: INFO: Clean challenge for ncloud1-parthenos.egide-vault.fr
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result:
 ["type"] "http-01"
 ["status"] "invalid"
 ["error","type"] "urn:ietf:params:acme:error:unauthorized"
 ["error","detail"] "37.187.126.199: Invalid response from http://ncloud1-parthenos.egide-vault.fr/.well-known/acme-challenge/E0pUGHzVy5gxUpsTGZdAFeIkXuILDG_VVO7l1u5t4ec: 404"
 ["error","status"] 403
 ["error"] {"type":"urn:ietf:params:acme:error:unauthorized",
            "detail":"37.187.126.199: Invalid response from http://ncloud1-parthenos.egide-vault.fr/.well-known/acme-challenge/E0pUGHzVy5gxUpsTGZdAFeIkXuILDG_VVO7l1u5t4ec: 404",
            "status":403}

I have not found any .well-known folder on the server btw...

For the DNS method I still get the exact same error as before.

Thank you in advance for your help.

Sophie

Jeremy Davis wrote:

I have reformatted your post a bit to make it easier to read.

Does the external port 80 of your domain point to your internal server? According to the log message you provided, when the Let's Encrypt server tried to contact your server via port 80, it received a 403 HTTP code "Forbidden".

That suggests you have port 80 publicly available (which is good) but it is configured to not allow external access. You note that you have HAProxy set up. I'm not personally familiar with it, but I suspect that is not allowing access. Having said that, I tried accessing your server myself and it redirects to https - via a 301 HTTP code "Moved Permanently".

Regardless, when I tried contacting your server, it seems to have a valid Let's Encrypt SSL/TLS certificate? I guess that you are doing the https termination at your HAProxy server?
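The log in the earlier post and the reply above both come down to one question: what does the CA see when it fetches http://ncloud1-parthenos.egide-vault.fr/.well-known/acme-challenge/<token> on port 80 through HAProxy? The script below is an added example, not code from the thread, from TurnKey or from Confconsole, that answers that question before a real certificate request is made. It places a token in the directory the log names, /var/lib/dehydrated/acme-challenges (an assumption that this is still where the tokens are written on the container), then fetches it from outside exactly as Let's Encrypt does: over plain HTTP on port 80, following redirects (Let's Encrypt follows a 301 to https, so that redirect is only a problem if the https side does not then serve the token), and requiring a 200 whose body starts with the token. The HAProxy rules in the comment, with the made-up backend name nextcloud_http, are the usual way to let only the challenge path through over HTTP while everything else is redirected.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for an ACME http-01
# challenge behind a reverse proxy.
# Assumptions: tokens are served from /var/lib/dehydrated/acme-challenges
# (the path in the log); "nextcloud_http" below is a made-up backend name.
#
# HAProxy frontend rules that forward only the challenge path over plain
# HTTP to the container and redirect everything else to https:
#   acl acme path_beg /.well-known/acme-challenge/
#   use_backend nextcloud_http if acme
#   http-request redirect scheme https unless acme

CHALLENGE_DIR="${CHALLENGE_DIR:-/var/lib/dehydrated/acme-challenges}"

# classify_http_01 STATUS BODY TOKEN
# Interprets the final response of a challenge fetch the way the CA does:
# only a 200 whose body starts with the token counts as validated.
classify_http_01() {
  status=$1; body=$2; token=$3
  case "$status" in
    200)
      case "$body" in
        "$token"*) echo "ok: token served"; return 0 ;;
        *) echo "fail: 200 but the body is not the token (another page answered)"; return 1 ;;
      esac ;;
    404) echo "fail: 404, the challenge path is not routed to $CHALLENGE_DIR"; return 1 ;;
    403) echo "fail: 403, something in front of the webroot forbids the path"; return 1 ;;
    301|302|307|308) echo "fail: redirect chain never reached a 200 (loop or missing Location)"; return 1 ;;
    000) echo "fail: nothing answered on port 80 (closed, filtered, or not HTTP)"; return 1 ;;
    *) echo "fail: unexpected status $status"; return 1 ;;
  esac
}

# make_token: write a random URL-safe token into the challenge directory on
# the Nextcloud container and print its name.
make_token() {
  token=$(head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n')
  printf '%s.selfcheck' "$token" > "$CHALLENGE_DIR/$token"
  printf '%s' "$token"
}

# probe_http_01 HOST TOKEN: fetch like the CA. Run it from outside your
# network so it goes through HAProxy the same way Let's Encrypt does.
probe_http_01() {
  host=$1; token=$2
  tmp=$(mktemp)
  status=$(curl -sS -L --max-redirs 10 --max-time 15 -o "$tmp" -w '%{http_code}' \
           "http://$host/.well-known/acme-challenge/$token" 2>/dev/null)
  [ -n "$status" ] || status=000
  body=$(cat "$tmp"); rm -f "$tmp"
  classify_http_01 "$status" "$body" "$token"
}

# Usage, two steps:
#   on the container:  TOKEN=$(sh acme_check.sh make)
#   from outside:      sh acme_check.sh probe ncloud1-parthenos.egide-vault.fr "$TOKEN"
case "${1:-}" in
  make)  make_token; echo ;;
  probe) probe_http_01 "$2" "$3" ;;
esac
```

If the probe reports a 404 while the token file exists on the container, the path is being answered by the wrong thing (a redirect to a site that lacks the directory, or a backend other than the container); fix the routing first, then rerun Confconsole's HTTP-01 flow. Remove the self-check token afterwards.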
