Nextcloud - HAProxy Problem

Good Morning,

I have set up a NethServer that provides the Nextcloud service, and I want it to go through a HAProxy first, that is:

Internet -> Haproxy (with Lets Encrypt certificate) —> cloud.mydomain.com/nextcloud

And I have several doubts/problems. The first is the /nextcloud: it is not possible to access it directly via cloud.mydomain.com. Second, when the connection passes through the HAProxy, if I enter cloud.mydomain.com I get the NethServer page, but entering cloud.mydomain.com/nextcloud gives me the following error in the browser: ERR_SSL_PROTOCOL_ERROR

Please, if you can help me, I would appreciate it. I already have everything configured and I just need to pass it through the reverse proxy with a certificate to put it into production.

Thanks greetings!

Hi @fgonzalez

please answer the following questions:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

My domain is: cloud.marinador.com

I ran this command: certbot certonly

It produced this output: The following errors were reported by the server:

Domain: cloud.marinador.com
Type: unauthorized
Detail: Invalid response from
http://cloud.marinador.com/.well-known/acme-challenge/LmGUIOPYkxCAeZHQi2-1Byn9D6xIlPI9pveL8pMUOB0
[46.25.72.130]: "\n\n404 Not Found\n\nNot Found\n\n<p"

My web server is (include version): httpd-2.4.6-89.el7.centos.1.x86_64

The operating system my web server runs on is (include version): CentOS 7 & Debian 9

My hosting provider, if applicable, is: Arsys

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.10.2

Your command (certbot certonly) is incomplete. Which authenticator did you use?

The SSL_ERROR_RX_RECORD_TOO_LONG is expected. That's the Grade Q - https://check-your-website.server-daten.de/?q=cloud.marinador.com - http on port 443, you don't have a working certificate.

That may not work, that Certbot is too old. Minimum 0.28 is expected.

Good morning JuergenAuer and thanks for your help,

At the moment it does not have a valid certificate on 443 because I expected to obtain it in the HAProxy; renewing the entire HAProxy is pending, but at the moment I have several services working with this version of certbot and I have no problems. Really, the problem occurs when I try to access cloud.marinador.com/nextcloud; cloud.marinador.com itself is accessible without problems, but it is not the service I want to expose. I leave the configuration of the HAProxy in case it helps…

frontend Front_46.25.72.XXX
    bind 128.100.0.XX:80
    reqadd X-Forwarded-Proto:\ http
    acl cloud hdr(host) -i cloud.marinador.com
    use_backend Cloud-backend if cloud
    default_backend default-backend

frontend Cloud_Front
    bind 128.100.0.XX:443
    reqadd X-Forwarded-Proto:\ https
    acl Nexcloud path_beg /nextcloud
    #acl secure dst_port eq 443
    #redirect scheme https if !{ ssl_fc }
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend Cloud-backend

backend Cloud-backend
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    #reqrep ^([^\ :]*)\ /(.*) \1\ /nexcloud
    server NextCloud 10.XX.XX.XX:80 check

Greetings and thank you!
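An added example, not the poster's configuration and not code from the NethServer, HAProxy or Certbot projects: a minimal haproxy.cfg that does what this thread is working toward. The posted Cloud_Front frontend binds port 443 without "ssl crt", so HAProxy answers a browser's TLS ClientHello with plain HTTP; that is exactly the ERR_SSL_PROTOCOL_ERROR / SSL_ERROR_RX_RECORD_TOO_LONG symptom. The configuration here terminates TLS on 443 with the Let's Encrypt certificate, keeps port 80 for the http-01 challenge (forwarded to a certbot --standalone listener on the HAProxy host) plus a redirect to HTTPS, and passes Nextcloud traffic to the NethServer Apache. The certificate path, the certbot port 127.0.0.1:8888, the backend address 10.0.0.10:80 and the redirect of / to /nextcloud/ are assumptions for the example.

```haproxy
global
    log /dev/log local0
    # Assumed TLS policy for the example: TLS 1.2 and newer only.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 60s
    timeout server 60s

# Port 80 stays plain HTTP: it serves only the ACME http-01 challenge and
# redirects everything else to HTTPS.
frontend http_in
    bind *:80
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    http-request redirect scheme https code 301 unless letsencrypt-acl

# Port 443 terminates TLS. Without "ssl crt ..." on this bind HAProxy would
# speak plain HTTP to TLS clients, which is the browser error seen in the thread.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/cloud.marinador.com.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port %[dst_port]
    http-response set-header Strict-Transport-Security "max-age=15552000"
    # Assumption: visitors of the bare host name should land on Nextcloud
    # rather than on the NethServer default page.
    acl root_path path /
    http-request redirect location /nextcloud/ code 302 if root_path
    default_backend Cloud-backend

backend letsencrypt-backend
    # certbot --standalone --http-01-port 8888 listening on the HAProxy host
    # (assumed port). Returns 503 while certbot is not running, which is harmless.
    server certbot 127.0.0.1:8888

backend Cloud-backend
    # NethServer Apache with Nextcloud under /nextcloud (assumed address).
    server NextCloud 10.0.0.10:80 check
```

Usage, on the HAProxy host (the machine that actually answers port 80 for the domain): obtain the certificate with certbot certonly --standalone --http-01-port 8888 -d cloud.marinador.com, then build the single PEM HAProxy expects with cat fullchain.pem privkey.pem > /etc/haproxy/certs/cloud.marinador.com.pem and chmod 600 on it (the same two commands belong in a --deploy-hook so renewals keep working), validate the file with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading, and confirm the result with openssl s_client -connect cloud.marinador.com:443 -servername cloud.marinador.com. On the Nextcloud side, config.php must list cloud.marinador.com in trusted_domains and the HAProxy address in trusted_proxies, with overwriteprotocol set to https, otherwise Nextcloud will generate http:// links and redirects behind the proxy.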

Your haproxy isn’t the question, there is a correct answer of port 80 /.well-known/acme-challenge:

Domainname / Http-Status / redirect / Sec. / G

http://cloud.marinador.com/ (46.25.72.130): 403 Forbidden; Html is minified: 249,58 %; 0.133 s; grade M

https://cloud.marinador.com/ (46.25.72.130): -4 SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.; 0.237 s; grade W

http://cloud.marinador.com:443/ (46.25.72.130): 403 Forbidden; Html is minified: 249,58 %; 0.133 s; grade Q

http://cloud.marinador.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (46.25.72.130): 404 Not Found; Inline-JavaScript (∑/total): 0/0; Inline-CSS (∑/total): 0/0; Html is minified: 100,00 %; 0.140 s; grade A
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.

Certbot may not understand your configuration.

What does

apachectl -S

say?

They really are two different servers:

HAPROXY ----> NethServer (with Nextcloud)

I leave the result of the command on the server where the Apache service (NethServer) is:

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server NextCloud.MARINA.LOCAL (/etc/httpd/conf.d/nethserver.conf:44)
         port 443 namevhost NextCloud.MARINA.LOCAL (/etc/httpd/conf.d/nethserver.conf:44)
         port 443 namevhost NextCloud.MARINA.LOCAL (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

There is no port 80 defined. So you run Certbot on the wrong machine.

You have to use the machine with that answer:

http://cloud.marinador.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (46.25.72.130): 404 Not Found; Inline-JavaScript (∑/total): 0/0; Inline-CSS (∑/total): 0/0; Html is minified: 100,00 %; 0.140 s; grade A
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.

And your complete command is required so your authenticator is visible.

Hello again,

I'm sorry, but I do not quite understand you. You say that port 80 is not defined in the Apache server?

Greetings!

See your output, there is no port 80. So it's the wrong Apache or the wrong machine.

But checking your domain an Apache answers port 80. So that may be another apache.

If Certbot sees the wrong Apache, the validation can't work.

Read
