Reverse Proxy NGINX CERTBOT nextcloud not able to access domain from outside

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nextcloud.ekspertyzy-szkolenia.pl

I ran this command: nginx -s reload //on nextcloud jail

It produced this output: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"

My web server is (include version):

  • nginx/1.22.1 - on nextcloud jail
  • nginx/1.22.0 - on reverse proxy jail

The operating system my web server runs on is (include version): TrueNAS-13.0-U2

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes, I am accessing shells through TrueNAS for nextcloud and reverse proxy.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

The problem:
So I have a few services under one IP address.
Traffic from the web on port 443 is redirected by the reverse proxy to a specific service based on the domain name.
Certificates for each service should be stored on the service server itself, so nextcloud has one, mail has a different one, and another service has another one.

My reverse proxy nginx config [/usr/local/etc/nginx/conf.d/nextcloud.conf] looks like this:

upstream nextcloud {
    server <local_IP_nextcloud>:443;
}

server {
    listen 80;
    server_name www.nextcloud.ekspertyzy-szkolenia.pl nextcloud.ekspertyzy-szkolenia.pl;
    return 301 https://nextcloud.ekspertyzy-szkolenia.pl$request_uri;
}

server {
    listen 443;
    server_name www.nextcloud.ekspertyzy-szkolenia.pl nextcloud.ekspertyzy-szkolenia.pl;
    location / {
        proxy_pass http://nextcloud;
        proxy_ssl_server_name on;
        proxy_ssl_name ekspertyzy-szkolenia.pl;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

My nextcloud nginx config [/usr/local/etc/nginx/conf.d/nextcloud.conf] looks like this:

upstream php-handler {
    server unix:/var/run/nextcloud-php-fpm.sock;
}

# Redirect to HTTPS
server {
    if ($host = www.nextcloud.ekspertyzy-szkolenia.pl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = nextcloud.ekspertyzy-szkolenia.pl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name nextcloud.ekspertyzy-szkolenia.pl www.nextcloud.ekspertyzy-szkolenia.pl;
    listen 80 default_server;

    location ^~ /.well-known/acme-challenge {
        # Path to the root of your installation
        root /usr/local/www/nextcloud/;
        try_files $uri $uri/ =404;
    }

    location / {
       return 301 https://$host:443$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name nextcloud.ekspertyzy-szkolenia.pl www.nextcloud.ekspertyzy-szkolenia.pl;

    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;

    include conf.d/nextcloud.inc;
    ssl_certificate /usr/local/etc/letsencrypt/live/nextcloud.ekspertyzy-szkolenia.pl/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/nextcloud.ekspertyzy-szkolenia.pl/privkey.pem; # managed by Certbot
    ssl_stapling on;
    ssl_stapling_verify on;
}

I was able to run on nextcloud jail:

 certbot --nginx -d www.nextcloud.ekspertyzy-szkolenia.pl -d nextcloud.ekspertyzy-szkolenia.pl

and acquire and deploy the certificate. I can also renew it and deploy it. Despite that, I still cannot access nextcloud.ekspertyzy-szkolenia.pl from outside.

config.php on nextcloud [/usr/local/www/nextcloud/config.config.php] is set up so it allows the traffic.
Let's Encrypt can successfully generate the certificate, so why can't I access the service from the Internet?
When I try, I get "ERR_SSL_PROTOCOL_ERROR" in my browser.

Hi @zayler, and welcome to the LE community forum :)

This seems like it will never complete:

PROXY:

SERVER:

If the connection gets through the proxy, it would encounter a redirect to HTTPS always.
Even when connecting to the proxy via HTTPS, it will hear the redirect.

But it is possible that the FQDN goes unmatched by the SERVER:

["nextcloud" is NOT an FQDN and might be served by the default server block instead]


Seems like I did not understand the guide about upstreams correctly. I thought that in upstreams I can configure for nextcloud to which IP address and port it should redirect traffic. Kinda like encapsulation,
so http://nextcloud would work like http://local-ip-addr:443, which was configured in the upstream nextcloud section.
So what would be the correct configuration in this case?

I don't know exactly [what you are trying to do].
Those are two independent systems.
The first uses SNI to serve the content.
[which is requested from the second]
The second also uses SNI to serve the content.
[which is being requested from the first]
But the SNI request is on the short name "nextcloud".
[which is not shown to be served]

There is an upstream defined.
But I don't see it being used anywhere.

Beyond that, this is not an nginx how to forum.

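As an added example, not from the poster or from the replies: the posted proxy has `listen 443;` without `ssl` and sends plain HTTP to a backend port that expects TLS, which is why the browser reports ERR_SSL_PROTOCOL_ERROR; the fragments below instead keep each certificate on its own jail, as the first post wants, by relaying the TLS connection by SNI with nginx's stream module. They assume the proxy's nginx was built with ngx_stream_ssl_preread_module, that no http server on the proxy still binds port 443, and the placeholder address <local_IP_nextcloud>.

```nginx
# Added example, not the poster's config. Two fragments for the reverse proxy jail.
# Placeholder: <local_IP_nextcloud> is the nextcloud jail's LAN address.

# --- 1. /usr/local/etc/nginx/nginx.conf: stream {} sits at top level, beside http {}.
#        (The stock nginx.conf includes conf.d/*.conf inside http {}, so it cannot hold
#        this block.) No http server {} on the proxy may listen on 443 any more.
stream {
    # Pick the backend from the server name in the client's TLS ClientHello (SNI).
    # The TLS session is relayed byte-for-byte, so the nextcloud jail keeps its own
    # certificate and private key and the proxy needs none for this host.
    map $ssl_preread_server_name $tls_backend {
        nextcloud.ekspertyzy-szkolenia.pl      nextcloud_tls;
        www.nextcloud.ekspertyzy-szkolenia.pl  nextcloud_tls;
        # one line per further service behind the same public IP, e.g. the mail host
        default                                "";  # unknown SNI: no upstream, connection is closed
    }

    upstream nextcloud_tls {
        server <local_IP_nextcloud>:443;
    }

    server {
        listen 443;          # plain TCP listener: no "ssl" here, the backend terminates TLS
        ssl_preread on;      # read the SNI name from the ClientHello without decrypting
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
        # The backend sees the proxy's IP as the client address. Add "proxy_protocol on;"
        # here and "listen 443 ssl http2 proxy_protocol;" on the backend if Nextcloud
        # needs real client IPs (e.g. for its brute-force protection).
    }
}

# --- 2. /usr/local/etc/nginx/conf.d/nextcloud.conf (inside http {}): port 80 only.
#        Hand ACME http-01 challenges to the jail so certbot there keeps renewing;
#        everything else is sent to HTTPS, which the stream block above relays.
server {
    listen 80;
    server_name nextcloud.ekspertyzy-szkolenia.pl www.nextcloud.ekspertyzy-szkolenia.pl;

    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://<local_IP_nextcloud>:80;
        proxy_set_header Host $host;
    }

    location / {
        return 301 https://nextcloud.ekspertyzy-szkolenia.pl$request_uri;
    }
}
```

After `nginx -t` and a reload on the proxy, `openssl s_client -connect <public_IP>:443 -servername nextcloud.ekspertyzy-szkolenia.pl` should show the jail's Let's Encrypt certificate rather than a handshake failure.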

Ok, this still helps me a little, as from your answer I gather that if I got the Let's Encrypt certificates, my only issue is my botched nginx configuration.
So the only places I need to look are the reverse proxy and nextcloud nginx configs.
Should I care about the warning I am getting about ssl_stapling of certificates? Or since it is just a warning, it should not be the reason why, despite having the certs, I still cannot access the page?
As for what the goal is, I need to be able to access nextcloud from outside the local network. I need the reverse proxy, since ports 80 and 443 are also used by the mail server.

Yes, but after you get everything else in order.

Yes, you will need that.
