ReinerNippes / nextcloud_on_docker

Run Nextcloud in Docker Container on various Linux Hosts
MIT License

Let's encrypt not working #28

Closed Dustin1358 closed 4 years ago

Dustin1358 commented 4 years ago

It seems that Let's Encrypt is not working with the default configuration provided here. I only changed some fields in the inventory file according to my domain and needed configuration, and I cannot get certificates. In the logs it is written that Let's Encrypt always gets a 400 error because it cannot access the .well-known site. When I wget the site it takes a long time and finally I get a 404. It seems that traefik is blocking too much, but with my limited traefik and Docker knowledge I could not reconfigure traefik.

My configuration: Ubuntu 18.04.3 with a Freenom domain which has only an A record pointing to my static IP.

Another issue I found, which might be related to the too strong blocking of traefik, is that as soon as I change my DNS from Freenom to Cloudflare I cannot access my site anymore. I always get a 512 error on a Cloudflare page when I try to access my domain. This may also come from a too strict traefik blocking?

Here is my inventory file (with my personal data changed):

[nextcloud]
localhost ansible_connection=local

[nextcloud:vars]

### Preliminary variables ###

# The domain name for your Nextcloud instance. You'll get a Let's Encrypt certificate for this domain.
nextcloud_server_fqdn       = mydomain.tk

# Your email address (for Let's Encrypt).
ssl_cert_email              = mymail@provider.de

### Nextcloud variables ###

# Choose a directory for your Nextcloud data.
nextcloud_base_dir          = /opt/nextcloud

# Choose a username and password for your Nextcloud admin user.
nextcloud_admin             = 'user'
nextcloud_passwd            = 'userpwd'              # If empty the playbook will generate a random password.

# You must choose one database management system.
# Choose between 'pgsql' (PostgreSQL), 'mysql' (MariaDB) and 'sqlite' (SQLite).
nextcloud_db_type           = 'pgsql'

# Options for Mariadb and PostgreSQL.
nextcloud_db_host           = 'localhost'
nextcloud_db_name           = 'nextcloud'
nextcloud_db_user           = 'nextcloud'
nextcloud_db_passwd         = ''              # If empty the playbook will generate a random password (stored in {{ nextcloud_base_dir }}/secrets ).
nextcloud_db_prefix         = 'oc_'

### Optional variables ###

# Setup the Nextcloud mail server.
nextcloud_configure_mail    = false
nextcloud_mail_from         = 
nextcloud_mail_smtpmode     = smtp
nextcloud_mail_smtpauthtype = LOGIN
nextcloud_mail_domain       =
nextcloud_mail_smtpname     =
nextcloud_mail_smtpsecure   = tls
nextcloud_mail_smtpauth     = 1
nextcloud_mail_smtphost     =
nextcloud_mail_smtpport     = 587
nextcloud_mail_smtpname     =
nextcloud_mail_smtppwd      = 

# Use S3 Bucket as primary storage
aws_s3_key            = ''
aws_s3_secret         = ''
# aws_s3_bucket_name    = ''
# aws_s3_hostname       = 's3.amazonaws.com'
# aws_s3_port           = '443'
# aws_s3_use_ssl        = 'true'
# aws_s3_region         = 'us-east-1'
# aws_s3_use_path_style = 'true'

# Install restic backup tool if backup_folder is not empty
restic_repo                 = ''              # e.g. /var/nc-backup
# crontab settings restic for restic
backup_day                  = *
backup_hour                 = 12
backup_minute               = 0

# Choose an online office suite to integrate with your Nextcloud. Your options are (without quotation marks): 'none', 'collabora' and 'onlyoffice'.
online_office               = onlyoffice
# When using Collabora, you're able to install dictionaries alongside with it. Collabora's default is German (de).
collabora_dictionaries      = 'en'            # Separate ISO 639-1 codes with a space.

# Set to true to install TURN server for Nextcloud Talk.
talk_install                = true

# Set to true to enable access to your database with Adminer at https://nextcloud_server_fqdn/adminer . The password will be stored in {{ nextcloud_base_dir }}/secrets .
adminer_enabled             = true

# Set to true to install Portainer webgui for Docker.
portainer_enabled           = true
portainer_passwd            = ''              # If empty the playbook will generate a random password.

# Uncomment 'traefik_api_user' to get access to your Traefik dashboard at https://nextcloud_server_fqdn/traefik .
traefik_api_user          = traefik

Here is the error from the logs of the traefik container (I also changed my personal data):

time="2020-01-22T10:35:43Z" level=error msg="Unable to obtain ACME certificate for domains \"mydomain.tk\" detected thanks to rule \"Host:mydomain.tk; PathPrefixStrip:/portainer\" : unable to generate a certificate for the domains [mydomain.tk]: acme: Error -> One or more domains had a problem:\n[mydomain.tk] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://mydomain.tk/.well-known/acme-challenge/LzGbdsFsKcsJZdfsHVvds75dsdhds9m4PpEHtH7l533c: Connection refused, url: \n"

Dustin1358 commented 4 years ago

I just realized that I cannot connect to my Nextcloud from outside of the network at all. But I'm not sure where this behavior could come from: the nginx.conf, traefik.toml, config.php or acme.json.

ReinerNippes commented 4 years ago

Hi Dustin, traefik handles web traffic and Let's Encrypt certificates stand-alone. Your settings in the inventory are OK. If you see a "Connection refused" and you can't reach your Nextcloud from the internet, normally you should look at your firewall and/or router. To check traefik/Nextcloud/Docker you have to put the internal IP address of your Nextcloud machine as xx.xx.xx.xx mydomain.tk in your /etc/hosts. Trying to access traefik/Nextcloud via curl xx.xx.xx.xx won't work. But curl -vk mydomain.tk should output some info about a self-signed cert plus some "Nextcloud HTML". If you try this on a separate server you know that the internal firewall of your Nextcloud machine is OK. You can also run sudo docker ps, which should output a line like

b73538a0b025        traefik:alpine               "/entrypoint.sh trae…"   4 months ago        Up 5 weeks          0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   traefik

which tells you that traefik is up and running and exposes ports 80/443 to the world.

Regarding Cloudflare: there are issues with Nextcloud. You can't run Nextcloud behind Cloudflare.
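
The checks in the reply above (is traefik publishing 80/443, can the host be reached by name, what does the ACME error in the traefik log actually mean) can be scripted. The script below is an added example written for this thread, not part of the nextcloud_on_docker playbook. It assumes the container is named traefik and publishes 80/443 on the host as in the docker ps line above, and it uses curl --resolve to pin the domain to a chosen IP instead of editing /etc/hosts. The docker ps and log text used in the checks are constructed samples.

```shell
#!/bin/sh
# Diagnose a failing Let's Encrypt HTTP-01 challenge behind traefik.
# Added example for this issue; not the project's own code.
# Assumptions: container "traefik" publishes 0.0.0.0:80 and 0.0.0.0:443,
# and docker, getent and curl are available on the host.

# Check `docker ps` text: both 0.0.0.0:80->80/tcp and 0.0.0.0:443->443/tcp
# must appear, otherwise nothing outside the Docker network reaches traefik
# and every ACME challenge fails before it starts.
ports_published() {
    missing=""
    for p in 80 443; do
        printf '%s\n' "$1" | grep -qF "0.0.0.0:${p}->${p}/tcp" || missing="$missing $p"
    done
    if [ -n "$missing" ]; then
        printf 'not published on host:%s\n' "$missing"
        return 1
    fi
    printf '80 and 443 published\n'
}

# Map the ACME error text in a traefik log line to the layer to inspect next.
# The first word of the output is a stable tag; the rest is the hint.
classify_acme_error() {
    case "$1" in
        *"Connection refused"*)
            printf 'refused: the public IP actively refuses port 80 (no listener there, or a firewall that rejects); check host firewall, router port forward and the A record\n' ;;
        *"Timeout during connect"*|*"timeout"*)
            printf 'timeout: packets to port 80 are dropped on the way in; usually an upstream or cloud firewall\n' ;;
        *"Invalid response"*|*"acme:error:unauthorized"*)
            printf 'wrong-server: port 80 is reachable but something other than traefik answers (another web server, or a proxy/CDN in front)\n' ;;
        *"acme:error:dns"*)
            printf 'dns: the CA could not resolve the name; check the A record and its propagation\n' ;;
        *)
            printf 'unknown: inspect the full traefik log line\n' ;;
    esac
}

# Probe the challenge path the way the CA does, but pinned to a chosen IP
# (127.0.0.1, the LAN address, or the public address) via curl --resolve.
# Any HTTP status at all, even 404, proves the TCP path to port 80 works;
# an empty status means the connection was refused or timed out before HTTP.
probe_challenge() {
    fqdn="$1"; ip="$2"
    curl -s -o /dev/null -m 10 -w '%{http_code}' \
        --resolve "${fqdn}:80:${ip}" \
        "http://${fqdn}/.well-known/acme-challenge/probe-token" || true
}

main() {
    fqdn="$1"; ip="${2:-127.0.0.1}"
    echo "DNS answer for ${fqdn}: $(getent hosts "$fqdn" | awk '{print $1}')"
    echo "Docker: $(ports_published "$(docker ps)")"
    echo "HTTP-01 path via ${ip}: status '$(probe_challenge "$fqdn" "$ip")'"
    echo "TLS via ${ip}: status '$(curl -sk -o /dev/null -m 10 -w '%{http_code}' \
        --resolve "${fqdn}:443:${ip}" "https://${fqdn}/" || true)'"
    # Classify the most recent ACME failure traefik logged, if any.
    docker logs traefik 2>&1 | grep -F 'Unable to obtain ACME' | tail -n 1 \
        | while IFS= read -r line; do
            echo "Last ACME failure: $(classify_acme_error "$line")"
        done
}

# Live checks run only when a domain is given, e.g. (as root or with sudo):
#   sh check_acme.sh mydomain.tk 192.168.1.10
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it once with the machine's own address and once from another host on the LAN with the server's LAN address; if both return an HTTP status but the ACME log still says "Connection refused", the problem is outside the machine (router port forward, upstream firewall, or an A record pointing elsewhere), which is exactly where the thread ended up.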

Dustin1358 commented 4 years ago

Thanks for your information, it helped me to understand traefik and Let's Encrypt better. And you are right, there was an additional firewall which I did not know about.