danb35 / freenas-iocage-nextcloud

Script to create an iocage jail on FreeNAS for the latest Nextcloud 28 release, including Caddy, MariaDB or PostgreSQL, and Let's Encrypt
GNU General Public License v3.0

Certificate is not trusted #220

Open MoritzSchrenk opened 5 months ago

MoritzSchrenk commented 5 months ago

Hey,

I ran the installer with STANDALONE_CERT=1, and then ran iocage exec nextcloud /root/remove-staging.sh.

I can access the site, but the certificate is not trusted. Issued By:
    Common Name (CN): (STAGING) False Fennel E6
    Organization (O): (STAGING) Let's Encrypt
    Organizational Unit (OU): 

I assume the staging part is the issue, but I'm not sure if I did something wrong or the script didn't work as expected?

danb35 commented 5 months ago

What you're seeing is indeed a staging cert, but it isn't clear why it's there. Can you share the top of your Caddyfile? In the jail, it's in /etc/caddy/Caddyfile.

MoritzSchrenk commented 5 months ago

Couldn't find a Caddyfile in that location, but there was one in /usr/local/www - I assume that's the right one? Here's the whole file:

{
    # debug
    ##acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    email <myemail>
    # default_sni nextcloud.mydomain.com
}

nextcloud.mydomain.com {
    root * /usr/local/www/nextcloud
    file_server
    log {
        output file /var/log/nextcloud.mydomain.com.log
    }

    php_fastcgi 127.0.0.1:9000 {
        env front_controller_active true
    }

    header {
        # enable HSTS
        # Strict-Transport-Security max-age=31536000;
    }

    # client support (e.g. os x calendar / contacts)
    redir /.well-known/carddav /remote.php/dav/ 301
    redir /.well-known/caldav /remote.php/dav/ 301
    redir /.well-known/webfinger /index.php/.well-known/webfinger 301
    redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

    # Required for legacy
    @notlegacy {
        path *.php
        not path /index*
        not path /remote*
        not path /public*
        not path /cron*
        not path /core/ajax/update*
        not path /status*
        not path /ocs/v1*
        not path /ocs/v2*
        not path /updater/*
        not path /ocs-provider/*
        not path */richdocumentscode/proxy*
    }
    rewrite @notlegacy /index.php{uri}

    # .htaccess / data / config / ... shouldn't be accessible from outside
    @forbidden {
        path /.htaccess
        path /data/*
        path /config/*
        path /db_structure
        path /.xml
        path /README
        path /3rdparty/*
        path /lib/*
        path /templates/*
        path /occ
        path /console.php
    }

    respond @forbidden 404
}

MoritzSchrenk commented 5 months ago

Does the fact that I have a DDNS hostname matter? It's been so long since I set it up that I completely forgot, but on namecheap mydomain.com has a CNAME set up to mydomain.ddns.net.

danb35 commented 5 months ago

The Caddyfile looks fine (and yes, that's the correct location; I'd confused Linux and FreeBSD locations for it), and no, a DDNS hostname shouldn't affect it. Can you try just deleting the acme_ca line and then restarting Caddy with service caddy restart? If you're still getting the staging cert, see if you can find anything relevant in Caddy's logs.
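A quick way to confirm whether the certificate a host is actually serving still comes from the Let's Encrypt staging CA (the "(STAGING)" issuer shown above) or from production, e.g. after running remove-staging.sh and restarting Caddy. This is an added example, not part of the danb35 script; it assumes openssl is available and that nextcloud.mydomain.com is a placeholder for your own hostname.

```shell
#!/bin/sh
# Added example (not from the freenas-iocage-nextcloud project): check whether
# the TLS certificate served for a hostname was issued by the Let's Encrypt
# staging CA, whose issuer fields carry the "(STAGING)" prefix.

# Return 0 if an issuer line (as printed by `openssl x509 -noout -issuer`)
# names the staging CA, 1 otherwise.
is_staging_issuer() {
    case "$1" in
        *"(STAGING)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch the issuer of the leaf certificate served for "$1", sending SNI so a
# Caddy host with several sites returns the right certificate.
served_issuer() {
    host="$1"
    openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Exit 0 for a production issuer, 1 if the staging cert is still served,
# 2 if no certificate could be retrieved at all.
check_host() {
    issuer="$(served_issuer "$1")"
    if [ -z "$issuer" ]; then
        echo "could not retrieve a certificate from $1" >&2
        return 2
    fi
    if is_staging_issuer "$issuer"; then
        echo "STAGING cert still served for $1: $issuer" >&2
        return 1
    fi
    echo "production cert served for $1: $issuer"
    return 0
}

# Usage, from the jail or any host that can reach it (hostname is a placeholder):
#   check_host nextcloud.mydomain.com
```

If it reports a staging issuer after the acme_ca line is gone, a `service caddy restart` is the next thing to try, as described above.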

MoritzSchrenk commented 5 months ago

Well, I restarted it without even editing anything and it seems fine now ... that probably should have occurred to me sooner >.>

Thanks for the help (and creating this amazing script!)