Recent version(s) overwrites /usr/local/etc/nginx/conf.d/nextcloud.conf on jail restart #45
Comments
I am having the same issue. I edit the nextcloud.conf file, then I need to restart the plugin, and it reverts back to the original. Please help.
@eikehein if I follow correctly, you want to modify the configuration file in order to enable SSL? If yes, we have instructions for those steps here: https://github.com/freenas/iocage-plugin-nextcloud/tree/12.2-RELEASE (README). Please let me know if you have another use case in mind apart from that. Thanks!
@sonicaj I see the link to the instructions, thank you. But under the Network Properties tab, there is no field for "Protocol" / "Jail Port Number" / "Host Port Number".
@asw2012 I suppose the jail in question is not using NAT and is instead using DHCP / static IP?
Yes, using static IP address. But, as I mentioned, I have the problem of the nextcloud.conf file being overwritten.
I'm also running into the restore issue with nextcloud.conf using static/DHCP. Additionally, and probably related, the certificate generated with certbot --nginx also has to be reinstalled every time the jail is rebooted.
@asw2012 with static IP, you don't have to do the port forwarding as it's not valid. About the configuration file being overwritten, why is it being modified when the certificates can be generated as specified in (https://github.com/freenas/iocage-plugin-nextcloud/tree/12.2-RELEASE)?
@sonicaj for sanity's sake, I tried following those steps linked, specifically under TLS Certificates (which I already have using certbot), however I have no generate_letsencrypt_certificate script in my PATH, only generate_self_sign_tls_certificates, which I do not want to do. I have my cer and pem files in /usr/local/etc/letsencrypt/live/truenas, as well as my domain added to known hosts in /usr/local/www/nextcloud/config/config.php, however restarts lose that certificate. Running a reinstall works (Successfully deployed certificate for to /usr/local/etc/nginx/conf.d/nextcloud.conf) but restarts, again, wipe that file, and (probably unrelated) throw a "too many redirects" error.
I completely removed the plugin/jail and started from scratch. This time the
So from the linked README there's now a way to generate new certs during install, but what I've actually been doing is to supply my own certificate files and related config. How am I supposed to do this in a supported manner - generate certs and replace them? Background: My Nextcloud jail is accessible on the internet, by way of a domain pointing at the static WAN IP of my router, which forwards 443 to a port on my TrueNAS that's mapped to the jail. The process of generating and updating certs for the domain is a separate affair, and then I need to carry them into the jail. The jail plugin is super neat and handy otherwise and saves me a lot of effort, so I'd love to keep using it. Maybe some supported means to supply custom certs?
@eikehein I was doing the same thing, more or less, down to the cert generation. I just put it in the hands of the script in the plugin (which uses Let's Encrypt in basically the same way I was already doing), which creates and attempts to auto-renew weekly. It was much easier to just switch over vs fighting with or creating a cron job to make the changes on reboot. Is there a particular reason you're needing to use an "external" cert?
Well, I'm not using LetsEncrypt for the cert ... :-) It's not the only CA.
Assuming that the certificate format and such is the same, I'd try doing a clean install, per the instructions, while generating the certs with the supplied script, and then swap out your cert with the generated one. If I have some time this weekend, I can do a quick test to help you troubleshoot.
The file itself, with no modifications, is broken for LDAP/AD configuration so, excluding the SSL/Static IP configuration, it's bad to begin with and needs modification if you want to use SSL outside of the included SSL/LE utilities for various reasons OR you want to use LDAP/AD. Modification of this file should be permitted without having to go and fix it via custom script or etc. after every jail restart, I'm honestly trying to figure out why this is not the case as it seems to cause more problems than it prevents...
I've added a pull request to fix the stock template issues with LDAP/AD.
Hello all, can you be more specific on the changes you want to make in the nginx configuration file? What I understand is that you have some SSL certificates in a location and you want the nginx config to use them. Is that right? If this is your only need, then I suggested storing your certificates inside the default location. But I agree that we could use a more generic location. Do you have some suggestions? A thing to keep in mind is that some directories are mounted readonly in the jail so we can't store the certificates there:
First off, thank you for accepting my Pull Req and resolving the LDAP/AD thing, that's awesome. :) So, our need is we need to change the server name, hostname and SSL certificates in the nginx configuration for Nextcloud, we utilize ACME for the certificates, I would rather not have to add another script to rename/move them if at all possible. I guess the underlying question is, why is it now being overwritten when it wasn't in previous versions? Is that an artifact of this plugin or, of updated TrueNAS/IOCage?
Thanks for the feedback @mgob
- change the server name: This should not be necessary anymore as the Nginx config uses a catch-all.
- hostname: Can you elaborate?
- SSL certificates with ACME: ACME requests should be handled properly. Can I ask where your certificates are stored?
- Why is it now being overwritten when it wasn't in previous versions? Is that an artifact of this plugin or, of updated TrueNAS/IOCage? The logic here is that the Nginx configuration will probably get some updates in the future, because of new features, security issues, technical changes, you name it, ... Those updates are impossible to apply if the user changes the Nginx configuration, so it is safer to force a canonical Nginx configuration and think of other ways to handle specific use cases than tweaking the file.
Feel free to counter-argue :)
Maybe this isn't directly related, but what about those of us who specifically want to run Nextcloud without SSL on port 80? Is there a way we can add configuration to the plugin that simply disables all SSL-related functionality (like auto renewing certs, and reverts to running nextcloud on port 80 without TLS)? I don't expose my Nextcloud instance directly to the internet but use a reverse proxy for various subdomains, and I do my SSL stuff there. I specifically don't want to manage my SSL certs on my nextcloud plugin.
I've made some modifications to /usr/local/etc/nginx/conf.d/nextcloud.conf inside my plugin jail using iocage console. This has served me well up until now and across several prior upgrades. However, as of a recent upgrade to 22.2.0, nextcloud.conf is being reverted to the default contents on every restart of the plugin jail.
Several other TrueNAS users have observed and had trouble with the same behavior: https://www.truenas.com/community/threads/ssl-change-after-nextcloud-reboot.95672/
I suggest this is a regression.