I have a CNAME for the subdomain and an A name with my external IP. Everything else, including changing the ports to issue a new cert for another webapp, worked; it's only the Nextcloud app.
Please remove the _acme-challenge CNAME, unless you want to use DNS challenge delegation via dns_challenge_override_domain (which you aren't).
I don't fully understand what you mean by your statement. I read the documentation linked. Can you explain exactly what you are talking about, and what in the Caddyfile you want me to change? I have been using Cloudflare for over 2 years with Caddy and never had an issue like this. I think something is not able to be read by Caddy from Docker.
In your screenshot, we see a DNS entry for a subdomain called _acme-challenge. We think that's causing problems. Delete that one.
Your Caddyfile is fine. The problem is with your CloudFlare account.
Sorry, I didn't fully understand. I removed the acme challenge for my domain and re-ran my command in the terminal: ./caddy run --config Caddyfile
This was the error:
2023/01/09 00:24:13.051 INFO http.acme_client trying to solve challenge {"identifier": "files.movies4you.stream", "challenge_type": "dns-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2023/01/09 00:24:13.175 ERROR http.acme_client cleaning up solver {"identifier": "files.movies4you.stream", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.files.movies4you.stream\" (usually OK if presenting also failed)"}
2023/01/09 00:24:19.506 ERROR tls.renew could not get certificate from issuer {"identifier": "music.movies4you.stream", "issuer": "acme.zerossl.com-v2-DV90", "error": "[music.movies4you.stream] solving challenges: presenting for challenge: adding temporary record for zone \"movies4you.stream.\": got error status: HTTP 403: [{Code:9109 Message:Invalid access token}] (order=https://acme.zerossl.com/v2/DV90/order/oH6kiMEEVqnXuaLawHxi7w) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/01/09 00:24:19.506 ERROR tls.renew will retry {"error": "[music.movies4you.stream] Renew: [music.movies4you.stream] solving challenges: presenting for challenge: adding temporary record for zone \"movies4you.stream.\": got error status: HTTP 403: [{Code:9109 Message:Invalid access token}] (order=https://acme.zerossl.com/v2/DV90/order/oH6kiMEEVqnXuaLawHxi7w) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 29.6125625, "max_duration": 2592000}
2023/01/09 00:24:19.980 ERROR tls.obtain could not get certificate from issuer {"identifier": "files.movies4you.stream", "issuer": "acme.zerossl.com-v2-DV90", "error": "[files.movies4you.stream] solving challenges: presenting for challenge: adding temporary record for zone \"movies4you.stream.\": got error status: HTTP 403: [{Code:9109 Message:Invalid access token}] (order=https://acme.zerossl.com/v2/DV90/order/dPf3RIjovSV-u3myJjdJPg) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/01/09 00:24:19.980 ERROR tls.obtain will retry {"error": "[files.movies4you.stream] Obtain: [files.movies4you.stream] solving challenges: presenting for challenge: adding temporary record for zone \"movies4you.stream.\": got error status: HTTP 403: [{Code:9109 Message:Invalid access token}] (order=https://acme.zerossl.com/v2/DV90/order/dPf3RIjovSV-u3myJjdJPg) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 30.0865563, "max_duration": 2592000}
I typed in 192.168.1.111:8484 on another computer on my network and got an error. I think my Nextcloud instance won't show on any other computer besides my main rig, so I don't think Caddy can see it outside that one computer.
If you are seeing this, the config.php in your Nextcloud config is not set up correctly.
Going back to your first post, I can see your Nextcloud env is not set correctly.
The Nextcloud config file should be in PHP-style format, so if you have more than one, it needs to be in array format.
Example: in config.php, a single entry for trusted_domains will be:
'trusted_domains' => '192.168.1.111',
But if you have more than one site, then it will be:
'trusted_domains' =>
array (
0 => 'localhost',
1 => '192.168.1.111',
2 => 'my.website.com',
3 => 'files.movies4you.stream',
),
or in a single line:
'trusted_domains' => array ( 0 => 'localhost', 1 => '192.168.1.111', 2 => 'my.website.com', 3 => 'files.movies4you.stream', ),
Based on the official documentation here: https://hub.docker.com/r/linuxserver/nextcloud
You are missing quite a few crucial configuration items in your Docker Compose write-up.
I will highlight some below:
environment:
  - PUID=1000
  - PGID=1000
  - TZ=Asia/Kuala_Lumpur
volumes:
  - /path/to/local/config:/config
  - /path/to/local/data:/data
PUID and PGID set file ownership so that php-fpm executes correctly. If your Nextcloud is running, you can skip this for now.
If you have set /path/to/local/config:/config correctly, you should be able to open /path/to/local/config/config.php on the local host computer to change it, and the /data folder so you don't lose your files when you rebuild your Nextcloud container.
He's not using that container. You linked to the linuxserver container, which is unofficial. He's using the official Nextcloud container, i.e. this one: https://hub.docker.com/_/nextcloud
I don’t know what to tell you at this point. This is obviously a problem with authenticating with CloudFlare.
Try to make a new API token using the instructions I linked to above, from scratch. Make sure the permissions are set correctly for the token.
I don’t use CloudFlare myself so I don’t know what else to suggest.
Sorry, my bad. I wasn't paying attention to the details.
Try out something really simple:
{
	# tls is not a global option; the global form of the DNS challenge is acme_dns
	acme_dns cloudflare YOUR_API_TOKEN
}
home.movies4you.stream work-on.local {
	root * C:\Tools\OrganizrV2\www\organizr\html
	php_fastcgi localhost:9000
	respond "Hello World"
}
Before you go all out with many lines and tons of reverse_proxy, just make sure you can get Hello World from both LAN and WAN. Only then bring in the other parts, like Nextcloud, reverse_proxy, rewrite and so forth.
All of my reverse proxies work except Nextcloud. Why am I doing this? Not criticising, but everything else in my Caddyfile works.
I fixed the 192.168.1.111:8484 for the local network; now I can access it on my other PCs inside the network. Now we need to tackle Caddy not being able to write a cert to it. I rolled the API key and still the other domains work, except Nextcloud.
To fix the local domains, for reference, I went to the Nextcloud container in Docker Desktop, clicked on Console inside Docker Desktop, and ran:
apt install nano
cd config
nano config.php
and installed the two domains files.movies4you.stream and 192.168.1.111:8484 in PHP form as stated a couple of comments above.
I'm getting a rate limiter error now:
PS C:\Users\DevilsCoder> cd C:\Tools\Caddy
PS C:\Tools\Caddy> ./caddy run --config Caddyfile
2023/01/10 00:49:52.088 INFO using provided configuration {"config_file": "Caddyfile", "config_adapter": ""}
2023/01/10 00:49:52.091 WARN Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2023/01/10 00:49:52.096 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/01/10 00:49:52.096 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0003e3dc0"}
2023/01/10 00:49:52.096 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/01/10 00:49:52.096 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2023/01/10 00:49:52.097 INFO tls cleaning storage unit {"description": "FileStorage:C:\\Users\\DevilsCoder\\AppData\\Roaming\\Caddy"}
2023/01/10 00:49:52.097 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/01/10 00:49:52.097 INFO http enabling HTTP/3 listener {"addr": ":443"}
2023/01/10 00:49:52.098 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/01/10 00:49:52.098 INFO http enabling automatic TLS certificate management {"domains": ["music.movies4you.stream", "home.ittechnut.com", "requests.movies4you.stream", "tv.movies4you.stream", "ha.movies4you.stream", "files.movies4you.stream", "home.movies4you.stream", "rdp.ittechnut.com", "photos.movies4you.stream", "adg.ittechnut.com", "accounts.movies4you.stream", "kitchen.movies4you.stream", "deluge.movies4you.stream"]}
2023/01/10 00:49:52.099 INFO tls.renew acquiring lock {"identifier": "music.movies4you.stream"}
2023/01/10 00:49:52.101 INFO tls.renew lock acquired {"identifier": "music.movies4you.stream"}
2023/01/10 00:49:52.101 INFO tls.renew renewing certificate {"identifier": "music.movies4you.stream", "remaining": 2427488.8981416}
2023/01/10 00:49:52.103 INFO http waiting on internal rate limiter {"identifiers": ["music.movies4you.stream"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/01/10 00:49:52.103 INFO http done waiting on internal rate limiter {"identifiers": ["music.movies4you.stream"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/01/10 00:49:52.103 INFO tls.obtain acquiring lock {"identifier": "files.movies4you.stream"}
2023/01/10 00:49:52.104 INFO tls.obtain lock acquired {"identifier": "files.movies4you.stream"}
2023/01/10 00:49:52.104 INFO tls.obtain obtaining certificate {"identifier": "files.movies4you.stream"}
2023/01/10 00:49:52.105 INFO http waiting on internal rate limiter {"identifiers": ["files.movies4you.stream"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/01/10 00:49:52.105 INFO http done waiting on internal rate limiter {"identifiers": ["files.movies4you.stream"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/01/10 00:49:52.107 INFO autosaved config (load with --resume flag) {"file": "C:\\Users\\DevilsCoder\\AppData\\Roaming\\Caddy\\autosave.json"}
2023/01/10 00:49:52.108 INFO serving initial configuration
2023/01/10 00:49:52.111 INFO tls finished cleaning storage units
2023/01/10 00:49:52.453 INFO http.acme_client trying to solve challenge {"identifier": "music.movies4you.stream", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/01/10 00:49:52.474 INFO http.acme_client trying to solve challenge {"identifier": "files.movies4you.stream", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2023/01/10 00:49:52.908 ERROR http.acme_client cleaning up solver {"identifier": "music.movies4you.stream", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.music.movies4you.stream\" (usually OK if presenting also failed)"}
2023/01/10 00:49:52.959 ERROR tls.renew could not get certificate from issuer {"identifier": "music.movies4you.stream", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[music.movies4you.stream] solving challenges: presenting for challenge: adding temporary record for zone \"movies4you.stream.\": got error status: HTTP 403: [{Code:9109 Message:Invalid access token}] (order=https://acme-v02.api.letsencrypt.org/acme/order/155458460/157894081947) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2023/01/10 00:49:52.961 INFO http waiting on internal rate limiter {"identifiers": ["music.movies4you.stream"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/01/10 00:49:52.961 INFO http done waiting on internal rate limiter {"identifiers": ["music.movies4you.stream"], "ca": "https://acme.zerossl.com/v2/DV90", "account": "caddy@zerossl.com"}
2023/01/10 00:49:53.139 ERROR http.acme_client cleaning up solver {"identifier": "files.movies4you.stream", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.files.movies4you.stream\" (usually OK if presenting also failed)"}
The rate limiter isn’t an error, it’s just info letting you know that Caddy is waiting a while between challenges so it doesn’t flood the APIs with requests. Caddy is just being fair.
Cloudflare is telling your Caddy server that the access token you’ve supplied is not valid e.g. revoked, mistyped, incorrectly scoped etc.
If you’ve double checked the token scope and it’s correctly typed - I see you’ve rolled it and updated it - you might need to contact Cloudflare about a possible issue on their end since their API isn’t accepting it. There is no configuration change you can implement on Caddy’s end to fix this issue if Cloudflare just doesn’t accept the token.
Your other (sub-) domains obtained a certificate a while ago, so they will continue to work for a while (until they expire, more or less).
And they won't interact with your Cloudflare token at all until they need to be renewed (which Caddy starts doing after 2/3 of the certificate's lifetime).
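As an added example (not part of this thread), a small Python triage script that parses Caddy console-format log lines like the ones pasted above and separates the benign rate-limiter and "cleaning up solver" messages from the actual Cloudflare token rejection. The sample lines are trimmed copies of the log above, and the verdict labels are my own.

```python
import json
import re
from collections import defaultdict

# Caddy console format: "<date> <time> <LEVEL> <logger> <message> {json fields}"
LINE_RE = re.compile(r'^(\S+ \S+)\s+(\w+)\s+(\S+)\s+(.*?)\s+(\{.*\})$')
# Cloudflare's error as the DNS module embeds it in Caddy's error string
CF_ERR_RE = re.compile(r'HTTP (\d{3}): \[\{Code:(\d+) Message:([^}]*)\}\]')

def parse_line(line):
    """Return (level, message, fields) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    return None if not m else (m.group(2), m.group(4), json.loads(m.group(5)))

def classify(level, msg, fields):
    """Map one record to (verdict, explanation); None means routine noise."""
    err = fields.get("error", "")
    cf = CF_ERR_RE.search(err)
    if cf:
        http, code, text = cf.groups()
        return "ROOT_CAUSE", f"DNS provider returned HTTP {http} code {code}: {text.strip()}"
    if "no memory of presenting" in err:
        return "SYMPTOM", "cleanup after a failed present step; find the presenting error"
    if "rate limiter" in msg and level == "INFO":
        return "BENIGN", "Caddy pacing its own ACME requests; not an error"
    return None

def triage(log_text):
    """Group verdicts per ACME identifier so the real failure stands out."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict = rec and classify(*rec)
        if not verdict:
            continue
        fields = rec[2]
        ident = fields.get("identifier") or ",".join(fields.get("identifiers", []))
        report[ident].append(verdict)
    return dict(report)

# Sample input: three lines trimmed from the log posted above (constructed test data).
SAMPLE_LOG = r"""
2023/01/10 00:49:52.103 INFO http waiting on internal rate limiter {"identifiers": ["music.movies4you.stream"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2023/01/10 00:49:52.959 ERROR tls.renew could not get certificate from issuer {"identifier": "music.movies4you.stream", "error": "[music.movies4you.stream] solving challenges: presenting for challenge: adding temporary record for zone \"movies4you.stream.\": got error status: HTTP 403: [{Code:9109 Message:Invalid access token}] (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2023/01/10 00:49:53.139 ERROR http.acme_client cleaning up solver {"identifier": "files.movies4you.stream", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for \"_acme-challenge.files.movies4you.stream\" (usually OK if presenting also failed)"}
"""

if __name__ == "__main__":
    for ident, verdicts in triage(SAMPLE_LOG).items():
        print(ident, verdicts)
```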
Just as a sanity check, could you please run the following two commands (requires jq, but you could also run it without and parse the output yourself).
→ Replace YOUR_TOKEN with your Cloudflare API token
curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.cloudflare.com/client/v4/zones" --get --data-urlencode "name=movies4you.stream" | jq "{ success, errors, results: [.result[]? | { id, name }]}"
# Then, take the `id` from the previous output and use it in
# the following request instead of `__ZONE_ID__` (in the url)
curl -H "Authorization: Bearer YOUR_TOKEN" "https://api.cloudflare.com/client/v4/zones/__ZONE_ID__/dns_records" -X POST --data '{"type":"TXT","name":"_acme-challenge.files","content":"dummy_value"}' | jq "{ success, errors, result: (.result | { zone_name, name, type, content }) }"
The jq filters make it safe to post the whole output here.
Just for reference, what is jq, so I can do this test?
This is the error when I run your command:
C:\Users\DevilsCoder>choco install jq
Chocolatey v1.1.0
Installing the following packages:
jq
By installing, you accept licenses for the packages.
jq v1.6 already installed.
Use --force to reinstall, specify a version to install, or try upgrade.
Chocolatey installed 0/1 packages.
See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
Warnings:
- jq - jq v1.6 already installed.
Use --force to reinstall, specify a version to install, or try upgrade.
C:\Users\DevilsCoder>curl -H "Authorization: Bearer XUm4ywk6Hh-ywxywyxywyx-ywyxywyxywyx" "https://api.cloudflare.com/client/v4/zones" --get --data-urlencode "name=movies4you.stream" | jq '{ success, errors, results: [.result[]? | { id, name }]}'
% Total % Received % Xferd Average Speed Time Time Time Current
'{' is not recognized as an internal or external command,
operable program or batch file.
OMFG, you're amazing. It was an API key. I will definitely use this in the future to double check. I rolled the API key and re-checked the command with the newly rolled API key and it worked!!!
Can you try using " (double quotes) instead of ' for the stuff after jq?