RE: Terminal Questions re LAMP App

@girish Thanks so much for the great answers.

I look forward to installing the cloudron cli on my computer running Linux Mint .

@girish I successfully migrated my Cloudron from one server to another. I followed your directions and updated Cloudron to v 6.0.0 before making my final backup of the old server.

Thank you.

@girish wrote "I remember mentioning NAT loopback in https://blog.cloudron.io/installing-cloudron-on-a-home-server/."

That is indeed where I learned about it and was diligent when I set up the old router... but forgot about it it completely when setting up the new one. Always a good idea to work from docs and not just your own head.

@girish Thanks so much for the great service! I'm a happy customer.

@girish thx. It was really helpful for you to say that you didn't think the problem was with the cert. It got me thinking outside that box.

The problem was that I hadn't properly set up Nat loopback support on the new router (the config for that was different from the one on the old router).

I had to un-tick the box "Stop DNS Rebind" in order to get my site to resolve on my local computers (access from outside my network was fine --which I hadn't realized at first).

There was a big warning when I unticked that setting. Any thoughts on this. It's possible that I have some other local network or router setting that isn't quite right.

Thx.

I had the same problem and searched the forum.

Got the solution here, thanks! @alkomy

Since finding where to add the white-listed IP on Namecheap can cause you to pull your hair out, I thought I'd document it here for others:

Direct URL: https://ap.www.namecheap.com/settings/tools/apiaccess/

Via the UI: account => profile => tools => Business & Dev tools => Namecheap API access (click "Manage") and then click "Edit" across from "Whitelisted IPs".

I'd like to not use Nextcloud's encryption-at-rest.

So I would love to be able to provide users with server logs that would show anytime a file was accessed by someone who did not own it or have share-access to it.

In other words, I want to do more than promise, "I won't access user files."

Ideas? I know there is a Linux program Auditd. I wanted to get other folks perspectives before I dive into that.

@girish

Trying to understand your question. Are you referring to users somehow accessing the files via SSH'ing into your server? If not, how can someone access files they did not own?

My interest is in auditing admin access and making those audits transparent.

Which software is running this forum?

Is it Discourse? NodeBB? Something else?

@girish

Will do. Thx for the link.

@girish

Trying to understand your question. Are you referring to users somehow accessing the files via SSH'ing into your server? If not, how can someone access files they did not own?

My interest is in auditing admin access and making those audits transparent.

@subven

You won't be able to protect unencrypted files even if you promise.

It's not so much about protection that I'm after but rather making Admin access transparent.

Note that NextCloud admins will always be able to impersonate users

Yes, but I'm imagining that would trigger a log entry that would be made available to instance users.

The feature you want should be requested upstream since this cannot be solved within cloudron.

Agreed.

You have to trust your administrators.

We should not have to trust administrators. I hope the goal of NextCloud is to be a true alternative to Google cloud apps. If we are just asking folks to trust one administrator instead of another administrator then NextCloud becomes less compelling, in my opinion.

I'd like to not use Nextcloud's encryption-at-rest.

So I would love to be able to provide users with server logs that would show anytime a file was accessed by someone who did not own it or have share-access to it.

In other words, I want to do more than promise, "I won't access user files."

Ideas? I know there is a Linux program Auditd. I wanted to get other folks perspectives before I dive into that.

@girish Thanks so much for the great service! I'm a happy customer.

@nebulon thanks for sticking with me on this one.

• green lock on all browsers on both nextcloud.mydomain.tech and collabora.mydomain.tech
• I renewed all certs twice
  • First time it essentially ran a check but didn't change anything because it saw the certs were fine.
  • Second time I changed the cert type from LetsEncrypt wildcard to LetsEncrypt prod. This time it created new certs.
• I ran the curl to Collabora after each time that I renewed the certs. No change, exact same messages.

Some more data from my troubleshooting

I removed all the gazillion certs that were in /etc/ssl/certs and also deleted all lines in /etc/ssl/certs/ca-certificates.crt in advance of renewing my domain certs in the Cloudron domains admin page. Those actions had absolutely no effect on anything. Green lock still appeared on all my Cloudron sites and Nextcloud still couldn't contact Cloudron server.

find / -iname "*letsencrypt*" returned zero rows

Some wild ideas to just toss out there:

• Are there ever cert issues related to new TLDs like the .tech domains that I am using?
• I've got two Nextcloud instances on the same Cloudron. (I've only been trying to connect 1 instance to Collabora.)

Again, I appreciate you sticking in there with me on this one. Any ideas on what I could try next?

@nebulon

Hmm, self-signed certificate in chain...
Thanks in advance for advising on my next step.

@girish Okay, took the "https://" off. I restarted Nextcloud as well as Collabora. Still same error, red X and "Could not establish connection to the Collabora Online server."

@robi @nebulon Thank you. I will try the recipe I found at Stack Exchange and then report back. In my situation it is for a home server. So I can easily connect a keyboard and monitor to enter the encryption password on the drive in the wake of a server reboot.

I do want to be able to do it remotely though if I'm not home. But the situation is not urgent for me. That explains my delay in following through. But I will.