Https requests not working for docker/nextcloud (plain http request sent to https port)

Dear all!

I am trying to secure my nextcloud installation (docker on Ubuntu 18.04 on ESXi 6.7) with traefik & letsencrypt. However, when I try to access the NC instance via https, my browser either redirects to https://_/ (Vivaldi) or gives an error ("The plain HTTP request was sent to HTTPS port", curl / Firefox).

The dashboard works via https as well as another simple whoami container. Only nextcloud does not work as expected and I am losing my mind over what I could have done wrong. So far I mostly followed guides & tutorials (starting with the excellent one on medium), modifying and adding where necessary. Maybe I have created an amalgam of several configurations, which leads to the current problems, but even restarting from scratch does not work anymore.

My config files:

docker-compose.yml

version: '3'

services:
  traefik:
    image: traefik:v2.0.4
    container_name: traefik
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/traefik/acme.json:/acme.json
      - /root/traefik/traefik.yml:/traefik.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain.net`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=user:pass"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.net`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"

  whoami:
    image: "containous/whoami"
    container_name: "simple-whoami"
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.domain.net`)"
      - "traefik.http.routers.whoami.entrypoints=https"
      - "traefik.http.routers.whoami.tls.certresolver=http"

  nextcloud:
    image: linuxserver/nextcloud
    container_name: "nextcloud"
    networks:
      - proxy
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Berlin
    volumes:
      - /home/dockeruser/nextcloud:/config
      - /home/dockeruser/nextcloud_data:/data
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.domain.net`)"
      - "traefik.http.routers.nextcloud-secure.tls=true"
      - "traefik.http.routers.nextcloud-secure.tls.certresolver=http"
      - "traefik.http.routers.nextcloud-secure.service=nextcloud"

networks:
  proxy:
    external: true

traefik.yml

api:
  dashboard: true

log:
  level: DEBUG

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  http:
    acme:
      email: email@domain.net
      storage: acme.json
      httpChallenge:
        entryPoint: http

last part of docker-compose logs

traefik      | time="2019-11-07T12:30:39Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"],\"User-Agent\":[\"curl/7.58.0\"],\"X-Forwarded-Host\":[\"nextcloud.domain.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"b3bbad79f113\"],\"X-Real-Ip\":[\"ip-address\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"nextcloud.domain.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"ip-address:36902\",\"RequestURI\":\"/\",\"TLS\":null}"

Any ideas?
In case you were wondering why the traefik directory is under /root - I first tried /opt/traefik but somehow it did not recognize the docker-compose.yml there. A simple cp to /root was sufficient to make it run.

Use the config files that you posted above. Discard all the experiments that you've done after posting.

Add this to your traefik.yml:

serversTransport:
  insecureSkipVerify: true

Modify your docker-compose.yaml so that the NC section labels look like this:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.domain.net`)"
      - "traefik.http.routers.nextcloud-secure.tls=true"
      - "traefik.http.routers.nextcloud-secure.tls.certresolver=http"
      - "traefik.http.routers.nextcloud-secure.service=nextcloud"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=443"
      - "traefik.http.services.nextcloud.loadbalancer.server.scheme=https"

This works, thanks! 🙂

The only modifications were the loadbalancer service and insecureSkipVerify, correct? Could you elaborate on why the SSL certificate should not be verified? I thought it was a regular, valid, letsencrypt-issued certificate. However, it works, so maybe I should not think too hard about it.

Yes

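An added example, not part of the thread and not Traefik's own code: a small audit of the labels discussed above that flags the original failure (Traefik's default `http` scheme sent to a TLS-only port) and the trade-off in the fix, where the global `insecureSkipVerify` leaves the Traefik-to-container hop encrypted but unauthenticated for every backend. It assumes the nextcloud image exposes only port 443; the function name and finding codes are hypothetical, and only routers that name a `service` are checked.

```python
import re

SERVER_KEY = re.compile(r"^traefik\.http\.services\.([^.]+)\.loadbalancer\.server\.(port|scheme)$")
ROUTER_SVC = re.compile(r"^traefik\.http\.routers\.[^.]+\.service$")

def audit_backend_hop(labels, exposed_ports, insecure_skip_verify=False):
    """Return finding codes for the Traefik -> container hop.

    labels: 'key=value' strings as written in docker-compose.yml.
    exposed_ports: ports the image exposes (supplied by the caller; an assumption here).
    insecure_skip_verify: value of serversTransport.insecureSkipVerify in traefik.yml.
    """
    kv = dict(label.split("=", 1) for label in labels)
    servers = {}
    for key, value in kv.items():
        m = SERVER_KEY.match(key)
        if m:
            servers.setdefault(m.group(1), {})[m.group(2)] = value
    findings = []
    for key, svc in kv.items():
        if not ROUTER_SVC.match(key) or "@" in svc:  # e.g. api@internal has no container
            continue
        cfg = servers.get(svc, {})
        scheme = cfg.get("scheme", "http")  # Traefik defaults to http towards the backend
        port = cfg.get("port")
        if port is None and len(exposed_ports) == 1:
            port = str(exposed_ports[0])  # a single exposed port is picked automatically
            findings.append("port-not-pinned")
        if scheme == "http" and port == "443":
            findings.append("plain-http-to-tls-port")  # the error from the question
        if scheme == "https" and insecure_skip_verify:
            findings.append("backend-cert-unverified")  # encrypted, peer not authenticated
    return findings

# Constructed from the labels quoted in the thread (trimmed to the relevant ones).
BEFORE = [
    "traefik.enable=true",
    "traefik.http.routers.nextcloud-secure.entrypoints=https",
    "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.domain.net`)",
    "traefik.http.routers.nextcloud-secure.tls.certresolver=http",
    "traefik.http.routers.nextcloud-secure.service=nextcloud",
]
AFTER = BEFORE + [
    "traefik.http.services.nextcloud.loadbalancer.server.port=443",
    "traefik.http.services.nextcloud.loadbalancer.server.scheme=https",
]

if __name__ == "__main__":
    print(audit_backend_hop(BEFORE, exposed_ports=[443]))
    print(audit_backend_hop(AFTER, exposed_ports=[443], insecure_skip_verify=True))
```

The Let's Encrypt certificate requested through the `certresolver` labels is the one Traefik presents to browsers; the certificate that is checked or skipped here is the one the container serves to Traefik.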