Nextcloud problems / questions

Forgot to note the original line

Where to find it?

add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

Thank you, it’s working again!

Warning by Nextcloud

The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds.
For enhanced security, it is recommended to enable HSTS as described in the security tips.

See HTTP Strict Transport Security (HSTS) and NGINX - NGINX

Setting the Strict Transport Security (STS) response header in NGINX and NGINX Plus is relatively straightforward:

nano /etc/nginx/sites-available/default

Search for the original line
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

and replace with
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # managed by Certbot

Should adding “includeSubDomains” not be done automatically by the Certbot or the installation of Nextcloud?

Do I need to run the Certbot multiple times one after another, for the main domain and separately for the wanted subdomain?
Or run it just once with the main domain and wanted subdomain separated by , or ; ?

I get this error running the Certbot by DietPi-LetsEncrypt ‘nextcloud.YourDomain.com’:

[FAILED] Setting was found multiple times
The pattern $1
server_name[[:blank:]] was found multiple times in file $3 /etc/nginx/sites-available/default
7:        server_name YourDomain.com;
49:        server_name YourDomain.com;

Either the pattern $1 needs to be more specific or the desired setting can appear multiple times by design and it cannot be predicted which instance to edit.
Please retry with more specific parameter $1 or apply the setting manually:
server_name nextcloud.YourDomain.com;

?

nano /etc/nginx/sites-available/default

# /etc/nginx/sites-available/default
server {

        root /var/www;
        index index.php index.html index.htm index.nginx-debian.html;

        server_name YourDomain.com;

        include /etc/nginx/sites-dietpi/*.conf;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php(?:$|/) {
                include snippets/fastcgi-php.conf;
                fastcgi_pass php;
        }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/YourDomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/YourDomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    ssl_trusted_certificate /etc/letsencrypt/live/YourDomain.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot



    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # managed by Certbot



}

server {
    if ($host = YourDomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 default_server;
        listen [::]:80 default_server;

        server_name YourDomain.com;
    return 404; # managed by Certbot


}


server {
    if ($host = YourDomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name nextcloud.YourDomain.com; # managed by Certbot
    return 404; # managed by Certbot




    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud.YourDomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.YourDomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot


    ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.YourDomain.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

}

server {
    if ($host = nextcloud.YourDomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = YourDomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 ;
        listen [::]:80 ;
    server_name nextcloud.YourDomain.com; # managed by Certbot
    return 404; # managed by Certbot







}

?
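As an added example (not part of the thread, and not DietPi, Certbot or Nextcloud code): a small Python audit that reads an nginx config and reports, for each TLS server block, whether its HSTS header meets the 15552000-second minimum from the Nextcloud warning. The sample config is constructed from the layout of the file posted above; `short.example` and `bare.example` are made-up hosts added to show the failing cases.

```python
import re

MIN_MAX_AGE = 15552000  # minimum from the Nextcloud warning quoted in the thread
# Constructed sample modelled on the posted file; short.example and bare.example are made up.
SAMPLE = """
server {
    server_name YourDomain.com;
    location / { try_files $uri $uri/ =404; }
    listen 443 ssl; # managed by Certbot
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
server { listen 80 default_server; server_name YourDomain.com; return 404; }
server {
    server_name nextcloud.YourDomain.com;
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
server { listen 443 ssl; server_name short.example; add_header Strict-Transport-Security "max-age=86400" always; }
server { listen 443 ssl; server_name bare.example; }
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, using brace counting."""
    conf = re.sub(r"#.*", "", conf)  # strip comments (assumes no '#' inside quotes)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit_hsts(conf):
    """Map each TLS server_name to: missing, too short, ok, or ok+subdomains."""
    report = {}
    for body in server_blocks(conf):
        if not re.search(r"\blisten\s[^;]*\bssl\b", body):
            continue  # port-80 redirect blocks are not expected to send HSTS
        name = re.search(r"\bserver_name\s+([^;]+);", body)
        hdr = re.search(r'add_header\s+Strict-Transport-Security\s+"([^"]*)"', body)
        value = hdr.group(1).lower() if hdr else ""
        age = re.search(r"max-age=(\d+)", value)
        if not age or int(age.group(1)) < MIN_MAX_AGE:
            verdict = "too short" if age else "missing"
        else:
            verdict = "ok+subdomains" if "includesubdomains" in value else "ok"
        report[name.group(1).strip() if name else "(unnamed)"] = verdict
    return report

if __name__ == "__main__":
    print(audit_hsts(SAMPLE))
```

The script looks for the header anywhere inside a server block and does not model nginx's inheritance rule, under which a `location` that sets its own `add_header` no longer inherits the server-level ones. Confirm the result against the live response headers after reloading nginx.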

Another question:

My personal info isn’t saved

https:///nextcloud/u/admin

Items like

  • Phone number
  • Website

Profile visibility of the items is set to Hide

I get the Authentication required notification, fill in my password, but after leaving the page it isn’t saved with the Checkmark and I don’t see a save button!?

  • Website solution > https:// needs to be included before www. (https://www.YourDomain.com)

  • Phone number solution > Seems the config /var/www/nextcloud/config/config.php is missing:

'default_phone_region' => 'optional',

I have stumbled across a not-so-great solution, but it worked for me.
Simply open up some type of notepad, type the number there and copy and then paste it to the phone number field.
It actually worked for me, and I would imagine for others who are experiencing this issue.
For you more advanced technical wizards, I believe that the data entry times out for some reason, as I could only manually type a few digits before the Checkmark was to appear.

Security & setup warnings

  • You have not set or verified your email server configuration, yet. Please head over to the Basic settings in order to set them. Afterwards, use the “Send email” button below the form to verify your settings.

Having a Gmail address, I haven’t been able to set the server settings.
I have tried all ‘solutions’ I found regarding Nextcloud mail settings.

A problem occurred while sending the email. Please revise your settings. (Error: Failed to authenticate on SMTP server with username “hemertje” using 1 possible authenticators. Authenticator LOGIN returned Expected response code 235 but got code “535”, with message "535-5.7.8 Username and Password not accepted. Learn more at 535 5.7.8 Check Gmail through other email platforms - Gmail Help 19-20020a170906329300b007bc8ef7416asm9433234ejw.25 - gsmtp ".)

Security & setup warnings

https://www.php.net/supported-versions.php

Branch 7.4 is End of Life and its Security Updates by January 1, 2023

How to update to PHP version 8.1 or 8.2?

Security & setup warnings

  • The PHP module “imagick” is not enabled although the theming app is. For favicon generation to work correctly, you need to install and enable this module.

Is this the proper way to install and enable this module?

cd /var/www/nextcloud 
sudo -u www-data php occ db:add-missing-indices

Security & setup warnings

  • The PHP modules “gmp” and/or “bcmath” are not enabled. If you use WebAuthn passwordless authentication, these modules are required.

If I’m correct these last two messages on my system can be ignored?

Imagick is deprecated?
I don’t use passwordless WebAuthn, so I don’t need gmp / bcmath.

These modules could be ignored if not needed.

You need to wait for the release of Debian Bookworm in summer 2023 or go with a 3rd party installation of PHP.

Run it only once, the certificate gets replaced every time. Also, if you run it too often you get rate limited by Let’s Encrypt and then you have to wait a certain time before you can renew your certs.

Can this be added in the NextCloud DietPi config by Default?

Ok, clear to me
thx…

Hello Jappe,

How to add the main domain and a subdomain to the Let’s Encrypt Certbot?

Is this config correct?

Yesterday I ran the YourDomain Certbot
Today I ran the nextcloud.YourDomain Certbot

See the config at:

At my local IP-Address https:///nextcloud/apps/dashboard/
I get the red http sign that the url is not secure

“certificate is not valid”

Is this the correct way to do it?

Certificates are issued for the specific domain. On an IP address, you will get a cert warning by design. You need to use your DDNS even if at home to avoid the cert warning.

Where is the relation between imagick and db:add-missing-indices?

I just add every domain I want to use, comma-separated, in dietpi-letsencrypt, like
nextcloud.myddns.net,vpn.myddns.net,another.domain.net.

I think if you ran yesterday the script with domain1 and today with domain2, domain1 will not get renewed since it’s missing in the list now.