Nextcloud Update & my current Webserver (Lighttpd)

Hi,
currently I am running a Pi 3 with Lighttpd as a Webserver. The most important Software on this System is Nextcloud. Some time ago I tried to Update Nextcloud to a newer Version (NC 21 or 22) than 20.13, which is the highest Version as of 20.xx.

Generally the Update worked, but I got some Errors in the Security Tab, but I was not able to solve the Problems.
I did some Research and it seems, that the Webserver could be the Cause. So my Question is, is it possible to switch over to another Webserver, just by unticking LLSP/LLMP to LASP/LAMP without any harm?

what are the Errors in the Security Tab you have? Maybe we could try fixing it. I don’t think there is a need to switch web server stack.

Hi & thank you for your Answer.

I will quote, what I see in the Security Tab.

"Security & setup warnings

For the security and performance of your instance it is important that everything is configured correctly. To help you with that, we run some automatic checks. Further information can be found in the linked documentation.
There are some warnings regarding your system configuration.

A background job that checks for user-imported SSL certificates is still running. Please try again later.

Your web server is not properly configured to resolve "/.well-known/webfinger". Further information can be found in our documentation ↗.
Your web server is not properly configured to resolve "/.well-known/nodeinfo". Further information can be found in our documentation ↗.
Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add "default_phone_region" with the respective ISO 3166-1 code ↗ of the desired region.

The database is missing some indexes. Because adding indexes on large tables can take some time, they were not created automatically. By running "occ db:add-missing-indices" the missing indexes can be added manually while the instance keeps running. Once the indexes have been added, queries to those tables are usually faster.
    Missing index "fs_size" in table "oc_filecache".
The php-imagick module has no SVG support. For better compatibility it is recommended to install it."

If you do not speak German I can translate those Passages, that you need to be translated.
So in short you can see these “webfinger” and “nodeinfo” Messages, as well as the missing phone Number?
Also it is said that an Index “fs_size” is missing in the “oc_filecache”.
What has to be done here?
At the end they claim a missing module called "php-imagick".

It would be great, if you can help me solving those things above. Thanks in Advance.

Don’t worry, I speak German very well :wink:

That is great … :slight_smile:

But I will stick to English language as this is an international board :sunglasses:

To mute the well-known warnings, compare your /etc/lighttpd/conf-available/99-dietpi-nextcloud.conf with this one: https://raw.githubusercontent.com/MichaIng/DietPi/master/.conf/dps_114/lighttpd.nextcloud.conf

EDIT: Whoops, switched to German mid-sentence :rofl:.

The url.redirect block is probably missing on your side. The warnings were added with a newer Nextcloud version and are therefore not yet present on older systems/installations.

To create the indices:

ncc db:add-missing-indices

I would ignore php-imagick; there is still an ongoing discussion about whether it should be used at all for security reasons.

Inserting those Redirect-Rules unfortunately results in a non-reachable Webinterface. Also the Clients are not syncing then.
I commented it then temporarily, as you can see in the Screenshot.

ncc db:add-missing-indices worked perfectly. Thanks for this.

did you restart the web server after changing the config file? was that working?

systemctl restart lighttpd.service
systemctl status lighttpd.service
dietpi@DietPi:~$ sudo systemctl restart lighttpd.service
Job for lighttpd.service failed because the control process exited with error code.
See "systemctl status lighttpd.service" and "journalctl -xe" for details.
dietpi@DietPi:~$ sudo systemctl status lighttpd.service
● lighttpd.service - Lighttpd Daemon
   Loaded: loaded (/lib/systemd/system/lighttpd.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2021-11-04 22:36:37 CET; 32s ago
  Process: 9788 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=255/EXCEPTION)

Nov 04 22:36:37 DietPi systemd[1]: lighttpd.service: Service RestartSec=100ms expired, scheduling restart.
Nov 04 22:36:37 DietPi systemd[1]: lighttpd.service: Scheduled restart job, restart counter is at 5.
Nov 04 22:36:37 DietPi systemd[1]: Stopped Lighttpd Daemon.
Nov 04 22:36:37 DietPi systemd[1]: lighttpd.service: Start request repeated too quickly.
Nov 04 22:36:37 DietPi systemd[1]: lighttpd.service: Failed with result 'exit-code'.
Nov 04 22:36:37 DietPi systemd[1]: Failed to start Lighttpd Daemon.
dietpi@DietPi:~$ sudo nano /etc/lighttpd/conf-available/99-dietpi-nextcloud.conf
dietpi@DietPi:~$ sudo systemctl restart lighttpd.service
dietpi@DietPi:~$ sudo systemctl status lighttpd.service
● lighttpd.service - Lighttpd Daemon
   Loaded: loaded (/lib/systemd/system/lighttpd.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2021-11-04 22:37:46 CET; 3s ago
  Process: 9808 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 9813 (lighttpd)
    Tasks: 1 (limit: 2088)
   CGroup: /system.slice/lighttpd.service
           └─9813 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Nov 04 22:37:45 DietPi systemd[1]: Starting Lighttpd Daemon...
Nov 04 22:37:46 DietPi systemd[1]: Started Lighttpd Daemon.
dietpi@DietPi:~$

The Errors above happen, when I uncomment those two Redirect Lines.

let’s check configuration

/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
dietpi@DietPi:~$ /usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
2021-11-04 22:44:51: (mod_openssl.c.445) SSL: BIO_read_filename('/etc/letsencrypt/live/MYDOMAIN/combined.pem') failed
2021-11-04 22:44:51: (server.c.1183) Initialization of plugins failed. Going down. 
dietpi@DietPi:~$

this is pointing to issue with SSL configuration. could you share content of

ls -la /etc/letsencrypt/live/MYDOMAIN/
dietpi@DietPi:~$ sudo ls -la /etc/letsencrypt/live/MYDOMAIN
total 20
drwxr-xr-x 2 root root 4096 Oct  7 17:58 .
drwx------ 4 root root 4096 Sep 28  2020 ..
-rw-r--r-- 1 root root  692 Sep 28  2020 README
lrwxrwxrwx 1 root root   49 Oct  7 17:58 cert.pem -> ../../archive/MYDOMAIN/cert9.pem
lrwxrwxrwx 1 root root   50 Oct  7 17:58 chain.pem -> ../../archive/MYDOMAIN/chain9.pem
-rw-r--r-- 1 root root 5488 Nov  4 15:58 combined.pem
lrwxrwxrwx 1 root root   54 Oct  7 17:58 fullchain.pem -> ../../archive/MYDOMAIN/fullchain9.pem
lrwxrwxrwx 1 root root   52 Oct  7 17:58 privkey.pem -> ../../archive/MYDOMAIN/privkey9.pem
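
Added example, not part of any post in this thread: the listing shows the parent directory /etc/letsencrypt/live as drwx------ root, and the lighttpd -tt test before it was typed at the dietpi prompt without sudo, so this script reports which path component the calling user cannot pass and whether a combined PEM holds both a certificate and a key. The script and its function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): explain why a process cannot load a
# lighttpd ssl.pemfile. Run it as the same user that runs the config test.

# Print the first component of an absolute path the current user cannot pass
# and return 1; print nothing and return 0 if every component is reachable.
first_blocked_component() {
    rest=${1#/}
    current=""
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue
        current="$current/$part"
        if [ -d "$current" ]; then
            # Directories need the search (x) bit to be traversed.
            [ -x "$current" ] || { printf '%s\n' "$current"; return 1; }
        elif [ ! -r "$current" ]; then
            # Missing or unreadable file (or a dangling symlink).
            printf '%s\n' "$current"; return 1
        fi
    done
    return 0
}

# A combined PEM must hold both the certificate and its private key.
pem_has_cert_and_key() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# Return 0 = loadable, 1 = path blocked for this user, 2 = file incomplete.
check_pemfile() {
    if ! blocked=$(first_blocked_component "$1"); then
        echo "cannot reach $blocked as $(id -un)"
        return 1
    fi
    if ! pem_has_cert_and_key "$1"; then
        echo "$1 lacks a certificate or a private key block"
        return 2
    fi
    echo "$1 is readable and holds certificate and key"
}

# Usage: sh <this script> /etc/letsencrypt/live/MYDOMAIN/combined.pem
[ -z "${1:-}" ] || check_pemfile "$1"
```

Running it once as dietpi and once with sudo against the combined.pem path shows whether the BIO_read_filename failure depends on the calling user.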

could you try running dietpi-letsencrypt again to recreate the certificate?

I did, but nothing has changed. Certificate Duration is until third of February.

Furthermore I have noticed, that there is another Folder at /etc/letsencrypt/live.
As far as I remember it has been created during another DynDNS attempt of mine (ddns.de). Should I delete that folder?
I am using the upper one.
2021-11-05_14-37.png

DDNS has nothing to do with certificate creation. It doesn’t matter how many DDNS you have. Inside /etc/letsencrypt/live you see all your certificates created. The last one was created back in September 2020 and the certificate should be expired already. You should be able to remove all related folders/files inside /etc/letsencrypt/

Once cleaned up, using dietpi-letsencrypt 1 should force recreation of your current certificate.

Just to make sure that I make no mistake.
Inside /etc/letsencrypt I shall now delete all files/folders with (sudo) rm -rf and afterwards then dietpi-letsencrypt 1?

What I don't understand is why this is a concern now, but not with Version 20.xx before.
2021-11-05_17-24.png

Issue with web server is not related to NC as this is just a web app. Basically go inside each sub folder and remove stuff not needed.

Hmm… I don't really get it.
This is what I have planned to do:

sudo rm -rf /etc/letsencrypt/ and afterwards sudo dietpi-letsencrypt 1

Can you confirm this? Do I risk losing my SSH-Connection this way?
I am asking, because it is a Raspberry, which is not located at my house.