
How to Fix the “Trusted Domains” Error in Nextcloud on Umbrel

If you are running Nextcloud on an Umbrel server, you may eventually encounter a screen that blocks access with the message: “Access through untrusted domain.”

This is one of the most common configuration hurdles for self-hosters. It typically occurs when you attempt to access your Nextcloud instance via a new IP address, a different hostname (such as a Tailscale VPN address), or after migrating your Umbrel installation to new hardware. While the error is frustrating, it is a critical security feature designed to prevent HTTP Host header poisoning attacks.

This guide provides a comprehensive, technical solution to whitelist your new domain or IP address directly within the Nextcloud container on Umbrel OS.

What This Error Actually Means

Nextcloud maintains a whitelist of permitted domains and IP addresses in its configuration file (config.php). This whitelist is defined in the trusted_domains array.

When an HTTP request reaches the Nextcloud server, the application checks the Host header of the request against this array. If the header (e.g., 192.168.1.50 or nextcloud.local) does not match an entry in the whitelist, Nextcloud rejects the request immediately to prevent potential spoofing.

On Umbrel, this configuration is automatically generated during the initial installation. However, because Umbrel acts as a wrapper around Docker containers, manual intervention is required when your network environment changes.

Main Causes

The “untrusted domain” error on Umbrel is almost always caused by one of the following scenarios:

  1. DHCP IP Rotation: Your router assigned a new local IP address to your Umbrel device, but Nextcloud is still configured to trust the old IP.
  2. Remote Access Tools: You are trying to access Nextcloud via Tailscale, ZeroTier, or a reverse proxy that uses a different IP range or hostname than the local network.
  3. Migration: You moved your SSD to a new Raspberry Pi or Mini PC, resulting in a network interface change.
  4. Hostname usage: You are accessing via umbrel.local when the config expects an IP, or vice versa.

Step-by-Step Fix

To fix this, you must edit the Nextcloud configuration. The most reliable method on Umbrel is using the occ (Nextcloud command-line interface) via Docker.

Prerequisites:

  • SSH access to your Umbrel server.
  • The new IP address or domain you wish to trust.

Step 1: SSH into your Umbrel

Open your terminal (macOS/Linux) or PowerShell (Windows) and connect to your Umbrel device.

ssh umbrel@umbrel.local
# Default password is usually your dashboard password or 'moneyprintergobrrr' on older versions.

Step 2: Locate the Nextcloud Container

Umbrel runs applications in isolated Docker containers. You need to identify the exact name of your Nextcloud container.

Run the following command:

docker ps | grep nextcloud

Look for the container name, which is usually formatted as nextcloud_web_1 or similar.

Step 3: Verify Current Trusted Domains

Before making changes, check the current configuration to confirm the issue. Run the following command (replace nextcloud_web_1 with your actual container name if different):

docker exec -u www-data nextcloud_web_1 php occ config:system:get trusted_domains

Note: We use -u www-data to run the command as the correct web server user.

Output Example:

localhost
umbrel.local
192.168.1.10

If the IP address you are currently using to access Nextcloud is missing from this list, that is the root cause.

Step 4: Add the New Trusted Domain

You can append a new domain or IP to the list using the config:system:set command. Nextcloud uses an array index for these entries, so you need to pick the next available number (e.g., if you have 0, 1, and 2, use 3). Writing to an index that is already in use replaces the entry stored there.

Command Syntax:

docker exec -u www-data nextcloud_web_1 php occ config:system:set trusted_domains [INDEX] --value=[YOUR_NEW_IP]

Practical Example (Adding a Tailscale IP): Assuming your Tailscale IP is 100.80.50.25 and you want to add it at index 3:

docker exec -u www-data nextcloud_web_1 php occ config:system:set trusted_domains 3 --value=100.80.50.25

Step 5: Verify and Restart

Run the get command from Step 3 again to verify the new IP is listed. Once confirmed, you should be able to refresh your browser and access Nextcloud immediately. A full container restart is generally not required for config.php changes, but if issues persist, restart the app via the Umbrel dashboard.
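
Steps 3 to 5 as one script, added here as an example (not Umbrel's or Nextcloud's own tooling): it skips entries that are already listed, derives the index from the current listing so an existing entry is not overwritten, and rejects values that are not a bare host or IP. It assumes the indices are contiguous from 0, as in the output above; the function names are hypothetical and nextcloud_web_1 is the container name used on this page.

```sh
#!/bin/sh
# Added example: Steps 3-5 as one idempotent script (function names are hypothetical).
# Usage: ./trust-domain.sh <host-or-ip> [container]

# Count entries in the plain listing from `occ config:system:get trusted_domains`
# (stdin, one per line). Assumes indices are contiguous from 0, so count == next index.
next_index() {
    grep -c . || true
}

# Succeed if $1 is already in the listing on stdin. -F and -x force a literal,
# whole-line match, so 192.168.1.1 does not match 192.168.1.10.
is_listed() {
    grep -qixF -- "$1"
}

# Accept only a bare hostname or IP, optionally with :port.
# Rejects empty values, a scheme or path (http://...), and the '*' wildcard.
valid_entry() {
    case $1 in
        ''|-*|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    return 0
}

occ() {
    docker exec -u www-data "$CONTAINER" php occ "$@"
}

add_trusted_domain() {
    entry=$1
    valid_entry "$entry" || { echo "refusing '$entry': not a bare host or IP" >&2; return 2; }
    current=$(occ config:system:get trusted_domains) || return 1
    if printf '%s\n' "$current" | is_listed "$entry"; then
        echo "$entry is already trusted"
        return 0
    fi
    idx=$(printf '%s\n' "$current" | next_index)
    occ config:system:set trusted_domains "$idx" --value="$entry" || return 1
    # Step 5: re-read the list and confirm the entry landed
    occ config:system:get trusted_domains | is_listed "$entry"
}

# Only touch Docker when a host/IP was passed on the command line
if [ "$#" -ge 1 ]; then
    CONTAINER=${2:-nextcloud_web_1}
    add_trusted_domain "$1"
fi
```
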

Alternative: Editing config.php Manually

If you prefer editing files directly or cannot run Docker commands, you can edit the file on the host filesystem.

  1. Navigate to the Nextcloud app data directory:

cd ~/umbrel/app-data/nextcloud/data/config

  2. Edit the file using Nano:

nano config.php

  3. Locate the trusted_domains array block:

'trusted_domains' =>
array (
  0 => 'localhost',
  1 => 'umbrel.local',
  2 => '192.168.1.X',
),

  4. Add your new line, ensuring you maintain the syntax (comma at the end of the line).
  5. Press Ctrl+X, then Y, then Enter to save.

When It’s a Hardware Limitation

While the “Trusted Domain” error is a software configuration issue, hardware limitations can sometimes mimic connectivity problems or cause configuration drift.

1. Raspberry Pi vs. Mini PC

On Raspberry Pi 4 (especially 4GB models), running Nextcloud alongside the Bitcoin node and Electrum server can lead to I/O bottlenecks. If the system hangs during boot due to slow I/O, the network stack might initialize late, causing the Nextcloud container to grab an incorrect internal IP or fail to bind to the correct interface. If you frequently lose access despite correct configs, consider migrating to a Mini PC (NUC) architecture.

2. SSD Enclosure Issues

Cheap USB-to-SATA adapters often cause file system corruption on Umbrel. If your config.php file suddenly becomes empty or unreadable, leading to an “Internal Server Error” rather than a “Trusted Domain” error, this is likely a hardware fault with your drive controller, not a Nextcloud bug.

When Reinstalling Is Necessary

You should only consider uninstalling and reinstalling the Nextcloud app on Umbrel if:

  1. The config.php is corrupted: The file is empty or contains garbage characters and you do not have a backup.
  2. Permission Errors: You manually edited files using root instead of www-data and broke the ownership permissions recursively, making the container unbootable.
  3. Database Inconsistencies: You resolved the domain issue, but now face persistent SQL errors that occ maintenance:repair cannot fix.

Warning: Uninstalling the app via the Umbrel dashboard will delete your data unless you have a separate backup.

How to Prevent It in the Future

To avoid facing this error repeatedly:

  1. Set a Static IP: Configure a static IP address for your Umbrel device in your router’s DHCP settings. This ensures your local access IP never changes.
  2. Use mDNS: Rely on http://umbrel.local instead of the raw IP address when possible, as this hostname is whitelisted by default.
  3. Tailscale MagicDNS: If using Tailscale, add your full Tailscale machine name (e.g., umbrel.tail-scale.ts.net) to the trusted domains list once, and use that URL for remote access.

FAQ

Q: Can I disable trusted domains completely?
A: Technically yes, by allowing * as a value, but this is highly insecure and strongly discouraged. It opens your instance to host header poisoning.

Q: I added the IP but still get the error. Why?
A: You may be accessing via HTTPS (port 443) but defined the trust for HTTP, or vice versa. Additionally, ensure you are not behind a strict firewall or using a browser extension that forces a different header. Clear your browser cache.

Q: Does this fix work for “Strict Transport Security” warnings?
A: No. HSTS warnings are related to SSL/HTTPS headers. Trusted domains are strictly about the hostname/IP being used to access the server.

Q: Can I run the occ command from the Umbrel UI?
A: No. Umbrel does not currently provide a terminal interface within the dashboard for app-specific commands. You must use SSH.

Conclusion

The “Access through untrusted domain” error in Nextcloud on Umbrel is a safeguard, not a system failure. It confirms that your security settings are active. By using the occ command within the Docker container, you can safely whitelist new IP addresses or VPN domains without risking file permission errors. Always prioritize setting a static IP for your server to minimize the need for these adjustments in the future.

