Certificats with Windows CA

Hi to all,

i have a problem. I have an Windows CA, an SophosUTM an Snap Nextcloud-Server.
The SophosUTM is my reverseProxy and works perfekt. It requires all Certificates to do his job. So i need to import the whole Certificate of my Nextcloud in it.
My WindowsCA runs on an DomainController on Windows2012R2.
The NextCloud is an snap on UbuntuServer-Running. Virtualized on the Windows Server which hosts the CA and the virtualized SophosUTM

I want to run the Nextcloud in HTTPS for Security. I tried to run the Nextcloud with an SelfSign-certificate but i cannot export the self-sign with an Password and the SophosUTM requires an Password to Import an certificate.
“nextcloud.enable-https self-signed” runs the Nextcloud perfekt behind my sophosUTM but i cannot get the Certificate in my Sophos because as i written before the Sophos requires an Password :angry:
Running an Certificate an my CA cannot import probarly in the Snap because it wants the CRL and this is not the right format.

The whole thing makes me crazy.
I want if it’s possible to run my Nextcloud with an Certificate of my CA and reachable through my reverseproxy so that my nextcloud is reachable in internet.

Hi @MrB

The SSL certificates are not handled by Nextcloud, but by the web server, respectively by a separate acme client like certbot. How exactly did you install Nextcloud? Manually, Snap Package, Docker…?

i thought it was clear, because i have written “…an Sophos UTM an Snap Nextcloud-Server”. It is an Snap Package.

Ah my mistake. I must have overlooked that.

I don’t use the Snap package my self, but I think the certificates are stored in /var/snap/nextcloud/current/certs/


No Problem. I sometimes also overlooking something :slight_smile:

yes indeed they are stored there in /var/snap/nextcloud/current/. i tried it also. i have problems with the CertChain because it will be given in p7b and so not usable in linux. even tried to convert it already with comments in internet and it does not work.

Hmm that’s odd. I can’t imagine that they use certificates in p7b format. The snap package is based on Linux and Apache, where normally pem certificates are used…

So I did a test installation:

sudo snap install nextcloud

sudo snap nextcloud.enable-https self-signed
/var/snap/nextcloud/current/certs/self-signed# ls -al
total 16
drwxr-x--- 2 root root 4096 Feb  5 14:37 .
drwx------ 4 root root 4096 Feb  5 14:37 ..
-rw-r--r-- 1 root root 1805 Feb  5 14:37 cert.pem
lrwxrwxrwx 1 root root   54 Feb  5 14:37 chain.pem -> /var/snap/nextcloud/current/certs/self-signed/cert.pem
-rw------- 1 root root 3272 Feb  5 14:37 privkey.pem

Looks like pem to me, but I’m no expert…

no i was also something thinking wrong. I thought that you want to give me a possibility for using my CA in windows.
Okay the sophos wants PKCS#12 and the nextcloud does only make pem files and also as written above ""nextcloud.enable-https self-signed” runs the Nextcloud perfekt behind my sophosUTM but i cannot get the Certificate in my Sophos because as i written before the Sophos requires an Password "

Ok sorry, I can only help with the snap package, which btw does nothing else than any other Linux server with Apache would do. Maybe you can terminate the ssl connection on the sophos box and then use the self signed certificates from the snap for the connection from the sophos to the snap. But how to do that would be a question for the Sophos forums…

If you want to have an end-to-end SSL chain with your sophos as man-in-the middle, and everything has to be signed by your root CA, you have to import your existing certifactes to in the snap. Maybe this thread can help you with that… Help needed with installing a third party SSL Cert

hi to everyone,
it works :smiley: :smiley: :heart_eyes: :star_struck:
openssl pkcs12 -export -in nextcloud.cer -inkey nextcloud.key -out /home/nextcloud/nextcloud.p12
then my key was “merged” with the Cert and i got an valid bundel. This downloaded and put in my sophos makes it work. the only thing is that it is marked as untrusted_domain i have to search again the doku. but i know this error.
thanks for all bb77!

1 Like

tata fixed. i remembered a known issue reported by myself with sophosutm together. passing hostheader at sophos makes it work. I’m so happy at the moment :heart_eyes: :heart_eyes: :heart_eyes: :heart_eyes: :heart_eyes: :heart_eyes: :star_struck: :star_struck: :star_struck: :star_struck: :star_struck: :star_struck: :star_struck: :star_struck: :star_struck: :heart_eyes: :heart_eyes: :heart_eyes: :heart_eyes: :heart_eyes: :heart_eyes: :heart_eyes: :heart_eyes: