Expired security certificate

PHP
Version: 8.1.16

Memory limit: 512 MB

Extensions: Core, date, libxml, openssl, pcre, zlib, bcmath, bz2, ctype, curl, dom, hash, fileinfo, filter, ftp, gd, gmp, json, iconv, intl, SPL, ldap, mbstring, pcntl, PDO, session, posix, Reflection, standard, SimpleXML, mysqlnd, exif, tokenizer, xml, xmlreader, xmlwriter, zip, pdo_mysql, cgi-fcgi, redis, Zend OPcache

Database
Type: mysql

Version: 8.0.32
Size: 69.1 MB

Ubuntu 22.04
Current version of snap

Hey guys, so I am having an issue with my cert and can't seem to renew it. I know that Snap makes everything difficult, so I was thinking about just having my HAPROXY server just take over the cert responsibilities. How difficult would it be to completely disable SSL on the server side and just have the proxy do the heavy lifting? Would it break the server? Thank you!

You can manage the certificate on the reverse proxy. You will probably need to set the overwriteprotocol parameter.

It may not be necessary to disable HTTPS on the backend server. You can simply have the reverse proxy go to HTTP typically, although you may want to stop certbot in snap so it isn’t sending unwanted cert requests.


Thank you for your help! Is this override parameter part of a config file? Where would I find the config file? Currently I can't do anything as it's stuck using an expired cert. Do I need to do anything with the certs or just change the config to 80?

You can set the overwrite parameter in config.php, but I always recommend using occ whenever possible for safety reasons. Here is that part.

https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters

I don’t think I can give much guidance on HAPROXY, but yes you would probably just run HTTP from there to the snap’s Apache instance.

@KarlF12 Okay, great. While I try to figure that out, is there a way to manually update the cert on the snap version to get me back on track?

Have you considered another installation method? There are many.

You can simply run sudo nextcloud.disable-https to make the snap only listen on port 80 again, but if you were previously using Let’s Encrypt you’ll have HSTS to deal with. Your browser will probably not want to visit it over HTTP unless you clear history for the site until you get HTTPS set back up on the reverse proxy.
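A sketch of the setup discussed in this thread, added here as an illustration and not posted by anyone in the thread: HAProxy terminates TLS and forwards plain HTTP to the snap. The hostname, IP addresses, certificate path and section names are assumptions; the `trusted_proxies` setting is not mentioned above but is a standard Nextcloud reverse-proxy parameter.

```haproxy
# Added example, not from the thread. Assumed values (replace with your own):
#   cloud.example.com  public hostname
#   192.0.2.10         Nextcloud snap host (backend)
#   192.0.2.20         HAProxy host
#
# On the Nextcloud snap host, before pointing the proxy at it:
#   sudo nextcloud.disable-https      # snap listens on port 80 only
#   sudo nextcloud.occ config:system:set overwriteprotocol --value="https"
#   sudo nextcloud.occ config:system:set trusted_proxies 0 --value="192.0.2.20"
#
# overwriteprotocol makes Nextcloud generate https:// links even though the
# request reaches it over HTTP; trusted_proxies tells it to accept the
# X-Forwarded-* headers only from the proxy address.

frontend nextcloud_http
    mode http
    bind :80
    # Browsers that cached HSTS from the old Let's Encrypt setup refuse HTTP
    # anyway; send everyone else to HTTPS as well.
    http-request redirect scheme https code 301

frontend nextcloud_https
    mode http
    # PEM file holding the certificate chain and private key (assumed path).
    bind :443 ssl crt /etc/haproxy/certs/cloud.example.com.pem
    http-request set-header X-Forwarded-Proto https
    default_backend nextcloud_snap

backend nextcloud_snap
    mode http
    # Adds X-Forwarded-For so Nextcloud logs and throttles the real client IP.
    option forwardfor
    # Traffic on this hop is unencrypted: keep it on a trusted network and
    # firewall port 80 on the snap host so only the proxy can reach it.
    server snap 192.0.2.10:80 check
```

Running `haproxy -c -f /etc/haproxy/haproxy.cfg` checks the file before a reload. Once the proxy serves a valid certificate for the same hostname, browsers holding the old HSTS entry can connect again without clearing site history.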