How to export private certificates

Since the SSL certs are auto-updated every 90 days, how do I export the certs so that our firewall can do content inspection?

Hi @dmay.cuny

Aside from the fact that this topic is not really Nextcloud specific, one would need a lot more information about your network and server infrastructure before they could even begin to think about giving you any kind of educated advice.

Just this much: transparent traffic inspection on edge firewalls is a dying breed, precisely because today everything runs over HTTPS and therefore IPS/IDS is shifting more and more to the endpoints. You could use a web proxy, but that comes with its own challenges, especially as Encrypted SNI, Encrypted Client Hello, and HTTP3/QUIC gain more traction…

Inspect traffic from client devices:

  • Client devices → web proxy → Internet. This requires the web proxy certificate to be installed on the client devices.

Inspect traffic to a web application server:

  • Client devices → reverse (web) proxy → web application server. In this case you would inspect the traffic on the reverse proxy, and there would be no need to copy certificates back and forth because the reverse proxy is also the HTTPS endpoint.
1 Like

No. That wasn't my question. At all.

My firewall does the traffic inspection for me. All I need is the SSL certs from Nextcloud to then import into my firewall to do the inspection.

How do I export the private key and cert chain from Nextcloud so that I can import them into my firewall?

Nextcloud has no SSL certs and keys.
You need to check the config of your web server.

1 Like

Where the actual certificate files are stored depends on the operating system, the installation type, and how exactly you obtained the certificates. For example, if you are using Certbot on a Debian or Ubuntu system, they are stored in /etc/letsencrypt/live/cloud.yourdomain.tld/.

Also, since the web server handles HTTPS, as @rakekniven already said, you should be able to find the path to the certificate files in your web server’s SSL configuration:

Example in Apache:

SSLCertificateFile /etc/letsencrypt/live/cloud.yourdomain.tld/fullchain.pem
SSLCACertificateFile /etc/letsencrypt/live/cloud.yourdomain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.yourdomain.tld/privkey.pem

1 Like

Well, Nextcloud does maintain the Nextcloud SNAP package on GitHub, and that DOES include an automated, trusted cert renewal.

So I realize I probably need to extract them via an openssl CLI command, but I didn’t know how the SNAP package was architected, whether it would allow for this, or whether its cert config was non-standard.

I don’t use snap myself, but according to their documentation, it looks like the keys and certificates are stored in: /var/snap/nextcloud/current/

https://github.com/nextcloud-snap/nextcloud-snap#where-is-my-stuff

@bb77 is right, /var/snap/nextcloud/current/certs is the correct location.
See also: managing encryption

Since the cert renewals are automated in the SNAP package there must be a password required to access and export the private cert and chain files, or is root access enough?

Yes, sudo will suffice.
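The steps discussed above (read the certificate and key paths from the web server's SSL config, then bundle them with openssl for the firewall) as one script; this is an added example, not code from the thread or from the Nextcloud project, and the function names, the vhost file passed in and the export password are assumptions. It checks that the key really belongs to the certificate before writing the PKCS#12 file, since a stale copy after a 90-day renewal is the usual failure mode.

```shell
#!/bin/sh
# Added example (not from the thread): collect the certificate and private key
# paths from an Apache SSL vhost, check that they belong together, and bundle
# them as PKCS#12 for import into a firewall. Run as root (sudo), since the
# private key is only readable by root. Names and paths are assumptions.
set -e

# Print the argument of an Apache directive (first match), quotes stripped.
apache_directive() {  # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Succeed only if the public key inside the certificate equals the one derived
# from the private key, i.e. the two files are a matching pair.
key_matches_cert() {  # $1 = certificate PEM, $2 = private key PEM
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Build a .p12 from the vhost's SSLCertificateFile / SSLCertificateKeyFile.
# $1 = Apache vhost config, $2 = output .p12 path, $3 = export password
export_for_firewall() {
    cert=$(apache_directive "$1" SSLCertificateFile)
    key=$(apache_directive "$1" SSLCertificateKeyFile)
    [ -n "$cert" ] && [ -n "$key" ] || { echo "SSL directives not found in $1" >&2; return 1; }
    key_matches_cert "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }
    # The bundle contains the private key: create it readable by the owner only.
    umask 077
    # fullchain.pem already carries the intermediates, so no extra -certfile is needed.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$2" -passout "pass:$3"
}
```

Because the certificate is replaced every 90 days, the export has to be repeated after each renewal (for example from a renewal hook), otherwise the firewall keeps inspecting with the old key.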