Nextcloud version: 28.0.1
Operating system and version: Debian 12 (Bookworm)
Apache or nginx version: Apache 2.4.57
PHP version: 8.2.7
The issue you are facing:
I know, this has been discussed in this forum several times, but I am somehow not able to find a answer to my problem:
In my Nextcloud, the error description of a missing HTTP Strict Transport Security header appears.
The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS.
But when I add the lines to my nextcloud.conf file in the Apache config folder as described in the docs, nothing changes.
Interestingly, it works, when I add the same lines to the .htaccess file of the Nextcloud installation, but obviously, after every update, the problem appears again.
Does anybody have an idea what my problem could be?
Here is my Apache config file:
VirtualHost *:80>
ServerName my.server.org
Redirect permanent / https://my.server.org/
RewriteEngine on
RewriteCond %{SERVER_NAME} =my.server.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/nextcloud/
ServerName my.server.org
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
<Directory /var/www/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
SSLCertificateFile /etc/letsencrypt/live/my.server.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.server.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =my.server.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Is this the first time you’ve seen this error?
No
The output of your Nextcloud log in Admin > Logging:
(It is empty.)
The output of your Apache/nginx/system log in /var/log/apache2/error.log:
[Wed Dec 27 00:00:01.546459 2023] [ssl:warn] [pid 6597] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Wed Dec 27 00:00:01.546551 2023] [mpm_prefork:notice] [pid 6597] AH00163: Apache/2.4.57 (Debian) OpenSSL/3.0.11 configured -- resuming normal operations
[Wed Dec 27 00:00:01.546555 2023] [core:notice] [pid 6597] AH00094: Command line: '/usr/sbin/apache2'
[Wed Dec 27 03:48:58.433906 2023] [php:error] [pid 12764] [client 1.123.123.123:12345] script '/var/www/html/echo.php' not found or unable to stat, referer: https://www.google.com/
[Wed Dec 27 06:44:48.313609 2023] [mpm_prefork:notice] [pid 6597] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
[Wed Dec 27 06:44:48.349923 2023] [ssl:warn] [pid 6597] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Wed Dec 27 06:44:48.350017 2023] [mpm_prefork:notice] [pid 6597] AH00163: Apache/2.4.57 (Debian) OpenSSL/3.0.11 configured -- resuming normal operations
[Wed Dec 27 06:44:48.350022 2023] [core:notice] [pid 6597] AH00094: Command line: '/usr/sbin/apache2'
[Wed Dec 27 06:44:52.772560 2023] [mpm_prefork:notice] [pid 6597] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
[Wed Dec 27 06:44:52.800281 2023] [ssl:warn] [pid 6597] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Wed Dec 27 06:44:52.800355 2023] [mpm_prefork:notice] [pid 6597] AH00163: Apache/2.4.57 (Debian) OpenSSL/3.0.11 configured -- resuming normal operations
[Wed Dec 27 06:44:52.800359 2023] [core:notice] [pid 6597] AH00094: Command line: '/usr/sbin/apache2'
Thank you for you support!
nicleobonus