Https lets-encrypt still not possible on Pop!_OS?

When I enter sudo nextcloud.enable-https lets-encrypt in my Pop!_OS snap install, I get the same error described here in 2020: Cannot enable https: unable to read /etc/os-release on Pop!_OS · Issue #1348 · nextcloud-snap/nextcloud-snap · GitHub

Is it still not possible to run https lets-encrypt on Pop!_OS? The self-signed https works.

The solution posted at the bottom of the link above:

sudo ln -f /etc/os-release /etc/pop-os/os-release
sudo mkdir -p /var/snap/nextcloud/current/certs/certbot
sudo nextcloud.enable-https lets-encrypt

solves the https problem, but then when I type sudo apt update, I get the following warning:

** (appstreamcli:1227999): WARNING **: 14:09:59.028: Unable to read /etc/os-release file.

I don’t know if that is important.

/etc/os-release belongs to the package base-files

I think this is your problem. :wink:

Post the output of these commands to find your correct operating system and version:

uname -a
cat /etc/issue
cat /etc/os-release
dpkg -l |grep base-files
sudo -u www-data cat /etc/os-release

Maybe then we can recreate the file /etc/os-release from repository if it is broken.

Sorry, I do not know Pop!_OS and its versions. I think it is not a good idea to use Pop!_OS for Nextcloud. Is it also possible to use only LTS releases (20.04 LTS, 22.04 LTS)? Or do you upgrade every 6 months? That would not be a good idea for server software like Nextcloud. Also, additional software (here Pop!_OS added to Ubuntu) makes additional problems. :wink: The same applies to snap. :wink:

1 Like
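The checks requested in the reply above can be scripted. This is an added example, not part of the original posts or of the Nextcloud snap: `check_os_release` and `os_release_field` are hypothetical helper names, and the sample file is constructed.

```shell
# Added example; check_os_release and os_release_field are hypothetical helpers.

# Print one state word for the given path; return non-zero unless it is "ok".
check_os_release() {
    path="${1:-/etc/os-release}"
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "dangling-symlink"; return 1      # link exists, its target does not
    elif [ ! -e "$path" ]; then
        echo "missing"; return 1
    elif [ ! -f "$path" ]; then
        echo "not-a-regular-file"; return 1    # e.g. a directory
    elif [ ! -r "$path" ]; then
        echo "unreadable"; return 1            # permission problem for this user
    elif ! grep -Eq '^[A-Z][A-Z0-9_]*=' "$path"; then
        echo "no-assignments"; return 1        # empty or truncated content
    fi
    echo "ok"
}

# Read one KEY by parsing the file instead of sourcing it: the format is
# shell-compatible, so "source" in a root script would run whatever it holds.
os_release_field() {
    key="$1"; path="${2:-/etc/os-release}"
    sed -n "s/^${key}=//p" "$path" | head -n 1 \
        | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Constructed sample file (not taken from a real system) to exercise both helpers.
sample=$(mktemp)
printf 'NAME="Example OS"\nID=exampleos\nVERSION_ID="22.04"\n' > "$sample"
echo "state: $(check_os_release "$sample")  id: $(os_release_field ID "$sample")"
rm -f "$sample"
```

Run it once as your own user and once as the service user to compare results; a file that is `ok` for one and `unreadable` for the other points at permissions rather than content.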

Thanks for your help! Can you explain what I have done with the above command that broke things?

I think I may have to start from scratch and drop the idea of using PopOS and instead use Ubuntu. Even if we fix the os-release file like you describe, I’ll still be back to square one with the https problem.

What would your recommendation be for a nextcloud install on a linux OS desktop that’s used for other things too?

My recommendation would be to use a separate device for server applications, especially if you expose them to the internet. If you absolutely have to run it on your desktop, the Snap package is probably one of the better choices because it provides at least some isolation from the underlying system.

But keep in mind that Canonical is developing Snapd primarily with desktop applications in mind, which are most likely not affected by this issue. Also, the developers of the Nextcloud Snap package do their testing primarily on Ubuntu, and while it is true that Pop!_OS is based on Ubuntu, it still does many things differently.

Another, slightly better option than installing the Snap directly on your desktop OS, would be to run it in a VM. You could use VirtManager or VirtualBox and run a VM with Ubuntu Server and then install the snap package inside that VM.

1 Like

Thanks for taking the time to reply and explain. I keep hearing on privacy-oriented podcasts that a Nextcloud install is easy, but I’m still finding it challenging, even as someone now a little more familiar with linux command line.

I am running Nextcloud on a separate device, but it has just one other thing running on it that I can’t do without GUI, hence this setup. I have wiped the PC and am starting over with Ubuntu.

If you don’t mind, can I ask a question about running an outward, internet-facing Nextcloud snap like this? When you open ports 80 and 443 on your router and point them at the machine running Nextcloud (opening the same ports for ufw), I understand that the Nextcloud snap instance is ‘listening’ on those ports, but is opening those ports in any way a vulnerability for the rest of the system? In other words, could an attacker navigate around the Nextcloud snap and access the rest of the system like this? I remember a long time ago I set up Ubuntu server with a reverse proxy, and I remember the whole point of that was to channel and control all incoming requests on those ports. It seems to me that with this snap setup, you’re kind of opening up your system to the web. Thanks if you have time to answer.

I would still consider running Ubuntu server without GUI. The potential attack surface is simply smaller the fewer services you run on a server. And at the end of the day, I don’t see many things where a GUI would be useful in this particular use case. The Ubuntu Server installer afaik even offers an option to install the Nextcloud Snap during the install process of the OS. Also most if not all of the tools and scripts to maintain the Nextcloud snap package are command line based anyways… GitHub - nextcloud-snap/nextcloud-snap: ☁️📦 Nextcloud packaged as a snap.

But if you feel more comfortable with a GUI, I’d say the extra “risk” is acceptable if it’s running on a separate machine.

Not directly. But in theory if there is a security flaw in the Snap daemon it could be possible that a malicious actor could gain access to the underlying OS. But I wouldn’t worry too much about that. Just make sure that you keep everything up to date.

Thank you, that helps a lot. Maybe I should investigate how to run the whole machine in command line. I appreciate your time and the helpful information.

1 Like

I think the best solution for you is an Ubuntu 22.04 LTS system. There you can also install a desktop environment e.g. gnome.

But please use only LTS versions every two years. Disadvantage is that your desktop apps are then somewhat outdated over the two years. But you save the madness every 6 months to update everything.

Maybe you can install Ubuntu 20.04 LTS e.g. with GNOME, apache2, php, MariaDB, Nextcloud, … I think I would not use Snap. I do not like Snap. OK, I also do not really like Ubuntu. I think I would use Debian (desktop and server, release stable actual Bullseye). :wink:

1 Like

Thank you. With the above, do you mean update every two years? That should be ok, as I am only running one other package on the system.

If you are gonna use the snap package you could even wait up to five years before you upgrade to a newer Ubuntu LTS version, because Snaps are self-contained and will get updated independently. But you still have to keep the currently installed LTS version up to date for the security patches.

1 Like

Independent from snap:
You must install security patches regularly. But you change after two years from 22.04 LTS to 24.04 LTS and not every 6 months from 22.04 LTS to 22.10, 23.04, 23.10 to 24.04 LTS.