"Insecure URLs", "Strict-Transport-Security" HTTP header


Nextcloud version (eg, 20.0.5): 25.0.2
Operating system and version (eg, Ubuntu 20.04): Ubuntu 22.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.54
PHP version (eg, 7.4): 8.1.13

The issue you are facing:
I’m getting “You are accessing your instance over a secure connection, however your instance is generating insecure URLs.” and “The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds.” warnings despite being fairly certain that my nextcloud-le-ssl.conf is set correctly. I’m thinking that the issue is related to something I broke in apache, but I’m not sure what that’d be…

nextcloud-le-ssl.conf

```
<VirtualHost *:443>
        DocumentRoot "/var/www/nextcloud"
        ServerName nextcloud

        <Directory "/var/www/nextcloud/">
                Options MultiViews FollowSymlinks
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>

        TransferLog /var/log/apache2/nextcloud
        ErrorLog /var/log/apache2/nextcloud

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias cloud.saeumii.xyz
SSLCertificateFile /etc/letsencrypt/live/cloud.saeumii.xyz/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.saeumii.xyz/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
        DocumentRoot "/var/www/nextcloud"
        ServerName cloud.saeumii.xyz

        <Directory "/var/www/nextcloud/">
                Options MultiViews FollowSymlinks
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>

        TransferLog /var/log/apache2/nextcloud.log
        ErrorLog /var/log/apache2/nextcloud.log


</VirtualHost>
</IfModule>
```

Is this the first time you’ve seen this error? (Y/N):
Y

Steps to replicate it:
I’m not even sure. I think running updates broke something. I don’t remember seeing the warnings before doing “sudo apt install update” and “sudo apt autoremove” or whatnot

The output of your Nextcloud log in Admin > Logging:
Nothing that seems relevant [the most recent entry is as below]

dns_get_record(): A temporary server error occurred. at /var/www/nextcloud/lib/private/Http/Client/DnsPinMiddleware.php#83

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

```
<?php
$CONFIG = array (
  'instanceid' => 'occgteo5ijbf',
  'passwordsalt' => '-',
  'secret' => '-',
  'trusted_domains' =>
  array (
    0 => 'cloud.saeumii.xyz',
  ),
  'datadirectory' => '/var/www/nextcloud_data/data',
  'dbtype' => 'mysql',
  'version' => '25.0.2.3',
  'overwrite.cli.url' => 'http://cloud.saeumii.xyz',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '-',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'default_phone_region' => 'US',
  'loglevel' => 2,
  'maintenance' => false,
  'theme' => '',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '',
  'mail_smtppassword' => '',
);
```

The output of your Apache/nginx/system log in /var/log/____:
Not sure it has anything relevant

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.
Not sure that has anything relevant either. Will provide if necessary though

Hi,

did you enable mod_headers? sudo a2enmod headers

“Module headers already enabled”

“Module headers already enabled”

sorry about the repost, i wasn’t sure if i replied to you properly-

The error indicates that this is related to DNS configuration of your server. I assume that Nextcloud tests the DNS Server before doing any update/upgrade.

There was a bug years ago and maybe it returned. https://bugs.php.net/bug.php?id=73149

https://github.com/nextcloud/server/blob/master/lib/private/Http/Client/DnsPinMiddleware.php#L83

the admin log error? I just included it because the form asked me to- i’m not even sure it’s relevant to my problem

Yes - I just thought it could help as well :wink:

Did you try to set the default value as max age that nextcloud complains about?
max-age=15552000

You could also add env=HTTPS…

```
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" env=HTTPS
```

Please check your .htaccess file for the following section:

```
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
```

I’m pretty sure the log error is just a remnant of when I was trying [and failing] to set my email server. Probably shouldn’t have included it honestly…

the value of max age in nextcloud-le-ssl.conf is already 63072000, so I don’t think that’d change anything

I added env=HTTPS to nextcloud-le-ssl.conf and

```
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
```

to .htaccess, since it wasn’t already there, and restarted apache, but the warnings are still there

I managed to fix this warning by adding
'overwriteprotocol' => 'https',
to config.php

now to figure out why The “Strict-Transport-Security” HTTP header is apparently not getting set properly

Perhaps because the CLI URL is set to http as well?

doesn’t seem like it. changed the cli url to “https:// …” but I’m still getting the http header warning

i have no clue what i did, but i ran a few commands [maintenance:repair, cron.php] and suddenly the http header warning disappeared. The only thing I can think of that I did differently this time was set

```
* * * * * php -f /var/www/nextcloud/cron.php --define apc.enable_cli=1
```

in

```
sudo crontab -e -u www-data
```

and run

```
sudo -u www-data php -f /var/www/nextcloud/cron.php --define apc.enable_cli=1
```

but since i wasn’t guessing and checking, I have no idea which specific operation helped to clear the warning…

maybe these steps can help someone else, but i’m not including this in the solution bc i have no idea what I did specifically to solve the problem

side note: the Your web server is not properly set up to resolve “/.well-known/caldav” and Your web server is not properly set up to resolve “/.well-known/carddav” notices also disappeared at the same time
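
Added example, not part of the thread or of Nextcloud's code: a shell check that reads raw response headers and reports whether the Strict-Transport-Security header actually being served meets the 15552000-second minimum quoted in the warning, which separates "the directive is in the config" from "the header reaches the client". The function names, the sample responses and the host in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Minimum max-age taken from the warning text quoted in the thread.
MIN_MAX_AGE=15552000

# hsts_max_age: read response headers on stdin and print the max-age value of
# the FIRST Strict-Transport-Security header (RFC 6797 says later ones are
# ignored). Prints nothing when the header or the directive is absent.
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security:/ {
            sub(/^[^:]*:/, "")                 # drop the header name
            n = split($0, part, ";")           # directives are ;-separated
            for (i = 1; i <= n; i++) {
                d = tolower(part[i])
                gsub(/[ \t"]/, "", d)          # tolerate spaces and quoted values
                if (d ~ /^max-age=[0-9]+$/) {
                    sub(/^max-age=/, "", d)
                    print d
                    exit
                }
            }
            exit                               # first header only
        }'
}

# hsts_verdict: print "ok", "too-short" or "missing" for headers on stdin.
hsts_verdict() {
    age=$(hsts_max_age)
    if [ -z "$age" ]; then
        echo missing
    elif [ "$age" -ge "$MIN_MAX_AGE" ]; then
        echo ok
    else
        echo too-short
    fi
}

# Constructed sample responses (not captured from the poster's server).
sample_good()  { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\n\r\n'; }
sample_short() { printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: includeSubDomains; max-age="300"\r\n\r\n'; }
sample_none()  { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'; }

# Against a live server (placeholder host):
#   curl -sI https://cloud.example.invalid/ | hsts_verdict
```

A "missing" verdict on the HTTPS response while the directive is present in the vhost file means the request is not being answered by the configuration that carries the header.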