Installing SSL domain certificates

I have a new installation of NextCloud using the instructions from Marksei found at the URL below. Overall they are excellent instructions and I was basically up and running with an admin account in shortly thereafter, however, he only provides instructions on how to install Let-Encrypt and not actual live SSL certificates.

https://www.marksei.com/how-to-install-nextcloud-16-on-ubuntu/

In my previous snap install of NextCloud installing the certs via the occ command was easy. There are commands to like nextcloud.enable-https to enable https and nextcloud.import to upload your certs including your private key. These do not exist with the current NextCloud version 16. There is the occ security:certificates:import command but it only works with the cert.pem and chain.pem file and it fails with the private key import.

root@nc:/var/www/nextcloud# occ security:certificates:import /home/admin/pem_files/privkey.pem

In Certificate.php line 63:

  Certificate could not get parsed.


security:certificates:import \<path\>

root@nc:/var/www/nextcloud#

I would like to know what this command actually does to the nextcloud configuration. I think it updates the ../core/signature.json file, but It’s not clear.

Since that didn’t work, I simply updated the nextcloud.conf file managed by apache2 and added the certs there which works fine.

<VirtualHost *:443\>
  ServerName cloud.mydomain.net
  DocumentRoot /var/www/nextcloud
  SSLCertificateFile /etc/apache2/certs/cert.pem
  SSLCertificateKeyFile /etc/apache2/certs/privkey.pem
  SSLCertificateChainFile /etc/apache2/certs/chain.pem
  <Directory /var/www/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
</VirtualHost>

The website looks and tests “good” and secure with my SSL certs, but I get this message when I open up the NextCloud in the browsers under the settings | overview tab:

Some files have not passed the integrity check. Further information on how to resolve this issue can be found in the [documentation]. ([List of invalid files…] / [Rescan…]

I also see this message when I click “List of invalid files…”.

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
	- EXCEPTION
		- OC\IntegrityCheck\Exceptions\InvalidSignatureException
		- Certificate is not valid.

Raw output
==========
Array
(
    [core] => Array
        (
            [EXCEPTION] => Array
                (
                    [class] => OC\IntegrityCheck\Exceptions\InvalidSignatureException
                    [message] => Certificate is not valid.
                )

        )

)

Here are some other details about the configuration.

Nextcloud version: 16.0.0
Operating system and version: Ubuntu 19.10
Apache version: 2.4.41 (Ubuntu)
PHP version: 7.3

The output of your config.php file in /var/www/nextcloud/config (make sure you remove any identifiable information!):

root@nc:/var/www/nextcloud/config# cat config.php
<?php
$CONFIG = array (
  'instanceid' => 'XXXXXXXX',
  'passwordsalt' => 'XXXXXXXXX',
  'secret' => 'XXXXXXXXX',
  'trusted_domains' =>
  array (
    0 => '192.168.1.XXX',
    1 => 'cloud.mydomain.net',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '16.0.0.9',
  'overwrite.cli.url' => 'http://192.168.1.XXX/nextcloud',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'user',
  'dbpassword' => 'XXXXXX',
  'installed' => true,
  'maintenance' => false,
  'memcache.locking' => '\OC\Memcache\Redis',
  'memcache.distributed' => '\OC\Memcache\Redis',
  'memcache.local' => '\OC\Memcache\APCu',
    'redis' => [
      'host' => 'localhost',
      'port' => 6379,
    ],
);

The output of your Apache/nginx/system log in /var/log/____:

Apache2 seems to be running pretty well right now. I did start and stop the sevice many times testing various configurations.

Nov 14 20:09:01 nc CRON[2052]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Nov 14 20:09:01 nc systemd[1]: Starting Clean php session files...
Nov 14 20:09:01 nc systemd[1]: phpsessionclean.service: Succeeded.
Nov 14 20:09:01 nc systemd[1]: Started Clean php session files.
Nov 14 20:17:01 nc CRON[2110]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Nov 14 20:39:01 nc CRON[2141]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Nov 14 20:39:01 nc systemd[1]: Starting Clean php session files...
Nov 14 20:39:01 nc systemd[1]: phpsessionclean.service: Succeeded.
Nov 14 20:39:01 nc systemd[1]: Started Clean php session files.
Nov 14 20:46:09 nc systemd[1]: Starting The Apache HTTP Server...
Nov 14 20:46:09 nc systemd[1]: Started The Apache HTTP Server.
Nov 14 21:08:37 nc freshclam[887]: Thu Nov 14 21:08:37 2019 -> Received signal: wake up
Nov 14 21:08:37 nc freshclam[887]: Thu Nov 14 21:08:37 2019 -> ClamAV update process started at Thu Nov 14 21:08:37 2019
Nov 14 21:08:37 nc freshclam[887]: Thu Nov 14 21:08:37 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Nov 14 21:08:37 nc freshclam[887]: Thu Nov 14 21:08:37 2019 -> daily.cld is up to date (version: 25633, sigs: 1988123, f-level: 63, builder: raynman)
Nov 14 21:08:37 nc freshclam[887]: Thu Nov 14 21:08:37 2019 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Nov 14 21:09:01 nc CRON[2581]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Nov 14 21:09:01 nc systemd[1]: Starting Clean php session files...
Nov 14 21:09:01 nc systemd[1]: phpsessionclean.service: Succeeded.
Nov 14 21:09:01 nc systemd[1]: Started Clean php session files.
Nov 14 21:17:01 nc CRON[2666]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Nov 14 21:39:01 nc CRON[2736]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Nov 14 21:39:01 nc systemd[1]: Starting Clean php session files...
Nov 14 21:39:01 nc systemd[1]: phpsessionclean.service: Succeeded.
Nov 14 21:39:01 nc systemd[1]: Started Clean php session files.
Nov 14 21:40:11 nc systemd[1]: Stopping The Apache HTTP Server...
Nov 14 21:40:12 nc systemd[1]: apache2.service: Succeeded.
Nov 14 21:40:12 nc systemd[1]: Stopped The Apache HTTP Server.
Nov 14 21:40:12 nc systemd[1]: Starting The Apache HTTP Server...
Nov 14 21:40:12 nc systemd[1]: Started The Apache HTTP Server.
Nov 14 22:08:37 nc freshclam[887]: Thu Nov 14 22:08:37 2019 -> Received signal: wake up
Nov 14 22:08:37 nc freshclam[887]: Thu Nov 14 22:08:37 2019 -> ClamAV update process started at Thu Nov 14 22:08:37 2019
Nov 14 22:08:37 nc freshclam[887]: Thu Nov 14 22:08:37 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Nov 14 22:08:37 nc freshclam[887]: Thu Nov 14 22:08:37 2019 -> daily.cld is up to date (version: 25633, sigs: 1988123, f-level: 63, builder: raynman)
Nov 14 22:08:37 nc freshclam[887]: Thu Nov 14 22:08:37 2019 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Nov 14 22:09:01 nc CRON[2921]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Nov 14 22:09:01 nc systemd[1]: Starting Clean php session files...
Nov 14 22:09:01 nc systemd[1]: phpsessionclean.service: Succeeded.
Nov 14 22:09:01 nc systemd[1]: Started Clean php session files.
Nov 14 22:17:01 nc CRON[3005]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)

1. My first priority is to make sure my SSL certs are installed properly.
2. Secondly, I would like to request any advise/updates/improvements to these config files. Right now my NextCloud site is running terrible meaning very very slow, which seems to be related to caching, but I will open another thread to address those issues.

1. Just to clarify, Let’s Encrypt does provide a valid certificate.
2. You don’t install the certificate in Nextcloud. The snap version is kind of an exception in many ways because of the nature of snaps. You need to set up certbot with whatever web server you are using to run Nextcloud. In your case that would be Apache.
3. The file integrity issue I think is going to be unrelated to your certificate.
4. On the performance issue, what sort of hardware are you running this on?

What difference do you understand there to be between these two things? Because Let’s Encrypt provides (and has provided for nearly four years) “actual live SSL certificates”, to the tune of nearly a billion of them. The guide you link to will give you actual live SSL certificates, and renew them automatically. If for some reason you want to spend money unnecessarily and buy a certificate, you’d really be on your own to configure Apache correctly–it has nothing to do with Nextcloud.

Thank you so much for your reply. I’ve used Let’s Encrypt and I know they are valid certificates, but for a variety of reasons, I purchased a wild card domain certificate from COMODO to run multiple systems. I’ve set up the certs in apache and they seem to be working well and the site is secured, however, my concern is that NextCloud is complaining about not being able to parse the certificates. Those messages may be caused by me uploading the chain.pem and cert.pem files thinking that NC needed to be aware of the certs to function securely. From your comments, it apparently relies on apache2 for its security, which is totally fine by me. Your comments regarding the snap version of NC helps me a lot.

The hardware I’m running on is a Dual Intel CPU motherboard by AsRock EP2C602-4L/D16, with 2 Intel® Xeon® CPU E5-2697 v2 @ 2.70GHz (24-cores/48-virtual cores) with about 200 TB of storage attached. The system is running FreeNAS 11.3 and I’ve set up a virtual machine running Ubuntu 19.10 where NextCloud is installed. I’ve had NextCloud running in a virtual machine on this system for about 4 years. I have a 12 TB storage pool shared with NextCloud over NFS for all the data. I recently observed some data corruption on the older Ubuntu 16.04 virtual machine running the Nextcloud snap. In my efforts to clean this up (long story), I apparently made a mistake and made it worse. Nextcloud would no longer run, hence the reinstallation to the new 19.10 Ubuntu virtual machine. All the data is still on the storage pool so no data was lost, but I’ve been down for about 2 weeks. The new virtual machine is configured with 12 GB of RAM, (2) CPU cores and 200 GB of a fast SSD for the OS to live on, which is thin provisioned. The network interface is bridged to a 10-Gbit Ethernet card and subsequent 10Gb switch. I have a dedicated port on my router opened externally to connect NextCloud to the Internet.

The slow performance is that adding 25 MB to my Windows desktop NextCloud client takes about 2 hours to upload on my local LAN. I see errors in my NC logs like this:

[webdav] Fatal: Sabre\DAV\Exception\BadRequest: expected filesize 4645374 got 229376 at <<closure>>

 0. /var/www/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php line 156
    OCA\DAV\Connector\Sabre\File->put(null)
 1. /var/www/nextcloud/apps/dav/lib/Upload/UploadFolder.php line 45
    OCA\DAV\Connector\Sabre\Directory->createFile("00000001", null)
 2. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 1096
    OCA\DAV\Upload\UploadFolder->createFile("00000001", null)
 3. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php line 525
    Sabre\DAV\Server->createFile("uploads/trdemoss/439194787/00000001", null, null)
 4. <<closure>>
    Sabre\DAV\CorePlugin->httpPut(Sabre\HTTP\Reque ... "}, Sabre\HTTP\Response {})
 5. /var/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php line 105
    undefinedundefinedcall_user_func_array([Sabre\DAV\CorePlugin {},"httpPut"], [Sabre\HTTP\Requ ... }])
 6. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 479
    Sabre\Event\EventEmitter->emit("method:PUT", [Sabre\HTTP\Requ ... }])
 7. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 254
    Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Reque ... "}, Sabre\HTTP\Response {})
 8. /var/www/nextcloud/apps/dav/lib/Server.php line 316
    Sabre\DAV\Server->exec()
 9. /var/www/nextcloud/apps/dav/appinfo/v2/remote.php line 35
    OCA\DAV\Server->exec()
10. /var/www/nextcloud/remote.php line 163
    undefinedundefinedrequire_once("/var/www/nextcl ... p")

PUT /remote.php/dav/uploads/trdemoss/439194787/00000001
from XXX.XXX.XXX.XXX by trdemoss at 2019-11-14T23:09:28+00:00

I have a lot of very large ISO images and such that uploaded fine with my snap version of NextCloud but the new install seems to just die in place.

Any idea what this maybe? Are there any other logs I can provide to help debug this or should I just do a fresh install?

Thanks for the reply danb35. I think my statement “actual live SSL certs” was poorly worded on my part. I was just trying to compare purchased certs to a Let’s Encrypt certs. I’ve used Let’s Encrypt for years in other configurations. The bottom line is that certs and NextCloud are two different functions. The confusion was mine because the “snap” version of NextCloud does have you install the SSL certs using the “occ” commands, but in the non-snap version, there are no certs installed. The certs are installed in Apache2. These instructions are not clear in the Marksei documentation and I could not find anything to explain this in the NextCloud documentation. I now understand that Let’s Encrypt installs it’s certs into Apache2 and is not integrated into NextCloud. I incorrectly presumed there was some integration because of the differences between the snap install and the manual install of the NextCloud application.

Just to clarify a little more, Nextcloud is a website. Apache is the web server running that website. So Apache is what uses the certificate to provide HTTPS.

The snap version is a little weird and not as well documented. I gave up on it early on when I found out it’s impossible to install smbclient in it.

@KarlF12

I wasn’t paying very close attention when I did the install since I was hammering through the instructions, however after thinking about this for a while, could the performance issue be related to the cache configuration I setup? Can you or anyone verify if my cache is configured correctly based on the config file I posted earlier? I recall, I set this up after I connected to and created an admin account on the NextCloud install.

Your cache config looks like mine, so if you don’t have any warnings in Nextcloud under settings > overview, I think it’s probably fine. Warnings about your cache config are shown there. You do have redis and APCu installed and running, right?

One thing I do notice, which unfortunately is not mentioned in the relevant section of the installation docs, is that you don’t want your data folder to be within your web root.

Some background, this is a fairly small NextCloud implementation with about 10 users.

I installed redis and OPcache per the Marksei instructions. When the performance was slow, I referenced the “Memory Caching” section of the NextCloud instructions and followed the instructions there to install APCu and configured it. This did not correct the performance issue. I don’t have any experience with these caching mechanisms, but I do have experience with other caching systems. I would like to see they are actually working. I will research this but if you know any commands that can verify if the cache is working, counting cache hits and misses, the memory size of the cache in use, the eviction policy, etc.

I just used the default data folder location, but based on your comment, I will move it outside of the www path.

So I just finished a reinstall and everything seems to be working fine.

I followed the same Marksei instructions as before, but added my SSL certs to apache2, placed my data directory outside of the webroot, installed and enabled redis caching with pretty much the same config settings and everything worked well first try. My windows NextCloud client is sync’ing data at full speed. There are no errors in the NextCloud logs.

I learned what I needed and I should be able to bring my server back online for my users by tomorrow. Thanks for the help.