So I installed Nextcloud on a virtual machine(Ubuntu Server 20.04) on my home server. Everything worked great, I connected all my network computers, and I even connected all our cell phones via the Nextcloud ios/andriod apps so that we can download our photos to Nextcloud.
Then I created a problem for myself. I decided I wanted the Nextcloud to be available on the go. That is where the problem starts. AT&T does not allow me to forward port 80. So I went into setting and changed the port number in all my config files(apache, nextcloud, etc). Forwarded the port on my router to my chosen port(8069).
So when I type in my ip.ip.ip.ip:8069/nextcloud I can login to my nextcloud from any device anywhere that has internet access via a web browser, works great. However, when I try to connect using the ios/android app, I get SSL errors.
“An SSL error has occurred and a secure connection to the server cannot be made”
I am not really a networking whizz or anything, so I am not sure how to go about fixing this issue. I don’t get any sort of warnings or anything when it comes to the browser connection, even from safari on my iphone. Does the nextcloud app just not allow other port connections?
Thanks in advance.
is the ssl-certificate selfmade or official? like which authority was signing the certficate?
I never made an SSL certificate. As a matter of fact, I don’t remember setting one up either.
it most prolly would result in something lik this:
How come I don’t have any SSL issued when I connect to it from the browser?
depending upon how you’re accessing it. http:// --> no certificate necessary.
https:// --> you’d need a ssl-certificate.
accessing your instance through your own ip at home-lan … could be okish by http.
accessing your instance through an qualified url from outside your home-lan should be ssl-protected.
A security certificate is something that needs to be set up separately. Up until the last few years, they actually cost money. A group called Startssl was offering free certificates for a while, but required that you jump through so many hoops to get one that it became impractical. Alternatively, you could create “self-signed” certificates, which work to secure your connection, but throw warnings in all modern browsers and are outright rejected by most mobile apps.
Thankfully, a group called Let’s Encrypt started providing free certificates in 2016. These certificates are easy to obtain and install.
Unfortunately you’re gonna have to do a bit of reading to bring yourself up to speed. There’s no way around that, securing your site is your responsibility. This also involves understanding how your webserver is configured, because it’s your webserver (e.g. Apache, NginX) that uses the certificate to encrypt the connection.
You’re currently thinking about port 80. That’s the default HTTP port. However HTTPS (with a certificate, the “s” at the end means “secured”) uses port 443 by default. Does your ISP block that, too?
Lastly, certificates can only be issued against domain names, not IP addresses. You’ll need to organise one of those, too. Do a web search, there are plenty of ways to get a free domain.
Hopefully this points you in the right direction, and gives you something to think about. If you were further along in the process, it would be easier to help with specific issues. This forum isn’t really the place to explain the basics of obtaining and configuring certificates! But you should still look into it, and get started on HTTPS. Once you get started and have more directed/specific questions, you’ll get more helpful answers
That is good information. I was able to get everything to work on port 80 once I called my provider. However, I was not planning on using a domain name. Do I need one even if I create my own self signed certificate with openssl?
Nope, you don’t need a domain if you use self signed certificates. When you create a self signed cert, it asks for the domain. Instead of a domain you can enter an IP address.
But that comes with its own issues. On a desktop/laptop, you’ll get an error or warning (depending on what browser you use). You can make a permanent exception and see no further warning.
But mobile apps generally don’t offer to make exceptions, they just won’t connect. You may have trouble finding a mobile app that will sync contacts, calendar, or notes. The Nextcloud app probably won’t sync or upload photos either.
I use a free .tk domain from dot.tk, and below is my Apache config. I changed my cert and key paths for privacy reasons, otherwise it’s accurate.
Redirect permanent / https://cloud.darksteve.tk/
Header always set Strict-Transport-Security "max-age=15768000"
The first section redirects all unencrypted HTTP traffic to the encrypted HTTPS port. You should be able replace the domain with an IP.
I pay extra for a static IP, but if you have a dynamic IP, you can do a web search for “dynamic dns” or similar. I used to do that years ago. I small program (dyndns, from memory) would run on my server checking for IP changes, and it would update my domain’s DNS settings accordingly. It’s not that scary!
But honestly, it’ll be good for you to play with self signed certificates. Doing so helped me wrap my head around how all this works without involving additional external services.
Best of luck!
Wow, that is great information. Thanks for getting me started. I will eventually get a domain once I get everything figured out, but for now, I have to try and make it work.