I'm using Ubuntu 18 and installed Nextcloud 18. All working fine.
I’m actually using the server as a Calendar server with mostly Apple Mac clients.
The Apple calendar app only supports SSL (https) connectivity for CalDav.
So, using the self-signed certificate works just fine (nextcloud.enable-https self-signed) if you trust the self-signed certificate first. Obviously a bit of a problem.
So, is it possible to extend the self-signed certificate validation to longer than 3 months?
Running nextcloud.enable-https self-signed recreates the certificate (does not update/renew).
This does not work as the client will not trust the renewed certificate.
Is the answer, use a proper certificate? (Paid or Let’s Encrypt)
$ sudo make-ssl-cert generate-default-snakeoil
This will get you a 10 year self-signed certificate (in /etc/ssl/certs/ssl-cert-snakeoil.pem with key /etc/ssl/private/ssl-cert-snakeoil.key).
https://manpages.ubuntu.com/manpages/bionic/man8/make-ssl-cert.8.html
But you should use let’s encrypt if you have internet access, it’s a lot easier.
Thanks. It goes to /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key.
Then copy these to /var/snap/nextcloud/current/certs/custom/
sudo nextcloud.enable-https custom -s cert.pem privkey.pem chain.pem, however it requires a chain.pem too.
Where do I get the chain.pem?
You don’t have a chain.pem, it’s meaningless anyway for self-signed certs.
Your cert.pem will probably do fine as chain.pem
Edit: if you really, really want it, there is a way, but it includes making your own certificate authority – it’s A LOT easier to just use let’s encrypt with certbot, it’s really fire and forget.
Ah! Wonderful. Thanks, working fine now. Expires: Monday, 25 February 2030
To anybody that might want the same but a stronger key than an RSA 2048bit, this command is helpful:
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
(I do not recall where I found it, but it worked for me)
You could also use make-ssl-certificate to create a stronger RSA certificate (e.g., 4096 bits). Just copy and edit the template (I use the snap-version of nextcloud, therefore the snap-path):
sudo cp /usr/share/ssl-cert/ssleay.cnf /var/snap/nextcloud/common/ssleay-custom.cnf
vim ssleay-custom.cnf
put the IP of your nextcloud in the following:
sudo make-ssl-cert ssleay-custom.cnf nextcloud-custom
Save the certificate and key separately (I did it by hand via the editor), as: nextcloud-custom.pem and nextcloud-custom.key
sudo vim nextcloud-custom
Now install the certificate and key:
sudo nextcloud.enable-https custom -s nextcloud-custom.pem nextcloud-custom.key nextcloud-custom.pem
You can delete (or move) the .pem and .key files afterwards:
sudo rm /var/snap/nextcloud/common/nextcloud-custom
sudo rm /var/snap/nextcloud/common/nextcloud-custom.pem
sudo rm /var/snap/nextcloud/common/nextcloud-custom.key
sudo rm /var/snap/nextcloud/common/ssleay-custom.cnf
Finally, you can take a look at the fingerprint via:
sudo openssl x509 -noout -fingerprint -sha256 -inform pem -in /var/snap/nextcloud/current/certs/custom/cert.pem
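
Added example, not part of the thread or of the Nextcloud snap: a pre-install check for a long-lived self-signed certificate before handing cert.pem, privkey.pem and chain.pem to nextcloud.enable-https custom. It confirms the key matches the certificate, that the server IP appears as a subjectAltName (current TLS clients match on the SAN rather than the CN), and how long the certificate remains valid. The function names, the temp directory and the IP 192.0.2.10 are assumptions made for illustration, and OpenSSL 1.1.1 or newer is assumed for -addext.

```bash
#!/usr/bin/env bash
# Added example. Names, paths and the IP 192.0.2.10 are constructed.
# Needs OpenSSL 1.1.1 or newer (for -addext).

# Self-signed cert valid 3650 days, with the server IP as a SAN.
make_cert() {  # usage: make_cert <dir> <ip> [rsa_bits]
  ( umask 077   # keep the private key unreadable to other users
    openssl req -x509 -nodes -days 3650 -newkey "rsa:${3:-4096}" \
      -subj "/CN=$2" -addext "subjectAltName=IP:$2" \
      -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null ) &&
  cp "$1/cert.pem" "$1/chain.pem"   # self-signed: the cert is its own chain
}

# True only if the private key belongs to the certificate.
key_matches_cert() {  # usage: key_matches_cert <cert> <key>
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# True if the certificate lists <ip> as an IP subjectAltName.
has_ip_san() {  # usage: has_ip_san <cert> <ip>
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | tr -d ' ' |
    grep -Fxq "IPAddress:$2"
}

# True if the certificate is still valid <days> from now.
valid_for_days() {  # usage: valid_for_days <cert> <days>
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run all checks, then print expiry and fingerprint for comparison on clients.
preflight() {  # usage: preflight <dir> <ip> <min_days>
  key_matches_cert "$1/cert.pem" "$1/privkey.pem" || { echo "key/cert mismatch"; return 1; }
  has_ip_san "$1/cert.pem" "$2" || { echo "no IP SAN for $2"; return 1; }
  valid_for_days "$1/cert.pem" "$3" || { echo "expires within $3 days"; return 1; }
  openssl x509 -in "$1/cert.pem" -noout -enddate -fingerprint -sha256
}

# Demo in a throwaway directory; nothing under /etc/ssl or the snap is touched.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" 192.0.2.10 && preflight "$demo_dir" 192.0.2.10 3000
rm -rf "$demo_dir"
```

The SHA-256 fingerprint printed by preflight is the value to compare against what each client shows before trusting the certificate.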