Self-signed certificate expiration

I'm using Ubuntu 18 and installed Nextcloud 18. All working fine.
I’m actually using the server as a Calendar server with mostly Apple Mac clients.
The Apple calendar app only supports SSL (https) connectivity for CalDav.
So, using the self-signed certificate works just fine (nextcloud.enable-https self-signed) if you trust the self-signed certificate first. Obviously a bit of a problem.

So, is it possible to extend the self-signed certificate validation to longer than 3 months?
Running nextcloud.enable-https self-signed recreates the certificate (does not update/renew).
This does not work as the client will not trust the renewed certificate.

Is the answer, use a proper certificate? (Paid or Let’s Encrypt)

$ sudo make-ssl-cert generate-default-snakeoil

This will get you a 10 year self-signed certificate. (in /etc/ssl/certs/ssl-cert-snakeoil.pem with key /etc/ssl/private/ssl-cert-snakeoil.key)

But you should use Let’s Encrypt if you have internet access, it’s a lot easier.

Thanks. It goes to /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key.
Then copy these to /var/snap/nextcloud/current/certs/custom/ and run
sudo nextcloud.enable-https custom -s cert.pem privkey.pem chain.pem
However, it requires a chain.pem too.
Where do I get the chain.pem?

You don’t have a chain.pem, it’s meaningless anyway for self-signed certs.

Your cert.pem will probably do fine as chain.pem

Edit: if you really, really want it, there is a way, but it includes making your own certificate authority – it’s A LOT easier to just use Let’s Encrypt with certbot, it’s really fire and forget.

Ah! Wonderful. Thanks, working fine now. Expires: Monday, 25 February 2030

To anybody that might want the same but a stronger key than an RSA 2048bit, this command is helpful:

openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem

(I do not recall where I found it, but it worked for me)

You could also use make-ssl-cert to create a stronger RSA certificate (e.g., 4096 bits). Just copy and edit the template (I use the snap version of Nextcloud, therefore the snap path):

sudo cp /usr/share/ssl-cert/ssleay.cnf /var/snap/nextcloud/common/ssleay-custom.cnf
vim ssleay-custom.cnf

Put the IP of your Nextcloud in the following:

sudo make-ssl-cert ssleay-custom.cnf nextcloud-custom

Save the certificate and key separately (I did it by hand via the editor) as nextcloud-custom.pem and nextcloud-custom.key:

sudo vim nextcloud-custom

Now install the certificate and key:

sudo nextcloud.enable-https custom -s nextcloud-custom.pem nextcloud-custom.key nextcloud-custom.pem

You can delete (or move) the .pem and .key files afterwards:

sudo rm /var/snap/nextcloud/common/nextcloud-custom
sudo rm /var/snap/nextcloud/common/nextcloud-custom.pem
sudo rm /var/snap/nextcloud/common/nextcloud-custom.key
sudo rm /var/snap/nextcloud/common/ssleay-custom.cnf

Finally, you can take a look at the fingerprint via:

sudo openssl x509 -noout -fingerprint -sha256 -inform pem -in /var/snap/nextcloud/current/certs/custom/cert.pem
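
The following script is an added example, not code from any participant in this thread: it checks how long a certificate remains valid and compares SHA-256 fingerprints, which shows why a regenerated self-signed certificate has to be trusted again on every client. The function names and the subject name nextcloud.example are assumptions, and the demo certificates are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: expiry and fingerprint checks for a self-signed certificate.

# Print the SHA-256 fingerprint of a PEM certificate (hex pairs with colons).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Succeed only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Succeed if both files hold the same certificate (identical fingerprint).
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Constructed throwaway certificate (hypothetical subject name).
# usage: make_demo_cert <basename> <days>
make_demo_cert() {
    openssl req -x509 -nodes -newkey rsa:2048 -days "$2" \
        -subj "/CN=nextcloud.example" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_cert "$dir/old" 90      # short-lived, like the 3-month cert
    make_demo_cert "$dir/new" 3650    # regenerated 10-year replacement
    echo "old: $(cert_fingerprint "$dir/old.pem")"
    echo "new: $(cert_fingerprint "$dir/new.pem")"
    cert_valid_for_days "$dir/old.pem" 120 \
        || echo "old certificate expires within 120 days"
    same_cert "$dir/old.pem" "$dir/new.pem" \
        || echo "fingerprint changed: clients must trust the new certificate"
    rm -rf "$dir"
}

demo
```

Run from cron against /var/snap/nextcloud/current/certs/custom/cert.pem, `cert_valid_for_days` gives advance notice before clients start rejecting the connection.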