Self-Signed SSL For Docker Containers for iOS Calendar Integration

Hi
I just installed NextCloud and MariaDB on an Ubuntu VM with Docker and it works great going to my .local domain. I would like to enable SSL so I can integrate the calendar on my iPhone (and the documentation I read said that you have to have SSL to enable this).

The only SSL tutorials I can find include letsencrypt and nginx for actual domain names, but I just want to run it on my local IP for now.

I’ve tried attaching to the container, making a self-signed certificate and updating the 000-default.conf file in the sites-available folder within the docker container. When I change the *80 to *443 and restart the service, it gets caught up in an endless restart loop.

Can anyone recommend a way (or an article, or a video) to self-sign an SSL cert so I can just run the domain.local version of nextcloud and get the calendar integration working on my phone?

Much appreciated in advance.

M

Misconfiguration of Apache is most likely the issue. If you can post your site config maybe we’ll see what’s going on.

Not many attempt this configuration because certbot is so easy to set up and gives you auto-renewing valid certificates.

The .local domain will never be internet-routable so you will be stuck accessing via IP with no possibility of using a valid cert without a name change. You’ll go through a lot of extra trouble to get it working with an invalid domain and cert.

what exactly did you do? docker exec -u www-data nextcloud /bin/sh ?

what you should do:

  • follow one of the how-to-create-a-self-signed-cert guides listed here: create self signed certificate - Google-haku and store the cert files somewhere on your host filesystem, e.g. /etc/nextcloud
    you may skip this if the “snakeoil-cert” files are already present in the container, in which case this would work out of the box:
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
  • get a working apache config. you can’t just change *80 → *443 because you have to tell apache where to find the cert files, and you have to enable ssl for this virtual host.
    put the new config file also in /etc/nextcloud
  • now you have to examine the apache config inside the container.
    docker exec -u www-data nextcloud /bin/sh and search /etc for the apache config. you have probably done that already since you found the 000-default.conf file.
  • putting it together: assuming you used a docker compose file to start the “stack”, you have to bind the files from your host /etc/nextcloud to the corresponding /etc/apache2 file inside the container. on the cli you would have to add e.g.:
    -v /etc/nextcloud/000-default.conf:/etc/apache2/000-default.conf:ro
    -v /etc/nextcloud/selfsigned.key:/etc/ssl/keys/my-selfsigned.key:ro ← and point to /etc/ssl/keys/my-selfsigned.key the vhost *443 section (SSLCertificateKeyFile /etc/ssl/keys/my-selfsigned.key)
  • and you have to expose port 443 of nextcloud in the docker-compose file. i guess only port 80 is exposed by default.

you get the idea? “create a working ssl apache config on your host and bind it into the container.” that’s it.

to get an idea of how a working apache ssl vhost config looks, see this article:

if that was already clear to you please post your 000-default.conf and docker-compose file. someone might be able to help you debug it.
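A pre-flight check for the pairing this post describes (the vhost's cert paths must be container-side targets of the compose bind mounts, port 443 must be published, SSL must be enabled for the vhost). This is an added example, not from the thread: the compose and vhost snippets are constructed, and it assumes the nextcloud image's Debian Apache layout, where the default vhost is read from /etc/apache2/sites-available/000-default.conf.

```python
import re
# Constructed sample inputs modelled on the steps above; host paths, the .local name and file names are hypothetical.
COMPOSE = """\
  nextcloud:
    image: nextcloud:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/nextcloud/000-default.conf:/etc/apache2/sites-available/000-default.conf:ro
      - /etc/nextcloud/selfsigned.key:/etc/ssl/keys/my-selfsigned.key:ro
      - /etc/nextcloud/selfsigned.crt:/etc/ssl/certs/my-selfsigned.crt:ro
"""
VHOST = """\
<VirtualHost *:443>
  ServerName nextcloud.local
  SSLEngine On
  SSLCertificateFile /etc/ssl/certs/my-selfsigned.crt
  SSLCertificateKeyFile /etc/ssl/keys/my-selfsigned.key
</VirtualHost>
"""
# Apache in the image loads the default vhost from sites-available (via the sites-enabled symlink);
# the snakeoil pair already ships inside the image, so it needs no bind mount.
VHOST_PATH = "/etc/apache2/sites-available/000-default.conf"
BUILTIN = {"/etc/ssl/certs/ssl-cert-snakeoil.pem", "/etc/ssl/private/ssl-cert-snakeoil.key"}

def mount_targets(compose):
    """Container-side path of every '- host:container[:ro]' volume entry."""
    return {m.group(1) for m in re.finditer(r"^\s*-\s*\S+?:(/[^:\s]+)", compose, re.M)}
def container_ports(compose):
    """Container-side port of every '- host:container' ports entry."""
    return {int(m.group(1)) for m in re.finditer(r"^\s*-\s*\d+:(\d+)\s*$", compose, re.M)}
def ssl_directives(vhost):
    """Map each SSL* directive found in the vhost to its value."""
    return dict(re.findall(r"^\s*(SSL\w+)\s+(\S+)", vhost, re.M))
def check(compose, vhost):
    """Return the mismatches; an empty list means Apache will find everything it needs."""
    problems, targets, ssl = [], mount_targets(compose), ssl_directives(vhost)
    if VHOST_PATH not in targets:
        problems.append(f"vhost config is not mounted at {VHOST_PATH}")
    if 443 not in container_ports(compose):
        problems.append("container port 443 is not published")
    if ssl.get("SSLEngine", "").lower() != "on":
        problems.append("SSLEngine On is missing from the *:443 vhost")
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        path = ssl.get(name)
        if path is None or (path not in targets and path not in BUILTIN):
            problems.append(f"{name} {path or '(missing)'} is not available inside the container")
    return problems
```

Run check() against your own files before starting the stack; a vhost that points at a host path such as /etc/nextcloud/nextcloud.crt is reported as unavailable inside the container, which is exactly the case that makes Apache fail to start and the container restart-loop.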

Wow, really helpful direction. Thank you! I’m still not able to get this to work, but I think I followed what you’ve outlined. I suspect it’s something in my apache config file.

Here’s my docker compose:

  nextcloud:
    container_name: NextCloud
    image: nextcloud:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - /home/nextcloud:/var/www/html
      - /etc/nextcloud/000-default.conf:/etc/apache2/000-default.conf:ro
      - /etc/nextcloud/nextcloud.key:/etc/ssl/keys/nextcloud.key:ro
    restart: always

and here is my 000-default.conf file:

  <VirtualHost *:80>
    ServerName 192.168.7.104
    ErrorLog ${APACHE_LOG_DIR}/nextcloud-error.log
    CustomLog ${APACHE_LOG_DIR}/nextcloud-access.log combined
    # ProxyPreserveHost On
    # ProxyPass / http://127.0.0.1:8080/
    # ProxyPassReverse / http://127.0.0.1:8080/
    RewriteEngine On
    RewriteRule ^/\.well-known/carddav http://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav http://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
  </VirtualHost>
  <VirtualHost *:443>
    ServerName 192.168.7.104
    ErrorLog ${APACHE_LOG_DIR}/nextcloud-error.log
    CustomLog ${APACHE_LOG_DIR}/nextcloud-access.log combined
    SSLEngine On
    # ProxyPreserveHost On
    # ProxyPass / http://127.0.0.1:8080/
    # ProxyPassReverse / http://127.0.0.1:8080/
    # Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    RewriteEngine On
    RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    SSLCertificateFile /etc/nextcloud/nextcloud.crt
    SSLCertificateKeyFile /etc/nextcloud/nextcloud.key
  </VirtualHost>

I commented out the proxy piece but also tried it with the proxy lines uncommented. I was unclear on what that is/does.

Any ideas?

I noticed that my config file was pointing to my local drive but I mapped the key and crt to /etc/ssl/keys and /etc/ssl/certs, respectively…

I tried updating my 000-default.conf to this, but still no luck:

  <VirtualHost *:443>
    ServerName 192.168.7.104
    ErrorLog ${APACHE_LOG_DIR}/nextcloud-error.log
    CustomLog ${APACHE_LOG_DIR}/nextcloud-access.log combined
    SSLEngine On
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    RewriteEngine On
    RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    SSLCertificateFile /etc/ssl/certs/nextcloud.crt
    SSLCertificateKeyFile /etc/ssl/keys/nextcloud.key
  </VirtualHost>

Did you also include the .cert file?

If the container starts you should check docker logs NextCloud for error messages.

I included the .crt file here: (I forgot to paste the updated docker-compose.yaml file when I made the update to my conf file)

  nextcloud:
    container_name: NextCloud
    #depends_on:
    # - nginx
    image: nextcloud:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - /home/nextcloud:/var/www/html
      - /etc/nextcloud/000-default.conf:/etc/apache2/000-default.conf:ro
      - /etc/nextcloud/nextcloud.key:/etc/ssl/keys/nextcloud.key:ro
      - /etc/nextcloud/nextcloud.crt:/etc/ssl/certs/nextcloud.crt:ro
    restart: always

I don’t see anything in the logs:

172.18.0.1 - - [23/Aug/2020:13:29:21 +0000] "GET /cron.php HTTP/1.1" 200 930 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
172.18.0.1 - - [23/Aug/2020:13:29:21 +0000] "GET /ocs/v2.php/apps/text/workspace?path=%2F HTTP/1.1" 404 907 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"