Snap HTTPS + Security

P-e · March 10, 2019, 6:42pm

@Reiner_Nippes Don’t forget that i just want to secure nextcloud using https. Nothing else. I can go back when i want using my snapshot.

Reiner_Nippes · March 10, 2019, 6:46pm

you should have some lines like

[Sun Mar 10 18:26:04.397753 2019] [mpm_event:notice] [pid 4105:tid 140110011385728] AH00489: Apache/2.4.38 (Unix) OpenSSL/1.0.2g configured -- resuming normal operations

do you have certificates in the certsfolder?
ls /var/snap/nextcloud/current/certs/

P-e · March 10, 2019, 7:51pm

@Reiner_Nippes

I’ve a folder named “cerbot” with “config, log, work” inside.

Reiner_Nippes · March 10, 2019, 8:04pm

there should be a live or self-signed folder as well. if they don’t existed something went wrong with sudo nextcloud.enable-https ....

also you can check the log/letsencrypt.log for warnings/errors.

P-e · March 10, 2019, 8:18pm

@Reiner_Nippes I checked the letsencrypt.log, no errors.

Reiner_Nippes · March 11, 2019, 7:13am

just to be sure. may you rerun sudo nextcloud.enable-https letsencrypt
and look if the folder live appears in /var/snap/nextcloud/current/certs/

P-e · March 11, 2019, 11:38am

@Reiner_Nippes Hi

I’ve this :
root@debian:/home/p-e# snap set nextcloud.enable-https letsencrypt
error: invalid configuration: “letsencrypt” (want key=value)
root@debian:/home/p-e# snap set nextcloud.enable-https
error: the required argument <conf value> (at least 1 argument) was not provided

Reiner_Nippes · March 11, 2019, 12:29pm

sorry.

i forgot the - after lets.

ec2-user@:~$ sudo nextcloud.enable-https -h
Usage:
    nextcloud.enable-https -h
    Display this help message.

    nextcloud.enable-https <subcommand> [OPTIONS]
    Run the provided subcommand.

Available subcommands:
    lets-encrypt [OPTIONS]
    Obtain a certificate from Let's Encrypt and automatically keep it
    up-to-date.

    self-signed
    Generate and use a self-signed certificate. This is easier to
    setup than Let's Encrypt certificates, but will cause warnings in
    browsers.

    custom [OPTIONS]
    Use certificates generated by other means.

P-e · March 11, 2019, 12:37pm

@Reiner_Nippes

root@debian:/home/p-e# snap set nextcloud.enable-https lets-encrypt
error: invalid configuration: “lets-encrypt” (want key=value)
root@debian:/home/p-e# snap set nextcloud.enable-https -lets-encrypt
error: unknown flag `l’

and when i type -help, I don’t have the same as you.

root@debian:/home/p-e# snap set nextcloud.enable-https -help
Usage:
snap set [set-OPTIONS] …

The set command changes the provided configuration options as requested.

$ snap set snap-name username=frank password=$PASSWORD

All configuration changes are persisted at once, and only after the
snap’s configuration hook returns successfully.

Nested values may be modified via a dotted path:

$ snap set author.name=frank

[set command options]
–no-wait Do not wait for the operation to finish but just print
the change id.

[set command arguments]
: The snap to configure (e.g. hello-world)
: Configuration value (key=value)

Reiner_Nippes · March 11, 2019, 12:40pm

why that?

just

P-e · March 11, 2019, 1:43pm

Because
root@debian:/home/p-e# nextcloud.enable-https lets-encrypt
bash: nextcloud.enable-https: command not found
@Reiner_Nippes

Reiner_Nippes · March 11, 2019, 2:14pm

if there is no /snap/bin/nextcloud.enable-https there is something wrong with your machine.
or /snap/bin is missing in $PATH (checked with echo $PATH)

root@ip-172-31-52-96:~# which nextcloud.enable-https
/snap/bin/nextcloud.enable-https
root@ip-172-31-52-96:~# nextcloud.enable-https lets-encrypt
In order for Let's Encrypt to verify that you actually own the
domain(s) for which you're requesting a certificate, there are a
number of requirements of which you need to be aware:

1. In order to register with the Let's Encrypt ACME server, you must
   agree to the currently-in-effect Subscriber Agreement located
   here:

       https://letsencrypt.org/repository/

   By continuing to use this tool you agree to these terms. Please
   cancel now if otherwise.

2. You must have the domain name(s) for which you want certificates
   pointing at the external IP address of this machine.

3. Both ports 80 and 443 on the external IP address of this machine
   must point to this machine (e.g. port forwarding might need to be
   setup on your router).

Have you met these requirements? (y/n) nextcloud.enable-https

P-e · March 11, 2019, 3:54pm

YOS ! Thank you !!!

But there is still something that I don’t understand. Why is the PATH missing ?

P-e · March 11, 2019, 4:45pm

Now for the HTTPS, it’s good, but in my server, what about the encryption ? How can i protect my files server sided and how can i access to them if they are encrypted ?
Thanks

Reiner_Nippes · March 11, 2019, 5:05pm

that question goes to the snap programmers.
it’s added normally here:

/etc/profile.d/apps-bin-path.sh:# Expand $PATH to include the directory where snappy applications go.
/etc/profile.d/apps-bin-path.sh:if [ -n "${PATH##*${snap_bin_path}}" -a -n "${PATH##*${snap_bin_path}:*}" ]; then
/etc/profile.d/apps-bin-path.sh:    export PATH=$PATH:${snap_bin_path}

you can add it by putting export PATH=$PATH:/snap/bin at the end of /etc/environment

→ Encryption configuration — Nextcloud 15 Administration Manual 15 documentation

P-e · March 11, 2019, 6:02pm

@Reiner_Nippes
/etc/environment is completly blank. Is this normal ?

Do you think it’s necessary to encrypt my files ?

Reiner_Nippes · March 11, 2019, 6:15pm

who installed that server? that should not be normal.

that’s discussed here: Server encryption even worth it? - #6 by Krischan

P-e · March 11, 2019, 6:16pm

I’ve installed the server using a clean debian image.

Thanks for the link.

Reiner_Nippes · March 11, 2019, 6:38pm

on debian it’s empty. so that’s ok.

P-e · March 11, 2019, 6:51pm

Ok, i think that’s the end of the topic, thank you a lot for your help ! Have a good day/night.