Snap HTTPS + Security

@Reiner_Nippes Don’t forget that i just want to secure nextcloud using https. Nothing else. I can go back when i want using my snapshot.

you should have some lines like

[Sun Mar 10 18:26:04.397753 2019] [mpm_event:notice] [pid 4105:tid 140110011385728] AH00489: Apache/2.4.38 (Unix) OpenSSL/1.0.2g configured -- resuming normal operations

do you have certificates in the certsfolder?
ls /var/snap/nextcloud/current/certs/

@Reiner_Nippes

I’ve a folder named “cerbot” with “config, log, work” inside.

there should be a live or self-signed folder as well. if they don’t existed something went wrong with sudo nextcloud.enable-https ....

also you can check the log/letsencrypt.log for warnings/errors.

@Reiner_Nippes I checked the letsencrypt.log, no errors.

just to be sure. may you rerun sudo nextcloud.enable-https letsencrypt
and look if the folder live appears in /var/snap/nextcloud/current/certs/

@Reiner_Nippes Hi :slight_smile:

I’ve this :
root@debian:/home/p-e# snap set nextcloud.enable-https letsencrypt
error: invalid configuration: “letsencrypt” (want key=value)
root@debian:/home/p-e# snap set nextcloud.enable-https
error: the required argument <conf value> (at least 1 argument) was not provided

sorry.

i forgot the - after lets.

ec2-user@:~$ sudo nextcloud.enable-https -h
Usage:
    nextcloud.enable-https -h
    Display this help message.

    nextcloud.enable-https <subcommand> [OPTIONS]
    Run the provided subcommand.

Available subcommands:
    lets-encrypt [OPTIONS]
    Obtain a certificate from Let's Encrypt and automatically keep it
    up-to-date.

    self-signed
    Generate and use a self-signed certificate. This is easier to
    setup than Let's Encrypt certificates, but will cause warnings in
    browsers.

    custom [OPTIONS]
    Use certificates generated by other means.

@Reiner_Nippes

root@debian:/home/p-e# snap set nextcloud.enable-https lets-encrypt
error: invalid configuration: “lets-encrypt” (want key=value)
root@debian:/home/p-e# snap set nextcloud.enable-https -lets-encrypt
error: unknown flag `l’

and when i type -help, I don’t have the same as you.

root@debian:/home/p-e# snap set nextcloud.enable-https -help
Usage:
snap set [set-OPTIONS] …

The set command changes the provided configuration options as requested.

$ snap set snap-name username=frank password=$PASSWORD

All configuration changes are persisted at once, and only after the
snap’s configuration hook returns successfully.

Nested values may be modified via a dotted path:

$ snap set author.name=frank

[set command options]
–no-wait Do not wait for the operation to finish but just print
the change id.

[set command arguments]
: The snap to configure (e.g. hello-world)
: Configuration value (key=value)

why that?

just

Because
root@debian:/home/p-e# nextcloud.enable-https lets-encrypt
bash: nextcloud.enable-https: command not found
@Reiner_Nippes

if there is no /snap/bin/nextcloud.enable-https there is something wrong with your machine.
or /snap/bin is missing in $PATH (checked with echo $PATH)

root@ip-172-31-52-96:~# which nextcloud.enable-https
/snap/bin/nextcloud.enable-https
root@ip-172-31-52-96:~# nextcloud.enable-https lets-encrypt
In order for Let's Encrypt to verify that you actually own the
domain(s) for which you're requesting a certificate, there are a
number of requirements of which you need to be aware:

1. In order to register with the Let's Encrypt ACME server, you must
   agree to the currently-in-effect Subscriber Agreement located
   here:

       https://letsencrypt.org/repository/

   By continuing to use this tool you agree to these terms. Please
   cancel now if otherwise.

2. You must have the domain name(s) for which you want certificates
   pointing at the external IP address of this machine.

3. Both ports 80 and 443 on the external IP address of this machine
   must point to this machine (e.g. port forwarding might need to be
   setup on your router).

Have you met these requirements? (y/n) nextcloud.enable-https


YOS ! Thank you !!! :smiley:

But there is still something that I don’t understand. Why is the PATH missing ?

Now for the HTTPS, it’s good, but in my server, what about the encryption ? How can i protect my files server sided and how can i access to them if they are encrypted ?
Thanks :slight_smile:

that question goes to the snap programmers.
it’s added normally here:

/etc/profile.d/apps-bin-path.sh:# Expand $PATH to include the directory where snappy applications go.
/etc/profile.d/apps-bin-path.sh:if [ -n "${PATH##*${snap_bin_path}}" -a -n "${PATH##*${snap_bin_path}:*}" ]; then
/etc/profile.d/apps-bin-path.sh:    export PATH=$PATH:${snap_bin_path}

you can add it by putting export PATH=$PATH:/snap/bin at the end of /etc/environment

-> https://docs.nextcloud.com/server/15/admin_manual/configuration_files/encryption_configuration.html

@Reiner_Nippes
/etc/environment is completly blank. Is this normal ?

Do you think it’s necessary to encrypt my files ?

who installed that server? that should not be normal.

that’s discussed here: Server encryption even worth it?

I’ve installed the server using a clean debian image.

Thanks for the link. :slight_smile:

on debian it’s empty. so that’s ok.

Ok, i think that’s the end of the topic, thank you a lot for your help ! Have a good day/night. :slight_smile: