Some files have not passed the integrity check (double .htaccess file due to Let's Encrypt)

Nextcloud version : 13
Operating system and version : Ubuntu server 16.04.3 LTS
Apache or nginx version : Apache 2.4.18
PHP version : 7.0.25

The issue you are facing:

Security & setup warnings

It's important for the security and performance of your instance that everything is configured correctly. To help you with that we are doing some automatic checks. Please see the Tips & Tricks section and the documentation for more information.

    Some files have not passed the integrity check. Further information on how to resolve this issue can be found in the documentation. (List of invalid files… / Rescan…)

Please double check the installation guides ↗, and check for any errors or warnings in the log.

When investigating the cause I see this:

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
	- EXTRA_FILE
		- .well-known/acme-challenge/.htaccess

Raw output
==========
Array
(
    [core] => Array
        (
            [EXTRA_FILE] => Array
                (
                    [.well-known/acme-challenge/.htaccess] => Array
                        (
                            [expected] => 
                            [current] => lkjfdgpo8745pwtoisgjfoidup9yt8w45u09u86ysjro9hu5rt9jihjhsaevlfiugzkuygVra7w83385o1409q86aghho938iu4blgv8gh4oiu3hto98yaeg98yae4a9p84e9t5
                        )

                )

        )

)

Is this the first time you’ve seen this error? : N

Steps to replicate it:

  1. go to … .com/index.php/settings/admin#security-warning page.

The output of your Nextcloud log in Admin > Logging:

Error	no app in context	issuetemplate	2018-02-28T13:53:47-0500

The output of your config.php file in /path/to/nextcloud/config (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' => 
  array (
    0 => '.com',
  ),
  'datadirectory' => '',
  'overwrite.cli.url' => 'https://com',
  'dbtype' => 'mysql',
  'version' => '13.0.0.14',
  'dbname' => '',
  'dbhost' => '',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '',
  'dbpassword' => '',
  'installed' => true,
  'mail_from_address' => '',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => '',
  'mail_domain' => '',
  'mail_smtphost' => 'smtp.mailgun.org',
  'mail_smtpport' => '587',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '',
  'mail_smtppassword' => '',
  'maintenance' => false,
  'memcache.local' => '\OC\Memcache\APCu',
);

I think this is an ignorable error, but it can’t be ignored because it’s always popping up to annoy me. I believe that the way my Let’s Encrypt certificates are managed is what caused this error. I’m wondering if there’s some way to get the scan to ignore that .well-known/acme-challenge/.htaccess folder and/or file.

It’s not obvious, but I did my install in a subdomain in such a way that the nextcloud folder is not part of the URL for the system. Thus Let’s Encrypt sees the root as the nextcloud subfolder and boom, I got a problem.

You can use a different directory on the file system where you map the .well-known-stuff, then you won’t get this error:


I can’t quite envision how to use a different directory without screwing up the elaborate stuff that’s going on already. I’m in a Virtualmin created subdomain (sub-server to them) for where the NextCloud is running, and I don’t want my URL to have the .com/nextcloud/ folder in the URL. I wish I understood Apache2 better, but as of now, I don’t know how to get what I want and still comply with your suggestion.

It depends on what you want to do exactly. With configuration tools, this can be a bit difficult and you should know which parts of the configuration you can change (some perhaps allow some manual addition inside the apache-vhost?), perhaps you can find something in the documentation.

If you need .well-known only for letsencrypt, you can use this globally:

(in case you use a mail server, auto-configuration could be interesting: https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration so you only should activate it in the nextcloud-vhost).


So I gave your suggestion a whirl.
I visited your linked page and thought I could alter what they showed …

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

#Bypass Auth
<Directory /var/www/letsencrypt/.well-known/acme-challenge/>
Satisfy any
</Directory>

#Redirect before other rewrite rules
RewriteCond %{REQUEST_URI} /\.well\-known/acme\-challenge/
RewriteRule (.*) /.well-known/acme-challenge/$1 [L,QSA]

… with my own version of it.

I made a new “NextCloudLE” folder in /var/www/, then changed its ownership appropriately, and moved my .well-known folder from the DocumentRoot for my NextCloud server into it.

In my Apache2 sites-available for the port 80 and 443 .conf files I added these…

# right after ServerName directive
Alias /.well-known/acme-challenge/ /var/www/NextCloudLE/.well-known/acme-challenge/

# right before the first "<Directory ..." information
#Bypass Auth
<Directory /var/www/NextCloudLE/.well-known/acme-challenge/>
Satisfy any
</Directory>

# immediately after the "RewriteEngine on" directive
RewriteCond %{REQUEST_URI} /\.well\-known/acme\-challenge/
RewriteRule (.*) /.well-known/acme-challenge/$1 [L,QSA]

restart Apache to apply the changes and …
NO CHANGE! … lolz …
I still had to click Rescan in the “Some files have not passed the integrity check. Further information on how to resolve this issue can be found in the documentation. (List of invalid files… / Rescan…)” statement to get the all-clear.
All checks passed.

Thanks very much for your help.
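
An Apache 2.4 form of the mapping discussed in this thread, added here as an example and not taken from any poster's configuration. `Satisfy any` is Apache 2.2 access-control syntax that 2.4 accepts only through mod_access_compat; `Require all granted` is the native 2.4 equivalent. The `/var/www/NextCloudLE` path is the one used in the post above, and the HTTPS redirect at the end is an assumed rule for the port 80 vhost.

```apache
# Added example (Apache 2.4 syntax); place inside the <VirtualHost> block.
# Serve ACME HTTP-01 challenge files from a directory outside the Nextcloud
# DocumentRoot, so the Let's Encrypt client writes nothing into the tree
# that the Nextcloud integrity check scans.
Alias /.well-known/acme-challenge/ /var/www/NextCloudLE/.well-known/acme-challenge/

<Directory /var/www/NextCloudLE/.well-known/acme-challenge/>
    # Apache 2.4 replacement for "Satisfy any": allow unauthenticated reads.
    Require all granted
    # Static token files only: ignore any .htaccess dropped here and
    # disable listings, symlink following and script execution.
    AllowOverride None
    Options None
</Directory>

# Assumption: this vhost redirects all HTTP traffic to HTTPS. Excluding the
# challenge path lets the validation request be answered directly.
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
```

The integrity result is cached, so the warning stays until a rescan, as the last post found; `occ integrity:check-core` runs the same core check from the command line.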