SSL Certificate and CSR


I have installed NextcloudPi on a Raspberry Pi 4 8GB.
I have to say that I'm not a programmer, but a simple user.
Everything works fine, except that if I share a link, the receiver sees a browser warning that says the site is not secure.

So I have bought an SSL certificate from no-ip, where the external ddns site is hosted.

But now I don't know how to configure it. The no-ip site says to do this

and for the CSR

But I don't understand how to get the values.

Even if I manage to make the certificate, how do I insert it in Nextcloud?

My configuration is:

Operating system: Linux 5.10.63-v8+ #1459 SMP PREEMPT Wed Oct 6 16:42:49 BST 2021 aarch64

Webserver: Apache (fpm-fcgi)

Database: mysql 10.3.31

PHP version: 7.3.31-1~deb10u1

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, sodium, session, standard, cgi-fcgi, mysqlnd, PDO, xml, bcmath, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, intl, json, ldap, exif, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, smbclient, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, libsmbclient, Zend OPcache

Nextcloud version: 21.0.4 - 21.0.4.1

{
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": {
        "0": "localhost",
        "22": "nextcloudpi",
        "11": "31.190.30.157",
        "3": "ldacloud.ddns.net",
        "1": "192.168.1.79",
        "14": "nextcloudpi",
        "": "ldacloud.ddns.net"
    },
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "21.0.4.1",
    "overwrite.cli.url": "https:\/\/ldacloud.ddns.net\/",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 0,
        "timeout": 0,
        "password": "***REMOVED SENSITIVE VALUE***"
    },
    "tempdirectory": "\/var\/www\/nextcloud\/data\/tmp",
    "mail_smtpmode": "sendmail",
    "mail_smtpauthtype": "LOGIN",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "preview_max_x": "2048",
    "preview_max_y": "2048",
    "jpeg_quality": "60",
    "overwriteprotocol": "https",
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "app_install_overwrite": [
        "printer"
    ],
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory"
}

Can someone help me?

Thanks in advance

Everything is written here; simply take openssl and generate it as described: Apache Mod SSL | Support | No-IP Knowledge Base

It is always 3 parts:

  1. Private key (generate it and do not show/give it to anybody)
  2. CSR - signing request; you upload it to your certificate issuer
  3. Certificate - you will get it from your certificate issuer.

Generate Private key:

openssl genrsa -out yourdomain-example.com.key 2048

You will get your private key in the file yourdomain-example.com.key.
With your private key generate the CSR:

openssl req -new -key yourdomain-example.com.key -out yourdomain-example.com.csr
# Answer Questions
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Your State; do not abbreviate the state or province name
Locality Name (eg, city): Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Company Name
Organizational Unit Name (eg, section): IT
    ### Those are IMPORTANT ###
Common Name (eg. YOUR name): yourdomain-example.com
Email Address: someone@somewhere.com

Now you have 2 files:

  • CSR yourdomain-example.com.csr: upload it via the web form as described in the guide
  • Private key yourdomain-example.com.key: do not show it to anybody

After you receive your certificate, read e.g. here how to enable it with Apache2
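The same key and CSR generation as above, done non-interactively and with the two checks worth running before the upload. This is an added example, not from this thread or the No-IP article: the subject fields are placeholders, the domain is the one from this thread, and it assumes OpenSSL 1.1.1 or newer for `-addext` (the Debian buster release this Pi runs ships that version). The CSR also carries a Subject Alternative Name, because browsers match the SAN and ignore the Common Name; a CSR with only a CN can come back as a certificate that still triggers the warning. The .key file never leaves the Pi; only the .csr goes into the web form.

```shell
#!/bin/sh
# Added example (not from the thread or the No-IP docs): generate the private
# key and CSR without prompts, then prove the CSR belongs to the key before
# uploading it. Subject fields are placeholders; needs OpenSSL 1.1.1+ (-addext).
set -eu

# make_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (mode 0600) and OUTDIR/DOMAIN.csr. The CN and the
# Subject Alternative Name both carry DOMAIN; browsers validate the SAN only.
make_csr() {
    domain="$1"; outdir="$2"
    old_umask=$(umask)
    umask 077   # key file is created unreadable by other users
    openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null
    umask "$old_umask"
    openssl req -new -key "$outdir/$domain.key" \
        -subj "/C=US/ST=Your State/L=Your City/O=Home/OU=IT/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" \
        -out "$outdir/$domain.csr" 2>/dev/null
}

# csr_is_valid CSR: the CSR's self-signature verifies, i.e. the file was not
# truncated or edited (a copy-pasted CSR with a missing line fails here).
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY: the public key embedded in the CSR is the public
# half of KEY. Comparing public keys works for RSA and EC keys alike, unlike
# the older modulus-only comparison.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ]
}

# csr_san CSR: print the SAN entries so they can be checked before uploading.
csr_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```

Usage for this thread's host: `make_csr ldacloud.ddns.net /home/pi/LDAcert`, then `csr_san` to confirm it reads `DNS:ldacloud.ddns.net`, and upload only the .csr. `csr_matches_key` is also the check to reach for later if Apache logs a "key values mismatch" at startup: the same comparison, run against the issued certificate instead of the CSR, tells you whether the certificate was issued for this key at all.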

Thanks gas85, you just cut away a big part of my problem.
Now I have my certificate. I have tried to install it following the link, but I haven't understood.
I have enabled the Header module and opened ssl.conf, but it is totally different from mine.
Have you any other advice?
Thanks in advance

You're welcome!

In the guide only part of ssl.conf is shown; you can find my example here:

and here:

Simply post your current configuration in case of questions.

Thanks gas85, thanks again. Remember that I'm not a programmer.

I have stored my certificate in folder /home/pi/LDAcert
ldacloud.ddns.net.csr
ldacloud.ddns.net.key
ldacloud_ddns_net.pem-chain
ldacloud_ddns_net.der
ldacloud_ddns_net.pem
ldacloud_ddns_net.pkcs7

This is my ssl.conf

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the SSL library.
    # The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl User
    # Manual for more details.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism 
    #   to use and second the expiring timeout (in seconds).
    #   (The mechanism dbm has known memory leaks and should not be used).
    #SSLSessionCache                 dbm:${APACHE_RUN_DIR}/ssl_scache
    SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization. 
    #   (Disabled by default, the global Mutex directive consolidates by default
    #   this)
    #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache


    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate. See the
    #   ciphers(1) man page from the openssl package for list of all available
    #   options.
    #   Enable only secure ciphers:
    SSLCipherSuite HIGH:!aNULL

    # SSL server cipher order preference:
    # Use server priorities for cipher algorithm choice.
    # Clients may prefer lower grade encryption.  You should enable this
    # option if you want to enforce stronger encryption, and can afford
    # the CPU cost, and did not override SSLCipherSuite in a way that puts
    # insecure ciphers first.
    # Default: Off
    #SSLHonorCipherOrder on

    #   The protocols to enable.
    #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
    #   SSL v2  is no longer supported
    SSLProtocol all -SSLv3

    #   Allow insecure renegotiation with clients which do not yet support the
    #   secure renegotiation protocol. Default: Off
    #SSLInsecureRenegotiation on

    #   Whether to forbid non-SNI clients to access name based virtual hosts.
    #   Default: Off
    #SSLStrictSNIVHostCheck On

vim: syntax=apache ts=4 sw=4 sts=4 sr noet


I think I have to add these lines
SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA$

    # This TLSv1.3 only
    SSLProtocol TLSv1.3
    # To use TLSv1.2 and TLSv1.3 uncomment line below and comment one above. Please read $
    #SSLProtocol +TLSv1.2 +TLSv1.3
    SSLCompression off

    # Enable of OCSP stapling, only in httpd 2.3.3 and later 
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache        shmcb:/var/run/ocsp(128000)

After that, I think I should add the certificate, but there is no file default-ssl.conf in /etc/apache2/mods-available

Thanks again

You are on the right track!

It is usually under /etc/apache2/conf-available/. I updated the gist :smiley:

Not only add, but a few to replace, e.g. this one:

with this from the gist:

I would say start small. Add the certificate paths to your default-ssl.conf, test the configuration and restart apache2:

sudo apachectl configtest && sudo service apache2 restart

Then you can add more stuff to ssl.conf and continue to test it.

I have made these modifications.
Now ssl.conf is /etc/apache2/mods-available/ssl.conf

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the SSL library.
    # The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl User
    # Manual for more details.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism 
    #   to use and second the expiring timeout (in seconds).
    #   (The mechanism dbm has known memory leaks and should not be used).
    #SSLSessionCache                 dbm:${APACHE_RUN_DIR}/ssl_scache
    SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization. 
    #   (Disabled by default, the global Mutex directive consolidates by default
    #   this)
    #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache


    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate. See the
    #   ciphers(1) man page from the openssl package for list of all available
    #   options.
    #   Enable only secure ciphers:
    SSLCipherSuite HIGH:!aNULL

    # SSL server cipher order preference:
    # Use server priorities for cipher algorithm choice.
    # Clients may prefer lower grade encryption.  You should enable this
    # option if you want to enforce stronger encryption, and can afford
    # the CPU cost, and did not override SSLCipherSuite in a way that puts
    # insecure ciphers first.
    # Default: Off
    #SSLHonorCipherOrder on

    #   The protocols to enable.
    #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
    #   SSL v2  is no longer supported
    #   SSLProtocol all -SSLv3 (DISABLED FROM DEFAULT)
    SSLProtocol TLSv1.3

    #   Allow insecure renegotiation with clients which do not yet support the
    #   secure renegotiation protocol. Default: Off
    #SSLInsecureRenegotiation on

    #   Whether to forbid non-SNI clients to access name based virtual hosts.
    #   Default: Off
    #SSLStrictSNIVHostCheck On

    #   SSL MODIFICATION
    SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA3$
    SSLCompression off

    # Enable of OCSP stapling, only in httpd 2.3.3 and later
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache        shmcb:/var/run/ocsp(128000)

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

The file default-ssl.conf is in the directory /etc/apache2/sites-available, modified as follows:

    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost

            DocumentRoot /var/www/html

            # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
            # error, crit, alert, emerg.
            # It is also possible to configure the loglevel for particular
            # modules, e.g.
            #LogLevel info ssl:warn

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            # For most configuration files from conf-available/, which are
            # enabled or disabled at a global level, it is possible to
            # include a line for only one particular virtual host. For example the
            # following line enables the CGI configuration for this host only
            # after it has been globally disabled with "a2disconf".
            #Include conf-available/serve-cgi-bin.conf

            #   SSL Engine Switch:
            #   Enable/Disable SSL for this virtual host.
            SSLEngine on

            #   A self-signed (snakeoil) certificate can be created by installing
            #   the ssl-cert package. See
            #   /usr/share/doc/apache2/README.Debian.gz for more info.
            #   If both key and certificate are stored in the same file, only the
            #   SSLCertificateFile directive is needed.
            #   SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem (MOD FROM DEFAULT)
            #   SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key (MOD FROM DEFAULT)
            #   MODIFIED 
            ServerName ldacloud.ddns.net
            SSLEngine on


            #   Server Certificate Chain:
            #   Point SSLCertificateChainFile at a file containing the
            #   concatenation of PEM encoded CA certificates which form the
            #   certificate chain for the server certificate. Alternatively
            #   the referenced file can be the same as SSLCertificateFile
            #   when the CA certificates are directly appended to the server
            #   certificate for convinience.
            #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

            #   Certificate Authority (CA):
            #   Set the CA certificate verification path where to find CA
            #   certificates for client authentication or alternatively one
            #   huge file containing all of them (file must be PEM encoded)
            #   Note: Inside SSLCACertificatePath you need hash symlinks
            #                to point to the certificate files. Use the provided
            #                Makefile to update the hash symlinks after changes.
            #SSLCACertificatePath /etc/ssl/certs/
            #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

            #   Certificate Revocation Lists (CRL):
            #   Set the CA revocation path where to find CA CRLs for client
            #   authentication or alternatively one huge file containing all
            #   of them (file must be PEM encoded)
            #   Note: Inside SSLCARevocationPath you need hash symlinks
            #                to point to the certificate files. Use the provided
            #                Makefile to update the hash symlinks after changes.
            #SSLCARevocationPath /etc/apache2/ssl.crl/
            #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

            #   Client Authentication (Type):
            #   Client certificate verification type and depth.  Types are
            #   none, optional, require and optional_no_ca.  Depth is a
            #   number which specifies how deeply to verify the certificate
            #   issuer chain before deciding the certificate is not valid.
            #SSLVerifyClient require
            #SSLVerifyDepth  10

            #   SSL Engine Options:
            #   Set various options for the SSL engine.
            #   o FakeBasicAuth:
            #        Translate the client X.509 into a Basic Authorisation.  This means that
            #        the standard Auth/DBMAuth methods can be used for access control.  The
            #        user name is the `one line' version of the client's X.509 certificate.
            #        Note that no password is obtained from the user. Every entry in the user
            #        file needs this password: `xxj31ZMTZzkVA'.
            #   o ExportCertData:
            #        This exports two additional environment variables: SSL_CLIENT_CERT and
            #        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
            #        server (always existing) and the client (only existing when client
            #        authentication is used). This can be used to import the certificates
            #        into CGI scripts.
            #   o StdEnvVars:
            #        This exports the standard SSL/TLS related `SSL_*' environment variables.
            #        Per default this exportation is switched off for performance reasons,
            #        because the extraction step is an expensive operation and is usually
            #        useless for serving static content. So one usually enables the
            #        exportation for CGI and SSI requests only.
            #   o OptRenegotiate:
            #        This enables optimized SSL connection renegotiation handling when SSL
            #        directives are used in per-directory context.
            #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                            SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                            SSLOptions +StdEnvVars
            </Directory>

            #   SSL Protocol Adjustments:
            #   The safe and default but still SSL/TLS standard compliant shutdown
            #   approach is that mod_ssl sends the close notify alert but doesn't wait for
            #   the close notify alert from client. When you need a different shutdown
            #   approach you can use one of the following variables:
            #   o ssl-unclean-shutdown:
            #        This forces an unclean shutdown when the connection is closed, i.e. no
            #        SSL close notify alert is send or allowed to received.  This violates
            #        the SSL/TLS standard but is needed for some brain-dead browsers. Use
            #        this when you receive I/O errors because of the standard approach where
            #        mod_ssl sends the close notify alert.
            #   o ssl-accurate-shutdown:
            #        This forces an accurate shutdown when the connection is closed, i.e. a
            #        SSL close notify alert is send and mod_ssl waits for the close notify
            #        alert of the client. This is 100% SSL/TLS standard compliant, but in
            #        practice often causes hanging connections with brain-dead browsers. Use
            #        this only for browsers where you know that their SSL implementation
            #        works correctly.
            #   Notice: Most problems of broken clients are also related to the HTTP
            #   keep-alive facility, so you usually additionally want to disable
            #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
            #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
            #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
            #   "force-response-1.0" for this.
            # BrowserMatch "MSIE [2-6]" \
            #               nokeepalive ssl-unclean-shutdown \
            #               downgrade-1.0 force-response-1.0

    </VirtualHost>
    </IfModule>

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

The syntax check is correct, but if I check the site ldacloud.ddns.net it is a self-trusted domain.
I have tried to insert it in ncp.config, but same result.
So something is wrong.
Any advice?
Thanks

In the previous message these lines of the default-ssl.conf file were missing:

            #   SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem (MOD FROM DEFAULT)
            #   SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key (MOD FROM DEFAULT)
            #   MODIFIED 
            ServerName ldacloud.ddns.net
            SSLEngine on
            SSLCertificateFile /home/pi/LDAcert/ldacloud_ddns_net.pem
            SSLCertificateKeyFile /home/pi/LDAcert/ldacloud.ddns.net.key
            SSLCertificateChainFile /home/pi/LDAcert/ldacloud_ddns_net.pem-chain
            #Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

            #   Server Certificate Chain:

SOLVED
The file I have to insert the values in is /etc/apache2/sites-available/nextcloud.conf

THANKS
GAS85

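Before pointing a vhost at the files in /home/pi/LDAcert, it is worth proving that they fit together, because Apache reports only some of these problems at startup and browsers report the rest to visitors. The script below is an added example, not from this thread or from NextcloudPi: the file names follow the listing posted above, ROOT is assumed to be a trust-anchor bundle such as /etc/ssl/certs/ca-certificates.crt, and the commands need OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread or NextcloudPi): sanity-check an issued
# certificate, its private key and the CA chain before Apache is pointed at
# them. Needs OpenSSL 1.1.1+. ROOT is assumed to be a trust-anchor bundle.
set -eu

# pubkey_sha FILE cert|key: digest of the public key carried by a certificate
# or by a private key, so the two can be compared whatever the key type.
pubkey_sha() {
    case "$2" in
        cert) openssl x509 -in "$1" -noout -pubkey ;;
        key)  openssl pkey -in "$1" -pubout 2>/dev/null ;;
    esac | openssl sha256 | sed 's/.*= //'
}

# cert_matches_key CERT KEY: mod_ssl refuses to start ("key values mismatch")
# when the certificate was issued for a different key than the one configured.
cert_matches_key() {
    [ "$(pubkey_sha "$1" cert)" = "$(pubkey_sha "$2" key)" ]
}

# chain_verifies CERT CHAIN ROOT: the leaf must chain through the intermediates
# the CA sent (fed as -untrusted, exactly as a browser receives them) up to a
# self-signed root in ROOT. A missing intermediate is the usual reason a phone
# shows "not secure" while a desktop browser with cached intermediates is happy.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# cert_covers_host CERT HOST: HOST must be listed in the Subject Alternative
# Name; browsers ignore the Common Name, so CN-only certificates still warn.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# cert_not_expiring CERT DAYS: fails once the certificate expires within DAYS.
# A purchased certificate is not renewed automatically; run this from cron.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# key_is_private KEY: Apache reads the key as root at startup, so group and
# other need no access; a world-readable key lets any local user impersonate
# the site.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# check_all CERT KEY CHAIN ROOT HOST: run every check, report each one, and
# fail if any failed. Paths are word-split here, so avoid spaces in them.
check_all() {
    rc=0
    for t in "cert_matches_key $1 $2" "chain_verifies $1 $3 $4" \
             "cert_covers_host $1 $5" "cert_not_expiring $1 30" "key_is_private $2"; do
        if $t; then echo "ok   $t"; else echo "FAIL $t"; rc=1; fi
    done
    return $rc
}
```

For the files posted above: `check_all /home/pi/LDAcert/ldacloud_ddns_net.pem /home/pi/LDAcert/ldacloud.ddns.net.key /home/pi/LDAcert/ldacloud_ddns_net.pem-chain /etc/ssl/certs/ca-certificates.crt ldacloud.ddns.net`. Two points the checks encode: the key under /home/pi should be readable only by root (/etc/ssl/private is the conventional place, and SSLCertificateKeyFile can point there), and since Apache 2.4.8 the intermediates can simply be appended to the SSLCertificateFile instead of using the deprecated SSLCertificateChainFile. The `preload` token in the HSTS header above only matters once the domain is submitted to the browser preload list, which is hard to undo; `max-age` with `includeSubDomains` is enough for a home server. After the restart, `apache2ctl -S` shows which enabled site file actually owns port 443 for ldacloud.ddns.net, which is why the directives had to go into nextcloud.conf rather than default-ssl.conf.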

Usually it works like this:

  1. You keep and edit the config for sites (or modules) under conf-available, sites-available…
  2. Then enable this config via hard link or the commands a2enconf or a2ensite, etc. In the same way you can disable any conf. More commands are:
# Enable
a2enconf <file name>
a2ensite <file name>
a2enmod <file name>
# Disable
a2disconf <file name>
a2dissite <file name>
a2dismod <file name>
  3. Then test the config and at least reload or restart the server:
sudo apachectl configtest && sudo service apache2 reload
# OR
sudo apachectl configtest && sudo service apache2 restart