SSL on nextcloud

niviidan · December 16, 2019, 6:42pm

Hello,
I configure nextcloud and everything work fine.
i can log my cloud from the IP and the “*****” domain
After i try to get ssl enable, my subdomain link wont work (cloud.cbtgroup.ml).

nividan@nivsrvubu:~$ service apache2 status

● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Mon 2019-12-16 19:32:55 UTC; 2min 34s ago
Process: 4593 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
Process: 4574 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)

Dec 16 19:32:55 nivsrvubu systemd[1]: Starting The Apache HTTP Server…
Dec 16 19:32:55 nivsrvubu apachectl[4574]: httpd (pid 4514) already running
Dec 16 19:32:55 nivsrvubu systemd[1]: Started The Apache HTTP Server.

my config file:

<?php
$CONFIG = array (
  'instanceid' => '*************',
  'passwordsalt' => '*************',
  'secret' => '*************',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    2 => '***',
    3 => '***',
    4 => '**.**.***.***(IP)',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '17.0.1.1',
  'overwrite.cli.url' => 'https://**.**.***.***(IP)',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '**********',
  'dbpassword' => '*********',
  'installed' => true,
  'maintenance' => false,
  'mail_from_address' => 'yes',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => '**********',
  'mail_smtphost' => 'out.bezeqint.net',
  'mail_smtpport' => '25',
  'mail_smtpauth' => '1',
  'mail_smtpname' => '**********',
  'mail_smtppassword' => '**********',
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
    0 => 'admin',
    1 => 'Users',
  ),
);

sites-enabled/nextcloud-le-ssl.conf:

DocumentRoot /var/www/html/nextcloud/ ServerName nextcloud
    <Directory /var/www/html/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
            <IfModule mod_dav.c>
                Dav off
            </IfModule>
            SetEnv HOME /var/www/html/nextcloud
            SetEnv HTTP_HOME /var/www/html/nextcloud
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerAlias ****
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/****/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/*/privkey.pem

<VirtualHost :80>
ServerAdmin nextcloud@
DocumentRoot /var/www/html/nextcloud/
ServerName nextcloud
ServerAlias ******
 <Directory /var/www/html/nextcloud/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
 </Directory>

 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on

Some rewrite rules in this file were disabled on your HTTPS site,

because they have the potential to create redirection loops.

RewriteCond %{SERVER_NAME} =****

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

sites-enabled/nextcloud.conf:

<VirtualHost *:80>
 ServerAdmin nextcloud@***
 DocumentRoot /var/www/html/nextcloud/
 ServerName nextcloud
 ServerAlias ******

 <Directory /var/www/html/nextcloud/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
 </Directory>

 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined


RewriteEngine on
RewriteCond %{SERVER_NAME} =c*****
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

If any one can help me and find config error?
everything working fine untill I try to HTTPS my nas

eehmke · December 17, 2019, 11:03am

You need a separate

<VirtualHost :443>

for https. There you include your keys.

niviidan · December 17, 2019, 2:40pm

should i put in in the “sites-enabled/nextcloud.conf” file? after the “<VirtualHost *:80>”

Reiner_Nippes · December 17, 2019, 4:26pm

this line isn’t necessary.

no. (that is to say yes you could. but) it should be at the head of sites-enabled/nextcloud-le-ssl.conf instead.

could you post this file here again. quoted correct with three ``` at the top and end?

btw: which how to did you follow?

eehmke · December 17, 2019, 6:54pm

What Rainer said is right but it is ok to have several VirtualHost declarations in one file. They must not be separated for http (port 80) and https (port 443). It’s a matter of taste.

More important, the actual files should be in sites-available. Then you enable them by command a2enssite. This creates a symbolic link in sites-enabled.

niviidan · December 17, 2019, 11:11pm

This is my file:
nextcloud-le-ssl.conf

@nivsrvubu:~$ sudo nano /etc/apache2/sites-enabled/nextcloud-le-ssl.conf
   <IfModule mod_ssl.c>
    <VirtualHost *:443>
        DocumentRoot /var/www/html/nextcloud/
        ServerName ***


        <Directory /var/www/html/nextcloud/>
            Options +FollowSymlinks
            AllowOverride All
            Require all granted
                <IfModule mod_dav.c>
                    Dav off
                </IfModule>
                SetEnv HOME /var/www/html/nextcloud
                SetEnv HTTP_HOME /var/www/html/nextcloud
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerAlias ***
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/*****/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/****/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
Module mod_ssl.c>
    <VirtualHost *:80>
     ServerAdmin nextcloud@***
     DocumentRoot /var/www/html/nextcloud/
     ServerName ***

     <Directory /var/www/html/nextcloud/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined


RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =***
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>
</IfModule>

I use the guide:

Ubuntu Server 18.04 Administration Guide Part 08 - Setting up SSL/TLS with Let’s Encrypt

eehmke · December 17, 2019, 11:23pm

Seems to work (I checked your login site). Next you might want to redirect the http site to the https site.

Also you might want to edit your post, not to share your URL to the world. You might get spam or floods of login attempts. Set up a strong password, even better activate two-factor authentication.

niviidan · December 17, 2019, 11:29pm

Ty for the help and the tip,
Can you help me with a guide to “redirect the http site to the https site.”, i tryid to do it but it didn’t work for me

eehmke · December 17, 2019, 11:42pm

Just replace your *80 VirtualHost by this:

<VirtualHost *:80>
    ServerName "your server name"
    ServerAdmin "your email address"

    Redirect permanent / https://"your server name"/

</VirtualHost>

Replace “your server name” including the quotes with your actual server name.
Maybe you have to enable the alias module.
sudo a2enmod alias
Restart apache2.

niviidan · December 17, 2019, 11:50pm

I did it as you say (I alredy tryid this way)
I get the massage:
“ERR_TOO_MANY_REDIRECTS”
when i try to go in now.

nextcloud-le-ssl.conf file:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        DocumentRoot /var/www/html/nextcloud/
        ServerName ******


        <Directory /var/www/html/nextcloud/>
            Options +FollowSymlinks
            AllowOverride All
            Require all granted
                <IfModule mod_dav.c>
                    Dav off
                </IfModule>
                SetEnv HOME /var/www/html/nextcloud
                SetEnv HTTP_HOME /var/www/html/nextcloud
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerAlias *******
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/*******/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/******/privkey.pem
</VirtualHost>
</IfModule>
<VirtualHost *:80>
    ServerName ******
    ServerAdmin ******

    Redirect permanent / https://******

</VirtualHost>

And again ty for the help

niviidan · December 18, 2019, 12:08am

I remove the “Redirect permanent / h”
to get the site back to work, now it is going to https but it is on " Apache2 Ubuntu Default Page" and not my nextcloud

eehmke · December 18, 2019, 12:08am

Are there other config files enabled in /etc/apache2/sites-enabled ? There should be only symlinks to files in /etc/apache2/sites-available, and the two you mentioned here should be the only ones.

And try to clean up your config file. The IfModule declarations should not be outside of the VirtualHost declarations.

eehmke · December 18, 2019, 12:14am

See my other answer. Disable the default page by command

sudo a2dissite “config file of default site”

Did you check the content of the sites-enabled folder? Are there only symlinks? One of the first posts in this thread suggested otherwise, that’s why I stick to this point.

sudo ls -l /etc/apache2/sites-enabled

What does this show?

niviidan · December 18, 2019, 12:14am

nividan@nivsrvubu:~$ sudo a2dissite
Your choices are: nextcloud-le-ssl nextcloud
Which site(s) do you want to disable (wildcards ok)?

This is the only 2 i got enabled

niviidan · December 18, 2019, 12:14am

nividan@nivsrvubu:~$ sudo ls -l /etc/apache2/sites-enabled
total 4
lrwxrwxrwx 1 root root 33 Dec 18 00:10 nextcloud.conf → …/sites-available/nextcloud.conf
lrwxrwxrwx 1 root root 50 Dec 14 17:04 nextcloud-le-ssl.conf → /etc/apache2/sites-available/nextcloud-le-ssl.conf
-rw-r–r-- 1 root root 1597 Dec 16 22:14 nextcloud-le-ssl.conf.save

eehmke · December 18, 2019, 12:20am

Remove the file nextcloud-le-ssl.conf.save

Check the contents of
/etc/apache2/sites-available/nextcloud.conf
/etc/apache2/sites-available/nextcloud-le-ssl.conf

Are there duplicates? When I read your other post right, both the *80 and the *443 VirtualHost are in nextcloud-le-ssl.conf. Then you can disable the nextcloud.conf by

sudo a2dissite nextcloud

Must get some sleep now. Good luck.

niviidan · December 18, 2019, 12:38am

First of all good night,

For the enabled now it's only le-ssl:
nivsrvubu:~$ sudo ls -l /etc/apache2/sites-enabled
total 0
lrwxrwxrwx 1 root root 50 Dec 14 17:04 nextcloud-le-ssl.conf -> /etc/apache2/sites-available/nextcloud-le-ssl.conf

I still getting “ERR_TOO_MANY_REDIRECTS”
and still:
“I remove the “Redirect permanent / h”
to get the site back to work, now it is going to https but it is on " Apache2 Ubuntu Default Page” and not my nextcloud"

gas85 · December 18, 2019, 9:25am

Check this out, I think you do not need to put Virtual Host for port 443 into module, but turn on SSL via SSLEngine on:

Also there you can find tutorial how to setup better TLS, or get A+ on SSLlabs, especially Lests encrypt config include is not optimal: Include /etc/letsencrypt/options-ssl-apache.conf, there you have a lot of things that basically are not needed.

niviidan · December 19, 2019, 8:34am

Ty fo the command, i have change my nextcloud-le-ssl.conf to the one you link in the commant.
I’m still stuck on the same problem, I get the massage “ERR_TOO_MANY_REDIRECTS”, if i comment out the per redirect # Redirect permanent / https://"host"/ i’m directed to https://“host” but to the “Apache2 Ubuntu Default Page” insted on my cloud

<VirtualHost "IP":80>

ServerName nextcloud
ServerAdmin "admin@host"

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Redirect permanent / https://"host"/

</VirtualHost>

<VirtualHost "IP":443>

ServerName nextcloud
ServerAdmin "admin@host"

DocumentRoot /var/www/html/nextcloud/

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/"host"/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/"host"privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/"host"chain.pem
	
<FilesMatch "\.(cgi|shtml|phtml|php)$">
	SSLOptions +StdEnvVars
</FilesMatch>

<Directory /usr/lib/cgi-bin>
	SSLOptions +StdEnvVars
</Directory>
    
<Directory /var/www/html/nextcloud/>
	Options +FollowSymlinks
	AllowOverride All

	<IfModule mod_dav.c>
		Dav off
	</IfModule>

	SetEnv HOME /var/www/html/nextcloud
	SetEnv HTTP_HOME /var/www/html/nextcloud
</Directory>

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
Header always set Referrer-Policy no-referrer
ErrorDocument 403 "Hmmmm... Looks it is not here xD:)"

</VirtualHost>

gas85 · December 19, 2019, 10:47am

Lets start from the scratch:

What do you have in a sites-enabled folder? Please post output from:

ls -la /etc/apache2/sites-enabled/

if nextcloud-le-ssl.confis not there, you have to enable it by command

sudo a2ensite nextcloud-le-ssl.conf

and then reload the server as in point 3.

Did you check that host and nextcloud from the lines below are the same? E.g. mydomain.com?

Redirect permanent / https://mydomain.com/

and

ServerName mydomain.com

Did you restart your apache2 after change the settings?
You can test your config before to restart the server if you have any error there by command:

apachectl configtest

Then reload the config by, e.g.:

sudo service apache2 reload

P.S. Are you using NAS? Then please check how to restart apache there.