Transit data secure encryption to remote mariadb

When i run,

mysql -u nextcloud -p -hremoteDB --ssl-cert client-cert.pem --ssl-key client-key.pem --s sl-ca ca.pem -e 'status'

remote mariadb shows status and everything looks ok.

How do i tell nextcloud where to find the certificates and how exactly do i setup the connection to the remote mariadb server?

Nextcloud version
Operating system and version Ubuntu 20.04:
Apache2 2.4.41:
PHP version 7.4:
mariadb 15.1 (10.5.8):

1 Like

Figured the first part out, forgot to configure and add the certificates into the /etc/mysql/mariadb.conf.d/50-client.cnf file.

When i entered the DB data into the browser fields and click finish setup i do see

[Warning] Access denied for user 'nextcloud'@'nextcloud.lxd' (using password: YES)

Manual login with same credentials works (see first post).

So far i also tried to modify the config.php file,

'instanceid' => 'hidden',
  'passwordsalt' => 'hidden',
  'secret' => 'secret',
  'trusted_domains' =>
  array (
    0 => '',
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '',
  'overwrite.cli.url' => '',
  'dbname' => 'nextcloud',
  'dbuser' => 'nextcloud',
  'dbpassword' => ('hidden'),
  'dbhost' => '',
  'dbport' => '3306',
  'dbtableprefix' => 'oc_',

but the Data from config.php file do not show up when refreshing browser installer page, should they be showing up?

I am wondering if nextcloud can do a secure db connection, actually I doubt that,
so I recommend to use a VPN Tunnel to secure the link.

That would be terrible.
The whole setup is running on lxc containers and i thought using transit encryption and at rest encryption on mariadb-server would not hurt. Was fun figuring it out so far.

It’s been a while since i did vpn tunneling., and in case nextcloud cannot handle TLSv1.3 transit data encryption, what kind of tunnel would be best practice? Normal vpn setup, wireguard or something else?

i am seeing now parts of the DB fields filled out except the password field which remains empty and even if i enter the DB password manually and try to finish, nextcloud reports error.

SQLSTATE[HY000] [1045] Access denied for user 'nextcloud'@'nextcloud.lxd'

and mariad-server shows,

[Warning] Access denied for user 'nextcloud'@'nextcloud.lxd' (using password: YES)

Maybe it is all just a config error in mariadb client.

I do wonder what this is for in config.php, not much about it in the Manual,

'openssl' => [
        'config' => '/absolute/location/of/openssl.cnf',

maybe just for email?

I am using LXD, but i think you can add kernel modules to the container in LXC too, so adding the TUN/TAP device should be possible?

or you can put the connection into a encrypted stunnel4 if your db traffic is not that much.

Thanks for the comment, didnt had much time lately to look into this problem. I really wish though to find a way to get nextcloud to connect to the remote DB with TLS.
I can reach the remote DB just fine with the nextcloud User.

mysql  Ver 15.1 Distrib 10.5.8-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Connection id:          89
Current database:
Current user:           nextcloud@nextcloud.lxd
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.5.8-MariaDB-1:10.5.8+maria~focal binary distribution
Protocol version:       10
Connection:    via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:               3306
Uptime:                 5 days 19 min 50 sec

Threads: 3  Questions: 162  Slow queries: 0  Opens: 116  Open tables: 110  Queries per second avg: 0.000

I do not know anything about how nexcloud connects to the db, if “mysql -unextcloud” is being run or how it connects and maybe it doesnt know where to find the certs?

Is something as simple as described here not in Nextcloud?
A simple option for TLS/SSL and another if certificate verification is wanted doesnt seem that much.

you can try if you can use a proxy like this
or another one you can connect locally unencrypted and the proxy software forwards it encrypted.

Wouldn’t the data be unencrypted on the proxy?

yes, thats why it should be running on the same host as the nextcloud and the nextcloud need to connect to to the proxy

If i understand you right then the proxy would handle the encryption to the mariaDB remote Server.

Though, i found this hidden gem but i cant get it to work,

'dbdriveroptions' => array(
        PDO::MYSQL_ATTR_SSL_CA => '/file/path/to/ca_cert.pem',

and also tried with,

'dbdriveroptions' => array(
    PDO::MYSQL_ATTR_SSL_KEY => 'path/to/client_private_key',
    PDO::MYSQL_ATTR_SSL_CERT => 'path/to/client_cert',
    PDO::MYSQL_ATTR_SSL_CA => 'path/to/server_ca_cert',

This indicates to me, with my zero knowledge of php/mysqli that there is a way and nextcloud should be able to handle it but so far access is denied by mariaDB.

Sorry. No real idea. But perhaps you can use local ssh port forwarding and no-TLS.

Ok. You need not all of them:

Thanks devnull for the support, i’ll do some other work and come back to this later, hopefully my understanding of the settings in config.php have grown till then. Nextcloud documentation also seems vague to me.