Trying to get ssl working

komred · August 11, 2016, 11:37pm

Hello. I recently followed this guide to install nextcloud on my raspberry pi 3, running rasbian 8. It seems to have installed fine. I’ve since been trying to get ssl working based on this guide, but there’s no nextcloud file in the conf-enabled folder. I’m a bit stuck. Can anyone tell me how to get ssl working? Thanks.

riegerCLOUD · August 12, 2016, 4:33am

You can follow this guide: Full nextcloud installation guide
for nginx and PI3

tflidd · August 12, 2016, 4:47pm

This file was installed when you used the packet manager with owncloud. Nextcloud doesn’t have it but you can add this manually:
https://docs.nextcloud.com/server/9/admin_manual/installation/source_installation.html#apache-web-server-configuration

Either put this in a conf-enabled/owncloud.conf or within your ssl-vhost (normally in sites-available/ or sites-enabled/-folder → default-ssl.conf).

komred · August 17, 2016, 3:30pm

Thanks for this. I now get a 404 not found notice when I visit the nextcloud page from my browser. This is a lot harder than I thought

tflidd · August 17, 2016, 3:40pm

You need to solve one error after the other…

404 could be missing permissions on the file system or in the apache-config (=denied by server configuration). Your logfile should tell you which one it is.

komred · August 17, 2016, 9:34pm

Okay. By logfile do you mean the error.log file? When I run sudo tail -100 /var/log/apache2/error.log.1 I get:

[Sun Aug 14 06:25:05.057509 2016] [ssl:warn] [pid 13831] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.1t  3 May 2016, version currently loaded is OpenSSL 1.0.1k 8 Jan 2015) - may result in undefined or erroneous behavior
[Sun Aug 14 06:25:05.058476 2016] [mpm_prefork:notice] [pid 13831] AH00163: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1k configured -- resuming normal operations
[Sun Aug 14 06:25:05.058518 2016] [core:notice] [pid 13831] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 22:10:27.870220 2016] [mpm_prefork:notice] [pid 13831] AH00169: caught SIGTERM, shutting down

tflidd · August 17, 2016, 10:18pm

There are no errors. You are sure there is no /var/log/error.log? error.log.1 is often the old rotated logfile from the previous day.

komred · August 18, 2016, 6:51am

Ah sorry, yes there is an error.log file.

[Thu Aug 18 06:25:05.059669 2016] [ssl:warn] [pid 14457] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.1t  3 May 2016, version currently loaded is OpenSSL 1.0.1k 8 Jan 2015) - may result in undefined or erroneous behavior
[Thu Aug 18 06:25:05.061614 2016] [ssl:warn] [pid 14457] AH01906: bogus_host_without_reverse_dns:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Aug 18 06:25:05.061678 2016] [ssl:warn] [pid 14457] AH01909: bogus_host_without_reverse_dns:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 18 06:25:05.062250 2016] [mpm_prefork:notice] [pid 14457] AH00163: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1k configured -- resuming normal operations
[Thu Aug 18 06:25:05.062275 2016] [core:notice] [pid 14457] AH00094: Command line: '/usr/sbin/apache2'

tflidd · August 18, 2016, 7:52am

And your access.log?

If you want to use a public certificate and avoid any browser errors, the certificate common-name should match your host name.

This doesn’t sound good. Did you compile stuff yourself or use external sources, this normally shouldn’t happen if you use the official repositories of raspbian.

ezraholm50 · August 18, 2016, 10:04am

I have a fork of the official VM, still in beta https://github.com/ezraholm50/NextBerry
https://cloud.waaromzomoeilijk.nl/index.php/s/OPKV9vvY1hsYRQe <- Image

Sets everything up without you having to do anything but look at the screen and answer questions.
Only need to fine tune external HD as root. Other then that it works like a charm.

X4LD1M0 · August 18, 2016, 10:11am

From those errors I would almost think it is an incorrect configuration in regards to SSL. Could you post the virtual host config of apache?

komred · August 18, 2016, 8:42pm

No, I don’t think so. I followed the guide linked in my first post, which didn’t require me to compile anything.

komred · August 18, 2016, 8:44pm

Hi, sorry, how do I do this from terminal?

tflidd · August 18, 2016, 9:26pm

That is strange because error 404 shouldn’t be unnoticed. Are you logging to a different destination (haven’t seen anything in the tutorials you linked)?

Are some partitions full (check with df -h) or do you have other problems on the system?

X4LD1M0 · August 18, 2016, 9:36pm

Normally you should be able to print (cat) the config file. Example:

cat /etc/apache2/site-enable/default

It depends how your config file is called, it could be different than ‘default’

Also the output you gave of the log file:

::1 - - [18/Aug/2016:06:52:28 +0000] "GET /nextcloud HTTP/1.1" 301 522 "-" "curl/7.38.0"

States it was a redirect it was given (code 301). Why would it redirect, and to where.

komred · August 18, 2016, 10:44pm

Nope, not logging in from different location. I think it worked fine before I started messing around with ssl.

Checked the partitions. I moved nextcloud to the external hd (as per first tutorial), which shows as:

/dev/sda1 1.8T 69M 1.7T 1% /disk

I will post the nextcloud.conf I created, which is when I started getting problems.

komred · August 18, 2016, 10:47pm

Okay, I found a file called 000-default.conf in the sites-enabled folder:

cat /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Also, there is a nextcloud.conf in sites-enable too:

cat /etc/apache2/sites-enabled/nextcloud.conf

#Listen 443
#uncomment and change the above only for other ports
 
 <VirtualHost 192.168.1.277:80>
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
 
<VirtualHost 192.168.1.277:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/nextcloud.pem
SSLCertificateKeyFile /etc/apache2/ssl/nextcloud.key
DocumentRoot /disk/nextcloud
 
Alias /nextcloud "/disk/nextcloud/"

<Directory /disk/nextcloud>
  Options +FollowSymlinks
  AllowOverride All

 <IfModule mod_dav.c>
  Dav off
 </IfModule>

 SetEnv HOME /disk/nextcloud
 SetEnv HTTP_HOME /disk/nextcloud

 Satisfy Any

</Directory>
 
<Directory "/disk/nextcloud/data/">
  # just in case if .htaccess gets disabled
  Require all denied
</Directory>
</VirtualHost>

Does this have anything to do with where nextcloud installed? I know the data is in external hd which is /disk/nextcloud/data.

X4LD1M0 · August 19, 2016, 7:52am

OK looking at the nextcloud.conf file it looks you have set HTTP (port 80) to redirect to HTTPS (port 443), that is good practice and no issues there.
The I can see that you have the DocumentRoot already pointing to the nextcloud folder, and then an Alias to convert /nextcloud to /disk/nextcloud. This should not be needed since you already have your virtualhost directly set to the folder of NC.
Next thing I see is that you have the certificate set and the key. Question I have is, are there no intermediate certificates required?

Still bit unclear why it is doing a redirect. Below is my Apache2 config, it has the nextcloud folder as DocumentRoot, and also a intermediate/CA certifcate is set (shown as Comodo-PositiveSSL). Try to use this config, and change the following:

ServerName
Certifcates (all that are applicable)
DocumentRoot
Directory

SetEnv (both)

<Virtualhost *:443>
CustomLog /var/log/apache2/access_241-43_nextcloud.log combined
ErrorLog /var/log/apache2/error_241-43_nextcloud.log

      ServerName <cloud domain name>

      SSLEngine on
      SSLProtocol all -SSLv2 -SSLv3
      SSLHonorCipherOrder on
      SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4  !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

      SSLCertificateFile    /etc/apache2/ssl/<certificate>.crt
      SSLCertificateKeyFile /etc/apache2/ssl/<certificate>.key
      SSLCACertificateFile  /etc/apache2/ssl/COMODO-PositiveSSL-bundle.crt

      DocumentRoot /var/www/nextcloud

      <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All
        <IfModule mod_dav.c>
          Dav off
        </IfModule>
        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
      </Directory>

      Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

Also in the NC config.php file check if the following settings are in there, and if they reflect the correct values:

  'overwritehost' => '<cloud domain name>',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^192\\.168\\.7\\.241$',

komred · August 19, 2016, 3:40pm

[quote=“X4LD1M0, post:18, topic:2281, full:true”]
Next thing I see is that you have the certificate set and the key. Question I have is, are there no intermediate certificates required? [/quote]

I did this per 2nd tutorial:

Create self signed ssl certificate. Fill the info as you wish. I’ve made the certificate valid for 10 years (3650 days).

# openssl req -new -x509 -days 3650 -nodes -out /etc/apache2/ssl/owncloud.pem -keyout /etc/apache2/ssl/owncloud.key

(I changed owncloud to nextcloud.)

How do I find my server name? There isn’t one in my current nextcloud.config file.
My DocumentRoot and Directory seem to be the same. Is that right? I have the nextcloud data folder in /disk, but another location, /var/www/html/nextcloud, has other nextcloud files in it. Should both locations appear somewhere in my config file?
Also relates to the above. Your SetEnv point to /var/www/nextcloud. I have this directory too, should I change it from /disk/nextcloud?

Also in the NC config.php file check if the following settings are in there, and if they reflect the correct values:

  'overwritehost' => '<cloud domain name>',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^192\\.168\\.7\\.241$',

I don’t see these entries in my nextcloud config.php:

cat /var/www/html/nextcloud/config/config.php
<?php
$CONFIG = array (
  'trusted_domains' => 
  array (
    0 => '192.168.1.277',
  ),
  'datadirectory' => '/disk/nextcloud/data',
  'overwrite.cli.url' => 'http://192.168.1.277/nextcloud',
  'dbtype' => 'sqlite3',
  'version' => '9.0.53.0',
  'logtimezone' => 'UTC',
  'installed' => true,
);

X4LD1M0 · August 19, 2016, 6:43pm

komred:

I did this per 2nd tutorial:[/quote]

That explains why there is no intermediate certificate. So ignore that bit. I am always used to using trusted CA certificates since my servers are also accessible on the internet.

How do I find my server name? There isn’t one in my current nextcloud.config file.

This is more if you have multiple web-servers on the same machine. You then can identify them separately so each FQDN (servername) knows what to display.

[quote]My DocumentRoot and Directory seem to be the same. Is that right? I have the nextcloud data folder in /disk, but another location, /var/www/html/nextcloud, has other nextcloud files in it. Should both locations appear somewhere in my config file?
Also relates to the above. Your SetEnv point to /var/www/nextcloud. I have this directory too, should I change it from /disk/nextcloud?[/quote]
The DocumentRoot, Directory, Setenv should be set to the source of NC, which is (if doing default install) in /var/www/nextcloud. I assume your data is located on /disk/nextcloud.
You need to remember that those are 2 different locations, where the first (/var/www/nextcloud) is where the application itself is stored and which the web-server (Apache) goes to, to display on your browser. The second (/disk/nextcloud) will be where the NC application will store its data, which is what has to be configured in config.php.

[quote]I don’t see these entries in my nextcloud config.php:

cat /var/www/html/nextcloud/config/config.php
<?php
$CONFIG = array (
‘trusted_domains’ =>
array (
0 => ‘192.168.1.277’,
),
‘datadirectory’ => ‘/disk/nextcloud/data’,
‘overwrite.cli.url’ => ‘http://192.168.1.277/nextcloud’,
‘dbtype’ => ‘sqlite3’,
‘version’ => ‘9.0.53.0’,
‘logtimezone’ => ‘UTC’,
‘installed’ => true,
);

OK since you don’t use real domain names and use self-signed certificates you don’t have those additional lines I mentioned.

So to summaries it, if I have this correct about the information you gave me:

/var/www/nextcloud is where NC application is installed. This is where the apache config should direct to.
/disk/nextcloud is where you store you actual data, this needs to be set in the config.php file.

I hope this helps you further to sort you problem out.