Trying to get ssl working

Hello. I recently followed this guide to install nextcloud on my raspberry pi 3, running Raspbian 8. It seems to have installed fine. I’ve since been trying to get ssl working based on this guide, but there’s no nextcloud file in the conf-enabled folder. I’m a bit stuck. Can anyone tell me how to get ssl working? Thanks.

You can follow this guide: Full nextcloud installation guide for nginx and PI3

This file was installed when you used the packet manager with owncloud. Nextcloud doesn’t have it but you can add this manually:
https://docs.nextcloud.com/server/9/admin_manual/installation/source_installation.html#apache-web-server-configuration

Either put this in a conf-enabled/owncloud.conf or within your ssl-vhost (normally in sites-available/ or sites-enabled/-folder -> default-ssl.conf).

Thanks for this. I now get a 404 not found notice when I visit the nextcloud page from my browser. This is a lot harder than I thought :sob:

You need to solve one error after the other…

404 could be missing permissions on the file system or in the apache-config (=denied by server configuration). Your logfile should tell you which one it is.

Okay. By logfile do you mean the error.log file? When I run sudo tail -100 /var/log/apache2/error.log.1 I get:

[Sun Aug 14 06:25:05.057509 2016] [ssl:warn] [pid 13831] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.1t  3 May 2016, version currently loaded is OpenSSL 1.0.1k 8 Jan 2015) - may result in undefined or erroneous behavior
[Sun Aug 14 06:25:05.058476 2016] [mpm_prefork:notice] [pid 13831] AH00163: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1k configured -- resuming normal operations
[Sun Aug 14 06:25:05.058518 2016] [core:notice] [pid 13831] AH00094: Command line: '/usr/sbin/apache2'
[Mon Aug 15 22:10:27.870220 2016] [mpm_prefork:notice] [pid 13831] AH00169: caught SIGTERM, shutting down

There are no errors. You are sure there is no /var/log/error.log? error.log.1 is often the old rotated logfile from the previous day.

Ah sorry, yes there is an error.log file.

[Thu Aug 18 06:25:05.059669 2016] [ssl:warn] [pid 14457] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.1t  3 May 2016, version currently loaded is OpenSSL 1.0.1k 8 Jan 2015) - may result in undefined or erroneous behavior
[Thu Aug 18 06:25:05.061614 2016] [ssl:warn] [pid 14457] AH01906: bogus_host_without_reverse_dns:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Aug 18 06:25:05.061678 2016] [ssl:warn] [pid 14457] AH01909: bogus_host_without_reverse_dns:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 18 06:25:05.062250 2016] [mpm_prefork:notice] [pid 14457] AH00163: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1k configured -- resuming normal operations
[Thu Aug 18 06:25:05.062275 2016] [core:notice] [pid 14457] AH00094: Command line: '/usr/sbin/apache2'

And your access.log?

If you want to use a public certificate and avoid any browser errors, the certificate common-name should match your host name.

This doesn’t sound good. Did you compile stuff yourself or use external sources? This normally shouldn’t happen if you use the official repositories of Raspbian.

I have a fork of the official VM, still in beta https://github.com/ezraholm50/NextBerry
https://cloud.waaromzomoeilijk.nl/index.php/s/OPKV9vvY1hsYRQe <- Image

Sets everything up without you having to do anything but look at the screen and answer questions.
Only need to fine tune external HD as root. Other than that it works like a charm.

From those errors I would almost think it is an incorrect configuration in regards to SSL. Could you post the virtual host config of apache?

No, I don’t think so. I followed the guide linked in my first post, which didn’t require me to compile anything.

Hi, sorry, how do I do this from terminal?

That is strange because error 404 shouldn’t be unnoticed. Are you logging to a different destination (haven’t seen anything in the tutorials you linked)?

Are some partitions full (check with df -h) or do you have other problems on the system?

Normally you should be able to print (cat) the config file. Example:

cat /etc/apache2/sites-enabled/default

It depends how your config file is called, it could be different than ‘default’.

Also the output you gave of the log file:

::1 - - [18/Aug/2016:06:52:28 +0000] "GET /nextcloud HTTP/1.1" 301 522 "-" "curl/7.38.0"

States it was a redirect it was given (code 301). Why would it redirect, and to where?

Nope, not logging in from different location. I think it worked fine before I started messing around with ssl.

Checked the partitions. I moved nextcloud to the external hd (as per first tutorial), which shows as:

/dev/sda1 1.8T 69M 1.7T 1% /disk

I will post the nextcloud.conf I created, which is when I started getting problems.

Okay, I found a file called 000-default.conf in the sites-enabled folder:

cat /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Also, there is a nextcloud.conf in sites-enabled too:

cat /etc/apache2/sites-enabled/nextcloud.conf

#Listen 443
#uncomment and change the above only for other ports
 
 <VirtualHost 192.168.1.277:80>
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
 
<VirtualHost 192.168.1.277:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/nextcloud.pem
SSLCertificateKeyFile /etc/apache2/ssl/nextcloud.key
DocumentRoot /disk/nextcloud
 
Alias /nextcloud "/disk/nextcloud/"

<Directory /disk/nextcloud>
  Options +FollowSymlinks
  AllowOverride All

 <IfModule mod_dav.c>
  Dav off
 </IfModule>

 SetEnv HOME /disk/nextcloud
 SetEnv HTTP_HOME /disk/nextcloud

 Satisfy Any

</Directory>
 
<Directory "/disk/nextcloud/data/">
  # just in case if .htaccess gets disabled
  Require all denied
</Directory>
</VirtualHost>

Does this have anything to do with where nextcloud installed? I know the data is in external hd which is /disk/nextcloud/data.

OK, looking at the nextcloud.conf file it looks like you have set HTTP (port 80) to redirect to HTTPS (port 443), that is good practice and no issues there.
Then I can see that you have the DocumentRoot already pointing to the nextcloud folder, and then an Alias to convert /nextcloud to /disk/nextcloud. This should not be needed since you already have your virtualhost directly set to the folder of NC.
Next thing I see is that you have the certificate set and the key. Question I have is, are there no intermediate certificates required?

Still a bit unclear why it is doing a redirect. Below is my Apache2 config, it has the nextcloud folder as DocumentRoot, and also an intermediate/CA certificate is set (shown as Comodo-PositiveSSL). Try to use this config, and change the following:

  • ServerName

  • Certificates (all that are applicable)

  • DocumentRoot

  • Directory

  • SetEnv (both)

    <Virtualhost *:443>
    CustomLog /var/log/apache2/access_241-43_nextcloud.log combined
    ErrorLog /var/log/apache2/error_241-43_nextcloud.log

          ServerName <cloud domain name>
    
          SSLEngine on
          SSLProtocol all -SSLv2 -SSLv3
          SSLHonorCipherOrder on
          SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4  !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    
          SSLCertificateFile    /etc/apache2/ssl/<certificate>.crt
          SSLCertificateKeyFile /etc/apache2/ssl/<certificate>.key
          SSLCACertificateFile  /etc/apache2/ssl/COMODO-PositiveSSL-bundle.crt
    
          DocumentRoot /var/www/nextcloud
    
          <Directory /var/www/nextcloud/>
            Options +FollowSymlinks
            AllowOverride All
            <IfModule mod_dav.c>
              Dav off
            </IfModule>
            SetEnv HOME /var/www/nextcloud
            SetEnv HTTP_HOME /var/www/nextcloud
          </Directory>
    
          Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </Virtualhost>

Also in the NC config.php file check if the following settings are in there, and if they reflect the correct values:

  'overwritehost' => '<cloud domain name>',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^192\\.168\\.7\\.241$',

[quote=“StephanW, post:18, topic:2281, full:true”]
Next thing I see is that you have the certificate set and the key. Question I have is, are there no intermediate certificates required? [/quote]

I did this per 2nd tutorial:

  1. Create self signed ssl certificate. Fill the info as you wish. I’ve made the certificate valid for 10 years (3650 days).

# openssl req -new -x509 -days 3650 -nodes -out /etc/apache2/ssl/owncloud.pem -keyout /etc/apache2/ssl/owncloud.key

(I changed owncloud to nextcloud.)

  1. How do I find my server name? There isn’t one in my current nextcloud.config file.
  2. My DocumentRoot and Directory seem to be the same. Is that right? I have the nextcloud data folder in /disk, but another location, /var/www/html/nextcloud, has other nextcloud files in it. Should both locations appear somewhere in my config file?
  3. Also relates to the above. Your SetEnv point to /var/www/nextcloud. I have this directory too, should I change it from /disk/nextcloud?

Also in the NC config.php file check if the following settings are in there, and if they reflect the correct values:

  'overwritehost' => '<cloud domain name>',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^192\\.168\\.7\\.241$',

I don’t see these entries in my nextcloud config.php:

cat /var/www/html/nextcloud/config/config.php
<?php
$CONFIG = array (
  'trusted_domains' => 
  array (
    0 => '192.168.1.277',
  ),
  'datadirectory' => '/disk/nextcloud/data',
  'overwrite.cli.url' => 'http://192.168.1.277/nextcloud',
  'dbtype' => 'sqlite3',
  'version' => '9.0.53.0',
  'logtimezone' => 'UTC',
  'installed' => true,
);

OK since you don’t use real domain names and use self-signed certificates you don’t have those additional lines I mentioned.

So to summarize it, if I have this correct about the information you gave me:

  1. /var/www/nextcloud is where NC application is installed. This is where the apache config should direct to.
  2. /disk/nextcloud is where you store your actual data, this needs to be set in the config.php file.

I hope this helps you further to sort your problem out.
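
An added example, not part of any post in this thread: the AH01906 and AH01909 warnings in the error.log above are what Apache logs when the certificate carries CA:TRUE (which `openssl req -x509` produces with the stock openssl.cnf) and names no identity matching the server name. The script below generates a self-signed leaf certificate with CA:FALSE and a subjectAltName through a config file, which also works on OpenSSL 1.0.1, and then checks the result. The host name `cloud.example.lan`, the helper names and the 365-day lifetime are assumptions made for the example.

```shell
#!/bin/sh
# Added example; names and values are constructed, not taken from the thread.

# san_entry NAME -> "IP:NAME" for a dotted-quad IPv4 address, else "DNS:NAME".
# Browsers match an IP in the URL only against an IP-type SAN entry.
san_entry() {
    if printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        printf 'IP:%s' "$1"
    else
        printf 'DNS:%s' "$1"
    fi
}

# make_leaf_cert NAME OUTDIR: write OUTDIR/nextcloud.key and OUTDIR/nextcloud.pem.
make_leaf_cert() {
    name=$1 dir=$2
    cat > "$dir/leaf.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_leaf

[dn]
CN = $name

[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $(san_entry "$name")
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$dir/leaf.cnf" \
        -keyout "$dir/nextcloud.key" -out "$dir/nextcloud.pem" 2>/dev/null
    chmod 600 "$dir/nextcloud.key"   # private key readable by owner only
}

# cert_ok NAME PEM: succeeds only if PEM is a non-CA certificate that names NAME.
cert_ok() {
    text=$(openssl x509 -in "$2" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    case $(san_entry "$1") in
        IP:*)  printf '%s\n' "$text" | grep -Fq "IP Address:$1" ;;
        DNS:*) printf '%s\n' "$text" | grep -Fq "DNS:$1" ;;
    esac
}

demo_dir=$(mktemp -d)
make_leaf_cert cloud.example.lan "$demo_dir" \
    && cert_ok cloud.example.lan "$demo_dir/nextcloud.pem" \
    && echo "leaf certificate OK: $demo_dir/nextcloud.pem"
```

For Apache to stop logging AH01909, the name passed to `make_leaf_cert` has to be the same one set as `ServerName` in the `:443` virtual host.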