WebAuthn & 2fA not working

SETUP:

Nextcloud 22.2.3 via docker on QNAP TS-453D NAS.

PROBLEM:

I would like to use Webauthn or at least U2F. But Nextcloud is telling me “Your browser does not support WebAuthn.” Which is not true, since I am using it on other sites, both with Firefox and Brave.

So I tried installing the “Two-Factor U2F” App. But I can’t add my Yubikey 5 NFC - there is no Firefox prompt asking for it. However, Nextcloud is telling me “You are accessing this site via an insecure connection. Browsers might therefore refuse the U2F authentication.” This is indeed correct, I have not configured any kind of secure connection, since Nextcloud is not exposed to the Internet. Is this the problem?

No https?

Can you add your yubikey under security settings?

Hi @nexthund

If the message explicitly mentions that U2F might not work without HTTPS, it could be that it is indeed so… :wink: And if you think that you don’t need HTTPS because you only use your Nextcloud in your local network, you probably don’t need 2FA either.

In your case, I think HTTPS and a reasonably secure password would make more sense than unencrypted HTTP and 2FA. If you don’t want to register a domain name, you can also use self-signed certificates. The security warnings should not be a problem as long as you only use Nextcloud locally and therefore don’t share any links with third parties… Of course, it is more elegant to use a registered domain name with signed certificates, even for purely local services. And with free wildcard certificates, you can even achieve this without making the names of each individual service public.
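An added example, not code from the thread or from Nextcloud, showing why the warning quoted above applies: browsers expose WebAuthn's PublicKeyCredential interface only on a secure context, and this Node.js function reproduces the "potentially trustworthy origin" rules they use for that decision (the sample origins are constructed).

```javascript
// Added example, not code from the thread or from Nextcloud: a Node.js
// implementation of the W3C "potentially trustworthy origin" rules that
// browsers apply before exposing [SecureContext] APIs such as WebAuthn's
// PublicKeyCredential. A Nextcloud reached over plain http on a LAN address
// fails this test, so the browser hides the API and Nextcloud reports
// "Your browser does not support WebAuthn".
const LOOPBACK_V4 = /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;

function isPotentiallyTrustworthyOrigin(urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  // Encrypted transports qualify regardless of host name.
  if (scheme === "https" || scheme === "wss") return true;
  // Local files qualify as well.
  if (scheme === "file") return true;
  // Over plain http only loopback hosts qualify; the WHATWG URL parser keeps
  // the brackets on IPv6 literals, so strip them before comparing.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "::1" || LOOPBACK_V4.test(host)) return true;
  // Everything else (LAN IP, NAS host name, .local name) is an insecure context.
  return false;
}

// Map an origin to the WebAuthn behaviour the user will observe.
function webauthnAvailability(urlString) {
  return isPotentiallyTrustworthyOrigin(urlString)
    ? "available"    // PublicKeyCredential exposed, key registration prompts appear
    : "unavailable"; // API absent; serve Nextcloud over https first
}

// Constructed sample origins for the situation in this thread.
const SAMPLE_ORIGINS = [
  "http://192.168.1.50:8080",  // Nextcloud in Docker on the NAS, plain http
  "https://cloud.example.tld", // after adding a reverse proxy with a certificate
  "http://localhost:8080",     // same container, but reached on the NAS itself
];

for (const origin of SAMPLE_ORIGINS) {
  console.log(origin, "->", webauthnAvailability(origin));
}
```

In a real browser the same decision is visible as `window.isSecureContext`, and `typeof PublicKeyCredential` is `"undefined"` whenever it is false.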

Unfortunately, I can’t add a Yubikey under security settings.

Yes indeed, no https. I read somewhere that it would be a lot of hassle to configure https, and since I’m just using it locally, I ignored the topic so far. I would, of course, prefer having https. Is it really that difficult to configure?

Thanks for the quick response, @bb77 and sorry about the late reply. Busy days…

Indeed https might be the culprit. :smiley:

I would very much like having https. I have spent the past month or two feeling my way into the world of Nextcloud (and also the world of docker), to see if it could replace some other services I’m using. In the beginning, I ignored https, since I read somewhere that it’s a pain to set up - and since my setup is not exposed to the Internet. But now I’m starting to like Nextcloud and https would be a great addition. How much effort is it to set up? Do I need a reverse proxy and what not?

I must admit I do not follow the last part of your response regarding wildcard certificates. Could you elaborate a little?

All certificates issued by Let’s Encrypt are transparently logged and this information can be viewed by anyone. This information includes the common name of a certificate, which reveals the domain name or subdomain of a service. This means that the subdomains can be used to draw conclusions about the services you host, even if you do not make these services accessible from the Internet. A wildcard certificate on the other hand is issued per domain name and not per subdomain (*.yourdomain.tld) and can be used for as many subdomains as you want. E.g. cloud.yourdomain.etc, otherservice.yourdomain.tld etc… When using a wildcard certificate, only your domain name gets logged, not each individual subdomain.

That helps a lot, thank you.

I do have a few domains - some of them I use, some I don’t. For my local Nextcloud, should I use one that I am already using for an actual website or should I rather use a domain that’s unused so far?

I have never set up a certificate before. Do I need a reverse proxy and such things to get this to work?

Would you happen to have a link for a good tutorial?

That is completely up to you. I’m not a big fan of “security by obscurity” and don’t consider the knowledge of the mere existence of a service and its name as a security risk per se. The bigger advantage of wildcard certs for me is clearly that it allows me to use signed certificates for my internal services in a relatively simple way.

I have a personal domain (my last name) that I only use for my “official” email and a second domain for my various selfhosted services, such as Nextcloud. The things that I only access locally, I run under nameofservice.local.mydomain.tld, for which I have set up a wildcard certificate (*.local.mydomain.tld) on my pfSense box. I then use HAProxy, also on pfSense, to access the various services from my local network. For my Nextcloud and a few other public facing services, I use cloud.mydomain.tld, otherservice.mydomain.tld etc… without wildcard, HAProxy or anything. I issue the certs with certbot directly on my Nextcloud server. It’s a manual installation on Ubuntu with Apache in a VM.


If you are running docker(-compose), letsencrypt https with traefik reverse proxy can be set up in a couple of minutes… take a look at compose files I published here

there are a lot of comprehensive and detailed tutorials but from this post you can pull all the settings you need to set up traefik and as many nextcloud instances as you want (I recommend you to have at least two - one for work and one for testing)… just set up port forwarding 80/443 to your traefik container and you are done!


Good point about having two instances! I’ll set that up before upgrading Nextcloud, whenever that becomes necessary.

Just wanted to leave a quick follow up to my original issue. Yes, it seems like the lack of an https connection was the reason I could not add WebAuthn. I’ve set that up now using Nginx Proxy Manager, Cloudflare, and a Let’s Encrypt wildcard certificate. After installing the “Two-Factor Webauthn” App from the Nextcloud store, I could finally add my YubiKeys.

The whole thing has been a bit of a ride. But I like the result. Thank you to all responders in this thread.
