Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

FreeNAS 11 Nextcloud / Owncloud Letsencrypt SSL/TLS

Western Digital Drives - The Preferred Drives of FreeNAS and TrueNAS CORE

b4bblefish

Junior Member
Joined
Sep 15, 2017
Messages
13
This no longer works as of 11.2 since plugin jails don't allow you to install python packages:
https://www.ixsystems.com/community/threads/pkg-missing-py27-certbot.71967/

Follow this guide instead:
https://www.shogan.co.uk/home-labs/install-and-configure-nextcloud-plugin-on-freenas-with-ssl/ courtesy of EsTaF

This is a guide for setting up FreeNAS 11 using the plugin for nextcloud / owncloud. I used nextcloud, so just replace that with owncloud if you're following this since it should be basically the same.

Disclaimer: I have no idea what I'm doing so feel free to tell me what I did wrong to make this guide better.

ToDo:
  1. Figure out why TLSv1.1 and TLSv1.2 don't work, probably because of an old version of openssl that apache was compiled with
  2. Figure out why plugin jails don't start apache like a normal service and instead spawn a bunch of httpd processes and leave the status of apache24 in an unknown state
Install Plugin
Pick your poison install nextcloud / owncloud plugin from the FreeNAS GUI and then chroot into the jail in my example my storage array is called storage so: chroot /mnt/storage/jails/nextcloud_1

Setup your router's port forwarding
You will need to forward ports 80 and 443 to the ip address of your jail for nextcloud / owncloud instructions vary depending on what router you have. Also setup your domain I'll be using example.com and www.example.com as a domain for the rest of the guide.

SSL certs using letsencrypt and certbot
Code:
pkg install py27-certbot
certbot certonly

Follow the steps in certbot to configure your server and follow the wizard doing the following:
  1. Use the webroot option not standalone since you already have an apache server running available on port 80 may as well not have to shutdown your cloud to renew your certs
  2. Input BOTH example.com and www.example.com as your domains since they are two separate domains
  3. use /usr/pbi/nextcloud-amd64/www/nextcloud as your webroot. You should now have a few certs and key files of letsencrypt located at /usr/local/etc/letsencrypt/live/www.example.com
Setup cron job to check for cert renewal every 12 hours
  1. crontab -e
  2. Add 0 */12 * * * certbot renew to your cron jobs file
Update apache configs to use certs and for hardening
Some apache config work make sure to copy to a .bak file and try stopping / starting the plugin to verify it still works while doing this. I'm in the www camp and not the naked url camp so just swap the www for naked urls if you're a heathen. You should use www if you ever intend to use subdomains or something I don't know http://www.yes-www.org/why-use-www/. If you want to try to debug why the plugin doesn't start run service apache24 onestart and look at the errors.
  1. Forward all http requests to https by adding the following to /usr/pbi/nextcloud-amd64/etc/apache24/httpd.conf
    Code:
    <VirtualHost *:80>
            ServerName example.com
            Redirect permanent / https://www.example.com
    </VirtualHost>
    <VirtualHost *:80>
            ServerName www.example.com
            Redirect permanent / https://www.example.com
    </VirtualHost>
    
  2. Set the following values in /usr/pbi/nextcloud-amd64/etc/apache24/extra/httpd-ssl.conf I actually made symlinks to my certs to change the extensions, but referencing them directly is probably fine. Otherwise do something similar to http://blog.airey.be/owncloud-letsencrypt
    Code:
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem"
    SSLCACertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/chain.pem"
    
    ServerName www.example.com
    
  3. Add the following header stuff before the last </virtualhost> to enforce https
    Code:
    #   Require https
    <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
    
  4. Add a forward to the end from your naked domain to www whatever you pick be consistent
    Code:
    <VirtualHost *:443>
            ServerName example.com
            Redirect / https://www.example.com
    </VirtualHost>
    
Restart your plugin
Congrats your done! All of the url combinations of naked domain vs www and http/https should all forward to the same address. You should now get a C rating on qualys ssllabs because TLSv1.1 and TLSv1.2 don't work https://www.ssllabs.com/ssltest/ but for our purposes I guess that's good enough.

**Bonus** Updating Nextcloud from the webpage
Once you login nextcloud may alert you there's an update and nextcloud has a web update tool which is pretty nice, but will immediately fail the file checks. This is pretty straightforward, but the certbot created a folder called .well-known in your webroot /usr/pbi/nextcloud-amd64/www/nextcloud make sure to move it out of the directory before updating or else the updater will complain about unknown files. Move the directory back when you're done.
 
Last edited:

dureal99d

Member
Joined
Aug 3, 2017
Messages
156
[QUOTE="b4bblefish, post:

Setup your website
You will need to forward ports 80 and 443 to the ip address of your jail for nextcloud / owncloud instructions vary depending on what router you have. Also setup your domain I'll be using example.com and www.example.com as a domain for the rest of the guide.

[/QUOTE]
By setup your website i assume you mean "nextcloud server"

and by domain i assume you mean the ip and or no-ip,dyns handle for which one would access server externally
 

dasis

Neophyte
Joined
Mar 7, 2019
Messages
4
I have to forward ports 80 and 443, but can't login.

Get messager


You are accessing the server from an untrusted domain.
Please contact your administrator. If you are an administrator of this instance, configure the "trusted_domains" setting in config/config.php. An example configuration is provided in config/config.sample.php.
Depending on your configuration, as an administrator you might also be able to use the button below to trust this domain.

Add "example.com" as trusted domain

Try do steps by step bet get error

[root@freenas /mnt/Data/jails/nextcloud_1]# pkg install py27-cerbot
Updating local repository catalogue...
pkg: Repository local load error: access repo file(/var/db/pkg/repo-local.sqlite) failed: No such file or directory
pkg: file:///usr/ports/packages/meta.txz: No such file or directory
repository local has no meta file, using default settings
pkg: file:///usr/ports/packages/packagesite.txz: No such file or directory
Unable to update repository local
Error updating repositories!
 

EsTaF

Member
Joined
Sep 20, 2013
Messages
130
jexec 10 /bin/csh
10 - is number of my nextcloud jail
root@nextcloud:~ # pkg update
root@nextcloud:~ # pkg search certbot
root@nextcloud:~ #
nothing.
 

EsTaF

Member
Joined
Sep 20, 2013
Messages
130
Yes, it don't.
Had bought a paid ssl cert for FreeNAS jail' one.
 
Top