How to install SSL on NextCloud Jails

codyf51

Dabbler
Joined
Feb 11, 2017
Messages
24
Hello,

How would I go about adding a signed certificate to my NextCloud jail? I created a signing certificate request in FreeNAS and then added the certificate, however I don't even have the option to use this to administer the web GUI. Note I specifically did not create a certificate authority. Was this a mistake? Right now my NC jail has an internally assigned SSL, but this is a pain when I want to share files with others because, well, the certificate is not trusted, so their browser always freaks out.

Help appreciated!
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Manual install or plugin?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
if you are using the plugin you can replace /usr/pbi/nextcloud-amd64/etc/apache24/server.crt and server.key
 

codyf51

Dabbler
Joined
Feb 11, 2017
Messages
24
if you are using the plugin you can replace /usr/pbi/nextcloud-amd64/etc/apache24/server.crt and server.key
Thanks Joshua! It's the plugin. When I mount the location as a share I see it but write to the folder, I have permissions set wide open on the storage and share side. Any Tips? Thanks All!
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
that location is on your jail, where you should not change permissions for.
I personally would use SFTP (which uses SSH), to replace the files.
 

codyf51

Dabbler
Joined
Feb 11, 2017
Messages
24
Thanks for the tips guys. I was able to find the directory and can read over AFP. However I can't write and SFTP/FTP does not show anything in the directory. I tried changing some permissions but nothing. I can't write to anything in /Nextcloud1 jail. FYI on SFTP I was using root, but I also tried a local user.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Thanks for the tips guys. I was able to find the directory and can read over AFP. However I can't write and SFTP/FTP does not show anything in the directory. I tried changing some permissions but nothing. I can't write to anything in /Nextcloud1 jail. FYI on SFTP I was using root, but I also tried a local user.
that cert should exist in that location (in the jail) and permissions would not stop root from writing files there.

can you show the output of this command
'ls -l /usr/pbi/nextcloud-amd64/etc/apache24'
 

codyf51

Dabbler
Joined
Feb 11, 2017
Messages
24
Yeah!

[root@www ~]# ls -l /mnt/TranquilityRAID/jails/nextcloud_1/usr/pbi/nextcloud-amd64/etc/apache24

total 231
drwxr-xr-x 2 root wheel 6 Mar 13 11:28 .AppleDB
drwxr-xr-x 2 root wheel 4 Feb 19 18:03 Includes
drwxr-xr-x 2 root wheel 3 Feb 19 18:03 envvars.d
drwxr-xr-x 2 root wheel 14 Nov 1 08:31 extra
-rw-r--r-- 1 root wheel 19549 Feb 19 18:03 httpd.conf
-rw-r--r-- 1 root wheel 13077 Nov 1 08:30 magic
-rw-r--r-- 1 root wheel 53011 Nov 1 08:30 mime.types
drwxr-xr-x 2 root wheel 3 Nov 1 08:31 modules.d
-rw-r--r-- 1 root wheel 928 Feb 19 18:03 server.crt
-rw-r--r-- 1 root wheel 887 Feb 19 18:03 server.key
-rw-r--r-- 1 root wheel 1041 Feb 19 18:03 server.key.out
[root@www ~]# ccccc
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
what you were saying earlier does not make sense with the output you just showed.

I am certain if I had SSH/SFTP access with the root to your server I could write a file to that directory.
 

codyf51

Dabbler
Joined
Feb 11, 2017
Messages
24
Wow.... I just figured it out. I was looking in the root directory rather than the jail. No wonder files were missing. Can't believe I just did that.
 

codyf51

Dabbler
Joined
Feb 11, 2017
Messages
24
So I made the CRT signing request from the FreeNAS GUI and so I just need to delete the server.crt in mnt/TranquilityRAID/jails/nextcloud_1/usr/pbi/nextcloud-amd64/etc/apache24 and replace it with my cert from the CA?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
a CSR isn't the same as a cert. I believe it still needs to be signed

also you need the server.key
then restart the plugin (which will restart apache)
 

codyf51

Dabbler
Joined
Feb 11, 2017
Messages
24
Sorry I did not clarify. I created a certificate signing request within the FreeNAS Admin GUI. I've used the request code to purchase an SSL certificate from Namecheap. I downloaded the package and there are three files: domain.com.crt, domain.com_ca-bundle, and domain.com.p7b.
To install a certificate I simply should delete the existing certificate.crt and upload these files, right? Sorry for the lack of knowledge, I used to run everything in OS X server. SSL was all GUI.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Apache is expecting the same file naming, you should name the cert server.crt
if that crt was encrypted with a key you need to put that there as server.key

sorry, I'm not familiar with freenas' webui for creating certs... or namecheap

I personally generate my CSR on the command line using some random guide on the internet, making sure to save the key file. I then use startSSL to generate a free cert. I then concatenate startSSL's intermediate cert with my cert using the 'cat' command.
 

q_fleuren

Explorer
Joined
Jun 3, 2015
Messages
57
if you are using the plugin you can replace /usr/pbi/nextcloud-amd64/etc/apache24/server.crt and server.key

Playing around with this and the jail does not start after replacing the server.crt / server.key with my own server.crt / server.key x0
cert & key generated from FN webgui, already used it on multiple Nginx servers :o

Code:
 mv /media/server.key /usr/pbi/nextcloud-amd64/etc/apache24/ 

Code:
 mv /media/server.crt /usr/pbi/nextcloud-amd64/etc/apache24/ 



C270D41
16gb ecc
3x4tb z1
 

q_fleuren

Explorer
Joined
Jun 3, 2015
Messages
57
Playing around with this and the jail does not start after replacing the server.crt / server.key with my own server.crt / server.key x0
cert & key generated from FN webgui, already used it on multiple Nginx servers :eek:

Code:
 mv /media/server.key /usr/pbi/nextcloud-amd64/etc/apache24/ 

Code:
 mv /media/server.crt /usr/pbi/nextcloud-amd64/etc/apache24/ 



C270D41
16gb ecc
3x4tb z1


Seems you need to download both cert and key from the certificate page
if you download cert from Ca's it will not work :rolleyes:
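
Added example, not part of any post in this thread: a POSIX sh helper that checks a CA-issued certificate against the private key before it replaces server.crt and server.key, and appends the CA bundle to the certificate as described earlier in the thread. The function names and the `.new` temporary files are hypothetical; it assumes an unencrypted PEM key and an Apache build that accepts the chain inside the certificate file.

```shell
#!/bin/sh
# Added example (not from the thread). Refuses to install a certificate that
# does not belong to the private key, a mismatch that keeps Apache from starting.

# Public key (PEM) carried by a certificate; empty for a CSR or a .p7b file.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key; empty if the key is
# passphrase-protected, which would also make Apache prompt at startup.
pubkey_of_key() {
    openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null </dev/null
}

# install_cert CERT KEY CA_BUNDLE DESTDIR
# The body is a subshell so umask and variables do not leak into the caller.
install_cert() (
    cert=$1 key=$2 bundle=$3 dest=$4
    c=$(pubkey_of_cert "$cert") || c=
    k=$(pubkey_of_key "$key") || k=
    [ -n "$c" ] || { echo "$cert: not a PEM certificate" >&2; exit 2; }
    [ -n "$k" ] || { echo "$key: unreadable or encrypted key" >&2; exit 3; }
    [ "$c" = "$k" ] || { echo "certificate was not issued for this key" >&2; exit 4; }

    umask 077
    # Leaf certificate first, then the intermediates. The echo guards against
    # a missing trailing newline gluing two PEM blocks together.
    { cat "$cert"; echo; cat "$bundle"; } > "$dest/server.crt.new" || exit 5
    cat "$key" > "$dest/server.key.new" || exit 5
    chmod 644 "$dest/server.crt.new"
    chmod 600 "$dest/server.key.new"   # Apache reads the key as root at startup

    # Swap both files in only after every check has passed.
    mv "$dest/server.key.new" "$dest/server.key" &&
        mv "$dest/server.crt.new" "$dest/server.crt"
)
```

Inside the jail this would be called as `install_cert domain.com.crt server.key domain.com_ca-bundle /usr/pbi/nextcloud-amd64/etc/apache24`, followed by a restart of the plugin. Exit status 4 means the key on hand is not the one the CSR was generated from.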
 

DD4711

Contributor
Joined
Nov 19, 2018
Messages
102
/usr/pbi/nextcloud-amd64/etc/apache24/ seems not to be correct path in current nextcloud plugin (or I can't find it).

Can someone point me to the path for ssl keys and what else to do to set SSL on current Nextcloud 15 plugin jail?

Thanks a lot!
 