How to enable-https with a tailscale cert? #2684

Closed
rik-shaw opened this issue Feb 16, 2024 · 7 comments
Comments

@rik-shaw

rik-shaw commented Feb 16, 2024

Describe the bug

I would like to use Nextcloud exposed to the world only via a Tailscale network and a Tailscale cert, but am unable to understand how to enable it.

To Reproduce

Steps to reproduce the behavior:

  • Reference: https://tailscale.com/kb/1153/enabling-https
  • Short summary: The cert for the Tailscale client is obtained using the tailscale cert myname.ts.net command. This creates local cert.pem and key.pem files and registers myname.ts.net with Let's Encrypt.
  • In attempting to use the nextcloud.enable-https custom command, I can enter the first 2 parameters for the .crt and .key files, but I don't have a chain.pem file for the 3rd parameter. This may be a Tailscale issue, but it seems that it may just be a lack of understanding on my part?

OS/snapd/snap version

Ubuntu 22.04

$ snap list nextcloud 
Name       Version      Rev    Tracking       Publisher   Notes
nextcloud  27.1.6snap1  40228  latest/stable  nextcloud✓  -

$ snap version
snap    2.61.1
snapd   2.61.1
series  16
ubuntu  22.04
kernel  6.5.0-18-generic

Logs

Here is the output I am receiving when attempting to use the FQDN as the chain, which obviously doesn't work:

$ sudo nextcloud.enable-https custom cert.pem key.pem myname.ts.net
Installing custom certificate... done
Restarting apache... error
Certificates have been activated: using HTTPS only
Certificates appear self-signed: disabling HSTS
HTTP compression is disabled
notify_push reverse proxy is disabled
AH00526: Syntax error on line 103 of /snap/nextcloud/40228/conf/ssl.conf:
SSLCertificateChainFile: file '/var/snap/nextcloud/40228/certs/live/chain.pem' does not exist or is empty

Thank you for any advice.

@kyrofa
Member

kyrofa commented Feb 16, 2024

It may be that tailscale is only giving you the fullchain cert. Open up your .crt file. Do you see multiple "BEGIN CERTIFICATE"/"END CERTIFICATE" lines indicating that your cert is actually several certs?

@rik-shaw
Author

> It may be that tailscale is only giving you the fullchain cert. Open up your .crt file. Do you see multiple "BEGIN CERTIFICATE"/"END CERTIFICATE" lines indicating that your cert is actually several certs?

Thank you so much for a quick reply. As you may guess, I am not very well versed in how all this happens. But, YES, in the cert.pem file there are 2 blocks of BEGIN and END CERTIFICATE entries. So does that imply that what I have is the chain, and I should simply repeat its use as the 3rd parameter like this:

sudo nextcloud.enable-https custom cert.pem key.pem cert.pem

I will attempt that and report back.

@kyrofa
Member

kyrofa commented Feb 16, 2024

Not quite: the chain doesn't generally include the final cert, but that's beside the point. Yes, give that a shot. We really should support not supplying a chain file; that's deprecated in Apache nowadays anyway, because it now supports chained certs like you have.

@rik-shaw
Author

rik-shaw commented Feb 16, 2024

YES, I think that works! I did need to duplicate the file, since it still complained there was no chain.pem. Here is the simple explanation:

$ sudo cp cert.pem chain.pem
$ sudo nextcloud.enable-https custom cert.pem key.pem chain.pem 
Installing custom certificate... done
Restarting apache... done

And I can now access Nextcloud from a browser this way, with no complaint about not being HTTPS, etc.:

https://myname.ts.net/

I will link to this issue for others that have been having the same issues. Thank you for the suggestion.

@rik-shaw
Author

Closing, thanks again!

@kyrofa
Member

kyrofa commented Feb 16, 2024

Excellent. Okay, while it's true that this issue is unrelated to the other one, I'll share the same word of caution. Let's Encrypt certificates are designed to be automatically renewed. Operating under that assumption means they can make their certs valid for very short timespans: 90 days. By manually loading those certs into Nextcloud, you're signing yourself up for manually loading new certs every 90 days or so, or they will expire.

@rik-shaw
Author

> Excellent. Okay, while it's true that this issue is unrelated to the other one, I'll share the same word of caution. Let's Encrypt certificates are designed to be automatically renewed. Operating under that assumption means they can make their certs valid for very short timespans: 90 days. By manually loading those certs into Nextcloud, you're signing yourself up for manually loading new certs every 90 days or so, or they will expire.

Yes, understood. I will have to see how much pain this is; not sure if I can whip up a simple script with cron to take care of renewal? I see Tailscale referencing "caddy", which can run on the server as well to manage this, but I am a bit out of my league (I am sure you will understand more than me :-) ): https://tailscale.com/kb/1190/caddy-certificates
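An added example, not code from the Nextcloud snap project or from Tailscale: a POSIX shell script that covers both points raised in this thread. It splits the bundle written by tailscale cert (leaf certificate followed by the issuing intermediate) into the separate cert.pem and chain.pem files that nextcloud.enable-https custom expects, following the convention kyrofa describes where the chain file does not contain the final cert, and it wraps fetch, split and install into one function that a weekly root cron job can call so the 90-day Let's Encrypt lifetime is never hit by hand. The tailscale cert flags --cert-file and --key-file are real; the script name, cron schedule, working directory and the presence of openssl on the host are assumptions.

```shell
#!/bin/sh
# Added example (not from the Nextcloud snap or Tailscale). `tailscale cert`
# writes one PEM file holding the leaf certificate followed by the issuing
# intermediate. nextcloud.enable-https custom wants cert, key and chain as
# three files, so split the bundle instead of copying it to chain.pem.
set -eu

# split_fullchain BUNDLE LEAF_OUT CHAIN_OUT
# First certificate block -> LEAF_OUT, every following block -> CHAIN_OUT.
# Text before the first BEGIN line is dropped. Returns non-zero when the
# bundle holds fewer than two certificates, so a caller under `set -e`
# stops before installing a cert/chain pair that Apache would reject.
split_fullchain() {
    bundle=$1
    leaf_out=$2
    chain_out=$3
    : > "$leaf_out"
    : > "$chain_out"
    awk -v leaf="$leaf_out" -v chain="$chain_out" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf; next }
        n >= 2 { print > chain }
    ' "$bundle"
    [ -s "$leaf_out" ] && [ -s "$chain_out" ]
}

# cert_count FILE: number of PEM certificate blocks in FILE (0 if none).
# This is the "how many BEGIN CERTIFICATE lines" check from the thread.
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# renew_tailscale_cert HOSTNAME WORKDIR
# Fetch the certificate for HOSTNAME from tailscaled, split it and hand the
# three files to the Nextcloud snap. Assumes `tailscale` and
# `nextcloud.enable-https` are on PATH and the script runs as root; WORKDIR
# is an assumed location (e.g. /var/snap/nextcloud/common/ts-cert).
# This function is not exercised by the offline test.
renew_tailscale_cert() {
    host=$1
    workdir=$2
    mkdir -p "$workdir"
    (
        cd "$workdir"
        tailscale cert --cert-file fullchain.pem --key-file key.pem "$host"
        chmod 600 key.pem
        split_fullchain fullchain.pem cert.pem chain.pem
        # Log subject and expiry of what is about to be installed (assumes openssl).
        openssl x509 -noout -subject -enddate -in cert.pem
        nextcloud.enable-https custom cert.pem key.pem chain.pem
    )
}

# Weekly root cron entry (assumed script path and schedule); weekly is well
# inside the 90-day certificate lifetime:
#   0 3 * * 0 /usr/local/sbin/nextcloud-ts-cert.sh renew myname.ts.net /var/snap/nextcloud/common/ts-cert
if [ "${1:-}" = "renew" ] && [ $# -eq 3 ]; then
    renew_tailscale_cert "$2" "$3"
fi
```

Splitting rather than duplicating keeps cert.pem to the single leaf, so tools that read only the first block (and the snap's own "appear self-signed" heuristic, whatever it inspects) see exactly the end-entity certificate, while chain.pem carries only the intermediate that SSLCertificateChainFile was designed for.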
