nextcloud.enable-https custom parameters #1254

Closed
jubeormk1 opened this issue Feb 18, 2020 · 7 comments

@jubeormk1

Hi,
I have a running snap of Nextcloud 16.0.8 on a fresh Ubuntu Server 18.04 with a self-signed HTTPS certificate. I want to move to a custom certificate, and I am finding the `custom` help confusing.

Using openssl I have generated the certificate (cert.csr and .pem), a private key (key.pem) and a public key to use in the davfs2 connection.

When getting help from the command I get your information:

# nextcloud.enable-https custom -h
Usage:
    nextcloud.enable-https custom [-h -s] <cert> <key> <chain>

    Use certificates generated by other means. Note that
    the files provided to this command must be readable
    by the snap, which means they must contained in one
    of four directory trees:
      - /var/snap/nextcloud/current
      - /var/snap/nextcloud/common
      - /root/snap/nextcloud/18885
      - /root/snap/nextcloud/common

    Also note that this command will create copies of the
    files provided; if this command completes
    successfully, they can be safely removed.

    -h: Display this help message.
    -s: Enable HTTP Strict Transport Security (HSTS)
        (default is off-- leave off if self-signed).

I am new to openssl as you can probably tell, but the parameter list `nextcloud.enable-https custom [-h -s]` does not specify what a chain file is, and I cannot find an explanation. I assume that all the files in this parameter list are .pem, but I have no confirmation of that.

Could you give some insight into what the parameters are and the correct file type?

I should probably also open a ticket for the manual, because I put myself in this situation after being unable to find the file "mycertificate.pem" mentioned in Creating WebDAV mounts on the Linux command line: Known Issues.

I have tried to find it, without success:

# find /snap/nextcloud/ pem | grep mycertificate.pem

If I look for all the files containing "pem", I don't see any clear candidate for the certificate used for HTTPS:

find /snap/nextcloud/ pem | grep .pem

I hope you find this issue interesting and that it can perhaps bring some more explanation to both the help command and that particular point of the manual.

@kyrofa
Member

kyrofa commented Mar 28, 2020

> Using openssl I have generated the certificate (cert.csr and .pem), a private key (key.pem) and a public key

So are these still self-signed? If so, mind if I ask why you want to use them instead of the one the snap can generate for you?

Regardless, the "chain" is a file that allows you to specify all the CA certificates that form the certification chain of your cert. If your cert is self-signed, just re-use your own cert, e.g.:

$ nextcloud.enable-https custom cert.pem key.pem cert.pem

@gutow

gutow commented Jul 28, 2021

> $ nextcloud.enable-https custom cert.pem key.pem cert.pem

  1. This currently does not seem to work (snap nextcloud 21.0.3snap1 28403).
  2. Symptoms are no connection after the Apache server restart (either doing it manually or through nextcloud.enable-https custom...).
  3. Reversion to the inbuilt nextcloud.enable-https self-signed does work, but leaves one with the 30-day certificate that the snap creates. I would like to generate longer-lived self-signed certificates for use in an isolated network.

Any ideas on how to make this work? I believe there is an inconsistency between documentation and actual functionality.

@kyrofa
Member

kyrofa commented Jul 28, 2021

> but leaves one with the 30 day certificate that the snap creates

That's true, but it re-creates it periodically.

@gutow

gutow commented Jul 28, 2021

> That's true, but it re-creates it periodically.

And thus the problem. My users do not appreciate the random requests to trust the new certificates. Also, under macOS (some of my users) the calendar will not just allow the user to trust the certificates. You have to manually copy them to each computer's certificate store and tell the OS that you trust them. This quickly gets to be a nuisance. As we are an isolated network, just using the tools for encrypted communications to discourage nosiness, we would like to use much longer-lived certificates. The part that works as documented does not really meet our needs.

@gutow

gutow commented Aug 1, 2021

I found the stumbling point. The command works to replace the default self-signed certificate with my own, but only if I set the creator information for my self-signed cert exactly as is done internally. The certificate and private key must be created with the following command:

openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -days 1825 -out cert.pem -subj "/O=Nextcloud"

Yes, I want the certificate to last 5 years (I change it more often).

So I assume the issue is what the settings are when Nextcloud is operating, as I have it, without an FQDN. If it had one, I would, of course, use Let's Encrypt.

Maybe this info will help someone, or could be added to the instructions somewhere. The issue reflects lots of moving parts that must all be synchronized.

An alternative, which I believe would make the snap more useful: accept a user adjustable regeneration interval for the self-signed certificate.

@github-actions

github-actions bot commented Oct 7, 2021

This issue is stale because it has been without activity for 60 days. It will be closed after 7 more days of inactivity.

@Pajkastare

> I found the stumbling point. The command works to replace the default self-signed certificate with my own, but only if I set the creator information for my self-signed cert exactly as is done internally. The certificate and private key must be created with the following command:
>
> openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -days 1825 -out cert.pem -subj "/O=Nextcloud"
>
> Yes, I want the certificate to last 5 years (I change it more often).

Found this after googling some related Nextcloud self-signed cert issues, and can add (yes, I see that this issue is closed) that in the latest snap (20.0.4), the self-signed certs work with the command listed above.

But if you try to get iPhone users to install certs with a 5-year lifespan, it will not work, due to the 825-day limit in recent iOS versions. It will work, however, if you create a self-signed root CA cert, install that on the users' devices, and use the CA cert to sign new Nextcloud certs periodically.
