add support for client certificates #640
Comments
Wouldn't that be something that should be set globally in the server for requests in general?
Sorry, I have no idea how or why Nextcloud is using requests to itself. We have been using Nextcloud for years and this issue only appeared right after enabling this app. Enabling this 'globally in the server' sounds perfect to me.
Ok, I was confusing something here. Why would Nextcloud need a client certificate to do requests to Collabora? The Collabora server should just be reachable without authentication, since otherwise it will also fail for public share links.
Well, it is confusing, but Nextcloud does make requests to itself. And I really mean to itself, not to a Collabora server instance. Since we have set up the reverse proxy like the docs say and added SSLRequire for a client certificate, when Nextcloud does a request to itself Apache checks for a valid client certificate.
Did you set the requirement for the whole Apache server or just the Nextcloud virtual host? Also, SSLRequire is not related to client certificates; it should be more something like SSLVerifyClient. You could also specify
We use
This is on the VirtualHost serving Nextcloud and Collabora. Please mail me 'wdehoog at exalondelft.nl' so I can give you stuff from our log file.
Can you share your Apache config? This seems to be a setup issue, as the client certificate should not be required for accessing Collabora.
With help from some posts on the Nextcloud forum I am beginning to see how this could indeed be solved by having another setup. The client certificate verification could be done by a proxy used from outside, while Nextcloud accesses itself using a VirtualHost only accessible from the inside. But then I have to mess with more containers than I'd like to, since all components will have to connect to the same DNS name but on another IP address. Still, the easiest way for me is adding a client certificate to the requests Nextcloud is doing on itself. I have pasted one line of our log file that made me think I needed to add a client certificate to the Nextcloud requests: https://pastebin.com/DrFetrqF
Yes, the error shows that connecting to https://office.xxx.xxx/hosting/discovery fails. The proxy should not require a client certificate for your office.xxx domain. There should be no additional containers needed. Just make sure to configure your Apache to only require the cert for the Nextcloud domain.
We only have one address accessible from outside: office.xxx.xxx. Both Nextcloud as well as Collabora reside there. So we do need to have the proxy verify the client certificate. I guess by closing the issue you mean you don't want to add client certificates to Nextcloud's internal requests. Anyway, thanks for looking into it.
Yes, there is no authentication needed for Collabora and we usually try to keep the settings at a minimum in Nextcloud.
You might be able to add an SSLVerifyClient none setting specifically for the lool endpoints, but you need to check out the Apache docs for details about that.
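The suggestion above (require the client certificate only for the Nextcloud paths, not for the Collabora endpoints) can be expressed in a single Apache VirtualHost, which is the situation described in this thread: one public hostname serving both Nextcloud and the reverse proxy to the Collabora container. The configuration below is an added example written for this page; it is not the reporter's config and not part of the richdocuments project. The hostname, certificate paths, the container address 127.0.0.1:9980 and the Collabora path list are assumptions (the path list follows the Collabora reverse-proxy documentation of that time).

```apache
# Added example: client-certificate verification scoped per path, so that
# Nextcloud's own server-side requests to /hosting/discovery (which carry
# no client certificate) succeed while browser access to Nextcloud itself
# still requires one. Hostname, file paths and backend address are assumed.

<VirtualHost *:443>
    ServerName office.example.org

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/office.example.org.pem
    SSLCertificateKeyFile   /etc/ssl/private/office.example.org.key

    # CA that issued the client certificates (assumed path). Needed wherever
    # SSLVerifyClient require is in effect.
    SSLCACertificateFile    /etc/ssl/certs/client-ca.pem

    # Vhost-wide default: do NOT demand a client certificate at the handshake.
    # If this were "require", every connection, including Nextcloud's internal
    # request to /hosting/discovery, would be rejected before any <Location>
    # section is consulted.
    SSLVerifyClient none

    # Nextcloud: require a valid client certificate for everything under /.
    # Later <Location*> sections override this for the Collabora paths.
    DocumentRoot /var/www/nextcloud
    <Location />
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>

    # Collabora reverse proxy to the docker container (assumed 127.0.0.1:9980).
    # The container speaks TLS with its own certificate; on a loopback-only hop
    # peer verification is commonly disabled, as below. If the hop leaves the
    # host, point SSLProxyCACertificateFile at the container's CA instead and
    # drop the three "off"/"none" lines.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    AllowEncodedSlashes NoDecode

    ProxyPass        /loleaflet            https://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet            https://127.0.0.1:9980/loleaflet
    ProxyPass        /hosting/discovery    https://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery    https://127.0.0.1:9980/hosting/discovery
    ProxyPass        /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
    ProxyPassMatch   "/lool/(.*)/ws$"      wss://127.0.0.1:9980/lool/$1/ws nocanon
    ProxyPass        /lool/adminws         wss://127.0.0.1:9980/lool/adminws
    ProxyPass        /lool                 https://127.0.0.1:9980/lool
    ProxyPassReverse /lool                 https://127.0.0.1:9980/lool

    # Collabora endpoints: no client certificate. These are reached both by
    # the browser and by Nextcloud's server-side code, and the thread notes
    # that Collabora needs no authentication at this layer.
    <LocationMatch "^/(hosting/(discovery|capabilities)|loleaflet|lool)(/|$)">
        SSLVerifyClient none
    </LocationMatch>
</VirtualHost>
```

Two things to check after applying this. First, because verification is decided per location rather than at the vhost level, mod_ssl has to renegotiate (TLS 1.2) or use post-handshake authentication (TLS 1.3) after it has read the request line; requests with a body that arrive before the renegotiation are buffered up to SSLRenegBufferSize, so large POSTs to the certificate-protected paths may need that value raised. Second, verify the split from outside: a request to `/index.php/login` without a client certificate must be refused, and a request to `/hosting/discovery` without one must return the discovery XML. Leaving the Collabora paths open does not weaken Nextcloud's access control, since document access is still gated by the WOPI tokens Nextcloud issues, but it is worth confirming the `/lool/adminws` admin console is protected by its own credentials in the container configuration.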
Describe the bug
We have a nextcloud server running together with a reverse proxy (both under the same apache) and a collabora docker instance. All on the same server.
Our server requires client certificates. Sometimes Nextcloud code does an HTTPS request to the server. The request will fail since it does not use the correct client certificate.
Expected behavior
There should be a way to have it use a client certificate when sending requests.
Server details
nextcloud 16.0.3
Ubuntu 18.04.1 LTS
apache 2.4
I added a RequestOption in /var/www/nextcloud/lib/private/Http/Client/Client.php
'cert' => '/var/www/nextcloud/config/cloud-user-all.pem',
and it seems to do the trick. It would be nice to have this as a configurable option.