Actual behaviour
- When testing a server address before logon, I get a warning about failed SSL initialization
Expected behaviour
- Expected to accept connection
Steps to reproduce
- Configure the server with a Let's Encrypt certificate using secp384r1 as the public key algorithm
- Configure nginx with the following ssl options:
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
- Check the Android app.
Environment data
Android version: 7.0
Device model: Asus ZenFone3 — Beta Tester
Stock or customized system: Official Asus Beta Tester
Nextcloud app version: Latest Nightly and Latest Play Store
Nextcloud server version: 11.0.2 Stable
Logs
adb logcat | grep GetRemoteStatusOperation
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: Connection check at https://<server>: SSL exception
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: javax.net.ssl.SSLHandshakeException: Handshake failed
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.verifyPeerIdentity(AdvancedSslSocketFactory.java:248)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.createSocket(AdvancedSslSocketFactory.java:185)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:222)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:192)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.owncloud.android.lib.resources.status.GetRemoteStatusOperation.tryConnection(GetRemoteStatusOperation.java:87)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.owncloud.android.lib.resources.status.GetRemoteStatusOperation.run(GetRemoteStatusOperation.java:192)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:136)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.owncloud.android.operations.GetServerInfoOperation.run(GetServerInfoOperation.java:81)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:136)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.owncloud.android.services.OperationsService$ServiceHandler.nextOperation(OperationsService.java:482)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.owncloud.android.services.OperationsService$ServiceHandler.handleMessage(OperationsService.java:418)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at android.os.Handler.dispatchMessage(Handler.java:102)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at android.os.Looper.loop(Looper.java:159)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at android.os.HandlerThread.run(HandlerThread.java:61)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x7f666fd340: Failure in SSL library, usually a protocol error
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x7f666189e0:0x00000001)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x7f76ceaf76:0x00000000)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
03-03 17:51:18.861 6198 6238 E GetRemoteStatusOperation: ... 20 more
testssl.sh on server
[leonardo@pruuu testssl.sh]$ ./testssl.sh --wide https://<FQDN>
###########################################################
testssl.sh 2.9dev from https://testssl.sh/dev/
(27aa257 2017-02-28 15:42:28 -- )
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
on pruuu:$PWD/bin/openssl.Linux.x86_64
(built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")
Start 2017-03-03 18:04:33 -->> 192.168.196.20:443 (<FQDN>) <<--
rDNS (192.168.196.20): --
Service detected: HTTP
Testing protocols via sockets except SPDY+HTTP2
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
SPDY/NPN h2, http/1.1 (advertised)
HTTP2/ALPN h2, http/1.1 (offered)
Testing ~standard cipher lists
Null Ciphers not offered (OK)
Anonymous NULL Ciphers not offered (OK)
Anonymous DH Ciphers not offered (OK)
40 Bit encryption not offered (OK)
56 Bit export ciphers not offered (OK)
Export Ciphers (general) not offered (OK)
Low (<=64 Bit) not offered (OK)
DES Ciphers not offered (OK)
"Medium" grade encryption not offered (OK)
Triple DES Ciphers not offered (OK)
High grade encryption offered (OK)
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
PFS is offered (OK), ciphers follow (client/browser support is important here)
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Elliptic curves offered: prime256v1 secp384r1 secp521r1 brainpoolP384r1 brainpoolP512r1
Testing server preferences
Has server cipher order? yes (OK)
Negotiated protocol TLSv1.2
Negotiated cipher ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Cipher order
TLSv1.2: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
h2: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
http/1.1: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
Testing server defaults (Server Hello)
TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "heartbeat/#15" "server name/#0"
"next protocol/#13172" "application layer protocol negotiation/#16"
Session Tickets RFC 5077 (none)
SSL Session ID support yes
TLS clock skew random values, no fingerprinting possible
Signature Algorithm SHA256 with RSA
Server key size ECDSA 384 bits
Fingerprint / Serial SHA1 E7B2175F930130C627396DECAC6CEED607A1BBFC / 035991A57F1159615464ACA8A03128487999
SHA256 AF546B253736AA91E29B366E557FE0C777EF5688A2004E3B6B8E53C29360529F
Common Name (CN) <FQDN>
subjectAltName (SAN) <FQDN>
Issuer Let's Encrypt Authority X3 (Let's Encrypt from US)
Trust (hostname) Ok via SAN and CN (works w/o SNI)
Chain of trust Ok
EV cert (experimental) no
Certificate Expiration 89 >= 30 days (2017-03-03 15:54 --> 2017-06-01 15:54 -0300)
# of certificates provided 2
Certificate Revocation List --
OCSP URI http://ocsp.int-x3.letsencrypt.org/
OCSP must staple No
OCSP stapling --
DNS CAA RR (experimental) --
Testing HTTP header response @ "/"
HTTP Status Code 302 Found, redirecting to "https://<FQDN>/login"
HTTP clock skew 0 sec from localtime
Strict Transport Security 182 days=15768000 s, includeSubDomains, preload
Public Key Pinning --
Server banner nginx/1.11.10
Application banner --
Cookie(s) 1 issued: 3/1 secure, 4/1 HttpOnly -- maybe better try target URL of 30x
Security headers X-Frame-Options SAMEORIGIN
X-XSS-Protection 1; mode=block
X-Content-Type-Options nosniff
Content-Security-Policy; media-src *; connect-src *
Reverse Proxy banner --
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK)
CCS (CVE-2014-0224) not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible, TLS 1.2 is the only protocol (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this port (OK)
no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
BEAST (CVE-2011-3389) no SSL3 or TLS1 (OK)
LUCKY13 (CVE-2013-0169) not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Running browser simulations via sockets (experimental)
Android 2.3.7 No connection
Android 4.0.4 No connection
Android 4.1.1 No connection
Android 4.2.2 No connection
Android 4.3 No connection
Android 4.4.2 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Android 5.0.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Baidu Jan 2015 No connection
BingPreview Jan 2015 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Chrome 47 / OSX TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Firefox 31.3.0ESR / Win7 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
Firefox 42 OS X TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
GoogleBot Feb 2015 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
IE 6 XP No connection
IE 7 Vista No connection
IE 8 XP No connection
IE 8-10 Win 7 No connection
IE 11 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
IE 11 Win 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
IE 10 Win Phone 8.0 No connection
IE 11 Win Phone 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
IE 11 Win Phone 8.1 Update TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
IE 11 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Edge 13 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Edge 13 Win Phone 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Java 6u45 No connection
Java 7u25 No connection
Java 8u31 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
OpenSSL 0.9.8y No connection
OpenSSL 1.0.1l TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Safari 5.1.9 OS X 10.6.8 No connection
Safari 6 iOS 6.0.1 No connection
Safari 6.0.4 OS X 10.8.4 No connection
Safari 7 iOS 7.1 No connection
Safari 7 OS X 10.9 No connection
Safari 8 iOS 8.4 No connection
Safari 8 OS X 10.10 No connection
Safari 9 iOS 9 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Safari 9 OS X 10.11 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Apple ATS 9 iOS 9 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
Done 2017-03-03 18:05:40 -->> 192.168.196.20:443 (<FQDN>) <<--
[leonardo@pruuu testssl.sh]$
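The two BoringSSL errors in the logcat output, SSLV3_ALERT_HANDSHAKE_FAILURE and HANDSHAKE_FAILURE_ON_CLIENT_HELLO, mean the server answered the app's ClientHello with a handshake_failure alert: nothing the client offered could be used with this configuration. The issue does not record which cipher suites and curves the app's AdvancedSslSocketFactory offers, so the root cause is not established on the page; what can be shown is the set of rules nginx applies to a ClientHello under exactly these settings. The following is an added example (not code from Nextcloud, nginx or the issue author) that models those rules for the ssl_ciphers list and the curves testssl.sh reported. The client profiles in it are constructed, not captured from the app.

```python
"""Model of TLS 1.2 cipher-suite selection for the nginx setup in this issue.

Added example; not code from Nextcloud, nginx or the issue author. It applies
the rules a TLS 1.2 server checks when it answers a ClientHello:
  * a suite must be offered by both sides (server order wins with
    ssl_prefer_server_ciphers on);
  * the suite's authentication method must match the certificate's key
    (ECDHE-ECDSA needs an ECDSA certificate, ECDHE-RSA an RSA one);
  * an ECDHE suite needs at least one elliptic curve both sides support.
If any rule leaves nothing, the server answers with a handshake_failure alert,
which is what the logcat output shows as HANDSHAKE_FAILURE_ON_CLIENT_HELLO.
The client profiles below are constructed, not what the Android app sends.
"""
from typing import Optional, Sequence, Tuple

# ssl_ciphers from the issue (OpenSSL names), in the configured order.
SERVER_CIPHERS: Tuple[str, ...] = (
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
)
# Curves testssl.sh reported as offered by the server.
SERVER_CURVES: Tuple[str, ...] = (
    "prime256v1", "secp384r1", "secp521r1", "brainpoolP384r1", "brainpoolP512r1",
)
# The Let's Encrypt certificate in the issue has a secp384r1 key, i.e. ECDSA.
SERVER_CERT_KEY = "ECDSA"


def auth_of(suite: str) -> str:
    """Certificate key type a suite needs, read from the OpenSSL name ECDHE-<auth>-..."""
    parts = suite.split("-")
    if len(parts) >= 2 and parts[0] == "ECDHE" and parts[1] in ("ECDSA", "RSA"):
        return parts[1]
    raise ValueError(f"only ECDHE-ECDSA/ECDHE-RSA names are modelled: {suite}")


def usable_suites(server_ciphers: Sequence[str], cert_key_type: str) -> Tuple[str, ...]:
    """Configured suites the server can complete a handshake with, given its certificate key.

    With an ECDSA-only certificate the ECDHE-RSA entries are dead configuration,
    which is why testssl.sh lists only ECDHE-ECDSA suites for this server.
    """
    return tuple(s for s in server_ciphers if auth_of(s) == cert_key_type)


def negotiate(client_ciphers: Sequence[str], client_curves: Sequence[str],
              server_ciphers: Sequence[str] = SERVER_CIPHERS,
              cert_key_type: str = SERVER_CERT_KEY,
              server_curves: Sequence[str] = SERVER_CURVES,
              prefer_server: bool = True) -> Optional[Tuple[str, str]]:
    """Return (suite, curve) the server would choose, or None for a handshake_failure alert.

    Curve choice is simplified to the first common curve in server order.
    """
    common_curves = [c for c in server_curves if c in client_curves]
    if not common_curves:
        return None
    candidates = usable_suites(server_ciphers, cert_key_type)
    ordered, other = (candidates, client_ciphers) if prefer_server else (client_ciphers, candidates)
    for suite in ordered:
        if suite in other:
            return suite, common_curves[0]
    return None


if __name__ == "__main__":
    # Constructed client profiles: (offered suites, offered curves).
    profiles = {
        "ecdsa_capable": (("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
                           "ECDHE-RSA-AES256-GCM-SHA384"), ("prime256v1", "secp384r1")),
        "rsa_only": (("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"),
                     ("prime256v1",)),
        "no_shared_curve": (("ECDHE-ECDSA-AES256-GCM-SHA384",), ("secp256k1",)),
    }
    for name, (ciphers, curves) in profiles.items():
        print(f"{name:16s} -> {negotiate(ciphers, curves) or 'handshake_failure'}")
```

The model treats every configured suite as implemented by the server's TLS library; testssl.sh found only the two AES-GCM suites, so the CHACHA20 entries are evidently not available in the nginx build under test, and the model does not know that. The "No connection" rows in the browser simulation are the same outcome the model returns as None: a client that offers only RSA-authenticated suites, or no curve the server supports, cannot get past the ClientHello against an ECDSA-only certificate.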
Android app «SSL Initialization Failed» notifications, but uploads working fine?
I’ve seen some web results for this issue, but none of them seem to have a solution (or be exactly the same issue).
I’m using Nextcloud on Ubuntu, the snap-installer version, and LetsEncrypt installed by default. HTTP/HTTPS login works fine. App login works fine. Uploads work fine 99% of the time, but occasionally I’ll get a sticky notification on upload that says ‘SSL Initialization Failed’, and uploads will continue regardless.
Anyone else seen, and resolved, this?
-
#1
I’ve followed this tutorial and had Nextcloud working locally until somewhere around the heading “Let’s Cache”. Now when I try to access the page locally I get this error:
Code:
192.168.1.93 sent an invalid response. Try running Windows Network Diagnostics. ERR_SSL_PROTOCOL_ERROR
The Apache log shows the following:
Code:
[Tue Nov 06 23:16:53.971634 2018] [mpm_prefork:notice] [pid 81295] AH00169: caught SIGTERM, shutting down
[Tue Nov 06 23:16:54.084130 2018] [ssl:warn] [pid 81814] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Nov 06 23:16:54.135464 2018] [mpm_prefork:notice] [pid 81814] AH00163: Apache/2.4.35 (FreeBSD) OpenSSL/1.0.2o-freebsd PHP/7.1.22 configured -- resuming normal operations
[Tue Nov 06 23:16:54.135499 2018] [core:notice] [pid 81814] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
I googled Init: Session Cache is not configured and found a suggestion to uncomment another line in the httpd.conf file which I did but without any success. Does anyone have any recommendations as to the next step I should take to try and get this working?
Thank you
Loren
dlavigne
Guest
-
#2
Were you able to figure this out?
-
#3
If not, it might be better to post on the thread for the how-to you’re following.
-
#4
I haven’t, but I have just made a little progress in narrowing down the problem tonight. I have a feeling that it’s a certificate error. When I run this command:
Code:
certbot certonly --webroot -w /usr/local/www/apache24/data/nextcloud -d YOURSITE.COM
This is the error I get:
Code:
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: zimmvpn2.ddns.net
   Type:   unauthorized
   Detail: Invalid response from http://zimmvpn2.ddns.net/.well-known/acme-challenge/FtRmYOYG6PWcQztD1DIWUHVjIsjyS94PWzk4SLbymoc: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
-
#5
No, that isn’t a certificate error; it means that certbot is putting the challenge file in the wrong place for Let’s Encrypt to find it—or, in the alternative, Let’s Encrypt isn’t connecting to the right server in the first place.
-
#6
No, that isn’t a certificate error; it means that certbot is putting the challenge file in the wrong place for Let’s Encrypt to find it—or, in the alternative, Let’s Encrypt isn’t connecting to the right server in the first place.
Thank you!
Where do I find the config for Let’s Encrypt, or what server it’s connecting to?
-
#7
I’ve noticed after going through the tutorial that I’m not able to get to Nextcloud by simply entering the jail IP; I have to add /nextcloud to view the web page. Is this an indicator that there is something wrong with my configuration?
-
#8
It could be. Perhaps you should ask that question on the thread for the how-to you followed.
-
#9
@danb35 you were right, a bunch of the questions that I asked were in the tutorial thread. I found a couple of mistakes that I had made and decided to recreate the jail. Now I’ve hit an error that I couldn’t find in the tutorial thread. When I restart apache24 this is the error I get:
Code:
httpd: Syntax error on line 548 of /usr/local/etc/apache24/httpd.conf: Syntax error on line 21 of /usr/local/etc/apache24/Includes/myurl.net.conf: /usr/local/etc/apache24/Includes/myurl.net.conf:21: <VirtualHost> was not closed.
Here is the conf file:
Code:
<VirtualHost *:80>
    DocumentRoot "/usr/local/www/apache24/data/nextcloud"
    ServerName myurl.net
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =myurl.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    #ErrorLog ${APACHE_LOG_DIR}/error.log
    #CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /usr/local/www/apache24/data/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        SetEnv HOME /usr/local/www/apache24/data/nextcloud
        SetEnv HTTP_HOME /usr/local/www/apache24/data/nextcloud
        Satisfy Any
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin myemail
    ServerName myurl.net
    DirectoryIndex index.php
    DocumentRoot /usr/local/www/apache24/data/nextcloud
    SSLCertificateFile /usr/local/etc/letsencrypt/live/myurl.net/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/myurl.net/privkey.pem
    SSLEngine on
    # Intermediate configuration, tweak to your needs
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder on
    SSLCompression off
    SSLOptions +StrictRequire
    <Directory /usr/local/www/apache24/data/nextcloud>
        AllowOverride all
    </Directory>
Any help is greatly appreciated.
-
#10
Never mind. I missed copying </VirtualHost> at the end of the 443 section. ugg
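The "<VirtualHost> was not closed" message in post #9 is httpd refusing to start because a container directive was opened and never closed, which it detects while parsing and before any site is served. The following is an added example (not code from this thread, from Apache httpd or from Nextcloud) that reimplements that balance check in Python so a configuration can be validated before the web server is restarted; the sample configuration inside it is a constructed, shortened copy of the one posted above with the same missing closing tag.

```python
"""Balance check for Apache container directives (<VirtualHost>, <Directory>, ...).

Added example; not code from the thread, from Apache httpd or from Nextcloud.
It reproduces the rule behind httpd's "<VirtualHost> was not closed" error:
every <Name ...> container must be closed by a </Name> at the same nesting
level. SAMPLE is a constructed, shortened version of the configuration posted
in the thread, with the same missing </VirtualHost>.
"""
import re
from typing import List, Tuple

OPEN_TAG = re.compile(r"^<([A-Za-z]+)(?:\s[^>]*)?>$")
CLOSE_TAG = re.compile(r"^</([A-Za-z]+)>$")


def check_containers(config: str) -> List[str]:
    """Return problems found, each prefixed with its 1-based line number; empty if balanced."""
    stack: List[Tuple[str, int]] = []          # (directive name as written, line opened)
    problems: List[str] = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments occupy a whole line
            continue
        opened = OPEN_TAG.match(line)
        if opened:
            stack.append((opened.group(1), lineno))
            continue
        closed = CLOSE_TAG.match(line)
        if not closed:
            continue                            # an ordinary directive
        name = closed.group(1)
        if not stack:
            problems.append(f"line {lineno}: </{name}> closes nothing")
        elif stack[-1][0].lower() != name.lower():   # directive names are case-insensitive
            top, top_line = stack[-1]
            problems.append(f"line {lineno}: </{name}> closes <{top}> opened on line {top_line}")
        else:
            stack.pop()
    for name, line_opened in reversed(stack):
        problems.append(f"line {line_opened}: <{name}> was not closed")
    return problems


# Constructed sample: shortened copy of the posted config, same missing </VirtualHost>.
SAMPLE = """\
<VirtualHost *:80>
    ServerName myurl.net
    <Directory /usr/local/www/apache24/data/nextcloud/>
        AllowOverride All
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName myurl.net
    SSLEngine on
    <Directory /usr/local/www/apache24/data/nextcloud>
        AllowOverride all
    </Directory>
"""

if __name__ == "__main__":
    for problem in check_containers(SAMPLE) or ["configuration is balanced"]:
        print(problem)
```

Run against the sample it reports the 443 VirtualHost as unclosed, which is exactly the mistake post #10 describes; on a real system `apachectl configtest` (or `httpd -t`) performs the same check, plus everything else httpd validates, and is the command to run before restarting.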
-
#11
Were you able to figure this out?
I haven’t. I have just responded to the original tutorial thread for help.
Nextcloud can use a free Let’s Encrypt SSL certificate
This is relevant if you have your own domain or can acquire one, and if you want to get rid of the browser warning about an untrusted SSL certificate. The warning appears because, by default, Nextcloud uses a self-signed SSL certificate issued “to itself” rather than a certificate issued by a trusted certificate authority that browsers consider reliable.
To create and configure a Let’s Encrypt certificate:
1. In the DNS zone of your domain, create an “A” record with the desired name of the Nextcloud server and the IP address of your virtual data centre as its value.
For example,
Server name: nextcloud.cloud4y.ru
IP address: 1.1.1.1
2. Log in to the server console via the cloud control panel or with an SSH client.
3. Run the following command in the console:
snap run nextcloud.occ config:system:set trusted_domains 1 --value=your_server_name
For example,
snap run nextcloud.occ config:system:set trusted_domains 1 --value=nextcloud.cloud4y.ru
4. Run the following command in the console:
snap run nextcloud.enable-https lets-encrypt
Once the command is running you will need to:
- accept the installer’s terms (y),
- enter your e-mail address,
- enter the server name chosen earlier.
5. After these steps you can open the server by its name and enjoy the absence of browser warnings.
Nextcloud does not send mail. When trying to send a test message we get the error:
"stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /var/www/nextcloud/3rdparty/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php#94"
The problem is the self-signed certificate. By default Nextcloud lives in an ideal world in which every certificate is signed by a trusted CA. There is no “trust all certificates” checkbox in the settings, so… We need to go deeper
Open /nextcloud/lib/private/Mail/Mailer.php in a text editor (the full path is usually /var/www/nextcloud/lib/private/Mail/Mailer.php) and find the transport setup block (roughly lines 250-257):
$transport = new Swift_SmtpTransport();
$transport->setTimeout($this->config->getSystemValue('mail_smtptimeout', 10));
$transport->setHost($this->config->getSystemValue('mail_smtphost', '127.0.0.1'));
$transport->setPort($this->config->getSystemValue('mail_smtpport', 25));
if ($this->config->getSystemValue('mail_smtpauth', false)) {
$transport->setUsername($this->config->getSystemValue('mail_smtpname', ''));
$transport->setPassword($this->config->getSystemValue('mail_smtppassword', ''));
$transport->setAuthMode($this->config->getSystemValue('mail_smtpauthtype', 'LOGIN'));
and add a new line:
$transport->setStreamOptions(array('ssl' => array('allow_self_signed' => true, 'verify_peer' => false)));
This line makes the transport accept self-signed certificates, and after it mail sending works. Note that with 'verify_peer' => false the mail server’s certificate is no longer checked at all, so any certificate is accepted, not just your own; the stricter option is to leave verification on and point the 'cafile' stream option at the self-signed certificate instead.
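The same three choices exist in any TLS client, so the following added example (not code from Nextcloud or Swiftmailer) shows them with Python’s ssl and smtplib: the default verification that fails on a self-signed certificate exactly like the error above, trusting the mail server’s own certificate file (the counterpart of the PHP 'cafile' stream option), and the no-verification setting from the note, here only used together with a SHA-256 fingerprint pin so that at least the expected certificate is required before anything is sent. The host, port, addresses and certificate bytes in it are constructed placeholders.

```python
"""Trusting a self-signed SMTP certificate without switching verification off.

Added example; not code from Nextcloud or Swiftmailer. Python ssl/smtplib
counterparts of the PHP stream options in the note:
  "system" - verify against the OS trust store (the default; fails for a
             self-signed certificate exactly like the error in the note)
  "cafile" - verify against the mail server's own certificate, the
             counterpart of the PHP 'cafile' option
  "none"   - no verification, the counterpart of 'verify_peer' => false,
             used here only together with a SHA-256 fingerprint pin
Host names, ports, addresses and certificate bytes are constructed placeholders.
"""
import hashlib
import smtplib
import ssl
from typing import Optional


def fingerprint_sha256(cert_der: bytes) -> str:
    """Lower-case hex SHA-256 of a DER certificate (what tools call its fingerprint)."""
    return hashlib.sha256(cert_der).hexdigest()


def smtp_tls_context(mode: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build the TLS context handed to SMTP.starttls() for the chosen trust mode."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED plus hostname check
    if mode == "system":
        return ctx
    if mode == "cafile":
        if not cafile:
            raise ValueError("cafile mode needs the path of the server certificate (PEM)")
        # Adds the self-signed certificate to the trusted set; the hostname check stays
        # on, so the certificate's CN/SAN must match the host used to connect.
        ctx.load_verify_locations(cafile=cafile)
        return ctx
    if mode == "none":
        ctx.check_hostname = False               # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    raise ValueError(f"unknown trust mode {mode!r}")


def send_pinned(host: str, port: int, expected_pin: str,
                sender: str, recipient: str, message: bytes) -> None:
    """Send over STARTTLS with verification off, but only to a certificate matching the pin.

    This is the narrow replacement for 'verify_peer' => false: the connection is
    still refused when a certificate other than the expected one shows up.
    """
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=smtp_tls_context("none"))
        der = smtp.sock.getpeercert(binary_form=True)   # DER is available even with CERT_NONE
        if der is None or fingerprint_sha256(der) != expected_pin.lower():
            raise ssl.SSLError("SMTP server certificate does not match the pinned fingerprint")
        smtp.sendmail(sender, recipient, message)


if __name__ == "__main__":
    # Placeholder pin: replace with the fingerprint of your own mail server's certificate,
    # e.g. taken from `openssl x509 -in server.pem -noout -fingerprint -sha256`.
    pin = fingerprint_sha256(b"constructed-placeholder-der-bytes")
    print("system mode verifies :", smtp_tls_context("system").verify_mode == ssl.CERT_REQUIRED)
    print("none mode verifies   :", smtp_tls_context("none").verify_mode != ssl.CERT_NONE)
    print("placeholder pin      :", pin)
```

The "cafile" mode is the one to prefer when the certificate is under your control: it keeps hostname verification and expiry checks, whereas the pin only ties the connection to one exact certificate and has to be updated whenever the mail server’s certificate is renewed.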
Prerequisites
You need to have completed the first two guides in this series:
- How to install Nextcloud on a Raspberry Pi
- Setting up Dynamic DNS for your Nextcloud server
Introduction
In this tutorial, we’ll show you how to create an SSL certificate for your Nextcloud server. We’ll also do our best to show you how to configure port forwarding on your home router. Port forwarding essentially provides a path from the Internet to your Nextcloud server: routers need to be told exactly where incoming traffic should go. Usually you don’t have to worry about this because 99.9% of home Internet users only take information from services on the Internet. It’s those 0.01%, like yourselves, who need to make something inside your home available to the Internet. This may sound scary; however, as long as you use an SSL certificate along with strong passwords on your Raspberry Pi and your Nextcloud user accounts, you minimise the risk.
Configuring Port Forwarding
You first need to forward ports 80 and 443 (port 80 carries unencrypted website traffic, port 443 carries encrypted website traffic) to your Raspberry Pi. To do this, you’ll need to log in to your home router’s web page, so first determine your router’s address. It’s usually on a sticker attached to your router, almost always starts with “192.168…”, and is printed together with a username and password. Once you have these three things, open a web browser and enter the address into the address bar. You should then be presented with a web page asking for the username and password from the sticker.
Now that you’re logged into your router, you need to find the port forwarding settings page. It will usually be found under a ‘Security’ heading. Once you’ve found it, you’ll need to create two rules: one for port 80 and another for port 443.
Here’s an example of adding the port 80 rule on a Virgin home router:
Once you’ve added both rules and your router’s rebooted, you should be ready for the next step.
Creating your SSL certificate with Let’s Encrypt
You’ll first need to install ‘Certbot’:
$ sudo apt-get install python-certbot-apache
Once that’s installed, run the following to create your certificate. You will need to enter the domain name that you set up in the previous guide:
$ sudo certbot --apache -m your@email.com -d joescloud.dynamic-dns.net -d www.joescloud.dynamic-dns.net
During the installation you may be asked which virtual host you would like to choose. Choose the option that has ‘HTTPS‘ in the third column. You may then be prompted to choose whether or not to redirect HTTP traffic; choose ‘Redirect‘.
Configuring trusted domains
You’ll now need to configure the trusted domains in your Nextcloud configuration file. To do this type the following command:
$ sudo nano /var/www/nextcloud/config/config.php
Now add the four trusted_domains entries (indices 0, 1, 3 and 4 in the listing below), changing them to match your setup, and don’t forget the comma at the end of each entry. Save the file by pressing <Ctrl> + x followed by Y and then <Enter>.
<?php
$CONFIG = array (
'instanceid' => 'ocvtfvhdwjai',
'passwordsalt' => 'O18XcdsdsdcQfFuN8AkvVf+e87',
'secret' => 'Mkk/o5h319wsdG/vl1jEZGnlZRZqJYSs9iUM',
'trusted_domains' =>
array (
0 => '192.168.0.10',
1 => 'www.joescloud.dynamic-dns.net',
3 => 'https://www.joescloud.dynamic-dns.net',
4 => 'https://joescloud.dynamic-dns.net',
),
'datadirectory' => '/media/data',
'dbtype' => 'mysql',
'version' => '18.0.3.0',
'overwrite.cli.url' => 'http://192.168.0.10/nextcloud',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'nextcloud',
'dbpassword' => 'nextcloud',
'installed' => true,
);
Now restart the Apache2 service:
$ sudo systemctl restart apache2
The certificate expires after three months, so you’ll have to create a cron job to automatically renew the certificate every month. To do this run the command below:
$ sudo crontab -e
You’ll be asked which editor to use, choose ‘nano‘. Add the following line to the bottom of this file and save the file by pressing <Ctrl> + x followed by Y and then press <Enter>:
0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1
That’s it: you should now be able to reach your Nextcloud server from outside your home by typing your domain into a web browser, or by using the Nextcloud app.