Beginner friendly - Securing Owncloud Plugin (PBI) with SSL Certificates (and letsencrypt)

Status
Not open for further replies.

Mohl

Dabbler
Joined
Feb 2, 2015
Messages
13
Hi there,

first of all, a short

=== Disclaimer ===
As discussed by DrKK and Joshua Parker Ruehlig, installing Owncloud via the PBI Plugin system is neither the most performant nor the most secure way on getting OwnCloud on your Freenas-powered device. If you expect to have many users or simply value performance, go ahead and check out these excellent guides.

Also, I am going to mention several companies and projects / products in this guide. I am an independent, professional web developer with no affiliation or connection in any way, shape or form with these companies and products. There are alternatives out there to all of them, just as there are alternatives to OwnCloud - these are just my personal recommendation and/or preferences.

=== Preface ===
That said, installing OwnCloud via PBI is probably the fastest and easiest way and just gets the job done, but it still lacks an easy way to get your own (self-signed or officially signed) SSL Certs in there. This is why I am writing this guide (and also, to come back here and redo the steps myself... ;-)). Feedback is, as always, highly appreciated, so feel free to come back here and let me know if this helped or not!

This guide is split into 3 parts: Installing the PBI, getting the certificate files and putting them on the server.

=== Prerequisites ===
Before you start, make sure you meet the following prerequisites:

- Basic Unix knowledge: You should feel okay to use the shell (don't worry, every command is explained).
- Port forwarding: You should be able to forward port 80, at least temporarily, so your owncloud installation is available from outside your home network. To test it, you could use your cell phone as long as it's not connected to your wifi ;-).
- DNS: Most of you are probably going to expose the installation to the internet. If you have a static IP address, you can use that, but a name server entry is much more comfortable. I use duckdns.org as dynamic DNS Hoster due to my dynamic IP Address.

This guide was written with FreeNAS-9.10-STABLE-201605021851 and ownCloud 9.0.1 PBI. Other versions should work too, but I have not tested them - if you run into troubles, leave a comment and/or send me a PM. Especially the apache2 folder is subject to change once it gets updated - I'll try to add notes to this guide if I become aware of this.

=== Important directories ===
Apache2 root directory: /usr/pbi/owncloud-amd64/www/owncloud/
ACME-Challenge directory: /usr/pbi/owncloud-amd64/www/owncloud/.well-known/acme-challenge

Owncloud installation directory: /usr/local/www/owncloud (not needed for this guide, just for the sake of completeness)
Owncloud data directory: /media

=== Installing OwnCloud using the PBI method ===
1) Head over to the plugins tab and install the owncloud plugin - this should be quite hassle-free.

2) If you want to store your data onto another device (not inside the jail, eg. an external Hard Drive), do this before you start the jail for the first time:

2a) Go to jails, owncloud_1, Storage and mount the folder you want to use to the jails /media folder. Double check if the "Mounted?" Checkbox is ticked.

3) Start the plugin, and complete the installation by providing your credentials. There is probably a warning stating that the certificate is invalid - fixing this is the whole point of this guide ;-)

=== Getting the Certs to use letsencrypt ===
There are many ways to get a valid SSL Certificate (eg. StartSSL). For this guide, I'll stick to letsencrypt - to be exact, I'm using https://zerossl.com's Certificate Wizard, an alternative web-based letsencrypt client. A full list of can be found at https://github.com/certbot/certbot/wiki/Links . Regardless of what method you use, if you end up with a valid .crt and a .key file, you should be ready for the third part of this guide.

4) Head over to https://zerossl.com/free-ssl/#crt and enter the domains which you'll want to use (eg. http://myownlittlecloud.com ) and hit next (twice) to get the CSR and the letsencrypt key file. This is not the .key file you'll put on your server - this one is used to renew the certificates. You should absolutely save those two files and keep them in a safe place - and keep a copy outside of your owncloud... ;-)

5) Next up is the domain verification process. This is needed to prove that you actually really own the domain you try to get the certificate for, which includes you getting the ACME challenge file on your server. SSH into your owncloud jail or go to Jails Tab (the one on the top, not the sidebar), select "owncloud_1" and open the Shell (on the bottom).

6) cd into the apache2's root directory:
cd /usr/pbi/owncloud-amd64/www/owncloud/
7) create the directories for the ACME Challenge:
mkdir -p .well-known/acme-challenge
8) Change owner to the webserver's user and set permissions, so the webserver can actually serve the ACME-Challenge file:
chmod 666 .well-known/acme-challenge/
chmod 666 .well-known/
chown www .well-known/acme-challenge/
chown www .well-known/
9) Change into the newly created directories:
cd .well-known/acme-challenge
10) create the ACME-Challenge file (replace *content* and *filename* with the ones provided by zersossl, but keep the "" around the content):
echo "*ACME-CONTENT*" > *filename*
11) Make sure the files are available by clicking on the filename on zerossl, than hit next. If the check fails, you'll have to remove the file and create it anew as the filename and it's content will have changed. (rm *filename*, than go back to step 10).

12) Download and save the files provided by zerossl in a safe place, and rename them to server.key and server.crt. Congrats, you have received the officially signed ssl certificate files!

=== Getting the files to the server ===
13) Backup the server.key and the server.crt file - just in case:
cd /usr/pbi/owncloud-amd64/etc/apache24
cp server.key server.key.bak
cp server.crt server.crt.bak
14) Replace the files with the .txt files you just received. If you have not set up ssh to your jail yet, you can upload them to your owncloud installation and copy them from the shell:
cp /media/*username*/files/*path/to/certificate*/server.crt /usr/pbi/owncloud-amd64/etc/apache24/server.crt
cp /media/*username*/files/*path/to/certificate*/server.key /usr/pbi/owncloud-amd64/etc/apache24/server.key​

15) Close the shell, restart the jail and enjoy :) Don't forget, feedback is appreciated!
 
Last edited:

Bill Cowger

Cadet
Joined
Aug 28, 2015
Messages
8
I am having a little trouble with step 8. When I try either chmod or chown I am getting a No such file or directory. The directory is there what am I doing or have done wrong?
 

Mohl

Dabbler
Joined
Feb 2, 2015
Messages
13
The trailing slashes / were missing - i fixed that now. If the problem persists, double check if you are in the right directory - it should be '/usr/pbi/owncloud-amd64/www/owncloud/'. Redo step 6 if you are unsure.
 

Gabi

Dabbler
Joined
Jul 21, 2016
Messages
12
Hi Mohl,
Just as Bill posted, I'm getting "No such file or directory" too when trying chmod or chown. I've double checked the directory and I followed all the steps previously described. Hope you can help me, this is the only guide I found that I can actually understand :D
 

Mohl

Dabbler
Joined
Feb 2, 2015
Messages
13
Hi Gabi,
thanks for confirming the issue!
I've updated the guide - basically, I removed the -R flag (which stands for "recursive") and split the 2 commands into 4. Oddly enough, I did not come across this issue when writing this guide...
 

Gabi

Dabbler
Joined
Jul 21, 2016
Messages
12
Hi Gabi,
thanks for confirming the issue!
I've updated the guide - basically, I removed the -R flag (which stands for "recursive") and split the 2 commands into 4. Oddly enough, I did not come across this issue when writing this guide...
Thanks Mohl! It worked like charm, but now I'm facing another issue.
I'm unable to get the check done in step 11. I've tried several times with no success. What could be causing the error during the check? Thanks again for your help, I really appreciate it :)
 

Mohl

Dabbler
Joined
Feb 2, 2015
Messages
13
Thanks Mohl! It worked like charm, but now I'm facing another issue.
I'm unable to get the check done in step 11. I've tried several times with no success. What could be causing the error during the check? Thanks again for your help, I really appreciate it :)
Have you been replacing the files after each check? Zerossl generates a new filename and a new file content each time you retry. Also, doublecheck if you have port 80 forwarded and if the server is accessible from outside your home network, eg. if you can call the server url with your phone (disable your phone's wifi connection for this ;-) )
 

Gabi

Dabbler
Joined
Jul 21, 2016
Messages
12
Have you been replacing the files after each check? Zerossl generates a new filename and a new file content each time you retry. Also, doublecheck if you have port 80 forwarded and if the server is accessible from outside your home network, eg. if you can call the server url with your phone (disable your phone's wifi connection for this ;-) )
The server is accesible from outside, BUT using a different port, I type "https://test.org:xxxx" to connect to own cloud when I'm not home. Should I config it to be using the default port in order to get the check passed or there's another way to do it?
Thanks again Mohl!
 

Mohl

Dabbler
Joined
Feb 2, 2015
Messages
13
The server is accesible from outside, BUT using a different port, I type "https://test.org:xxxx" to connect to own cloud when I'm not home. Should I config it to be using the default port in order to get the check passed or there's another way to do it?
Thanks again Mohl!

zerossl.com does only support Port 80 as far as I can tell, at least for now. Using port 80 just for the check and disabling port 80 again afterwards does work (that is exactly what I do), but the certificates have to be renewed every 3 months, so you would have to redo this procedure again for each check.
 

Gabi

Dabbler
Joined
Jul 21, 2016
Messages
12
Hi again Mohl,
I've just tried to access using port 80 and I get error 403 forbidden when doing the check. Any idea?
I think I may stop trying. Would having certificates signed make any difference regarding security? Or it is just used to avoid those annoying messages in the browser?
 

Mohl

Dabbler
Joined
Feb 2, 2015
Messages
13
Hi again Mohl,
I've just tried to access using port 80 and I get error 403 forbidden when doing the check. Any idea?
I think I may stop trying. Would having certificates signed make any difference regarding security? Or it is just used to avoid those annoying messages in the browser?
You are quite close to the end ;-) Yes, signed certificates are used encrypt the connection between the server and the browser. Without them, the data is sent without encryption, so anyone within the same Network/WiFi could grab all the data sent across the network, including files (if you upload/download them) and passwords (eg. when you login into your owncloud account).

The error itself is a little bit strange. Have you installed owncloud using the plugin method?
 

Gabi

Dabbler
Joined
Jul 21, 2016
Messages
12
You are quite close to the end ;-) Yes, signed certificates are used encrypt the connection between the server and the browser. Without them, the data is sent without encryption, so anyone within the same Network/WiFi could grab all the data sent across the network, including files (if you upload/download them) and passwords (eg. when you login into your owncloud account).

The error itself is a little bit strange. Have you installed owncloud using the plugin method?
Thanks for your help and the explanation :)
Yes, I've installed owncloud using the plugin method
 

Mohl

Dabbler
Joined
Feb 2, 2015
Messages
13
Thanks for your help and the explanation :)
Yes, I've installed owncloud using the plugin method
In this case, recheck the port forwarding settings. It looks like they are directing to a different web server - per default, the owncloud plugin should allow access to the folder. If they are okay, try the following:

cd /usr/pbi/owncloud-amd64/www/owncloud/.well-known/acme-challenge/
chmod 666 *filename*
chown www *filename*

where *filename* is the file name of the acme challenge file as provided by zerossl.
 

Gabi

Dabbler
Joined
Jul 21, 2016
Messages
12
In this case, recheck the port forwarding settings. It looks like they are directing to a different web server - per default, the owncloud plugin should allow access to the folder. If they are okay, try the following:

cd /usr/pbi/owncloud-amd64/www/owncloud/.well-known/acme-challenge/
chmod 666 *filename*
chown www *filename*

where *filename* is the file name of the acme challenge file as provided by zerossl.
Port forwarding is okay, I can access owncloud simply typing the domain given by noip. I'm going to try what you proposed, I'll report back the result
 

Gabi

Dabbler
Joined
Jul 21, 2016
Messages
12
In this case, recheck the port forwarding settings. It looks like they are directing to a different web server - per default, the owncloud plugin should allow access to the folder. If they are okay, try the following:

cd /usr/pbi/owncloud-amd64/www/owncloud/.well-known/acme-challenge/
chmod 666 *filename*
chown www *filename*

where *filename* is the file name of the acme challenge file as provided by zerossl.
Sadly It did not work, I get the same 403 error. Here's is what zerossl gives me : Invalid response from *my domain* and "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p"
 

Mohl

Dabbler
Joined
Feb 2, 2015
Messages
13
This is most certainly an permission issue - retry step 8. If the problem persists, restart the jail. If the problem still persists, I'm starting to run out of ideas - reinstalling the plugin might help. Make sure that all files are stored outside of the jail, of course, as reinstalling would wipe your data otherwise.
 

Gabi

Dabbler
Joined
Jul 21, 2016
Messages
12
This is most certainly an permission issue - retry step 8. If the problem persists, restart the jail. If the problem still persists, I'm starting to run out of ideas - reinstalling the plugin might help. Make sure that all files are stored outside of the jail, of course, as reinstalling would wipe your data otherwise.
Hi Mohl,
I tried everything but reinstalling the jail, I'll do so tomorrow. Huge thanks for your help. Tomorrow I'll report back :)

Edit: tried two times without luck, I'll try to set a vpn to access files securely instead. Thanks for your help Mohl!
 
Last edited:

JorgeLT

Cadet
Joined
Aug 31, 2016
Messages
2
Hi Mohl,

Thank you for this guide, but it seems that, as you anticipated, the apache2 folder has been changed because I can't find it in the supposed location in step 6. Indeed I can't find it anywhere.

I am using FreeNAS-9.10.1 and owncloud 9.0.4 (stable).
 
Last edited:

JorgeLT

Cadet
Joined
Aug 31, 2016
Messages
2
Ups! I was looking in the general /usr/ folder, not in the jail one. I'm working with putty, not in the web shell. The full path is this:

/mnt/dataVolume/jails/owncloud_1/usr/pbi/owncloud-amd64

After solving this isue, I have had the forbiden error when checking de verification file (step 11). This is this the message I had:

You don't have permission to access /.well-known/acme-challenge/index.html on this server.
Server unable to read htaccess file, denying access to be safe

I changed step 8 permissions to 755 and it worked.
 

CowboyAndy

Cadet
Joined
Feb 23, 2017
Messages
1
Okay, I got stuck at step 10. Do I replace "ACME-Content" with the content of the certificate request? and then filename with domain-csr as provided by zerossl (or renamed server.crt)? Just a little confused.
 
Status
Not open for further replies.
Top