Beginner Nextcloud SSL questions

Status
Not open for further replies.

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Thanks to @Joshua Parker Ruehlig for this great tutorial, @cyberjock for the SSL implementation, and @KevDog for the security improvement. I'm new to this SSL stuff and would like to clarify a few things, sorry if it's too basic.
1) Chrome has image1 in the title bar and image2 in the detail.
Can this error be safely ignored, as my certificate's server location cannot be verified because it doesn't come from a CA, but the connection is still encrypted so is safe to use?
2) I have openvpn running on port 443 so I can play with my servers remotely and nextcloud can't use the same port. Can I just change nextcloud to port 8443 in the nginx.conf and open a port on my router to get safe remote access to nextcloud?
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
1. I'm working on a method for free implementation of SSL certs. #1 - Yes, the reason behind the https: with the red slash is because it's a self-signed certificate.
2. Yes you can change the port number to anything you'd like, however usually openvpn runs over port 1193 I believe, so why not just use the default port for both implementations?
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
I followed this tutorial for openvpn and he used port 443 for it.
"Router forwarding of your port of choice (in my case 10011 UDP internal to 443 UDP external)."
I don't remember why. Is there any disadvantage to running nextcloud on port 8443? Can I also forward on my router 443 TCP internal to 443 TCP external for nextcloud? I hate to mess up the openvpn which is working.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
You can run whatever ports you like, however if connecting to nextcloud externally it's going to be https://<domain>/nextcloud:8443 or something like that.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
You can run whatever ports you like, however if connecting to nextcloud externally it's going to be https://<domain>/nextcloud:8443 or something like that.

Assumptions:
external port = eport
internal port = 443
external domain = <domain>

I forwarded on my router from <eport> to IPofNextcloudServer on port 443 TCP
added my <domain> to /usr/local/www/nextcloud/config/config.php in the 'trusted domains' section
Now I can access nextcloud externally from https://<domain>:eport/nextcloud.

Not sure if I can use 443 as the external port so I don't have to enter :eport in the URL. Will experiment with it.

Thanks for the help.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Thanks to @Joshua Parker Ruehlig for this great tutorial, @cyberjock for the SSL implementation, and @KevDog for the security improvement. I'm new to this SSL stuff and would like to clarify a few things, sorry if it's too basic.
1) Chrome has image1 in the title bar and image2 in the detail.
Can this error be safely ignored, as my certificate's server location cannot be verified because it doesn't come from a CA, but the connection is still encrypted so is safe to use?
2) I have openvpn running on port 443 so I can play with my servers remotely and nextcloud can't use the same port. Can I just change nextcloud to port 8443 in the nginx.conf and open a port on my router to get safe remote access to nextcloud?
If openvpn is running in a different jail, openvpn can run on the same port as nginx. Different IP:port combinations are different sockets to bind to. Now if you actually wanted to access these remotely you would need to forward ports appropriately.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
If openvpn is running in a different jail, openvpn can run on the same port as nginx. Different IP:port combinations are different sockets to bind to. Now if you actually wanted to access these remotely you would need to forward ports appropriately.

Yes, openvpn and nextcloud are in separate jails. How does the router know where to send the traffic if both are on the same port?
My router has 443 sent to IP of openvpn server UDP and 443 sent to nextcloud server IP TCP. I have DDNS setup to point to my external IP.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Yes, openvpn and nextcloud are in separate jails. How does the router know where to send the traffic if both are on the same port?
My router has 443 sent to IP of openvpn server UDP and 443 sent to nextcloud server IP TCP. I have DDNS setup to point to my external IP.
You likely set this in your NAT settings.

I was just letting you know what you said was not exactly right since they can run on the same port. I personally would run openvpn on its default port.
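The point made above, that a socket is identified by protocol, address and port together, is easy to verify locally. The following is an added example (not code from the thread or from FreeNAS, OpenVPN or nginx) that binds sockets the way the router rule in this thread routes traffic: one TCP and one UDP listener on the same IP:port, then two TCP listeners on the same port but on IPv4 and IPv6 loopback. It uses kernel-assigned loopback ports instead of 443 so it runs without privileges.

```python
"""Show why 443/UDP (OpenVPN) and 443/TCP (nginx) can coexist, and why two
services on the same port need different IPs. Added example; ports are
ephemeral loopback ports chosen by the kernel, not 443."""
import errno
import socket


def bind_tcp_and_udp_same_port():
    """Bind a TCP listener, then a UDP socket on the identical IP:port.
    Returns (port, udp_bound). The UDP bind succeeds because the protocol
    is part of the socket identity."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tcp.bind(("127.0.0.1", 0))  # port 0: kernel picks a free port
        tcp.listen(1)
        port = tcp.getsockname()[1]
        try:
            udp.bind(("127.0.0.1", port))
            udp_bound = True
        except OSError:
            udp_bound = False
        return port, udp_bound
    finally:
        udp.close()
        tcp.close()


def bind_tcp_twice_same_addr():
    """A second TCP bind on the same IP:port must fail; returns its errno
    (EADDRINUSE) or None if it unexpectedly succeeded."""
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        first.bind(("127.0.0.1", 0))
        first.listen(1)
        port = first.getsockname()[1]
        try:
            second.bind(("127.0.0.1", port))
            return None
        except OSError as e:
            return e.errno
    finally:
        second.close()
        first.close()


def bind_tcp_two_ips_same_port():
    """Two TCP listeners on the same port but different IPs (127.0.0.1 and
    ::1), like two jails each with its own address. Returns True if both
    bind, False on EADDRINUSE, None if IPv6 loopback is unavailable."""
    v4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    v6 = None
    try:
        v4.bind(("127.0.0.1", 0))
        v4.listen(1)
        port = v4.getsockname()[1]
        try:
            v6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
            v6.bind(("::1", port))
            v6.listen(1)
            return True
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return False
            return None  # no IPv6 loopback on this host
    finally:
        if v6 is not None:
            v6.close()
        v4.close()


if __name__ == "__main__":
    port, ok = bind_tcp_and_udp_same_port()
    print(f"TCP+UDP on 127.0.0.1:{port}: {'ok' if ok else 'conflict'}")
    print("second TCP bind errno:", bind_tcp_twice_same_addr())
    print("IPv4+IPv6 loopback same port:", bind_tcp_two_ips_same_port())
```

The router in this thread does the same split one hop earlier: the NAT rule "443 UDP to the OpenVPN jail, 443 TCP to the Nextcloud jail" is just the protocol half of this socket identity applied to the external address.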
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Got nextcloud working with SSL. Would like to use certbot with the instructions from @KevDog in the tutorial mentioned in my first post in this thread so I can get rid of the red slash in the https://
I configured the DDNS service and it seems to work, but I'm not sure as I'm getting errors.
Code:
To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.


Just to confirm the settings in Freenas ddns service:
Provider = no-ip.com
IP Server: = icanhazip.com:80 /.
Domain name: = my_no-ip_domain.ddns.net
Username: = the username for my freenas server
Password: = the password for my freenas server
Update period: = 300

BTW I can access the nextcloud server with the url https://my_no-ip_domain.ddns.net/nextcloud
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
What error are you getting exactly? The code you reference says == to fix these errors -- which errors?
 

snaptec

Guru
Joined
Nov 30, 2015
Messages
502
There are reasons for letting openvpn use port 443.
Ever tried from some Hotel Wifi to connect to your VPN through Port 1194? Even some ISPs block that traffic.
Port 443 works best. If Nextcloud is only for you, use it over vpn, if not, change its external port (as you might already have done).
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
What error are you getting exactly? The code you reference says == to fix these errors -- which errors?
in nano /var/log/letsencrypt/letsencrypt.log
Code:
Initialized: <certbot.plugins.webroot.Authenticator object at 0x8096084d0>
Prep: True
2017-01-19 01:18:10,330:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x8096084d0> and installer None
2017-01-19 01:18:10,356:DEBUG:certbot.main:Picked account: <Account(82ce403afb596c1db5e7d4619d9d79de)>
2017-01-19 01:18:10,357:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2017-01-19 01:18:10,360:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-01-19 01:18:10,578:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 352
2017-01-19 01:18:10,579:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '352', 'Expires': 'Thu, 19 Jan 2017 01:18:10 GMT', 'Boulder-Request-Id': '6tyz_Rgexxdr9ekretwkFNe6Xkwv9Spc81ySNQ55OGg', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'n$
2017-01-19 01:18:10,579:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '352', 'Expires': 'Thu, 19 Jan 2017 01:18:10 GMT', 'Boulder-Request-Id': '6tyz_Rgexxdr9ekretwkFNe6Xkwv9Spc81ySNQ55OGg', 'Strict-Transport-Security': 'max-age=60480$
2017-01-19 01:18:10,580:INFO:certbot.main:Obtaining a new certificate
2017-01-19 01:18:10,589:DEBUG:root:Requesting fresh nonce
2017-01-19 01:18:10,590:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2017-01-19 01:18:10,701:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-01-19 01:18:10,702:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '91', 'Pragma': 'no-cache', 'Boulder-Request-Id': 'engRvihRu0L_QTvNY2btlZwFrH__Nuw3ErA6jbuz2nc', 'Expires': 'Thu, 19 Jan 2017 01:18:10 GMT', 'Server': 'nginx', 'Connection': 'keep$
2017-01-19 01:18:10,702:DEBUG:acme.client:Storing nonce: '\xa5Z\x08\x7f\xa1<\xac\x95z\xac {\xd6\xe4\xee\x17\\5\x02\x9d\xb6{\x07\xd8e\x9b\xc0\xc5\x82\x15\xc2K'
2017-01-19 01:18:10,703:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, status=None, challenges=None, combinations=None
2017-01-19 01:18:10,703:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "<domain_name>"}, "resource": "new-authz"}
2017-01-19 01:18:10,704:DEBUG:acme.jose.json_util:Omitted empty fields: jwk=None, x5c=(), crit=(), kid=None, jku=None, typ=None, x5u=None, cty=None, x5tS256=None, x5t=None, alg=None
2017-01-19 01:18:10,706:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), nonce=None, kid=None, jku=None, typ=None, x5u=None, cty=None, x5tS256=None, x5t=None
2017-01-19 01:18:10,706:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "u_O-T2nYY3FJT2WCfDXDnJxRi3XjBI7vPe20iykX8xDuTW57OiRvY6I-ZpsB$
2017-01-19 01:18:10,866:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1003
2017-01-19 01:18:10,867:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '1003', 'Expires': 'Thu, 19 Jan 2017 01:18:10 GMT', 'Boulder-Request-Id': 'IvLotzhpwwJWKGS-VUk2V1Pw1V0cODPig2g1ThVbq1s', 'Strict-Transport-Security': 'max-age=604800', 'Server': '$
2017-01-19 01:18:10,867:DEBUG:acme.client:Storing nonce: '\x05\xcc\x05\xa9(T*PU\x8f\x7f\xa1\x87Z\x8f\xf63\xdf\xf6}\xf2\xf6j\xea@6P\xa2\xf9zY\xb6'
2017-01-19 01:18:10,867:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '1003', 'Expires': 'Thu, 19 Jan 2017 01:18:10 GMT', 'Boulder-Request-Id': 'IvLotzhpwwJWKGS-VUk2V1Pw1V0cODPig2g1ThVbq1s', 'Strict-Transport-Security': 'max-age=6048$
2017-01-19 01:18:10,868:INFO:certbot.auth_handler:Performing the following challenges:
2017-01-19 01:18:10,879:INFO:certbot.auth_handler:http-01 challenge for <domain_name>
2017-01-19 01:18:10,889:INFO:certbot.plugins.webroot:Using the webroot path /usr/local/www for all unmatched domains.
2017-01-19 01:18:10,898:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /usr/local/www/.well-known/acme-challenge
2017-01-19 01:18:10,903:DEBUG:certbot.plugins.webroot:Attempting to save validation to /usr/local/www/.well-known/acme-challenge/u-K_gu9IT___3Bd0_6w9vvAgjdI2ozbunmNoMeMUI-8
2017-01-19 01:18:10,903:INFO:certbot.auth_handler:Waiting for verification...
2017-01-19 01:18:10,949:DEBUG:acme.client:Serialized JSON: {"keyAuthorization": "u-K_gu9IT___3Bd0_6w9vvAgjdI2ozbunmNoMeMUI-8.89yJ2FJbbKxI3ee8rwC_KoT6um5OCz9i-kw0hz7ATDQ", "type": "http-01", "resource": "challenge"}
2017-01-19 01:18:10,951:DEBUG:acme.jose.json_util:Omitted empty fields: jwk=None, x5c=(), crit=(), kid=None, jku=None, typ=None, x5u=None, cty=None, x5tS256=None, x5t=None, alg=None
2017-01-19 01:18:10,953:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), nonce=None, kid=None, jku=None, typ=None, x5u=None, cty=None, x5tS256=None, x5t=None
2017-01-19 01:18:10,953:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/Q-ztqYd7P__Ka8OWCSqU4iLy4dBbB9-KCMV2bCKTT0U/516469775. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "u_O-T2$
2017-01-19 01:18:11,135:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/Q-ztqYd7P__Ka8OWCSqU4iLy4dBbB9-KCMV2bCKTT0U/516469775 HTTP/1.1" 202 335
2017-01-19 01:18:11,136:DEBUG:root:Received <Response [202]>. Headers: {'Content-Length': '335', 'Boulder-Request-Id': 'AUDKZ1QlXgkoxy9GkDp7XGE-elZ1_c3MX_HpcUYTtR0', 'Expires': 'Thu, 19 Jan 2017 01:18:11 GMT', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, n$
2017-01-19 01:18:11,136:DEBUG:acme.client:Storing nonce: "\xbb\x14Ve'\xba\xf8O\x9b\x18\x16\x10\xa4\x17\xce(2\x04\xaa\x01\xe4\xce\xde\xc2\xeaS\xb1\x8b\x18\xccD)"
2017-01-19 01:18:11,137:DEBUG:acme.client:Received response <Response [202]> (headers: {'Content-Length': '335', 'Boulder-Request-Id': 'AUDKZ1QlXgkoxy9GkDp7XGE-elZ1_c3MX_HpcUYTtR0', 'Expires': 'Thu, 19 Jan 2017 01:18:11 GMT', 'Server': 'nginx', 'Cache-Control': 'max-ag$
2017-01-19 01:18:14,138:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/Q-ztqYd7P__Ka8OWCSqU4iLy4dBbB9-KCMV2bCKTT0U. args: (), kwargs: {}
2017-01-19 01:18:14,222:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/Q-ztqYd7P__Ka8OWCSqU4iLy4dBbB9-KCMV2bCKTT0U HTTP/1.1" 200 1110
2017-01-19 01:18:14,223:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1110', 'Expires': 'Thu, 19 Jan 2017 01:18:14 GMT', 'Boulder-Request-Id': '0wBXlAyZKid9fI9gC98I1H0pK7btMAbsNJu-kz_8BMo', 'Strict-Transport-Security': 'max-age=604800', 'Server': '$
2017-01-19 01:18:14,223:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1110', 'Expires': 'Thu, 19 Jan 2017 01:18:14 GMT', 'Boulder-Request-Id': '0wBXlAyZKid9fI9gC98I1H0pK7btMAbsNJu-kz_8BMo', 'Strict-Transport-Security': 'max-age=6048$
2017-01-19 01:18:17,239:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/Q-ztqYd7P__Ka8OWCSqU4iLy4dBbB9-KCMV2bCKTT0U. args: (), kwargs: {}
2017-01-19 01:18:17,331:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/Q-ztqYd7P__Ka8OWCSqU4iLy4dBbB9-KCMV2bCKTT0U HTTP/1.1" 200 1623
2017-01-19 01:18:17,331:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1623', 'Expires': 'Thu, 19 Jan 2017 01:18:17 GMT', 'Boulder-Request-Id': 'D7a9qrTVR53W2qxVWsVdlqrDVIleCDsHFqEn1gKIcQQ', 'Strict-Transport-Security': 'max-age=604800', 'Server': '$
2017-01-19 01:18:17,332:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1623', 'Expires': 'Thu, 19 Jan 2017 01:18:17 GMT', 'Boulder-Request-Id': 'D7a9qrTVR53W2qxVWsVdlqrDVIleCDsHFqEn1gKIcQQ', 'Strict-Transport-Security': 'max-age=6048$
2017-01-19 01:18:17,333:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:


Domain: <domain_name>
Type:   connection
Detail: Could not connect to <domain_name>

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are prevent$
2017-01-19 01:18:17,333:INFO:certbot.auth_handler:Cleaning up challenges
2017-01-19 01:18:17,343:DEBUG:certbot.plugins.webroot:Removing /usr/local/www/.well-known/acme-challenge/u-K_gu9IT___3Bd0_6w9vvAgjdI2ozbunmNoMeMUI-8
2017-01-19 01:18:17,343:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /usr/local/www/.well-known/acme-challenge
2017-01-19 01:18:17,344:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
	load_entry_point('certbot==0.9.3', 'console_scripts', 'certbot')()
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 776, in main
	return config.func(config, plugins)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 563, in obtain_cert
	action, _ = _auth_from_domains(le_client, config, domains, lineage)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 100, in _auth_from_domains
	lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/usr/local/lib/python2.7/site-packages/certbot/client.py", line 281, in obtain_and_enroll_certificate
	certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python2.7/site-packages/certbot/client.py", line 253, in obtain_certificate
	self.config.allow_subset_of_names)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 78, in get_authorizations
	self._respond(resp, best_effort)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 135, in _respond
	self._poll_challenges(chall_update, best_effort)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 199, in _poll_challenges
	raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. <domain_name> (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to <domain_name>


There are reasons for letting openvpn use port 443.
Ever tried from some Hotel Wifi to connect to your VPN through Port 1194? Even some ISPs block that traffic.
Port 443 works best. If Nextcloud is only for you, use it over vpn, if not, change its external port (as you might already have done).
That's a good idea. It seems that both are working on port 443, not sure why.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
I'm just going to take a wild shot here and go with this error:
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are prevent$
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
I'm just going to take a wild shot here and go with this error:
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are prevent$
It turns out that I need to open port 80 to the IP address of the nextcloud server on my router to get it to work. I had only 443 open.
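The root cause found here, only 443 forwarded while the http-01 challenge arrives on port 80, is exactly what the certbot error text lists. The following pre-flight script is an added example (not from the thread, from certbot, or from FreeNAS) that checks the three conditions the message names before running certbot: the A record matches the public IP (fetched from icanhazip.com, the IP server used in the DDNS settings above), port 80/tcp is reachable, and a test token is served from the webroot's `/.well-known/acme-challenge/` path. The domain, token and IP values are placeholders or constructed sample data; the decision logic is separated from the network probes so it can be checked offline.

```python
"""Pre-flight check for a Let's Encrypt http-01 challenge. Added example;
the domain/token are placeholders and the sample IPs are constructed."""
import socket
import sys
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"

# Finding messages, keyed so the caller can act on them.
MSG_NO_A = "no A record for {domain}: check the DDNS update"
MSG_STALE = "A record {a} does not match public IP {ip}: DDNS stale?"
MSG_PORT80 = "port 80/tcp not reachable: forward 80 to the jail, not only 443"
MSG_WEBROOT = ACME_PATH + " not served: check nginx root/location for port 80"


def diagnose(domain, a_records, public_ip, port80_reachable, token_served):
    """Pure decision logic: map gathered facts to findings (empty == OK)."""
    findings = []
    if not a_records:
        findings.append(MSG_NO_A.format(domain=domain))
    elif public_ip not in a_records:
        findings.append(MSG_STALE.format(a=",".join(a_records), ip=public_ip))
    if not port80_reachable:
        findings.append(MSG_PORT80)
    elif not token_served:
        findings.append(MSG_WEBROOT)
    return findings


def resolve_a(domain):
    """IPv4 addresses the domain currently resolves to (sorted, unique)."""
    try:
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def public_ip(timeout=5.0):
    """Ask icanhazip.com for the address the outside world sees."""
    with urllib.request.urlopen("http://icanhazip.com", timeout=timeout) as r:
        return r.read().decode().strip()


def tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def token_served(domain, token, timeout=5.0):
    """True if http://domain/.well-known/acme-challenge/<token> returns 200.
    Place any file named <token> in the webroot's acme-challenge dir first."""
    url = f"http://{domain}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status == 200
    except Exception:
        return False


def run_live(domain, token):
    """Gather the facts over the network and hand them to diagnose()."""
    ips = resolve_a(domain)
    ip = public_ip()
    port_ok = tcp_open(domain, 80)
    served = token_served(domain, token) if port_ok else False
    return diagnose(domain, ips, ip, port_ok, served)


if __name__ == "__main__":
    # usage: python preflight.py my_no-ip_domain.ddns.net <test-token-filename>
    dom, tok = (sys.argv + ["example.invalid", "probe"])[1:3]
    problems = run_live(dom, tok)
    print("\n".join(problems) if problems else "http-01 pre-flight OK")
```

Running this against a host with only 443 forwarded reports the port-80 finding and nothing else, which is the situation in this thread; once port 80 is forwarded, a missing `location /.well-known/acme-challenge/` in the port-80 nginx server block shows up as the webroot finding instead.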
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
I'm glad you got it figured out!!
 