b4bblefish (Dabbler, joined Sep 15, 2017, 15 messages)
This no longer works as of 11.2 since plugin jails don't allow you to install python packages:
https://www.ixsystems.com/community/threads/pkg-missing-py27-certbot.71967/
Follow this guide instead:
https://www.shogan.co.uk/home-labs/install-and-configure-nextcloud-plugin-on-freenas-with-ssl/ courtesy of EsTaF
This is a guide for setting up FreeNAS 11 using the plugin for nextcloud / owncloud. I used nextcloud, so just replace that with owncloud if you're following this since it should be basically the same.
Disclaimer: I have no idea what I'm doing so feel free to tell me what I did wrong to make this guide better.
ToDo:
- Figure out why TLSv1.1 and TLSv1.2 don't work, probably because of an old version of openssl that apache was compiled with
- Figure out why plugin jails don't start apache like a normal service and instead spawn a bunch of httpd processes and leave the status of apache24 in an unknown state
Pick your poison: install the nextcloud / owncloud plugin from the FreeNAS GUI and then chroot into the jail. In my example my storage array is called storage, so:
Code:
chroot /mnt/storage/jails/nextcloud_1
Setup your router's port forwarding
You will need to forward ports 80 and 443 to the IP address of your jail for nextcloud / owncloud; instructions vary depending on what router you have. Also set up your domain. I'll be using example.com and www.example.com as the domains for the rest of the guide.
SSL certs using letsencrypt and certbot
Code:
pkg install py27-certbot
certbot certonly
Follow the steps in certbot to configure your server and follow the wizard, doing the following:
- Use the webroot option, not standalone, since you already have an apache server running on port 80; may as well not have to shut down your cloud to renew your certs.
- Input BOTH example.com and www.example.com as your domains since they are two separate domains.
- Use /usr/pbi/nextcloud-amd64/www/nextcloud as your webroot.
You should now have a few certs and key files of letsencrypt located at /usr/local/etc/letsencrypt/live/www.example.com
Code:
crontab -e
- Add 0 */12 * * * certbot renew to your cron jobs file.
Some apache config work; make sure to copy to a .bak file and try stopping / starting the plugin to verify it still works while doing this. I'm in the www camp and not the naked url camp, so just swap the www for naked urls if you're a heathen. You should use www if you ever intend to use subdomains or something, I don't know: http://www.yes-www.org/why-use-www/. If you want to try to debug why the plugin doesn't start, run
Code:
service apache24 onestart
and look at the errors.
- Forward all http requests to https by adding the following to /usr/pbi/nextcloud-amd64/etc/apache24/httpd.conf
Code:
# Trailing slash on the target so the request path is appended correctly
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
- Set the following values in /usr/pbi/nextcloud-amd64/etc/apache24/extra/httpd-ssl.conf. I actually made symlinks to my certs to change the extensions, but referencing them directly is probably fine. Otherwise do something similar to http://blog.airey.be/owncloud-letsencrypt
Code:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem"
SSLCACertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/chain.pem"
ServerName www.example.com
- Add the following header stuff before the last </VirtualHost> to enforce https
Code:
# Require https
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
- Add a forward to the end from your naked domain to www; whatever you pick, be consistent
Code:
<VirtualHost *:443>
    ServerName example.com
    Redirect / https://www.example.com/
</VirtualHost>
Congrats, you're done! All of the URL combinations of naked domain vs www and http/https should all forward to the same address. You should now get a C rating on Qualys SSL Labs because TLSv1.1 and TLSv1.2 don't work (https://www.ssllabs.com/ssltest/), but for our purposes I guess that's good enough.
**Bonus** Updating Nextcloud from the webpage
Once you log in, nextcloud may alert you there's an update, and nextcloud has a web update tool which is pretty nice, but it will immediately fail the file checks. This is pretty straightforward, but certbot created a folder called .well-known in your webroot /usr/pbi/nextcloud-amd64/www/nextcloud; make sure to move it out of the directory before updating or else the updater will complain about unknown files. Move the directory back when you're done.
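An added check script (not part of the original post) that verifies what the apache config above is meant to achieve: http and naked-domain requests redirect to https://www.example.com/ and the www vhost sends the Strict-Transport-Security header with the guide's max-age. It assumes the guide's example.com / www.example.com placeholders and that curl is available in the jail.

```shell
#!/bin/sh
# Added example, not from the original post. Checks redirect targets and
# HSTS on raw response headers; the live helpers at the bottom need network.

# check_redirect HEADERS EXPECTED_PREFIX
# Succeeds if the status is a redirect and Location starts with EXPECTED_PREFIX.
check_redirect() {
    headers="$1"; want="$2"
    status=$(printf '%s\n' "$headers" | head -n1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | tr -d '\r' \
        | awk 'tolower($1)=="location:" {print $2}' | head -n1)
    case "$status" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        "$want"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_hsts HEADERS MIN_AGE
# Succeeds if Strict-Transport-Security is present with max-age >= MIN_AGE.
check_hsts() {
    headers="$1"; min_age="$2"
    age=$(printf '%s\n' "$headers" | tr -d '\r' \
        | awk 'tolower($1)=="strict-transport-security:" {
                   if (match($0, /max-age=[0-9]+/))
                       print substr($0, RSTART+8, RLENGTH-8) }' | head -n1)
    [ -n "$age" ] && [ "$age" -ge "$min_age" ]
}

# fetch_headers URL: response headers only, without following redirects.
fetch_headers() {
    curl -sSI --max-time 10 "$1"
}

# audit HOST: run the three checks against a live server (network required).
audit() {
    host="$1"; www="https://www.$host"
    check_redirect "$(fetch_headers "http://$host/")" "$www" \
        || echo "FAIL: http://$host does not redirect to $www"
    check_redirect "$(fetch_headers "https://$host/")" "$www" \
        || echo "FAIL: https://$host does not redirect to $www"
    check_hsts "$(fetch_headers "$www/")" 15552000 \
        || echo "FAIL: HSTS missing or max-age below 15552000 on $www"
}
```

Run `audit example.com` (substituting your real domain) from a machine outside the jail; silence means all three checks passed.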