HOW-TO: Let's Encrypt with Nextcloud/Owncloud

Status
Not open for further replies.

chris4795 | Cadet | Joined: Dec 6, 2016 | Messages: 2
Hello All,

I just got the Nextcloud plug-in properly configured with the Let's Encrypt SSL Certs, so I wanted to post my How-to. I based this off the following guides:

http://aairey.github.io/owncloud-letsencrypt
https://certbot.eff.org/#freebsd-apache
First, find the jail and execute from inside it:

#jls


Nextcloud for me was 1, so to execute in it I used:

#jexec 1 tcsh

Then, install the certbot:

#pkg install py27-certbot


Stop Apache, start the set-up wizard, and start Apache again. I chose the standalone mode:

#service apache24 stop
#certbot certonly
#service apache24 start


Next you will need to tell Apache which files to use. If you use Owncloud, go to:

#cd /usr/pbi/owncloud-amd64/etc/apache24/extra

For Nextcloud:

#cd /usr/pbi/nextcloud-amd64/etc/apache24/extra


I back up httpd-ssl.conf so that if there's an issue, I can go back to it:

#cp httpd-ssl.conf httpd-ssl.conf.backup

Edit httpd-ssl.conf (find the lines that start with those variables and alter as needed). Also, change "your.domain.org" to the domain you own:

Code:
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile "/usr/local/etc/letsencrypt/live/your.domain.org/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/your.domain.org/privkey.pem"
SSLCACertificateFile "/usr/local/etc/letsencrypt/live/your.domain.org/chain.pem"
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off


Restart Apache:

#service apache24 onerestart

I got the following error; I believe you can safely ignore it:

Code:
Error output from None:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message


Next, do a dry-run of the update:

#certbot renew --pre-hook "service apache24 stop" --post-hook "service apache24 start" --dry-run

I got that same error as above, but it ran happily.

Let's Encrypt recommends running it twice a day (if it doesn't need to renew, it will not shut down Apache), so I added this to my crontab:

#crontab -e

Code:
45 11,23 * * * certbot renew --pre-hook "service apache24 stop" --post-hook "service apache24 start" --quiet


I believe (I'm not an expert on cron, so please forgive me if this is wrong) that the script will run at 11:45 AM and 11:45 PM every day to check for renewal.

Check it is there with:

#crontab -l


As of now, I do not have HSTS working on this configuration. If you know how to, I would appreciate knowing how.
 

passmossis | Cadet | Joined: May 28, 2016 | Messages: 9
Your guide works well; it just so happened that I was setting up the very same thing today and was working on tracking down the appropriate file locations.

On your cron, I went with a twice-a-month instead of a twice-a-day approach. The certs are good for three months, so it will check for an update on the 1st and 15th of each month.

Code:
45 23 1,15 * * certbot renew --pre-hook "service apache24 stop" --post-hook "service apache24 start" --quiet


Or do you update frequently to catch DDNS updates?
 

chris4795 | Cadet | Joined: Dec 6, 2016 | Messages: 2
Hello,

The certbot website (i.e. the people behind Let's Encrypt) recommends twice a day; that's why I went with that. FreeNAS already has a place in Services to automatically update DDNS, so I am not worried about that.
 

FreeN@s! | Dabbler | Joined: Aug 18, 2016 | Messages: 12
Thanks, it worked perfectly.
 

kriegalex | Dabbler | Joined: Jan 15, 2016 | Messages: 43
Thank you very much, this helped me save a lot of time compared to my old "self-taught how to get HTTPS" for my previous Owncloud jail.
 

xTitus Maximusx | Dabbler | Joined: Oct 14, 2015 | Messages: 18
For HSTS, add this:
Code:
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

to the file
/usr/pbi/nextcloud-amd64/etc/apache24/Includes/nextcloud.conf
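As an added example (my code, not from this thread or from the Nextcloud/certbot projects), a small Python audit of the httpd-ssl.conf stanza from the how-to above together with the HSTS header from this post. SAMPLE_CONF is a constructed excerpt with the cipher string shortened to representative suites; the findings it raises are the ones a reviewer would raise on the posted configuration: `all -SSLv2 -SSLv3` leaves TLS 1.0/1.1 enabled, the 3DES suite DES-CBC3-SHA survives `!DES` (OpenSSL's `DES` keyword means single DES), and chain.pem placed in SSLCACertificateFile configures the client-certificate CA store rather than sending the intermediate to browsers (that is SSLCertificateChainFile, or fullchain.pem in SSLCertificateFile on Apache 2.4.8+).

```python
import re

# Constructed sample: the how-to's httpd-ssl.conf directives (cipher string abbreviated) plus the HSTS header.
SAMPLE_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile "/usr/local/etc/letsencrypt/live/your.domain.org/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/your.domain.org/privkey.pem"
SSLCACertificateFile "/usr/local/etc/letsencrypt/live/your.domain.org/chain.pem"
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!DES:!RC4:!MD5
SSLHonorCipherOrder on
SSLCompression off
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
"""

def parse_directives(text):
    """Map directive name -> argument string; comments and <container> tags are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            out[name] = value.strip()
    return out

def audit(text):
    """Return (findings, hsts_max_age) for a TLS vhost snippet such as SAMPLE_CONF."""
    d = parse_directives(text)
    findings = []
    proto = d.get("SSLProtocol", "").split()
    if "all" in proto and not {"-TLSv1", "-TLSv1.1"} <= set(proto):
        findings.append("TLS 1.0/1.1 still enabled by SSLProtocol")
    ciphers = d.get("SSLCipherSuite", "").split(":")  # positive entries come before the '!' exclusions
    weak = [c for c in ciphers if not c.startswith("!") and re.search(r"DES-CBC3|RC4|MD5|NULL|EXPORT", c)]
    if weak:
        findings.append("weak suites enabled: " + ",".join(weak))
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):  # live/ holds symlinks certbot repoints on renewal
        if "/letsencrypt/live/" not in d.get(key, ""):
            findings.append(f"{key} not under letsencrypt/live/, renewals will not be picked up")
    if "chain.pem" in d.get("SSLCACertificateFile", ""):
        findings.append("chain.pem in SSLCACertificateFile (client-auth CA store); use SSLCertificateChainFile or fullchain.pem")
    for key, want in (("SSLHonorCipherOrder", "on"), ("SSLCompression", "off")):
        if d.get(key, "").lower() != want:
            findings.append(f"{key} should be {want}")
    hsts = re.search(r'Strict-Transport-Security\s+"max-age=(\d+)', text)
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    return findings, (int(hsts.group(1)) if hsts else None)
```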
 

dureal99d | Contributor | Joined: Aug 3, 2017 | Messages: 156
Perhaps I'm just stupid, because none of these tutorials work for me. I ran the commands to a T but I'm getting nowhere at "httpd-ssl.conf": I edit the file but mine has none of what yours has in it.
I'm just confused. I just want to be able to access my client internally and externally using a secure method. I guess I'm just lost on this because I just don't get it.
 

q_fleuren | Explorer | Joined: Jun 3, 2015 | Messages: 57
> Perhaps I'm just stupid, because none of these tutorials work for me. I ran the commands to a T but I'm getting nowhere at "httpd-ssl.conf": I edit the file but mine has none of what yours has in it.
> I'm just confused. I just want to be able to access my client internally and externally using a secure method. I guess I'm just lost on this because I just don't get it.

Did you end up with a working setup? If not, PM me and I'll help you out.
 

jorgenGSL | Cadet | Joined: Apr 6, 2018 | Messages: 3
I am very new to this and I am stuck in the wizard.
You need to fill in a domain name, so I made a free domain name and linked it through my global IP and port number for https (??),
but when I fill this in in the wizard it does not work:

Fault:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

Please help,
I do not know much about this.
 

dureal99d | Contributor | Joined: Aug 3, 2017 | Messages: 156
> I am very new to this and I am stuck in the wizard.
> You need to fill in a domain name, so I made a free domain name and linked it through my global IP and port number for https (??),
> but when I fill this in in the wizard it does not work:
>
> Fault:
> To fix these errors, please make sure that your domain name was
> entered correctly and the DNS A/AAAA record(s) for that domain
> contain(s) the right IP address.
>
> Please help,
> I do not know much about this.

Make sure ports 80 and 443 are open on your router.
 

danb35 | Hall of Famer | Joined: Aug 16, 2011 | Messages: 15,504
> Fault:
> To fix these errors, please make sure that your domain name was
> entered correctly and the DNS A/AAAA record(s) for that domain
> contain(s) the right IP address.

There's more to the error message than this; what are the next few lines above this?

This is a misleading error from certbot, as it's what's given any time validation fails. And yes, DNS issues are one possible reason, but so is firewall configuration (as @dureal99d mentions), incorrect webroot path, misconfigured webserver, etc. The text that's given above what you quoted will show what happened when they tried to validate.
 

Zxarr | Cadet | Joined: Nov 28, 2018 | Messages: 7
Just got my FreeNAS 11.2 system installed and am starting to set up services while data transfers. I currently use Owncloud in an ESX VM, but installed Nextcloud successfully on FreeNAS, with no real issues until I came to get an SSL certificate, where I found this thread. However, this is what happens:

Code:
root@nextcloud:/ # pkg install py27-certbot
Updating iocage-plugins repository catalogue...
iocage-plugins repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'py27-certbot' have been found in the repositories

Any ideas?
 