nextcloud 12.3 accessible over http, but getting error connecting via https

Status
Not open for further replies.

cunningorb

Explorer
Joined
Feb 5, 2018
Messages
58
I followed @dureal99d's guide on installing Nextcloud manually: https://forums.freenas.org/index.ph...3-on-freenas-11-with-all-checks-passed.58634/

With that I successfully connected to my Nextcloud via http from a cell phone not on my local network. I followed the guide to the letter, including the section regarding self-signing a cert through certbot commands. I have done this several times and noted that no errors were reported and the location is correct.

My router was already port forwarding requests for port 80 to my jail's IP. I added port forwarding for port 443 as well to the same IP.

The Issue: When I point my browser to https://mydomain.com from any computer or device I receive an error. In IE the error says I'm using invalid TLS security settings. In Chrome it says ERR_SSL_PROTOCOL_ERROR. I have also tried from local network https://my.jail's.IP.Address and my.jail's.IP.Address:443 but received the same error.

I checked and re-checked every file related to the guide for accuracy and cross-referenced with this site: https://docs.nextcloud.com/server/12/admin_manual/configuration_server/harden_server.html
* httpd.conf
* .htaccess
* mydomain*
* fullchain.pem
* privkey.pem

I've seen @danb35, as well as a few others, giving some advice related to SSL issues. Much appreciated to the whole community for the knowledge sharing.

In short: Why can't I visit my nextcloud installation via HTTPS?

Extra links:
https://forums.freenas.org/index.ph...th-all-checks-passed.58634/page-6#post-436673
https://forums.freenas.org/index.ph...th-all-checks-passed.58634/page-6#post-437022


 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Certbot does not issue self signed SSL certificates, it issues certificates from Letsencrypt. For the certificate to be issued it must resolve to a valid domain. Do you have a valid domain?
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
> In IE the error says I'm using invalid TLS security settings. In Chrome it says ERR_SSL_PROTOCOL_ERROR.

These errors typically indicate either a problem with the certificate, or a problem with the SSL versions.

You can run Chrome to ignore certificate errors. This is super useful for troubleshooting, since you can get a look at the actual certificate without jumping through a bunch of hoops: https://superuser.com/a/1036062/114127
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> In Chrome it says ERR_SSL_PROTOCOL_ERROR.

I'm thinking this means your server is trying to do http over port 443--the SSL/TLS engine isn't turned on.
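
The condition danb35 describes, plain HTTP being served on port 443, can be confirmed from any client. The following is an added example, not part of the thread: it sends a real TLS ClientHello and classifies the first bytes of the reply. The function names and result labels are assumptions made for this example.

```python
import socket
import ssl

def client_hello(server_name):
    """Return the raw ClientHello bytes OpenSSL would send for server_name."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()  # no peer attached: only the first flight is produced
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

def classify_first_bytes(data):
    """Classify the first bytes a listener returns after receiving a ClientHello."""
    if not data:
        return "no-response"
    # TLS record header: content type 0x16 (handshake) or 0x15 (alert), major version 3
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    # An HTTP status line (or a bare HTML error page) means the port speaks plain HTTP,
    # which is what browsers report as ERR_SSL_PROTOCOL_ERROR
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        return "plaintext-http"
    return "unknown"

def probe(host, port, server_name=None, timeout=5.0):
    """Return 'tls', 'plaintext-http', 'closed', 'no-response' or 'unknown'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello(server_name or host))
            data = sock.recv(16)
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, reset, unreachable
        return "no-response"
    return classify_first_bytes(data)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: script.py HOST [PORT]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A result of `plaintext-http` on port 443 points at the web server configuration rather than at the certificate; `closed` or `no-response` points at the listener or the port forward.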
 

cunningorb

Explorer
Joined
Feb 5, 2018
Messages
58
> Certbot does not issue self signed SSL certificates, it issues certificates from Letsencrypt. For the certificate to be issued it must resolve to a valid domain. Do you have a valid domain?

Yes, I bought a domain and the A record points to my public IP.

> These errors typically indicate either a problem with the certificate, or a problem with the SSL versions.
>
> You can run Chrome to ignore certificate errors. This is super useful for troubleshooting, since you can get a look at the actual certificate without jumping through a bunch of hoops: https://superuser.com/a/1036062/114127

I tried this, however despite running Chrome that way the same error persists: ERR_SSL_PROTOCOL_ERROR. I googled to make sure I was loading Chrome in the prescribed mode correctly and I was.

> I'm thinking this means your server is trying to do http over port 443--the SSL/TLS engine isn't turned on.

Are you referring to something like what's mentioned in this post here? https://forums.freenas.org/index.ph...nextcloud-owncloud-letsencrypt-ssl-tls.57797/
I checked httpd-ssl.conf and found this:
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

Thanks for the fast response!

Edit: Should I start this over from the beginning? Maybe go the ports route and skip all the manual stuff?
 

LotLits

Dabbler
Joined
Apr 10, 2015
Messages
30
@cunningorb I've rebuilt my nextcloud jail multiple times (including on Tuesday). I kept quite a few notes so it's pretty easy to do now. For your SSL issue, below are the steps I saved, so maybe they'll help you (this doesn't include generation of certs). Below is, I think, all that's needed SSL configuration-wise.

--------------------------
/usr/local/etc/apache24/httpd.conf

Uncomment the "ServerName" line, replacing the fqdn with the jail's IP or name

Find "Listen 80" and add "Listen 443" below it

Uncomment the rewrite_module and ssl_module lines

After the following line:

    LoadModule php7_module libexec/apache24/libphp7.so

Add the following:

    <IfModule php7_module>
    <FilesMatch "\.(php|phps|php7|phtml)$">
    SetHandler php7-script
    </FilesMatch>
    DirectoryIndex index.php
    </IfModule>

After the following:

    <IfModule mime_module>

Add the following:

    AddType application/x-httpd-php-source .phps
    AddType application/x-httpd-php .php
-------------------------

Are you sure you uncommented the ssl_module line AND added the Port 443?

It might make sense to post up your httpd.conf file and apache include .config file (you can just hide the ServerName line and any other line that might be sensitive).
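
One way to answer the two questions above against a copy of httpd.conf, as an added example that is not LotLits's or the guide's code: it reports which of the items from the notes (ServerName, Listen 443, rewrite_module, ssl_module) are missing or still commented out. The sample configuration is constructed and the function names are hypothetical; the check reads one file only and does not follow Include lines or evaluate `<IfModule>` conditions.

```python
REQUIRED_MODULES = ("rewrite_module", "ssl_module")

def active_directives(conf_text):
    """Yield (name, args) for each directive line that is not blank or commented out."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Skip comments and section tags such as <IfModule ...> / </IfModule>
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]

def missing_ssl_prereqs(conf_text):
    """Return the items from the notes that are absent from the active configuration."""
    modules, ports, has_server_name = set(), set(), False
    for name, args in active_directives(conf_text):
        if not args:
            continue
        if name == "loadmodule":
            modules.add(args[0])
        elif name == "listen":
            # Listen accepts "443", "192.0.2.10:443" or "[::]:443"; keep the port part
            ports.add(args[0].rsplit(":", 1)[-1])
        elif name == "servername":
            has_server_name = True
    missing = []
    if not has_server_name:
        missing.append("ServerName")
    if "443" not in ports:
        missing.append("Listen 443")
    missing += [f"LoadModule {m}" for m in REQUIRED_MODULES if m not in modules]
    return missing

# Constructed sample: ssl_module and ServerName are still commented out, no Listen 443
SAMPLE_CONF = """\
#ServerName www.example.com:80
Listen 80
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule php7_module libexec/apache24/libphp7.so
"""

if __name__ == "__main__":
    for item in missing_ssl_prereqs(SAMPLE_CONF):
        print("missing or commented out:", item)
```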
 

cunningorb

Explorer
Joined
Feb 5, 2018
Messages
58
Guys thanks for the help. I had to take a break from this project but I will take another crack at it in the next few days and post my results.
 