Nextcloud13 iocage with Cloudflare's certificate

[twsps]

Hi,
I am currently following this guide to create Nextcloud13 in iocage: https://forums.freenas.org/index.ph...ll-checks-passed-updated-to-use-iocage.61934/
Currently I have a CDN (orange clouded) domain with cloudflare, and want to use cloudflare's TLS certificate instead of letsencrypt. How would I be able to achieve it?
Thanks.

 

[dlavigne]

Were you able to figure this out?

 

[twsps]

Were you able to figure this out?

No, I still didn't figure out how to add TLS certificate to my nextcloud end, which makes cloudflare able to run full SSL encryption. Right now it's only SSL flexible.

 

[danb35]

You should be able to use the certificate and key that Cloudflare gives you in place of the Let's Encrypt cert and key that the linked how-to describes. If that doesn't work, you're going to need to give a lot more detail about exactly what you've tried, and what happened when you did so.

 

[twsps]

You should be able to use the certificate and key that Cloudflare gives you in place of the Let's Encrypt cert and key that the linked how-to describes. If that doesn't work, you're going to need to give a lot more detail about exactly what you've tried, and what happened when you did so.

Should I still use this one?

Code:

<VirtualHost *:443>
  ServerAdmin YOUREMAIL
  ServerName YOURSITE.COM
  DirectoryIndex index.php
  DocumentRoot /usr/local/www/apache24/data/nextcloud
  SSLCertificateFile /usr/local/etc/letsencrypt/live/YOURSITE.COM/fullchain.pem
  SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/YOURSITE.COM/privkey.pem
  SSLEngine on
  # Intermediate configuration, tweak to your needs
  SSLProtocol  all -SSLv2 -SSLv3
  SSLCipherSuite  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  SSLHonorCipherOrder  on
  SSLCompression  off
  SSLOptions +StrictRequire
  <Directory /usr/local/www/apache24/data/nextcloud>
  AllowOverride all
  </Directory>
  <IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  </IfModule>
  </VirtualHost>

I have a cert and key file, should I change them to .pem file extension?

 

[danb35]

Should I still use this one?

Yes, although you may want to change the cert and key locations to somewhere other than /etc/letsencrypt (since you aren't using Let's Encrypt).

I have a cert and key file, should I change them to .pem file extension?

There's no real reason to do that.

 

[twsps]

Yes, although you may want to change the cert and key locations to somewhere other than /etc/letsencrypt (since you aren't using Let's Encrypt).

There's no real reason to do that.

Got it, do I need to change this:

Code:

SSLProtocol  all -SSLv2 -SSLv3
  SSLCipherSuite  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Also, do I still need to do redis and apcu?
Code here:

Code:

cd
pkg install p5-Locale-gettext help2man texinfo m4 autoconf
make config-recursive install -C /usr/ports/databases/pecl-redis
make config-recursive install -C /usr/ports/devel/pecl-APCu

Thanks.

 

[danb35]

Got it, do I need to change this:

I wouldn't.

Also, do I still need to do redis and apcu?

They'd help your performance.

 

[twsps]

I wouldn't.

They'd help your performance.

But cloudflare SSL full still reports error 502

 

[danb35]

But cloudflare SSL full still reports error 502

I'm afraid my crystal ball isn't working. What do they say error 502 means? What do their logs say? What do your logs say?

 

[twsps]

I'm afraid my crystal ball isn't working. What do they say error 502 means? What do their logs say? What do your logs say?

Maybe not your crystal ball has problem, but mine :p
I did not do this part:
Now lets secure this server
SSL using Certbot:
Download/Install Certbot
pkg install py27-certbot
certbot certonly --webroot -w /usr/local/www/apache24/data/nextcloud -d YOURSITE.COM
Navigate to /usr/local/etc/apache24/httpd.conf
Code:
cd /usr/local/etc/apache24/httpd.conf

in the httpd.conf file
Find Listen 80 and add underneath Listen 443
I don't know what the below command does but it works:
nano /etc/make.conf
Then add to the 2nd line of the file
Code:
DEFAULT_VERSIONS+=php7.0

Is this required?

 

[danb35]

I did not do this part:

If you're using a different certificate, there's no reason at all to install or run certbot. You do, however, need to have Apache configured to use the cert and speak SSL. The how-to you followed should explain how to do that.

 

[twsps]

If you're using a different certificate, there's no reason at all to install or run certbot. You do, however, need to have Apache configured to use the cert and speak SSL. The how-to you followed should explain how to do that.

Is this the part where I need to enable?

Code:

LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so

I did enable this in the beginning. 502 Error reports as Bad Gateway.
I think I'm missing some settings. What do you mean by configured to use cert and speak SSL? Is it the two lines of code that I mentioned above in httpd.conf?

 

[danb35]

What do you mean by configured to use cert and speak SSL?

What part of that was unclear? In any event, it sounds like you need to do some reading of the Apache docs.

 

[twsps]

What part of that was unclear? In any event, it sounds like you need to do some reading of the Apache docs.

I think I did this part wrong in some way.
Add virtual Host info :
Navigate to: /usr/local/etc/apache24/Includes
Code:
cd /usr/local/etc/apache24/Includes

Touch file: (I used a cloud.* subdomain, if you're not using a sub, remove the 'cloud.')

$ touch YOURDOMAIN.com or org or gov.conf

$ nano YOURDOMAIN*

make your secure file in this format (simply copy and paste):
Be sure to edit the YOURSITE.COM part of the below file with your domain info
(Example) if your domain is "tocool.no-IP.org" enter that and the domain name matches your touch file name.
Code:
<VirtualHost *:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName YOURSITE.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =YOURSITE.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
#ErrorLog ${APACHE_LOG_DIR}/error.log
#CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /usr/local/www/apache24/data/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /usr/local/www/apache24/data/nextcloud
SetEnv HTTP_HOME /usr/local/www/apache24/data/nextcloud
Satisfy Any
</Directory>
</VirtualHost>

----
I tried that if I remove <VirtualHost*:80> section, I am still able to get in my nextcloud web GUI with jailip/nextcloud
I created my file with "mydomain.com" with no .conf ending. Is this correct?

 

[twsps]

Ok, this is what I did to try out in mydomain.com file under Includes

Code:

<VirtualHost *:443>

  ServerName 192.168.2.5  

  ServerAlias 192.168.2.5

  SSLEngine on

  DocumentRoot /usr/local/www/apache24/data/nextcloud

  SSLCertificateFile /usr/local/etc/cloudflaressl/mydomain.com.crt

  SSLCertificateKeyFile /usr/local/etc/cloudflaressl/mydomain.com.key

</VirtualHost>

And it still doesn't work to access my nextcloud web gui from https://192.168.2.5/nextcloud.

p.s. 192.168.2.5 is my nextcloud jail ip

 

[twsps]

Ok, I got it working by mydomain.com.conf. Right now I'm able to access my jail using https://192.168.2.5. However, mydomain.com still gives me 502 error.

 

[twsps]

Solved. Right now I'm able to use full ssl on Cloudflare.

Thanks!

 

[guermantes]

Solved. Right now I'm able to use full ssl on Cloudflare.

Thanks!

So what did you do to solve it? Could help others if you specify that.

 

[twsps]

I believe I specified that I got it working by changing the file name ending with .conf
That's about it

Sent from my MHA-AL00 using Tapatalk