Questions about OwnCloud

Status
Not open for further replies.

MenacingM

Dabbler
Joined
Aug 21, 2013
Messages
19
I've installed the OwnCloud PBI from the PlugIn Repo and I'm interested in setting up SSL properly.

Not sure where to start though. Would be helpful if someone could assist with these questions:

1. [ANSWERED] Does the OwnCloud jail have its own webserver? If so, which is it? If not, how do I make modifications for OwnCloud in a jail?
Apparently it is using Apache. After poking around in the jail I found the following path:
Code:
/mnt/ztank/jails/owncloud_1/usr/pbi/owncloud-amd64/etc/apache22/httpd.conf

So I at least now have a starting point.

2. This is probably dependent on the previous question but I've read I need to update to the latest version of PHP 5.3 for OwnCloud as well as installing several other PHP dependencies. Some direction on this would be appreciated.

3. [PARTIALLY ANSWERED] As mentioned previously, I would like to install and setup SSL properly so I could use ownCloud client sync outside of my network somewhat securely. As of right now I can't run the sync client with SSL. Any guidance on this would be appreciated. Though I think I could manage getting it installed myself if I have answers to my 1st question.
Without setting the hostname and other fields within the WebGUI under SYSTEM -> SETTINGS -> SSL, the ownCloud plugin will deploy with an SSL certificate missing required fields, thereby breaking sync client with SSL functionality.


It turns out the SSL Certificate in the jail is unrelated to the System SSL Cert. Bug accepted and change should be committed in next update of plugin


Thanks to anyone who might be able to shed light onto these quandaries.

-M
 

MenacingM

Dabbler
Joined
Aug 21, 2013
Messages
19
To follow up on this, I set up OwnCloud using the installation method from the PlugIns repository. While I am able to sync with my Mac and Linux clients by specifying a preceding http (not specifying a prefix defaults to https) before the server address, I am unable to sync with Windows clients even without SSL. This error seems to be occurring due to a missed field in the signing of the self-signed cert installed with the package. The error reads:

CSync Processing Step Update Failed
Backend Message: Server Certificate was missing commonName attribute in Subject Name.
Can anyone shed some light on how to self sign the cert for the jailed Owncloud plugin? Or is this something that should occur outside of the jail?

I found some info in the forums about how to self sign the SSL cert but it was from a guide before ownCloud was available as a package:

http://forums.freenas.org/threads/installing-owncloud.14347/#post-73501
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
That's not so much a missed field as potentially reasonable paranoia. An SSL certificate is only supposed to be good for identifying a particular host, which gets wired into the certificate as the commonName. Depending on what it did to acquire a "self-signed cert":

1) If it came with the package, that's just overall bad since it isn't giving you much security at all

2) If it was created on the fly by the package, it implies that the hostname wasn't set up correctly during the process ("fix it" and try again)

Not having seen the OwnCloud plugin, I have no idea.

To set it up properly is a bit tricky. One correct avenue would be to acquire a root CA signed cert from a common SSL provider. Some of them are dirt cheap if you know where to look. The downside is that you have to be updating with a new cert every year. So those of us in the biz often set up our own private root CA for internal use and then issue certs more reasonably (plus: for free). This involves teaching the client about your new root CA, which isn't hard. Then you just issue out certs for as many years as you reasonably expect a service to need. For a service like OwnCloud where you don't have random strangers needing to connect, this is close to ideal.
 

MenacingM

Dabbler
Joined
Aug 21, 2013
Messages
19
jgreco,

Raising the question for a "proper SSL configuration," was a bit vague on my part. I am well aware of obtaining certs from cert authorities, CSR requests and the like; although I have not done it just yet in FreeNAS, I can't imagine it is terribly different than any other server I have done so with. Still, it would be valuable to revisit this topic in another guide or forum. Also, even though a self-signed cert does not provide a high level of security, it is much better than plain text/no SSL for users hoping to sync data remotely.

Now, back to our regularly scheduled programming.

The reason I started this post is to address an issue in functionality in the OwnCloud plugin for FreeNAS. I was under the impression that FreeNAS was meant to bring the power of Unix/ZFS to the somewhat tech savvy, something previously reserved for neck beards, hackers, and elite admins.

As such, I raise these questions because my first attempt to configure ownCloud seemingly was working until Sync clients were set up; this is when I ran into these issues. For example, the Windows ownCloud client will not sync without SSL enabled. With SSL enabled it yields the error mentioned above. Now, I have discovered I did in fact miss a step in my configuration of FreeNAS.
Not setting the hostname and other fields within the WebGUI under SYSTEM -> SETTINGS -> SSL will install an SSL certificate missing required fields, thereby breaking functionality.

It turns out the SSL Certificate in the jail is unrelated to the System SSL Cert. Bug accepted and change should be committed in next update of plugin

I have since posted a bug report with my findings in the hopes that a preinstall check can be implemented to ensure these fields are populated to ensure a seamless install experience for novice users.

Now I will attempt to repair my fudged plugin install and will report back or post a guide with my findings.

Cheers all!
 

MenacingM

Dabbler
Joined
Aug 21, 2013
Messages
19
Ok all I think I've got it.

SSH into your FreeNAS and do the following:

Code:
jls
 
  JID  IP Address      Hostname                      Path
    6  -              owncloud_1                /mnt/ztank/jails/owncloud_1


Based on the JID of your Owncloud Jail, do the following:
Code:
jexec 6 /bin/tcsh
 
cd /usr/pbi/owncloud-amd64/etc/apache22/
 
openssl req -new -x509 -days 3650 -nodes -out owncloud.crt -keyout owncloud.key


Answer the questions and set common name to your intended FQDN. You should now have an owncloud.crt and owncloud.key file.

Code:
ee /usr/pbi/owncloud-amd64/etc/apache22/extra/httpd-ssl.conf

Now look in the file for the text below and replace server with owncloud

Code:
SSLCertificateFile "/usr/pbi/owncloud-amd64/etc/apache22/server.crt"
 
SSLCertificateKeyFile "/usr/pbi/owncloud-amd64/etc/apache22/server.key"

OPTIONAL: Set your hostname by issuing the following from within your jail:
Code:
hostname whatever.wherever.com

NOTE: If you want this change to be persistent, you must make the change in the jail's /etc/rc.conf

Restart Apache and you should be good to go.
Code:
/usr/local/etc/rc.d/apache22 restart
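
A non-interactive variant of the steps above, with a check that the certificate really carries a commonName before Apache is restarted. This is an added example, not part of the original post or the plugin; the hostname cloud.example.net, the scratch directory, the function names and the -newkey rsa:2048 -sha256 options are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread). Hostname, scratch dir and function names are assumed.

# make_cert <dir> <subject>: same command as in the post, but non-interactive.
# -newkey rsa:2048 and -sha256 are additions so key size and digest are explicit.
make_cert() {
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 -sha256 \
        -subj "$2" -out "$1/owncloud.crt" -keyout "$1/owncloud.key" 2>/dev/null
    chmod 600 "$1/owncloud.key"   # private key readable by its owner only
}

# cert_cn <crt>: print the subject commonName, or nothing if it is absent.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# key_matches_cert <crt> <key>: true when both files hold the same public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_cert <crt> <key> <fqdn>: 0 = deployable, 1 = no CN, 2 = wrong CN, 3 = key mismatch.
check_cert() {
    cn=$(cert_cn "$1")
    [ -n "$cn" ] || { echo "FAIL: subject has no commonName"; return 1; }
    [ "$cn" = "$3" ] || { echo "FAIL: CN '$cn' is not '$3'"; return 2; }
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; return 3; }
    echo "OK: CN=$cn"
}

# Demo on constructed certificates in a scratch directory.
work=$(mktemp -d)
mkdir "$work/good" "$work/nocn"
make_cert "$work/good" "/CN=cloud.example.net"
make_cert "$work/nocn" "/O=constructed-no-cn"   # reproduces the missing-CN subject
check_cert "$work/good/owncloud.crt" "$work/good/owncloud.key" cloud.example.net
check_cert "$work/nocn/owncloud.crt" "$work/nocn/owncloud.key" cloud.example.net || true
rm -rf "$work"
```

Run it with /bin/sh rather than the tcsh started by the jexec step, since tcsh does not parse these function definitions.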
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
"So for us who don't tweak kernels for living, will SSL be included in next version out of the box?"

None of what MenacingM described doing was anything above basic sysadmin level, and with the possible exception of the jail manipulation stuff, is easily found on the web. I don't think any of it is anywhere near as complicated as "tweak kernels for living".

Good job MM, I'm familiar with walking into a foreign software environment and having to look at things in both a client and server environment in order to figure out what broke and arrive at a relatively trivial-seeming fix.

As for "included in next version", I'm assuming that's what "Bug accepted and change should be committed in next update of plugin" means.
 

MenacingM

Dabbler
Joined
Aug 21, 2013
Messages
19
Once I figured out the parts that made it work, there was enough info on the web to piece this together. A bit of trial and error combined with leaning on my experience, I figured it out. Took me longer than I'd like to admit, as my Apache knowledge needed brushing up. I could script most of this together, but as the next release will have it fixed, I don't see the point.

When it comes to Open Source, I like to post in the forums as sometimes you get lucky and get help. If not, at least your experience learning/figuring it out is posted and could potentially help others.

I've received some invaluable help from the guys over at the pfSense forums. They've got a great community, and I hope the same becomes true of FreeNAS.

Hope this has helped some of you guys out. Don't be intimidated, it really is simple if you follow it step by step. If something isn't clear, ask.
 