> I'm getting a bit concerned about the man-in-the-middle attack risk within my LAN

That's a pretty serious threat you're concerned with--for a MITM to be viable, the attacker would need to either spoof your local DNS, or outright take over the IP belonging to your Nextcloud jail, depending on exactly how you've configured HAProxy (i.e., whether you're proxying to a hostname or the IP address). The more viable threat is that some malicious device/code on your LAN would be sniffing the unencrypted HTTP traffic.

Code:
tls internal
> The copying is done manually with the scp command via secured ssh. I have to do it again every time the LE cert is renewed.

You should be able to script this from the pfSense box; it supports running specific commands after cert renewal. And you can use ssh to run arbitrary commands on a remote host--the syntax would be something like

Code:
ssh root@freenas iocage exec nextcloud service caddy reload
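As an added example of that approach (not a script from this thread or from pfSense), a post-renewal hook that copies the renewed cert and key into the jail and reloads Caddy, using a dedicated non-interactive ssh key so no PIN prompt is involved. The file paths, the hook key name and the jail's cert directory are assumptions; only the `root@freenas` host and the reload command come from the thread.

```shell
#!/bin/sh
# Added example, not the thread's own script: post-renewal hook to run from the
# pfSense box. It pushes the renewed LE cert/key into the Nextcloud jail and
# reloads Caddy. Paths, key name and REMOTE_DIR are assumptions; adjust them.
CERT="${CERT:-/conf/acme/nextcloud.crt}"          # assumed location of renewed cert
KEY="${KEY:-/conf/acme/nextcloud.key}"            # assumed location of its private key
JAIL_HOST="${JAIL_HOST:-root@freenas}"            # host name used in the thread
REMOTE_DIR="${REMOTE_DIR:-/mnt/tank/iocage/jails/nextcloud/root/usr/local/etc/caddy/certs}"
HOOK_KEY="${HOOK_KEY:-/root/.ssh/caddy_deploy}"   # dedicated passphrase-less key, hook only

# Non-interactive ssh: never prompt (no PIN, no password), refuse unknown host
# keys, offer only the hook key. On the FreeNAS side, confine that key in
# authorized_keys with from="<pfsense-ip>",restrict so it is useless elsewhere.
SSH_OPTS="-i $HOOK_KEY -o BatchMode=yes -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes"

deploy_cert() {
    # Do not push anything if the renewal left no usable files behind.
    if [ ! -s "$CERT" ] || [ ! -s "$KEY" ]; then
        echo "deploy_cert: missing or empty $CERT or $KEY" >&2
        return 1
    fi
    chmod 600 "$KEY"   # keep the key private on the pfSense side too
    scp $SSH_OPTS "$CERT" "$KEY" "$JAIL_HOST:$REMOTE_DIR/" || return 1
    ssh $SSH_OPTS "$JAIL_HOST" iocage exec nextcloud service caddy reload
}

# Only act when invoked as the hook (DEPLOY_NOW=1 /root/caddy-deploy.sh), so that
# sourcing the file to test it never contacts the server.
if [ "${DEPLOY_NOW:-0}" = "1" ]; then
    deploy_cert
fi
```

Point the acme package's post-renewal command at this script with DEPLOY_NOW=1 set; the key it uses should be a fresh one generated for this job, not the PGP-backed YubiKey key.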
> You should be able to script this from the pfSense box; it supports running specific commands after cert renewal. And you can use ssh to run arbitrary commands on a remote host--the syntax would be something like
> Code:
> ssh root@freenas iocage exec nextcloud service caddy reload

I'll look at that approach. It might be a bit of a learning curve for me. Looks like I need to make another ssh key for this purpose, as my current ssh key is a PGP-based one imported into a yubikey which requires a PIN every time I ssh to a server. Thank you for this excellent suggestion!
> current ssh key is a PGP-based one imported into a yubikey

Fancy. I use a Yubikey as a poor man's HSM for my local certificate authority:
> I'm building a small scale CA for my own family too which starts with pure OpenSSL commands atm.

I'd strongly recommend looking at Smallstep's offering, then. Whether you run it on PC or Pi, use the Yubikey or not, use the TRNG or not, it's a nicely-integrated solution that can handle both TLS and SSH certs. @rvassar posted a link to that blog post about a year ago, and I thought it sounded like a fun project. I've pretty much been banging rocks together, because most of what I've done has been documented elsewhere, just not how to put it all together--but thankfully SmallStep have some pretty good support, even for freeloaders like me.
> I have never thought that a normal yubikey can do the work of the expensive HSM.

I doubt it has the security level, and it certainly doesn't have the certifications, but it does have the capability of storing the signing keys and doing the signing on the device itself, while "never" (unless it's compromised, the difficulty of which I don't know) exposing the keys themselves to anything else.
> I have a dream that governments all over the world will one day issue free or low-cost digital certificates

I thought I'd heard that some European governments do this. Here in .us, there's considerable resistance to the concept of a national ID, so...
> I'm wondering whether Smallstep supports OCSP?

No, their way of dealing with questions of cert validity is to use very short-lived certs--by default, a cert is only valid for 24 hours, which is much shorter than a typical OCSP response. Put differently, the existence of the cert itself is going to give a more up-to-date indication of its validity than an OCSP response. And really, not only do they not support OCSP, they don't support revocation at all (which makes the OCSP question moot).
> When updating caddy to latest version, is the command
> Code:
> pkg update caddy
> the correct one or does the version need to be included?

> I'd recommend using caddy upgrade--my script doesn't install Caddy from the package.

As of right now I am using the

Code:
caddy upgrade

It updates to 2.5.1 and now nextcloud stopped working.
> What's in /var/log/caddy/caddy.log?

Code:
{"level":"info","ts":1652401079.7092593,"msg":"using provided configuration","co
> The complete lines would have been nice. But it looks like the same problem as noted just up-thread--delete the line from your Caddyfile that calls for common_log format (around line 10) and restart Caddy, and you'll likely be fine.

Just saw that. Yes, I suspected as much.