How can a person use their own SSL cert in the nextcloud snap? I had generated self-signed thinking I could juts replace them - but no go. (read only Filesystem). We have a corporate wildcard we want to use.
I completely intended for you to be able to do this, but a bug in some migration code will eat the certs you place there, so I'll add explicit support to the enable-https tool for this.
that would be great. This is literally a showstopper for me to deploy.
Yeah easy fix, I'll make a release today.
I've got this complete, but I've hit a slight snag: I'm not sure how to best hand your files off to a confined application. I need to do a bit of research and I'll release tomorrow.
Alright I've worked around the snag; I have one last question: Would you want HSTS enabled in such a situation? Are your certs self-signed?
Meh... I suppose it should be optional either way.
@bashfulrobot please take a look at #201 (no need to necessarily review the code, but look over the description and make sure it solves your needs). Once you give the OK I'll merge and you can test it out.
Hello. I want to use nextcloud on my work's intranet using _https_ but I can't expose the server to the internet for letsencrypt to challenge port 80/443. However, I can still obtain certificates manually using the _dns-01 challenge_ but the problem is I cannot put them inside the snap (read only filesystem). I think #201 solves the problem for me. I am looking forward to test your code! Thanks :smiley:
@kyrofa - I'll review and get back to you shortly.
Alright I've worked around the snag; I have one last question: Would you want HSTS enabled in such a situation? Are your certs self-signed?
The certs are not self-signed in my case (a wildcard from a commercial CA). I would prefer to support HSTS if possible as a more secure option is always better,
@kyrofa - https://github.com/nextcloud/nextcloud-snap/pull/201 seems to cover my use case. So long as I can get those certificates and keys in there. Shoulld be good.
Thanks @kapcom01 and @bashfulrobot. I've merged the PR, which means this is now available in the candidate channel: sudo snap install --candidate nextcloud. If you could give this a try for me, make sure it works for you, I'd certainly appreciate it. It'll be contained in the next release.
I copyied the cert files in /var/snap/nextcloud/current/certs/custom/
and then
sudo nextcloud.enable-https custom -s cert.pem privkey.pem chain.pem
It worked for me, thanks! :smiley:
kapcom01 You copied _which_ cert files into /var/snap/nextcloud/current/certs/custom? Did you copy the pem files or crt files or what?
@zogness I haven't used this snap for 2 years but reading my previous comment it seems that the files you need to copy are cert.pem, privkey.pem and chain.pem.
After uploading the cert.pem privkey.pem chain.pem files to /var/snap/nextcloud/current/certs/custom/ and running sudo nextcloud.enable-https custom -s cert.pem privkey.pem chain.pem without any errors nextcloud is still using the default cert after a reboot. Am i missing a step?
I was handed a bunch of crt files that turned out to be pem files. Our registrar's system did not rename them properly. Case closed.
Ok, so I use Ionos and it gave me a bunch of .cer files.
I renamed them according to the script naming convention. the SSL Cert was renamed from "long.cert.name.cer" to "cert.pem" and the same with the Key.
The Intermediate files downloaded, just used one of them and renamed it "chain.pem."
I put all the files in /var/snap/nextcloud/#####/certs/live
I ran this script: nextcloud.enable-https custom -s cert.pem privkey.pem chain.pem
Boom, it worked. Deleted the files for security and it's still secure.
@kyrofa Why is the certificate files copied? Couldn't they be just symlinked? Because this way, we have to run this command again when the certificates are updated.
To make it clearer, I have a Let's Encrypt certificate that is using DNS-1 Challenge. I've automated its renewal and I'd like to just symlink this certificate to use in NextCloud.
@kyrofa Why is the certificate files copied? Couldn't they be just symlinked? Because this way, we have to run this command again when the certificates are updated.
To make it clearer, I have a Let's Encrypt certificate that is using DNS-1 Challenge. I've automated its renewal and I'd like to just symlink this certificate to use in NextCloud.
In my own testing, a symlink just didn't work. Apache wouldn't start. But when I copied the certs, it worked fine. But I don't know enough about snap to find the actual error message.
You can use a symlink, but it _must be a symlink to a location accessible by the snap_. Confinement follows symlinks.
Well if you can't change the location where certbot saves the pem files, and snap doesn't have access to the location where certbot saves them, then symlinks just won't work.
I ended up adding a post hook to copy the files.
Most helpful comment
I copyied the cert files in
/var/snap/nextcloud/current/certs/custom/and then
sudo nextcloud.enable-https custom -s cert.pem privkey.pem chain.pemIt worked for me, thanks! :smiley: