Comments (14)

kyrofa avatar kyrofa commented on June 12, 2024 1

I'm going to close this since I think it's clear this isn't an issue with the snap, but please feel free to continue discussion here, we'll help as much as we can.

from nextcloud-snap.

scubamuc avatar scubamuc commented on June 12, 2024

while this issue is out of our support scope, your config is questionable:

your local IP is not a FQDN? See Hosts & FQDN configuration

remove your local IP here.

$CONFIG = array(
  'trusted_domains' => array(
    'cloud.example.com',
    '192.168.1.10:10260',
  ),

tholeb avatar tholeb commented on June 12, 2024

while this issue is out of our support scope, your config is questionable:

your local IP is not a FQDN? See Hosts & FQDN configuration

remove your local IP here.

$CONFIG = array(
  'trusted_domains' => array(
    'cloud.example.com',
    '192.168.1.10:10260',
  ),

Thank you for your answer. I removed it from my config (it was more for testing purposes).

After multiple fresh installs, I can't even get it to respond to "cloud.example.com" (I get connection timed out) even though I configured it with overwritehost, overwriteprotocol, trusted_proxies, and nginx reverse proxy...

Also, I found in the wiki that you need another webserver to reverse proxy the app, can't the snap reverse proxy "itself" with its embedded apache webserver ?

I'm sorry, I'm a bit lost with all the versions of nextcloud and docs I can find online

scubamuc avatar scubamuc commented on June 12, 2024

no worries, we'll get you going...

After multiple fresh installs, I can't even get it to respond to "cloud.example.com" (I get connection timed out)

surely your domain is not cloud.example.com, that is merely an example. you need a valid domain or subdomain pointing to your device. you can get your domain or subdomain from a service provider of your choice. if you don't have your own domain, turn to a dynamic DNS provider of your choice to get a valid subdomain.

Also, I found in the wiki that you need another webserver to reverse proxy the app, can't the snap reverse proxy "itself" with its embedded apache webserver ?

nope, you don't need a reverse proxy. that wiki entry is an optional suggested configuration if you are planning to run your Nextcloud behind a reverse proxy.

scubamuc avatar scubamuc commented on June 12, 2024

@tholeb maybe this step by step guide will help you. it's in German, but Google knows German and will translate into French

tholeb avatar tholeb commented on June 12, 2024

@tholeb maybe this step by step guide will help you. it's in German, but Google knows German and will translate into French

Thanks a lot, I'll look into it !

kyrofa avatar kyrofa commented on June 12, 2024

So I'm not really familiar with cloudflare, but:

add cert.pem, privkey.pem, chain.pem to /var/snap/nextcloud/current/nextcloud/config/

Can you clarify a bit? Where did these files come from? It sounds like they aren't valid for your domain.

tholeb avatar tholeb commented on June 12, 2024

So I'm not really familiar with cloudflare, but:

add cert.pem, privkey.pem, chain.pem to /var/snap/nextcloud/current/nextcloud/config/

Can you clarify a bit? Where did these files come from? It sounds like they aren't valid for your domain.

These files come from cloudflare's dashboard :
image

I created the origin cert using the dashboard, and downloaded the key and the certificate (*.example.com and example.com), valid for 10 years.

I also downloaded the root certificate (rsa) and created the fullchain cert with the root (cat cert.pem origin.pem > fullchain.pem).

kyrofa avatar kyrofa commented on June 12, 2024

I think the only way we're going to be able to help is if you share your actual domain name as well as the IP address of the server hosting the snap. I understand not wanting to make that public: would you mind emailing that info to me? Email is in my profile.

tholeb avatar tholeb commented on June 12, 2024

@tholeb maybe this step by step guide will help you. it's in German, but Google knows German and will translate into French

I now have a 404, I guess it's better than nothing.
No errors in apache logs.

Here is what I've done :

  • snap install nextcloud
  • snap set nextcloud ports.http=10260 ports.https=10261 (I have an nginx that does reverse proxy for other containers)
  • nextcloud.manual-install admin admin
  • nextcloud.occ config:system:set overwriteprotocol --value="https"
  • nextcloud.occ config:system:set overwritehost --value="cloud.example.com"
  • nextcloud.occ config:system:set trusted_domains 2 --value=cloud.example.com
  • Go to lan IP:PORT (192.168.1.10:10260 in my case), get redirected to cloud.example.com
  • get 404 :
    image
    image

Note : my cloudflare SSL config
image

tholeb avatar tholeb commented on June 12, 2024

I think the only way we're going to be able to help is if you share your actual domain name as well as the IP address of the server hosting the snap. I understand not wanting to make that public: would you mind emailing that info to me? Email is in my profile.

Thank you. I'll contact you.

kyrofa avatar kyrofa commented on June 12, 2024

Got it.

So by visiting your IP address directly, I can see your certs, and they appear to be set up correctly, so the snap is doing what it's supposed to be doing:

Screenshot from 2024-02-02 09-33-12

Sadly I'm at a loss as to what the "Cannot GET /" message means. I suspect that's coming from cloudflare given things like this in the source of that page:

_cpo.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js'

But... my lack of experience with cloudflare leads me to throw up my hands at this point: I don't know what's wrong. A quick google of that ^ path leads me to believe that's a deprecated API, maybe it's been removed or something... ?

tholeb avatar tholeb commented on June 12, 2024

After a quick nextcloud.occ log:tail, I found an "error core" :

  Error   core   OCP\Files\NotFoundException: /appdata_ocxg0brxgj8m/theming/global at lib/private/Files/Node/Root.php line 206   2024-02-02T18:41:45+00:00

                  0. <<closure>>
                     OC\Files\Node\Root->get(

                     )
                  1. lib/private/Files/Node/LazyFolder.php line 74
                     call_user_func_array(

                     )
                  2. lib/private/Files/Node/LazyFolder.php line 151
                     OC\Files\Node\LazyFolder->__call(

                     )
                  3. lib/private/Files/AppData/AppData.php line 132
                     OC\Files\Node\LazyFolder->get(

                     )
                  4. apps/theming/lib/Jobs/MigrateBackgroundImages.php line 168
                     OC\Files\AppData\AppData->getFolder(

                     )
                  5. apps/theming/lib/Jobs/MigrateBackgroundImages.php line 100
                     OCA\Theming\Jobs\MigrateBackgroundImages->storeUserIdsToProcess(

                     )
                  6. apps/theming/lib/Jobs/MigrateBackgroundImages.php line 79
                     OCA\Theming\Jobs\MigrateBackgroundImages->runPreparation(

                     )
                  7. lib/public/BackgroundJob/Job.php line 81
                     OCA\Theming\Jobs\MigrateBackgroundImages->run(

                     )
                  8. lib/public/BackgroundJob/QueuedJob.php line 57
                     OCP\BackgroundJob\Job->start(

                     )
                  9. lib/public/BackgroundJob/QueuedJob.php line 47
                     OCP\BackgroundJob\QueuedJob->start(

                     )
                 10. cron.php line 152
                     OCP\BackgroundJob\QueuedJob->execute(

                     )

I also added this to my NC config, since Cloudflare proxies the request to my server, it may have an impact to accept the Cloudflare's IP I guess.

tholeb avatar tholeb commented on June 12, 2024

I tried to reverse proxy NC with nginx and it works well. I would prefer not to use nginx since there already is apache under the hood.

Here is what I've done :

  • snap install nextcloud
  • snap set nextcloud ports.http=10260 ports.https=10261
  • nextcloud.manual-install admin admin
  • nextcloud.occ config:system:set overwriteprotocol --value="https"
  • nextcloud.occ config:system:set trusted_domains 2 --value=cloud.example.com

(I removed the nextcloud.occ config:system:set overwritehost --value="cloud.example.com")

Then I added this file to /etc/nginx/sites-available/nextcloud :

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    listen [::]:80;

    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name cloud.example.com;

    location / {
        proxy_pass http://127.0.0.1:10260$request_uri;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
    
        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    ssl_certificate /etc/ssl/certs/mycert.pem;
    ssl_certificate_key /etc/ssl/private/my.key;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    

    # HSTS (ngx_http_headers_module is required)
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}

And there are no errors in the overview page (previously, I had an "insecure content" which comes from requesting http content from https endpoint).

Please, if you find a workaround using only the snap resources, feel free to @tholeb, I'll be glad to test this out.

Thanks a lot for the help.

from nextcloud-snap.
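
Added example, not part of the thread or of the Nextcloud project's code: in the nginx config above, `$proxy_add_x_forwarded_for` appends the connecting peer to whatever `X-Forwarded-For` header arrived, so a backend in a Cloudflare -> nginx -> snap chain has to read that header from the right and stop at the first hop it does not trust. The trusted list, the function names and the sample addresses (documentation ranges standing in for Cloudflare edges) are assumptions; this is the generic right-to-left technique, not a copy of how Nextcloud evaluates `trusted_proxies`.

```python
from ipaddress import ip_address, ip_network

# Assumed trust list for the chain in this thread: the local nginx, plus a
# documentation range standing in for Cloudflare's edge ranges (constructed).
TRUSTED_PROXIES = [ip_network("127.0.0.1/32"), ip_network("203.0.113.0/24")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP inside one of the trusted networks."""
    ip = ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in trusted)


def naive_client_ip(remote_addr, x_forwarded_for):
    """The common mistake: believe the leftmost, client-controlled entry."""
    first = (x_forwarded_for or "").split(",")[0].strip()
    return first or remote_addr


def client_ip(remote_addr, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Address to use for logs and login throttling."""
    # Peer is not one of our proxies (for example someone reaching the snap's
    # port directly on the LAN): the header is attacker-supplied, ignore it.
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    last_good = remote_addr
    # Each proxy appended the peer it saw, so the rightmost entries are the
    # ones written by our own infrastructure. Walk from that end.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop          # first hop we do not control = the client
        except ValueError:
            return last_good        # malformed entry: stop at last valid hop
        last_good = hop
    return last_good                # every hop was one of our proxies


if __name__ == "__main__":
    # Constructed requests as the snap's Apache would receive them from nginx.
    samples = [
        ("127.0.0.1", "198.51.100.7, 203.0.113.10"),            # normal visit
        ("127.0.0.1", "10.0.0.1, 198.51.100.7, 203.0.113.10"),  # forged header
        ("192.168.1.50", "127.0.0.1"),                          # bypasses nginx
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", client_ip(peer, xff),
              "(naive:", naive_client_ip(peer, xff) + ")")
```

The second sample is the case that matters for brute-force throttling: a leftmost-entry parser attributes the request to the forged `10.0.0.1`, while the right-to-left walk still returns the address the edge proxy actually saw.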
