Cannot activate https with existing certificates #2681

Open
coyoteconscious opened this issue Feb 13, 2024 · 9 comments

Comments

@coyoteconscious

Describe the bug

When I attempt to enable https using my existing Lets-Encrypt certificates, which work without issue on my other sites, I get an error saying that the installed private key does not exist or is empty.

To Reproduce

Steps to reproduce the behavior:

1. Copy existing certificate files to a directory accessible to Snap Nextcloud:

```sh
sudo cp -fa /etc/letsencrypt/live/werehouse.org/privkey.pem /var/snap/nextcloud/current/privkey.pem
sudo cp -fa /etc/letsencrypt/live/werehouse.org/cert.pem /var/snap/nextcloud/current/cert.pem
sudo cp -fa /etc/letsencrypt/live/werehouse.org/fullchain.pem /var/snap/nextcloud/current/chain.pem
```

2. Tell Nextcloud Snap to enable https:

```sh
sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/cert.pem" "/var/snap/nextcloud/current/privkey.pem" "/var/snap/nextcloud/current/chain.pem"
```

3. This error occurs:

```
~$ sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/cert.pem" "/var/snap/nextcloud/current/privkey.pem" "/var/snap/nextcloud/current/chain.pem"
Installing custom certificate... done
Restarting apache... error
Certificates have been activated: using HTTPS only
Certificates appear self-signed: disabling HSTS
HTTP compression is disabled
notify_push reverse proxy is disabled
AH00526: Syntax error on line 102 of /snap/nextcloud/40228/conf/ssl.conf:
SSLCertificateKeyFile: file '/var/snap/nextcloud/40228/certs/live/privkey.pem' does not exist or is empty
```

Expected behavior

I expect the certificates to be installed correctly and https to be enabled.

OS/snapd/snap version

What OS and version are you running? Please also include the output of the following commands:

Ubuntu 23.10

```
nextcloud 27.1.6snap1 40228 latest/stable nextcloud✓ -
snap 2.61.1
snapd 2.61.1
series 16
ubuntu 23.10
kernel 6.5.0-17-generic
```

Logs

snap-nextcloud-ssl-error.txt

@scubamuc (Member) commented Feb 13, 2024

A Let's Encrypt certificate is not a custom certificate and may not be used as a custom certificate. So what you are trying to do is not possible. You cannot use an existing Let's Encrypt certificate to encrypt another site... there can only be one.

Possibly you could let the Nextcloud snap encryption service retrieve a certificate for a subdomain like cloud.mydomain.mydnsprovider.xyz and get a Let's Encrypt certificate for that subdomain, but assuming you have an existing web service on port 80 and/or 443, that is not going to work.

You either need a wildcard certificate for your domain, in which case you may disable the Nextcloud snap Let's Encrypt service completely as your domain will be encrypted by an API,
or
you could use a reverse proxy and let Nginx Proxy Manager handle SSL termination for you, in which case you would also disable the Nextcloud snap Let's Encrypt service.

Sorry to have to say this again, but this is certainly not a Nextcloud snap issue and not a "Nextcloud snap encryption service issue" either. That's how Let's Encrypt works. Now I'm not going to point you to the Wiki this time around... and I stand to be corrected any time.

scubamuc self-assigned this Feb 13, 2024

@scubamuc (Member)

Assuming you will close the issue when you see fit?

@kyrofa (Member) commented Feb 13, 2024

> A Let's Encrypt certificate is not a custom certificate and may not be used as a custom certificate. So what you are trying to do is not possible. You cannot use an existing Let's Encrypt certificate to encrypt another site... there can only be one.

That's not necessarily true. Perhaps @coyoteconscious moved domains. However, I do question why. @coyoteconscious, if you have a domain name pointing to the snap, why not just let the snap take care of your certs via Let's Encrypt? Even if this command worked, this cert will expire in a few months and you'll have to run this command again with new certs that you obtain yourself. The snap could be doing that for you.

Regarding why this is failing, can you take a peek inside the /var/snap/nextcloud/40228/certs/live directory? Note that it should be a symlink to another. What's in there? Do those files match what you provided?
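The report above stages three files and hands them to `nextcloud.enable-https custom`, and the reply asks whether what landed under `certs/live` matches what was passed in. The script below is an added example for this thread, not code from nextcloud-snap or from any commenter, and it assumes only a POSIX shell and the `openssl` command-line tool. It checks the inputs the way apache will see them (present, non-empty, readable, key belonging to the certificate, not expired, chain plausible) and exposes a fingerprint helper for comparing the staged files with the installed copies. One caveat worth knowing when staging Let's Encrypt material the way the report does: the entries in `/etc/letsencrypt/live/<domain>/` are symlinks into `../../archive/`, and `cp -a` copies symlinks as symlinks, so a copy can end up as a dangling link that a plain `-e` test reports as absent while `ls` still shows it; the script calls that case out explicitly.

```shell
#!/bin/sh
# Pre-flight checks for a certificate/key/chain triple before running
#   nextcloud.enable-https custom CERT KEY CHAIN
# Added example for this issue thread; not part of nextcloud-snap.
# Requires only a POSIX shell and the openssl command-line tool.

# check_tls_inputs CERT KEY CHAIN
# Prints one line per check; returns 0 if the inputs are usable, 1 otherwise.
check_tls_inputs() {
    cert=$1
    key=$2
    chain=$3
    rc=0

    for f in "$cert" "$key" "$chain"; do
        # cp -a preserves symlinks, so a staged copy of a Let's Encrypt
        # live/*.pem file can be a link whose relative target no longer resolves.
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "FAIL: $f is a dangling symlink -> $(readlink "$f")"
            rc=1
            continue
        fi
        # -s: exists and is larger than zero bytes (the condition apache reports).
        if [ ! -s "$f" ]; then
            echo "FAIL: $f does not exist or is empty"
            rc=1
            continue
        fi
        if [ ! -r "$f" ]; then
            echo "FAIL: $f is not readable by $(id -un)"
            rc=1
            continue
        fi
        echo "ok:   $f"
    done
    [ "$rc" -eq 0 ] || return 1

    # Both files must parse as PEM, and the key must belong to the certificate.
    # Comparing the SubjectPublicKeyInfo works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ]; then
        echo "FAIL: $cert is not a parseable PEM certificate"
        return 1
    fi
    if [ -z "$key_pub" ]; then
        echo "FAIL: $key is not a parseable PEM private key"
        return 1
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate's public key"
        return 1
    fi
    echo "ok:   key matches certificate"

    # An expired certificate installs fine and then fails in every client.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has already expired"
        return 1
    fi
    echo "ok:   certificate is within its validity period"

    # Intermediates in CHAIN plus the system trust store should validate CERT.
    # Only a warning: the snap accepts self-signed certificates and disables HSTS.
    if openssl verify -untrusted "$chain" "$cert" >/dev/null 2>&1; then
        echo "ok:   chain verifies against the system trust store"
    else
        echo "WARN: chain does not verify (self-signed, or wrong chain file)"
    fi
    return 0
}

# cert_fingerprint FILE
# SHA-256 fingerprint of a certificate, for comparing the file you passed to
# enable-https with the copy installed under /var/snap/nextcloud/current/certs/live.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Example invocation with the paths from the report:
# check_tls_inputs /var/snap/nextcloud/current/cert.pem \
#                  /var/snap/nextcloud/current/privkey.pem \
#                  /var/snap/nextcloud/current/chain.pem
```

Run it as the same user that will run `enable-https` (root under sudo); a non-zero exit means the inputs need fixing before the snap is touched, and `cert_fingerprint` on the staged file and on `certs/live/cert.pem` should print the same value once installation has happened. The same function can sit at the top of a certbot `--deploy-hook` that re-invokes `enable-https custom` on every renewal, which addresses the expiry point raised above.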

@rik-shaw

I think this may be related, but I have a similar challenge activating https with an existing Tailscale-generated cert. In this case I have the cert.crt and the cert.key but am not clear what to use for the `<chain>`. The `tailscale cert` command does register the custom Tailscale DDNS entry with Let's Encrypt. Thus I think it is a similar question to the OP's: how to register with an existing Let's Encrypt-registered cert? (Well, in my case I also do not have a `<chain>` file to use; I am unclear on it.)

@kyrofa (Member) commented Feb 16, 2024

Hey @rik-shaw, that's a valid question, but unrelated to this one. Mind opening a new issue?

@rik-shaw

> Hey @rik-shaw, that's a valid question, but unrelated to this one. Mind opening a new issue?

will do. Thanks for the quick reply.

@mikekay1 commented Apr 12, 2024

Hello, I am having a very similar issue, but a little different.

I have a wildcard certificate from my haproxy/certbot box that I am trying to install with nextcloud-snap. I want to get away from SSL termination because the overhead is pretty crazy, and SSL verification on things like email SMTP is starting to not like that my backend switches to HTTP or `check verify none` at the proxy.

I have cron scp-copying the certs to my Docker, Exchange server, Nextcloud, etc. VMs.

I am getting the same error as the OP, and there is nothing in the directory; it doesn't even exist and is write-only. Here is my output:

```
mikekay@PROJECTNCLOUD:/snap/nextcloud/41512$ sudo nextcloud.enable-https custom /home/mikekay/certs/live/domain.com/cert.pem /home/mikekay/certs/live/domain.com/privkey.pem /home/mikekay/certs/live/domain.com/chain.pem
Installing custom certificate... done
Restarting apache... error
Certificates have been activated: using HTTPS only
Certificates appear self-signed: disabling HSTS
HTTP compression is disabled
notify_push reverse proxy is disabled
AH00526: Syntax error on line 101 of /snap/nextcloud/41512/conf/ssl.conf:
SSLCertificateFile: file '/var/snap/nextcloud/41512/certs/live/cert.pem' does not exist or is empty
```

Why is it refusing to enable SSL? Can I disable nginx, since I already have a proxy in front? So many questions.

@scubamuc (Member)

@mikekay1, thanks for your request.
Do you mind creating a new issue for this, please...

@mikekay1

Thanks for following up. I have resolved the issue by copying to the Nextcloud `certs` folder, which wasn't empty; it just needed `sudo su`, then altering permissions, then rerunning the command. Thanks!


5 participants