After creating a code that:
I've encountered some difficulties adding those self-signed certificates to Nextcloud. It is not a problem to add self-signed SSL certificates for an onion domain to Nextcloud; that can be done with (simplified):
sudo cp "cert-key.pem" /var/snap/nextcloud/current/cert-key.pem
sudo cp "cert.pem" /var/snap/nextcloud/current/cert.pem
sudo cp "fullchain.pem" /var/snap/nextcloud/current/fullchain.pem
sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/cert.pem" "/var/snap/nextcloud/current/cert-key.pem" "/var/snap/nextcloud/current/fullchain.pem"
sudo /snap/bin/nextcloud.enable-https self-signed
sudo ufw allow 80,443/tcp
The issue is adding those externally (and automatically) generated SSL certificates, for an onion domain, to Nextcloud.
I use a single (self-signed/created) root ca certificate to create all the onion SSL certificates, because that requires me to distribute only 1 certificate to all the clients/devices. If I were to use the self-signed SSL certificates that Nextcloud generates (automatically), I would have to add another root ca to every client. This is undesirable.
I assume Nextcloud uses its own (generated) root ca to sign the self-signed SSL certificates (instead of the certificates I provide). I base this assumption on the following observations:
The output of running: sudo /snap/bin/nextcloud.enable-https self-signed
is: Generating key and self-signed certificate... done
followed by: Restarting apache... done
even after explicitly passing it the custom/externally created SSL certificate, certificate key and fullchain.pem (as described in the above bash snippet).
This assumption is tested by first visiting the onion domain, which yields "self-signed certificate not trusted", e.g.:
And then adding the original root CA (that generated those externally created SSL certificates) to Brave. Then verifying that the root CA is added to Brave. This verification is done by inspecting the Brave Certificate Manager at: brave://settings/certificates?search=certi
and seeing the custom self-signed root CA in there. Next, the same error is still observed upon closing and re-opening Firefox and going to the onion domain. (Meaning the externally created root CA was not the one that spawned the SSL certificate that is handed out by Nextcloud.)
How to add a self-signed certificate for an onion domain, that was generated externally, to snap Nextcloud (such that Nextcloud uses it)?
/var/snap/nextcloud/current/
which is a permitted location. The answer was to omit the sudo /snap/bin/nextcloud.enable-https self-signed command.
So the (simplified) solution was:
sudo cp "cert-key.pem" /var/snap/nextcloud/current/cert-key.pem
sudo cp "cert.pem" /var/snap/nextcloud/current/cert.pem
sudo cp "fullchain.pem" /var/snap/nextcloud/current/fullchain.pem
sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/cert.pem" "/var/snap/nextcloud/current/cert-key.pem" "/var/snap/nextcloud/current/fullchain.pem"
sudo ufw allow 80,443/tcp
This solution was verified by adding the original root CA that created those custom certificates to Brave, visiting the accompanying onion URL and verifying that it was trusted.
In essence, the self-signed command overwrote the certificates added by the custom command.
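The following is an added example, not part of the question, the answer or the Nextcloud snap itself. It wraps the accepted procedure in a small script with the two checks a practitioner would want around it: a pre-flight check that the chain really validates against the private root CA and that the key belongs to the certificate, and a post-install check that the certificate Nextcloud serves is byte-for-byte the one that was installed (which is exactly what the self-signed subcommand silently broke). Assumed inputs are root-ca.pem, cert.pem, cert-key.pem and fullchain.pem in the current directory; the snap path and subcommand are the ones from the answer. The served-certificate check connects to 127.0.0.1:443, which assumes Nextcloud's Apache listens locally (Tor forwards the onion traffic to it).

```shell
#!/usr/bin/env bash
# Added example: install an externally generated certificate into the
# Nextcloud snap and confirm the snap actually serves it.
# Assumed files in the working directory: root-ca.pem, cert.pem,
# cert-key.pem, fullchain.pem (names are assumptions, not from the page).

NC_DIR=/var/snap/nextcloud/current          # writable location used in the answer
ENABLE_HTTPS=/snap/bin/nextcloud.enable-https

# Return 0 if every named file exists and is readable, 1 otherwise.
require_files() {
    local f
    for f in "$@"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    return 0
}

# Pre-flight: the chain must validate against the private root CA, and the
# private key must match the leaf certificate. Failing here is cheaper than
# debugging a browser "not trusted" error after Apache has restarted.
preflight() {
    local ca=$1 cert=$2 key=$3 chain=$4
    require_files "$ca" "$cert" "$key" "$chain" || return 1
    openssl verify -CAfile "$ca" "$chain" >/dev/null || return 1
    [ "$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$key" -pubout | openssl sha256)" ] || return 1
}

# The procedure from the answer: copy into the snap's data dir and enable
# HTTPS with the "custom" subcommand only. Running "self-signed" afterwards
# would generate a new key pair and overwrite these files.
install_certs() {
    sudo cp cert-key.pem "$NC_DIR/cert-key.pem"
    sudo cp cert.pem "$NC_DIR/cert.pem"
    sudo cp fullchain.pem "$NC_DIR/fullchain.pem"
    sudo "$ENABLE_HTTPS" custom "$NC_DIR/cert.pem" "$NC_DIR/cert-key.pem" "$NC_DIR/fullchain.pem"
}

# SHA-256 fingerprint of a PEM certificate: lower-case hex, no colons.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate served at host:port, with SNI set to
# the onion name so the right virtual host answers.
served_fingerprint() {
    local host=$1 port=$2 sni=$3
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Return 0 when the certificate Nextcloud serves is the one we installed.
# Usage: check_served yourservice.onion
check_served() {
    [ "$(fingerprint cert.pem)" = "$(served_fingerprint 127.0.0.1 443 "$1")" ]
}

# Typical run (commented out so the file can be sourced without side effects):
# preflight root-ca.pem cert.pem cert-key.pem fullchain.pem && install_certs
# check_served yourservice.onion && echo "snap is serving the custom certificate"
```

Comparing fingerprints rather than just checking "is it trusted in my browser" separates the two failure modes in the question: a fingerprint mismatch means Nextcloud is handing out a different certificate (as the self-signed subcommand caused), while a match with a browser warning means the root CA was not imported into that particular browser profile.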