How to add *specific* self-signed SSL certificate to snap Nextcloud?
Context
After creating a code that:
- Automatically generates self-signed SSL certificates for onion domains
- Attempts to add that SSL certificate to various self-hosted services, e.g. GitLab and Nextcloud
I've encountered some difficulties adding those self-signed certificates to Nextcloud. It is not a problem to add self-signed ssl certificates for an onion domain to Nextcloud, that can be done with (simplified):
sudo cp "cert-key.pem" /var/snap/nextcloud/current/cert-key.pem
sudo cp "cert.pem" /var/snap/nextcloud/current/cert.pem
sudo cp "fullchain.pem" /var/snap/nextcloud/current/fullchain.pem
sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/cert.pem" "/var/snap/nextcloud/current/cert-key.pem" "/var/snap/nextcloud/current/fullchain.pem"
sudo /snap/bin/nextcloud.enable-https self-signed
sudo ufw allow 80,443/tcp
Issue
The issue is adding those externally (and automatically) generated SSL certificates, for an onion domain, to Nextcloud.
Why
I use a single (self-signed/created) root ca certificate to create all the onion SSL certificates, because that requires me to distribute only 1 certificate to all the clients/devices. If I were to use the self-signed SSL certificates that Nextcloud generates (automatically), I would have to add another root ca to every client. This is undesirable.
Assumption
I assume Nextcloud uses its own (generated) root ca to sign the self-signed SSL certificates (instead of the certificates I provide). I base this assumption on the following observations:
The output of running:
sudo /snap/bin/nextcloud.enable-https self-signedis:Generating key and self-signed certificate... donefollowed by:Restarting apache... done, even after explicitly passing it the custom/externally created SSL certificate, certificate key andfullchain.pem(as described in the above bash snipped).This assumption is tested, by first visiting the onion domain, which yields "self-signed certificate not trusted", e.g.:
And then adding the original root ca (that generated those externally created SSL certificates) to Brave. Then verifying that root ca is added to Brave. This verification is done by inspecting the Brave Certificate Manager at:
brave://settings/certificates?search=certiand seeing the custom self-signed root-ca in there. Next, the same error is still observed upon closing- and re-opening Firefox and going to the onion domain. (Meaning the externally created root ca was not the one that spawned the SSL certificate that is handed out by Nextcloud).
Question
How to add a self-signed certificate for an onion domain, that was generated externally, to snap Nextcloud (such that Nextcloud uses it)?
Note
- The onion domain is taken down, and its private key deleted.
- This is not about: "where to put the certificates (with regard to strict confinement of snap)". The certificates are stored in
/var/snap/nextcloud/current/which is a permitted location.
The answer was to omit the sudo /snap/bin/nextcloud.enable-https self-signed command.
So the (simplified) solution was:
sudo cp "cert-key.pem" /var/snap/nextcloud/current/cert-key.pem
sudo cp "cert.pem" /var/snap/nextcloud/current/cert.pem
sudo cp "fullchain.pem" /var/snap/nextcloud/current/fullchain.pem
sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/cert.pem" "/var/snap/nextcloud/current/cert-key.pem" "/var/snap/nextcloud/current/fullchain.pem"
sudo ufw allow 80,443/tcp
This solution was verified by adding the original root ca that created those custom certificates, to Brave, visiting the accompanying onion url and verifying that it was trusted.
In essence, the self-signed command overwrote the certificates added by the custom command.
- gitea using a normal user and https
- Node TLS Error: ca md too weak, when making request with Axios
- FATAL: could not access private key file “/etc/ssl/private/ssl-cert-snakeoil.key”: Permission denied
- TLS init_handler not getting set for Websocket++
- How to connect to MongoDB with certificate using DataGrip?
- Using ssl certificate with feign
- Install Let's Encrypt for multiple domains on same server
- Is TLS over TLS possible?
- Composer Curl error 60: SSL certificate problem: unable to get local issuer certificate
- curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
- "Unknown Publisher" on non-domain machine using AD-created code signing certificate
- Java does not trusting any SSL Certificate on Windows
- "certificate verify failed" error when installing Ruby gems on Windows
- nginx reverse proxy working with ws but not with wss
- psql: server does not support SSL, but SSL was required
- Unable to find valid certification path to requested target - error even after cert imported
- Configuring ElasticSearch SSL and Python Querying, Certificates Question
- Unable to Send Mail - javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
- Mind-boggingly Random, Intermittent SSL Verification Issues in PHP `file_get_contents` for HTTPS URLs
- Disable TLS 1.0 & 1.1 OR only use TLS 1.2 and greater in Node.js Express
- How much overhead does SSL impose?
- Bad Request - This combination of host and port requires TLS. with Spring Boot
- SSL slow. Establishing secure connection taking too long
- Cannot create developer certificate on Mac
- What does "SSLError: [SSL] PEM lib (_ssl.c:2532)" mean using the Python ssl library?
- Angular requests to ASP.NET return "Error Unknown" when under SSL/TLS certificate
- Don't understand OpenSSL_add_all_algorithms method
- SSLError: HTTPSConnectionPool with "paddleocr"
- How to install OpenSSL in windows 10?
- How to convert a private key to an RSA private key?