Nextcloud SSL initialization error


Actual behaviour

  • When testing a server address before logon, I get a warning about failed SSL initialization

Expected behaviour

  • Expected the connection to be accepted

Steps to reproduce

  1. Configure the server with a Let's Encrypt certificate that uses secp384r1 as the public key algorithm
  2. Configure nginx with the following ssl options:
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
  3. Check the Android app.

Environment data

Android version: 7.0

Device model: Asus ZenFone3 — Beta Tester

Stock or customized system: Official Asus Beta Tester

Nextcloud app version: Latest Nightly and Latest Play Store

Nextcloud server version: 11.0.2 Stable

Logs

adb logcat | grep GetRemoteStatusOperation

03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: Connection check at https://<server>: SSL exception
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: javax.net.ssl.SSLHandshakeException: Handshake failed
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.verifyPeerIdentity(AdvancedSslSocketFactory.java:248)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.createSocket(AdvancedSslSocketFactory.java:185)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:222)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:192)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.resources.status.GetRemoteStatusOperation.tryConnection(GetRemoteStatusOperation.java:87)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.resources.status.GetRemoteStatusOperation.run(GetRemoteStatusOperation.java:192)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:136)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.operations.GetServerInfoOperation.run(GetServerInfoOperation.java:81)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:136)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.services.OperationsService$ServiceHandler.nextOperation(OperationsService.java:482)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.services.OperationsService$ServiceHandler.handleMessage(OperationsService.java:418)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at android.os.Handler.dispatchMessage(Handler.java:102)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at android.os.Looper.loop(Looper.java:159)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at android.os.HandlerThread.run(HandlerThread.java:61)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x7f666fd340: Failure in SSL library, usually a protocol error
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x7f666189e0:0x00000001)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x7f76ceaf76:0x00000000)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	... 20 more

testssl.sh on server

[leonardo@pruuu testssl.sh]$ ./testssl.sh --wide https://<FQDN> 

###########################################################
    testssl.sh       2.9dev from https://testssl.sh/dev/
    (27aa257 2017-02-28 15:42:28 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on pruuu:$PWD/bin/openssl.Linux.x86_64
 (built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")


 Start 2017-03-03 18:04:33    -->> 192.168.196.20:443 (<FQDN>) <<--

 rDNS (192.168.196.20):  -- 
 Service detected:       HTTP


 Testing protocols via sockets except SPDY+HTTP2 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 SPDY/NPN   h2, http/1.1 (advertised)
 HTTP2/ALPN h2, http/1.1 (offered)

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit export ciphers        not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 "Medium" grade encryption    not offered (OK)
 Triple DES Ciphers           not offered (OK)
 High grade encryption        offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK), ciphers follow (client/browser support is important here) 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            

 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 brainpoolP384r1 brainpoolP512r1 


 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Cipher order
    TLSv1.2:   ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 
    h2:        ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 
    http/1.1:  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 


 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "heartbeat/#15" "server name/#0" 
                              "next protocol/#13172" "application layer protocol negotiation/#16" 
 Session Tickets RFC 5077     (none)
 SSL Session ID support       yes
 TLS clock skew               random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              ECDSA 384 bits
 Fingerprint / Serial         SHA1 E7B2175F930130C627396DECAC6CEED607A1BBFC / 035991A57F1159615464ACA8A03128487999
                              SHA256 AF546B253736AA91E29B366E557FE0C777EF5688A2004E3B6B8E53C29360529F
 Common Name (CN)             <FQDN>
 subjectAltName (SAN)         <FQDN> 
 Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
 Trust (hostname)             Ok via SAN and CN (works w/o SNI)
 Chain of trust               Ok   
 EV cert (experimental)       no 
 Certificate Expiration       89 >= 30 days (2017-03-03 15:54 --> 2017-06-01 15:54 -0300)
 # of certificates provided   2
 Certificate Revocation List  --
 OCSP URI                     http://ocsp.int-x3.letsencrypt.org/
 OCSP must staple             No
 OCSP stapling                --
 DNS CAA RR (experimental)    --


 Testing HTTP header response @ "/" 

 HTTP Status Code             302 Found, redirecting to "https://<FQDN>/login"
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    182 days=15768000 s, includeSubDomains, preload
 Public Key Pinning           --
 Server banner                nginx/1.11.10
 Application banner           --
 Cookie(s)                    1 issued: 3/1 secure, 4/1 HttpOnly -- maybe better try target URL of 30x
 Security headers             X-Frame-Options SAMEORIGIN
                              X-XSS-Protection 1; mode=block
                              X-Content-Type-Options nosniff
                              Content-Security-Policy; media-src *; connect-src *
 Reverse Proxy banner         --


 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK)
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible, TLS 1.2 is the only protocol (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this port (OK)
                                           no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected

 BEAST (CVE-2011-3389)                     no SSL3 or TLS1 (OK)
 LUCKY13 (CVE-2013-0169)                   not vulnerable (OK)

 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            


 Running browser simulations via sockets (experimental) 

 Android 2.3.7                 No connection
 Android 4.0.4                 No connection
 Android 4.1.1                 No connection
 Android 4.2.2                 No connection
 Android 4.3                   No connection
 Android 4.4.2                 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 5.0.0                 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Baidu Jan 2015                No connection
 BingPreview Jan 2015          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Chrome 47 / OSX               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 42 OS X               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 GoogleBot Feb 2015            TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 IE 6 XP                       No connection
 IE 7 Vista                    No connection
 IE 8 XP                       No connection
 IE 8-10 Win 7                 No connection
 IE 11 Win 7                   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 IE 11 Win 8.1                 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 IE 10 Win Phone 8.0           No connection
 IE 11 Win Phone 8.1           TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1 Update    TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 IE 11 Win 10                  TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 13 Win 10                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 13 Win Phone 10          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 6u45                     No connection
 Java 7u25                     No connection
 Java 8u31                     TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 OpenSSL 0.9.8y                No connection
 OpenSSL 1.0.1l                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 5.1.9 OS X 10.6.8      No connection
 Safari 6 iOS 6.0.1            No connection
 Safari 6.0.4 OS X 10.8.4      No connection
 Safari 7 iOS 7.1              No connection
 Safari 7 OS X 10.9            No connection
 Safari 8 iOS 8.4              No connection
 Safari 8 OS X 10.10           No connection
 Safari 9 iOS 9                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11           TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Apple ATS 9 iOS 9             TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)

 Done 2017-03-03 18:05:40    -->> 192.168.196.20:443 (<FQDN>) <<--


[leonardo@pruuu testssl.sh]$ 
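As an added illustration (not code from the issue or from the Nextcloud project), the following Python models what the testssl run above shows: which `ssl_ciphers` entries an ECDSA certificate can actually use, and the ClientHello checks whose failure ends in the handshake_failure alert seen in the logcat. The client profiles are constructed for illustration and are not measurements of Android 7.0 or any real TLS stack.

```python
from dataclasses import dataclass

# Key exchange / authentication of the six suites in the nginx ssl_ciphers line.
SUITE_PROPS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": ("ECDHE", "ECDSA"),
    "ECDHE-RSA-AES256-GCM-SHA384": ("ECDHE", "RSA"),
    "ECDHE-ECDSA-CHACHA20-POLY1305": ("ECDHE", "ECDSA"),
    "ECDHE-RSA-CHACHA20-POLY1305": ("ECDHE", "RSA"),
    "ECDHE-ECDSA-AES128-GCM-SHA256": ("ECDHE", "ECDSA"),
    "ECDHE-RSA-AES128-GCM-SHA256": ("ECDHE", "RSA"),
}

NGINX_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                 "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                 "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")


@dataclass
class Peer:
    protocols: set        # e.g. {"TLSv1.2"}
    ciphers: list         # OpenSSL suite names in preference order
    curves: list          # named curves in preference order
    cert_auth: str = ""   # server only: "ECDSA" or "RSA"
    cert_curve: str = ""  # server only, when cert_auth == "ECDSA"


def usable_suites(cipher_string, cert_auth):
    """Suites the server can really offer: the authentication half of each
    suite must match the certificate key type. With an ECDSA certificate every
    ECDHE-RSA entry is dead weight, which is why testssl lists only ECDSA suites
    (ChaCha20 additionally needs nginx's OpenSSL build to implement it)."""
    usable = []
    for name in cipher_string.split(":"):
        props = SUITE_PROPS.get(name)
        if props and props[1] == cert_auth:
            usable.append(name)
    return usable


def negotiate(server, client):
    """Mimic the server's ClientHello processing with ssl_prefer_server_ciphers
    on. Returns ("ok", protocol, suite, curve) or ("fail", reason); each "fail"
    is a point where a real server answers with a handshake_failure alert."""
    protocols = server.protocols & client.protocols
    if not protocols:
        return ("fail", "no common protocol version")
    protocol = max(protocols)  # "TLSv1" < "TLSv1.1" < "TLSv1.2" as strings
    offerable = usable_suites(":".join(server.ciphers), server.cert_auth)
    suite = next((s for s in offerable if s in client.ciphers), None)
    if suite is None:
        return ("fail", "no common cipher suite")
    # RFC 4492: the client's supported-curves list also limits which curve the
    # server's ECDSA certificate may use, so a P-256-only client rejects a P-384 cert.
    if server.cert_auth == "ECDSA" and server.cert_curve not in client.curves:
        return ("fail", "client does not accept certificate curve " + server.cert_curve)
    curve = next((c for c in server.curves if c in client.curves), None)
    if curve is None:
        return ("fail", "no common ECDHE curve")
    return ("ok", protocol, suite, curve)


# The server as described above: TLS 1.2 only, ECDSA P-384 certificate, and the
# curve list reported by testssl.
SERVER = Peer(protocols={"TLSv1.2"}, ciphers=NGINX_CIPHERS.split(":"),
              curves=["prime256v1", "secp384r1", "secp521r1",
                      "brainpoolP384r1", "brainpoolP512r1"],
              cert_auth="ECDSA", cert_curve="secp384r1")

# Constructed client profiles for illustration only.
MODERN_CLIENT = Peer(protocols={"TLSv1", "TLSv1.1", "TLSv1.2"},
                     ciphers=["ECDHE-ECDSA-AES128-GCM-SHA256",
                              "ECDHE-RSA-AES128-GCM-SHA256",
                              "ECDHE-ECDSA-AES256-GCM-SHA384"],
                     curves=["prime256v1", "secp384r1"])
TLS10_ONLY_CLIENT = Peer(protocols={"TLSv1"},
                         ciphers=["ECDHE-ECDSA-AES128-SHA"],
                         curves=["prime256v1", "secp384r1"])
RSA_ONLY_CLIENT = Peer(protocols={"TLSv1.2"},
                       ciphers=["ECDHE-RSA-AES256-GCM-SHA384",
                                "ECDHE-RSA-AES128-GCM-SHA256"],
                       curves=["prime256v1", "secp384r1"])
P256_ONLY_CLIENT = Peer(protocols={"TLSv1.2"},
                        ciphers=["ECDHE-ECDSA-AES128-GCM-SHA256"],
                        curves=["prime256v1"])

if __name__ == "__main__":
    print("offerable with ECDSA cert:", usable_suites(NGINX_CIPHERS, "ECDSA"))
    for label, client in [("modern", MODERN_CLIENT), ("tls1.0-only", TLS10_ONLY_CLIENT),
                          ("rsa-only", RSA_ONLY_CLIENT), ("p256-only", P256_ONLY_CLIENT)]:
        print(label, "->", negotiate(SERVER, client))
```

The "modern" profile reproduces testssl's negotiated result (ECDHE-ECDSA-AES256-GCM-SHA384 over P-256); the other three each hit one of the conditions that produce the alert.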


Android app «SSL Initialization Failed» notifications, but uploads working fine?

I’ve seen some web results for this issue, but none of them seem to have a solution (or be exactly the same issue).

I’m using Nextcloud on Ubuntu, the snap-installer version, with Let’s Encrypt installed by default. HTTP/HTTPS login works fine. App login works fine. Uploads work fine 99% of the time, but occasionally I’ll get a sticky notification on upload that says ‘SSL Initialization Failed’, and uploads will continue regardless.

Anyone else seen, and resolved, this?

  • #1

I’ve followed this tutorial and had Nextcloud working locally until somewhere around the heading “Let’s Cache”. Now when I try and access the page locally I get this error:

Code:

192.168.1.93 sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

The Apache log shows the following:

Code:

[Tue Nov 06 23:16:53.971634 2018] [mpm_prefork:notice] [pid 81295] AH00169: caught SIGTERM, shutting down
[Tue Nov 06 23:16:54.084130 2018] [ssl:warn] [pid 81814] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Nov 06 23:16:54.135464 2018] [mpm_prefork:notice] [pid 81814] AH00163: Apache/2.4.35 (FreeBSD) OpenSSL/1.0.2o-freebsd PHP/7.1.22 configured -- resuming normal operations
[Tue Nov 06 23:16:54.135499 2018] [core:notice] [pid 81814] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'

I googled Init: Session Cache is not configured and found a suggestion to uncomment another line in the httpd.conf file which I did but without any success. Does anyone have any recommendations as to the next step I should take to try and get this working?

Thank you

Loren

dlavigne

Guest


  • #2

Were you able to figure this out?

  • #3

If not, it might be better to post on the thread for the how-to you’re following.

  • #4

I haven’t, but I also have just made a little progress in narrowing down the problem tonight. I have a feeling that it's a certificate error. When I run this command:

Code:

certbot certonly --webroot -w /usr/local/www/apache24/data/nextcloud -d YOURSITE.COM 

This is the error I get:

Code:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: zimmvpn2.ddns.net
   Type:   unauthorized
   Detail: Invalid response from
   http://zimmvpn2.ddns.net/.well-known/acme-challenge/FtRmYOYG6PWcQztD1DIWUHVjIsjyS94PWzk4SLbymoc:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

  • #5

No, that isn’t a certificate error; it means that certbot is putting the challenge file in the wrong place for Let’s Encrypt to find it—or, in the alternative, Let’s Encrypt isn’t connecting to the right server in the first place.

  • #6

No, that isn’t a certificate error; it means that certbot is putting the challenge file in the wrong place for Let’s Encrypt to find it—or, in the alternative, Let’s Encrypt isn’t connecting to the right server in the first place.

Thank you!
Where do I find the config for Let’s Encrypt, or which server it’s connecting to?

  • #7

I’ve noticed after going through the tutorial that I’m not able to get to Nextcloud by simply entering the jail IP; I have to add /nextcloud to view the web page. Is this an indicator that there is something wrong with my configuration?

  • #8

It could be. Perhaps you should ask that question on the thread for the how-to you followed.

  • #9

@danb35 you were right, a bunch of the questions that I asked were in the tutorial thread. I found a couple of mistakes that I had made and decided to recreate the jail. Now I’ve hit an error that I couldn’t find in the tutorial thread. When I restart apache24 this is the error I get:

Code:

httpd: Syntax error on line 548 of /usr/local/etc/apache24/httpd.conf: Syntax error on line 21 of /usr/local/etc/apache24/Includes/myurl.net.conf: /usr/local/etc/apache24/Includes/myurl.net.conf:21: <VirtualHost> was not closed.

Here is the conf file:

Code:

<VirtualHost *:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName myurl.net
RewriteEngine on
RewriteCond %{SERVER_NAME} =myurl.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
#ErrorLog ${APACHE_LOG_DIR}/error.log
#CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /usr/local/www/apache24/data/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /usr/local/www/apache24/data/nextcloud
SetEnv HTTP_HOME /usr/local/www/apache24/data/nextcloud
Satisfy Any
</Directory>
</VirtualHost>

<VirtualHost *:443>
  ServerAdmin myemail
  ServerName myurl.net
  DirectoryIndex index.php
  DocumentRoot /usr/local/www/apache24/data/nextcloud
  SSLCertificateFile /usr/local/etc/letsencrypt/live/myurl.net/fullchain.pem
  SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/myurl.net/privkey.pem
  SSLEngine on
  # Intermediate configuration, tweak to your needs
  SSLProtocol  all -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  SSLHonorCipherOrder  on
  SSLCompression  off
  SSLOptions +StrictRequire
  <Directory /usr/local/www/apache24/data/nextcloud>
  AllowOverride all
  </Directory>

Any help is greatly appreciated.

  • #10

Never mind. I missed copying </VirtualHost> at the end of the 443 section. ugg
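An added example, not from the thread: a small nesting checker for Apache-style sections that reports the same fault httpd did above, with the posted vhost file embedded as the sample (the long SSLCipherSuite value is replaced by a placeholder so the line numbers still line up).

```python
import re

# A section opener such as <VirtualHost *:443> or <Directory /path/> on its own
# line, and a closer such as </VirtualHost>. Section names are case-insensitive.
OPEN_RE = re.compile(r"^\s*<([A-Za-z]+)(\s[^>]*)?>\s*$")
CLOSE_RE = re.compile(r"^\s*</([A-Za-z]+)\s*>\s*$")


def check_sections(text):
    """Return [(line_number, message), ...]; an empty list means the sections
    nest correctly. Full-line '#' comments are skipped like httpd does."""
    stack = []      # (section name, line it was opened on)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        m = OPEN_RE.match(raw)
        if m:
            stack.append((m.group(1), lineno))
            continue
        m = CLOSE_RE.match(raw)
        if not m:
            continue
        name = m.group(1)
        if not stack:
            problems.append((lineno, "</%s> without an open section" % name))
        elif stack[-1][0].lower() != name.lower():
            open_name, open_line = stack.pop()
            problems.append((lineno, "</%s> closes <%s> opened on line %d"
                             % (name, open_name, open_line)))
        else:
            stack.pop()
    for name, lineno in reversed(stack):
        problems.append((lineno, "<%s> was not closed" % name))
    return problems


# The vhost file from the thread; line 21 is the 443 vhost, as in httpd's error.
BROKEN_CONF = """\
<VirtualHost *:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName myurl.net
RewriteEngine on
RewriteCond %{SERVER_NAME} =myurl.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
#ErrorLog ${APACHE_LOG_DIR}/error.log
#CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /usr/local/www/apache24/data/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /usr/local/www/apache24/data/nextcloud
SetEnv HTTP_HOME /usr/local/www/apache24/data/nextcloud
Satisfy Any
</Directory>
</VirtualHost>

<VirtualHost *:443>
  ServerAdmin myemail
  ServerName myurl.net
  DirectoryIndex index.php
  DocumentRoot /usr/local/www/apache24/data/nextcloud
  SSLCertificateFile /usr/local/etc/letsencrypt/live/myurl.net/fullchain.pem
  SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/myurl.net/privkey.pem
  SSLEngine on
  # Intermediate configuration, tweak to your needs
  SSLProtocol  all -SSLv2 -SSLv3
  SSLCipherSuite CIPHER_LIST_PLACEHOLDER
  SSLHonorCipherOrder  on
  SSLCompression  off
  SSLOptions +StrictRequire
  <Directory /usr/local/www/apache24/data/nextcloud>
  AllowOverride all
  </Directory>
"""

# The fix from post #10: the missing closer at the end of the 443 section.
FIXED_CONF = BROKEN_CONF + "</VirtualHost>\n"

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_sections(conf) or "OK")
```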

  • #11

Were you able to figure this out?

I haven’t. I have just responded to the original tutorial thread for help.

Context

After setting up a self-hosted Nextcloud server on Ubuntu 22.10 over a Tor domain, I created a self-signed SSL certificate using the script below:

Code

This script first

  • generates the certificate authority (CA) and SSL certificates, and then it adds the CA private key to: "/usr/local/share/ca-certificates/$ca_public_key_filename" and reloads the trusted ca certificates with:
sudo update-ca-certificates
  • It also adds the SSL public and private key and the full chain certificate into Nextcloud.
  • The fullchain.pem consists of the SSL certificate, followed by the CA certificate.
#!/usr/bin/env bash
# Here is the list of certificates and their description:
# First you create your own certificate authority.
CA_PRIVATE_KEY_FILENAME="ca-key.pem"
CA_PUBLIC_KEY_FILENAME="ca.pem"
# Same file as ca.pem except different file extension and content.
CA_PUBLIC_CERT_FILENAME="ca.crt"

# Then you create a SSL certificate.
SSL_PRIVATE_KEY_FILENAME="cert-key.pem"

# Then create a sign-request (for your own CA to sign your own SSL certificate)
CA_SIGN_SSL_CERT_REQUEST_FILENAME="cert.csr"
SIGNED_DOMAINS_FILENAME="extfile.cnf"

# Then create the signed public SSL cert.
SSL_PUBLIC_KEY_FILENAME="cert.pem"

# Then merge the CA and SSL cert into one.
MERGED_CA_SSL_CERT_FILENAME="fullchain.pem"

setup_tor_ssl() {
  local onion_address="$1"

  # Create domains accepted by certificate.
  local domains
  #domains="DNS:$onion_address,IP:127.0.0.1"
  #domains="DNS:localhost,IP:$onion_address" # IP onion does not work
  #domains="DNS:*.$onion_address" # Does not work.
  #domains="DNS:$onion_address" # Does not work.
  domains="DNS:localhost,DNS:$onion_address" # Works for localhost
  echo "domains=$domains.end_without_space"

  delete_target_files

  # Generate and apply certificate.
  generate_ca_cert "$CA_PRIVATE_KEY_FILENAME" "$CA_PUBLIC_KEY_FILENAME"
  generate_ssl_certificate "$CA_PUBLIC_KEY_FILENAME" "$CA_PRIVATE_KEY_FILENAME" "$CA_SIGN_SSL_CERT_REQUEST_FILENAME" "$SIGNED_DOMAINS_FILENAME" "$SSL_PUBLIC_KEY_FILENAME" "$SSL_PRIVATE_KEY_FILENAME" "$domains"

  verify_certificates "$CA_PUBLIC_KEY_FILENAME" "$SSL_PUBLIC_KEY_FILENAME"

  merge_ca_and_ssl_certs "$SSL_PUBLIC_KEY_FILENAME" "$CA_PUBLIC_KEY_FILENAME" "$MERGED_CA_SSL_CERT_FILENAME"

  install_the_ca_cert_as_a_trusted_root_ca "$CA_PUBLIC_KEY_FILENAME" "$CA_PUBLIC_CERT_FILENAME"

  add_certs_to_nextcloud "$SSL_PUBLIC_KEY_FILENAME" "$SSL_PRIVATE_KEY_FILENAME" "$MERGED_CA_SSL_CERT_FILENAME"
}

generate_ca_cert() {
  local ca_private_key_filename="$1"
  local ca_public_key_filename="$2"

  # Generate RSA
  openssl genrsa -aes256 -out "$ca_private_key_filename" 4096

  # Generate a public CA Cert
  openssl req -new -x509 -sha256 -days 365 -key "$ca_private_key_filename" -out "$ca_public_key_filename"
}

generate_ssl_certificate() {
  local ca_public_key_filename="$1"
  local ca_private_key_filename="$2"
  local ca_sign_ssl_cert_request_filename="$3"
  local signed_domains_filename="$4"
  local ssl_public_key_filename="$5"
  local ssl_private_key_filename="$6"
  local domains="$7"
  # Example supported domains:
  # DNS:your-dns.record,IP:257.10.10.1

  # Create a RSA key
  openssl genrsa -out "$ssl_private_key_filename" 4096

  # Create a Certificate Signing Request (CSR)
  openssl req -new -sha256 -subj "/CN=yourcn" -key "$ssl_private_key_filename" -out "$ca_sign_ssl_cert_request_filename"

  # Create an `extfile` with all the alternative names. Overwrite rather than
  # append, so a rerun does not leave duplicate subjectAltName lines behind.
  echo "subjectAltName=$domains" >"$signed_domains_filename"

  # Optional: further extensions belong in the same extfile, not in the CSR.
  #echo "extendedKeyUsage = serverAuth" >>"$signed_domains_filename"

  # Create the public SSL certificate.
  openssl x509 -req -sha256 -days 365 -in "$ca_sign_ssl_cert_request_filename" -CA "$ca_public_key_filename" -CAkey "$ca_private_key_filename" -out "$ssl_public_key_filename" -extfile "$signed_domains_filename" -CAcreateserial
}

verify_certificates() {
  local ca_public_key_filename="$1"
  local ssl_public_key_filename="$2"
  openssl verify -CAfile "$ca_public_key_filename" -verbose "$ssl_public_key_filename"
}

merge_ca_and_ssl_certs() {
  local ssl_public_key_filename="$1"
  local ca_public_key_filename="$2"
  local merged_ca_ssl_cert_filename="$3"

  cat "$ssl_public_key_filename" >"$merged_ca_ssl_cert_filename"
  cat "$ca_public_key_filename" >>"$merged_ca_ssl_cert_filename"
}

install_the_ca_cert_as_a_trusted_root_ca() {
  local ca_public_key_filename="$1"
  local ca_public_cert_filename="$2"

  # The file in the ca-certificates dir must have the .crt extension and be PEM
  # encoded: update-ca-certificates concatenates these files into the PEM bundle
  # /etc/ssl/certs/ca-certificates.crt, so a DER-encoded file is not usable there.
  openssl x509 -outform pem -in "$ca_public_key_filename" -out "$ca_public_cert_filename"

  # First remove any old cert if it existed.
  sudo rm "/usr/local/share/ca-certificates/$ca_public_cert_filename"
  sudo update-ca-certificates

  # TODO: Verify target directory exists.
  # On Debian & derivatives:
  #- Copy the CA certificate ("$ca_public_cert_filename") into /usr/local/share/ca-certificates/.
  sudo cp "$ca_public_cert_filename" "/usr/local/share/ca-certificates/$ca_public_cert_filename"

  # TODO: Verify target file exists.

  # TODO: Verify target file MD5sum.

  # Update the Cert Store with:
  sudo update-ca-certificates
}

add_certs_to_nextcloud() {
  local ssl_public_key_filename="$1"
  local ssl_private_key_filename="$2"
  local merged_ca_ssl_cert_filename="$3"

  # First copy the files into nextcloud.
  # Source: https://github.com/nextcloud-snap/nextcloud-snap/issues/256
  # (see nextcloud.enable-https custom -h command).
  #sudo cp ca.pem /var/snap/nextcloud/current/ca.pem
  sudo cp "$ssl_public_key_filename" /var/snap/nextcloud/current/"$ssl_public_key_filename"
  sudo cp "$ssl_private_key_filename" /var/snap/nextcloud/current/"$ssl_private_key_filename"
  sudo cp "$merged_ca_ssl_cert_filename" /var/snap/nextcloud/current/"$merged_ca_ssl_cert_filename"

  # CLI sudo /snap/bin/nextcloud.enable-https custom Says:
  sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/$ssl_public_key_filename" "/var/snap/nextcloud/current/$ssl_private_key_filename" "/var/snap/nextcloud/current/$merged_ca_ssl_cert_filename"
}

delete_target_files() {
  rm "$CA_PRIVATE_KEY_FILENAME"
  rm "$CA_PUBLIC_CERT_FILENAME"
  rm "$CA_PUBLIC_KEY_FILENAME"
  rm "$SSL_PRIVATE_KEY_FILENAME"
  rm "$CA_SIGN_SSL_CERT_REQUEST_FILENAME"
  rm "$SIGNED_DOMAINS_FILENAME"
  rm "$SSL_PUBLIC_KEY_FILENAME"
  rm "$MERGED_CA_SSL_CERT_FILENAME"
  sudo rm "/usr/local/share/ca-certificates/$CA_PUBLIC_KEY_FILENAME"
  sudo rm "/usr/local/share/ca-certificates/$CA_PUBLIC_CERT_FILENAME"
  sudo rm "/var/snap/nextcloud/current/$SSL_PUBLIC_KEY_FILENAME"
  sudo rm "/var/snap/nextcloud/current/$SSL_PRIVATE_KEY_FILENAME"
  sudo rm "/var/snap/nextcloud/current/$MERGED_CA_SSL_CERT_FILENAME"

}

Output

The output of this script can be read as:

$src/main.sh -h
domains=DNS:some_onion.onion,IP:127.0.0.1.end_without_space
rm: cannot remove 'ca.pem': No such file or directory
rm: cannot remove 'cert.csr': No such file or directory
rm: cannot remove 'extfile.cnf': No such file or directory
rm: cannot remove 'cert.pem': No such file or directory
rm: cannot remove 'fullchain.pem': No such file or directory
rm: cannot remove '/usr/local/share/ca-certificates/ca.pem': No such file or directory
Generating RSA private key, 4096 bit long modulus (2 primes)
................................................................................................................................................................................++++
...................................................................................................................................................................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:so
State or Province Name (full name) [Some-State]:state3
Locality Name (eg, city) []:locality3
Organization Name (eg, company) [Internet Widgits Pty Ltd]:org3
Organizational Unit Name (eg, section) []:orgunit3
Common Name (e.g. server FQDN or YOUR name) []:cn3
Email Address []:email3@email.com
Generating RSA private key, 4096 bit long modulus (2 primes)
...................................................................++++
.............................................++++
e is 65537 (0x010001)
Signature ok
subject=CN = yourcn
Getting CA Private Key
Enter pass phrase for ca-key.pem:
cert.pem: OK
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Processing triggers for ca-certificates-java (20220719) ...
done.
Updating Mono key store
Mono Certificate Store Sync - version 6.8.0.105
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy system store:
I already trust 124, your new list has 124
Import process completed.

Importing into BTLS system store:
I already trust 124, your new list has 124
Import process completed.
Done
done.
Installing custom certificate... done
Restarting apache... done

Error Message

After running the script successfully, I can manually import the ca.crt into Brave at brave://settings/certificates. This ensures https works for https://localhost:81. However, when I open the Tor browser in Brave and visit some_onion.onion, it returns:

This site can’t provide a secure connection
some_onion.onion sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Question

How can I ensure the certificate is trusted on both the some_onion.onion link, as well as on localhost?

Doubt

  1. I am unsure whether:
echo "subjectAltName=DNS:some_onion_link.onion"

is permitted for an SSL certificate. I wonder why the Tor version of Brave does not show why the certificate is not trusted.
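An added example, not part of the original question: it applies the reference-identity rules a TLS client uses (RFC 6125 as implemented by OpenSSL and browsers) to each subjectAltName variant tried in the script above, so you can see which names a SAN line covers before generating the certificate. The onion address is a constructed placeholder; the code checks name coverage only, not how Tor Browser reaches the site.

```python
import ipaddress

ONION = "exampleonionaddressplaceholder.onion"  # constructed placeholder


def parse_san(san_line):
    """Parse 'subjectAltName=DNS:a,IP:1.2.3.4' into [("DNS", "a"), ("IP", "1.2.3.4")]."""
    value = san_line.split("=", 1)[1]
    entries = []
    for item in value.split(","):
        kind, _, name = item.strip().partition(":")
        entries.append((kind.strip().upper(), name.strip()))
    return entries


def _dns_match(pattern, hostname):
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # RFC 6125 6.4.3 as applied by OpenSSL and browsers: the wildcard must be the
    # whole left-most label, at least two labels must follow it, and it stands
    # for exactly one label, so *.x.onion covers www.x.onion but never x.onion.
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail or tail.count(".") < 1:
        return False
    host_head, host_sep, host_tail = hostname.partition(".")
    return bool(host_head) and host_sep == "." and host_tail == tail


def san_matches(san_entries, reference):
    """Is `reference` (a hostname or an IP literal) covered by the SAN?
    DNS entries only ever match hostnames and IP entries only IP literals."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    for kind, name in san_entries:
        if kind == "DNS" and ref_ip is None and _dns_match(name, reference):
            return True
        if kind == "IP" and ref_ip is not None:
            try:
                if ipaddress.ip_address(name) == ref_ip:
                    return True
            except ValueError:
                pass  # 'IP:something.onion' is not an address and matches nothing
    return False


def coverage(san_line, references):
    """Map each reference identity to whether this SAN line covers it."""
    entries = parse_san(san_line)
    return {ref: san_matches(entries, ref) for ref in references}


REFERENCES = ["localhost", "127.0.0.1", ONION, "www." + ONION]

# The SAN variants tried in the script above, with the placeholder onion name.
VARIANTS = [
    "subjectAltName=DNS:%s,IP:127.0.0.1" % ONION,
    "subjectAltName=DNS:localhost,IP:%s" % ONION,
    "subjectAltName=DNS:*.%s" % ONION,
    "subjectAltName=DNS:%s" % ONION,
    "subjectAltName=DNS:localhost,DNS:%s" % ONION,
]

if __name__ == "__main__":
    for san in VARIANTS:
        print(san)
        for ref, ok in coverage(san, REFERENCES).items():
            print("   %-45s %s" % (ref, "covered" if ok else "NOT covered"))
```

In Chromium-based browsers a name that the SAN does not cover surfaces as ERR_CERT_COMMON_NAME_INVALID, whereas ERR_SSL_PROTOCOL_ERROR means the TLS handshake itself failed before certificate names were compared.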
