Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DietPi-LetsEncrypt | Adjust ownCloud/Nextcloud CLI URL when HTTPS redirect is enabled #4353

Closed
droogi opened this issue May 6, 2021 · 22 comments
Labels
Milestone

Comments

@droogi
Copy link

droogi commented May 6, 2021

sorry i cannot code, only report...

my nextcloud 21.0.1 installation on dietpi 7.1.2 says its not well configured because of missing webnode and nodeinfo configuration. (nginx)

i added /etc/nginx/sites-dietpi/dietpi-nextcloud.conf in line 4-5 with

location ~ ^/.well-known/(?:webfinger|nodeinfo) {
return 301 /nextcloud/index.php$request_uri;
}

as you write in /.conf/dps_114/nginx.nextcloud.conf
after restarting service nginx i still have same error message in nextcloud

(in forum https://dietpi.com/phpbb/viewtopic.php?p=33770#p33770)

when i copy the complete code from dps_114 in a new nginx.nextcloud.conf i get a third safety hint:
Strict-Transport-Security" is not min. 15552000 Seconds, activation of hsts is recommended.

Do you have any advice?

Regards, droogi

@droogi droogi changed the title nextcloud webfinger/nodeinfo 7.1.2 nextcloud21.0.1 error webfinger/nodeinfo on dietpi 7.1.2 May 6, 2021
@Joulinar
Copy link
Collaborator

Joulinar commented May 6, 2021

did you checked on the nextcloud forum as I suggested on the forum?

@MichaIng
Copy link
Owner

MichaIng commented May 6, 2021

Many thanks for your report. The HSTS warning is expected as long as you didn't enable it intentionally via e.g. dietpi-letsencrypt or which whichever method you enabled HTTPS. Just note that you should only do this when you don't see a reason to allow plain HTTP connections any longer for any of your clients, as they will store the information and won't connect via HTTP any longer (which is the goal of HSTS).
EDIT: Ah sorry, I didn't read till the end. So you had HSTS enabled already but reverted it by copying whole config. But no problem, only uncomment the following line to enable the header: https://github.com/MichaIng/DietPi/blob/dev/.conf/dps_114/nginx.nextcloud.conf#L27

The webfinger and nodeinfo warnings should actually be solved. I'll have a look tomorrow.

@droogi
Copy link
Author

droogi commented May 6, 2021

@Joulinar, i tried to understand the nextcloud documentation for nginx (thats not the forum), but i get mixed up since dietpi uses not the same way how to configure nginx - sites enabled. I do not understand the syntax and do not have knowledge and experience to figure out and just tried copy and paste in hopefully the correct file.

@MichaIng
Copy link
Owner

MichaIng commented May 6, 2021

Just in case: "uncomment" means to remove the leading hash # sign from:

#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

So it changes from a config code comment into an actual directive.

While the config has it commented by default, to work with plain HTTP setups or with HTTPS but no HSTS, we uncomment it when running dietpi-letsencrypt with HSTS option enabled.

@droogi
Copy link
Author

droogi commented May 6, 2021

@MichaIng, when using the dps_114 original complete code i was able to uncomment this line, but still have the webfinger/nodeinfo issue. thanks for explanation. (offtopic: i just renewed letsencrypt certificate, but i had to open port 80 on router which is usually not forwarded, so no automatic renewals possible?)

@Joulinar
Copy link
Collaborator

Joulinar commented May 6, 2021

letsencrypt requires port 80 to be open to obtain the certificate

@MichaIng
Copy link
Owner

MichaIng commented May 7, 2021

Yes. With HTTPS redirect enabled there is also no reason to keep port 80 closed. Read the statement of Let's Encrypt about this: https://letsencrypt.org/docs/allow-port-80/

@MichaIng
Copy link
Owner

MichaIng commented May 7, 2021

Strange, I cannot replicate the issue. Installed Nextcloud + Nginx on a clean DietPi Buster image and the redirects solve the warnings as expected.

If it doesn't work in your case, please provide your Nginx config via nginx -T, but be sure to remove all identifying things like domains/hostnames and such.

@droogi
Copy link
Author

droogi commented May 7, 2021

Hello MichaIng,
i also tried to copy the 3 lines to /etc/nginx/sites-dietpi/dietpi-dav_redirect.conf, but no success. (i used the redirect in one conf-file only and left the other conf-file untouched).
to be sure: the error is described in nextcloud 21.0.1, Admin Account, settings-overview-Security & setup warnings :
Your web server is not properly set up to resolve "/.well-known/webfinger ....../nodeinfo
nginx.conf.log

@MichaIng
Copy link
Owner

MichaIng commented May 7, 2021

Strange, tested another time and it really works here OOTB. Also the method matches 100% the one from Nextcloud docs (where I just recently helped updating). Can you please run the following from the command line:

curl -IL https://your.domain.org/.well-known/webfinger/test

@droogi
Copy link
Author

droogi commented May 7, 2021

when i run the the command i get this result:
webfingertest.log
when i change to curl -IL https://your.domain.org/nextcloud/.well-known/webfinger/test the second result:
webfingertest2.log

@MichaIng
Copy link
Owner

MichaIng commented May 7, 2021

So the redirect is done as intended. Of course the final access fails, as it you cannot authenticate via curl, only the first redirect is relevant.

Strange that the Nextcloud admin panel shows it otherwise. Did you try to restart the webserver and PHP and clear the browser cache as well to rule that all out?

systemctl restart nginx
systemctl restart php7.3-fpm

And CTRL+F5 to reload the page in browser.

@droogi
Copy link
Author

droogi commented May 7, 2021

i always restarted nginx, (also restarted dietpi), now i also restarted php7.3-fpm, cleared cache in firefox and chrome, reloaded page, still get the warning.
So you think its an nextcloud warning error?

@MichaIng
Copy link
Owner

MichaIng commented Jun 2, 2021

Is this still an issue? Whatever I do, I cannot replicate it, so it is neither a general bug in Nextcloud, not on our config. All configs and tests (aside of the admin panel) look correct and have exactly expected results. So I'm puzzled.

@droogi
Copy link
Author

droogi commented Jun 2, 2021

I updated to 21.0.2 stable about 2 weeks ago, nextcloud still displays webfinger / nodeinfo error message.
I updated dietpi from 7.1.2 to 7.2.3 today, nextcloud still displays webfinger / nodeinfo error message.

Since i am using Nextcloud only private for me and my family, and the installation and connected devices work well, its no problem for me. I do not have any disadvantages when the message is displayed.

If you were interested to solve, i could give you an account/ssh, but i am fine when its not solved.
Thanks for your support.

@MichaIng
Copy link
Owner

MichaIng commented Sep 1, 2021

Looping through old open issues. Another attempt: In /var/www/nextcloud/config/config.php you have

'overwrite.cli.url' => 'http://localhost/nextcloud',

right?

I never though about that a HTTPS redirect means this is redirected to https://localhost/nextcloud, which fails as localhost is no valid domain for the certificate. So this needs to be changed to contain https://your.domain.org/nextcloud for CLI calls to succeed, which likely implies the webfinger/nodeinfo calls.

I'll add this to dietpi-letsencrypt, to update ownCloud and Nextcloud configs regarding this setting.

@MichaIng MichaIng added this to the v7.6 milestone Sep 1, 2021
@MichaIng MichaIng changed the title nextcloud21.0.1 error webfinger/nodeinfo on dietpi 7.1.2 DietPi-LetsEncrypt | Adjust ownCloud/Nextcloud CLI URL when HTTPS redirect is enabled Sep 1, 2021
@droogi
Copy link
Author

droogi commented Sep 2, 2021

dietpi 7.5.2 & nextcloud 22.1.1
I changed http://localhost/nextcloud (http) to https://mydomain.org/nextcloud(https) in /var/www/nextcloud/config/config.php

The warning in nextcloud is still there.

I attached my current /etc/nginx/sites-dietpi/dietpi-nextcloud.conf.
i noticed

  • Line 2-4 is not included in line 8location ^~ /nextcloud { block.

and

  • a space between ~ and ^

location ~ ^/.well-known/(?:webfinger|nodeinfo) { ..... in my config file.

diepi-nextcloud.zip

(in windows a system32/config/host has to be configured to redirect the domain to localhost, where is this done here?)

@MichaIng
Copy link
Owner

MichaIng commented Sep 2, 2021

Did you restart PHP to assure possible caches are cleared?

systemctl restart php7.3-fpm

The config is as expected:

  • The redirect is from https://mydomain.org/.well-known/webfinger to https://mydomain.org/nextcloud/index.php/.well-known/webfinger, so within the /nextcloud block the rule would never apply 😉.
  • location ~ ^/.well-known syntax means a location matching the "regular expression" (~), which starts (^) with /.well-known.
  • location ^~ /nextcloud syntax means a location which starts "literally" with /nextcloud and that no further location directive should be searched for (^~).

@MichaIng
Copy link
Owner

MichaIng commented Sep 2, 2021

Okay I tested it the other way round, and indeed overwrite.cli.url doesn't have an effect on those tests but only on the Cron job and occ (ncc) command.

Another thing you could try is to update the `.htaccess to rule out any possibly old conflicting rewrite:

ncc maintenance:update:htaccess

@droogi
Copy link
Author

droogi commented Sep 5, 2021

Thanks for the detailed explanation. I updated the `.htaccess, without success.
It seems I am the only one with this config message in nextcloud, so for me it's ok to archive/close this topic.

Next big aim for me it's to upgrade to 64 bit to get OpenOffice in nextcloud (when wireguard works) and import all certificates.

@MichaIng
Copy link
Owner

MichaIng commented Sep 5, 2021

Okay, let me keep it open to have the overwrite.cli.url change implemented into dietpi-letsencrypt, which is required to allow Cron jobs and occ commands accessing Nextcloud via HTTPS.

MichaIng added a commit that referenced this issue Sep 9, 2021
+ DietPi-LetsEncrypt | If webserver access via plain HTTP is not possible anymore (redirect or HSTS enabled), replace ownCloud/Nextcloud CLI URL with the primary domain HTTPS URL, so that cron jobs and occ/ncc commands can correctly access the ownCloud/Nextcloud instance via webserver. This may be required on other cases, but those are the first known ones: #4353
@MichaIng
Copy link
Owner

MichaIng commented Sep 9, 2021

Done: 9909a4f
Changelog: 1fda33d

I know it was not the solution for your actual issue, but it is a solution for other potential issues, e.g. in combination with apps who do check via access through the webserver. I'm still wondering how the admin panel redirect check can succeed when the invalid localhost URL is given while a HTTPS redirect or HSTS is present. There shouldn't be any other reliable way than accessing Nextcloud externally through the webserver. I'll check the related code at Nextcloud by times.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants