Nextcloud SSL initialization error

Nextcloud community

Actual behaviour

  • When testing a server address before logon, I get a warning about failed SSL initialization

Expected behaviour

  • Expected the connection to be accepted

Steps to reproduce

  1. Configure the server with a Let’s Encrypt certificate using secp384r1 as the public key algorithm
  2. Configure nginx with the following SSL options:
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
  3. Check the Android app.

Environment data

Android version: 7.0

Device model: Asus ZenFone3 — Beta Tester

Stock or customized system: Official Asus Beta Tester

Nextcloud app version: Latest Nightly and Latest Play Store

Nextcloud server version: 11.0.2 Stable

Logs

adb logcat | grep GetRemoteStatusOperation

03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: Connection check at https://<server>: SSL exception
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: javax.net.ssl.SSLHandshakeException: Handshake failed
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.verifyPeerIdentity(AdvancedSslSocketFactory.java:248)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.createSocket(AdvancedSslSocketFactory.java:185)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:222)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:192)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.resources.status.GetRemoteStatusOperation.tryConnection(GetRemoteStatusOperation.java:87)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.resources.status.GetRemoteStatusOperation.run(GetRemoteStatusOperation.java:192)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:136)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.operations.GetServerInfoOperation.run(GetServerInfoOperation.java:81)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:136)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.services.OperationsService$ServiceHandler.nextOperation(OperationsService.java:482)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.owncloud.android.services.OperationsService$ServiceHandler.handleMessage(OperationsService.java:418)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at android.os.Handler.dispatchMessage(Handler.java:102)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at android.os.Looper.loop(Looper.java:159)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at android.os.HandlerThread.run(HandlerThread.java:61)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x7f666fd340: Failure in SSL library, usually a protocol error
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x7f666189e0:0x00000001)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x7f76ceaf76:0x00000000)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
03-03 17:51:18.861  6198  6238 E GetRemoteStatusOperation: 	... 20 more

testssl.sh on server

[leonardo@pruuu testssl.sh]$ ./testssl.sh --wide https://<FQDN> 

###########################################################
    testssl.sh       2.9dev from https://testssl.sh/dev/
    (27aa257 2017-02-28 15:42:28 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on pruuu:$PWD/bin/openssl.Linux.x86_64
 (built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")


 Start 2017-03-03 18:04:33    -->> 192.168.196.20:443 (<FQDN>) <<--

 rDNS (192.168.196.20):  -- 
 Service detected:       HTTP


 Testing protocols via sockets except SPDY+HTTP2 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 SPDY/NPN   h2, http/1.1 (advertised)
 HTTP2/ALPN h2, http/1.1 (offered)

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit export ciphers        not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 "Medium" grade encryption    not offered (OK)
 Triple DES Ciphers           not offered (OK)
 High grade encryption        offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK), ciphers follow (client/browser support is important here) 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            

 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 brainpoolP384r1 brainpoolP512r1 


 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Cipher order
    TLSv1.2:   ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 
    h2:        ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 
    http/1.1:  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 


 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "heartbeat/#15" "server name/#0" 
                              "next protocol/#13172" "application layer protocol negotiation/#16" 
 Session Tickets RFC 5077     (none)
 SSL Session ID support       yes
 TLS clock skew               random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              ECDSA 384 bits
 Fingerprint / Serial         SHA1 E7B2175F930130C627396DECAC6CEED607A1BBFC / 035991A57F1159615464ACA8A03128487999
                              SHA256 AF546B253736AA91E29B366E557FE0C777EF5688A2004E3B6B8E53C29360529F
 Common Name (CN)             <FQDN>
 subjectAltName (SAN)         <FQDN> 
 Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
 Trust (hostname)             Ok via SAN and CN (works w/o SNI)
 Chain of trust               Ok   
 EV cert (experimental)       no 
 Certificate Expiration       89 >= 30 days (2017-03-03 15:54 --> 2017-06-01 15:54 -0300)
 # of certificates provided   2
 Certificate Revocation List  --
 OCSP URI                     http://ocsp.int-x3.letsencrypt.org/
 OCSP must staple             No
 OCSP stapling                --
 DNS CAA RR (experimental)    --


 Testing HTTP header response @ "/" 

 HTTP Status Code             302 Found, redirecting to "https://<FQDN>/login"
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    182 days=15768000 s, includeSubDomains, preload
 Public Key Pinning           --
 Server banner                nginx/1.11.10
 Application banner           --
 Cookie(s)                    1 issued: 3/1 secure, 4/1 HttpOnly -- maybe better try target URL of 30x
 Security headers             X-Frame-Options SAMEORIGIN
                              X-XSS-Protection 1; mode=block
                              X-Content-Type-Options nosniff
                              Content-Security-Policy; media-src *; connect-src *
 Reverse Proxy banner         --


 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK)
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible, TLS 1.2 is the only protocol (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this port (OK)
                                           no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected

 BEAST (CVE-2011-3389)                     no SSL3 or TLS1 (OK)
 LUCKY13 (CVE-2013-0169)                   not vulnerable (OK)

 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            


 Running browser simulations via sockets (experimental) 

 Android 2.3.7                 No connection
 Android 4.0.4                 No connection
 Android 4.1.1                 No connection
 Android 4.2.2                 No connection
 Android 4.3                   No connection
 Android 4.4.2                 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 5.0.0                 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Baidu Jan 2015                No connection
 BingPreview Jan 2015          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Chrome 47 / OSX               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 42 OS X               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 GoogleBot Feb 2015            TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 IE 6 XP                       No connection
 IE 7 Vista                    No connection
 IE 8 XP                       No connection
 IE 8-10 Win 7                 No connection
 IE 11 Win 7                   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 IE 11 Win 8.1                 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 IE 10 Win Phone 8.0           No connection
 IE 11 Win Phone 8.1           TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1 Update    TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 IE 11 Win 10                  TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 13 Win 10                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 13 Win Phone 10          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 6u45                     No connection
 Java 7u25                     No connection
 Java 8u31                     TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 OpenSSL 0.9.8y                No connection
 OpenSSL 1.0.1l                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 5.1.9 OS X 10.6.8      No connection
 Safari 6 iOS 6.0.1            No connection
 Safari 6.0.4 OS X 10.8.4      No connection
 Safari 7 iOS 7.1              No connection
 Safari 7 OS X 10.9            No connection
 Safari 8 iOS 8.4              No connection
 Safari 8 OS X 10.10           No connection
 Safari 9 iOS 9                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11           TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Apple ATS 9 iOS 9             TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)

 Done 2017-03-03 18:05:40    -->> 192.168.196.20:443 (<FQDN>) <<--


[leonardo@pruuu testssl.sh]$ 
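To narrow down a HANDSHAKE_FAILURE_ON_CLIENT_HELLO like the one in the logcat trace, it helps to repeat testssl.sh's socket-based check with a ClientHello whose cipher and curve lists you control: an OpenSSL-based server such as the nginx above, holding only an ECDSA certificate, can pick an ECDHE-ECDSA suite only when the client's supported_groups extension includes the certificate's curve (here secp384r1), and otherwise answers with a fatal handshake_failure alert. The probe below is an added example, not code from the report, from the Nextcloud app or from testssl.sh; the hostname and port are placeholders you supply, and only the first record of the reply is classified.

```python
"""Minimal TLS 1.2 ClientHello probe: send a hello offering a chosen cipher and
curve list and report whether the server answers with a ServerHello or an alert."""
import os
import socket
import struct

# IANA code points for the suites in the page's nginx ssl_ciphers line.
CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": 0xC02C,
    "ECDHE-RSA-AES256-GCM-SHA384": 0xC030,
    "ECDHE-ECDSA-CHACHA20-POLY1305": 0xCCA9,
    "ECDHE-RSA-CHACHA20-POLY1305": 0xCCA8,
    "ECDHE-ECDSA-AES128-GCM-SHA256": 0xC02B,
    "ECDHE-RSA-AES128-GCM-SHA256": 0xC02F,
}
CIPHER_NAMES = {v: k for k, v in CIPHERS.items()}
# Named-group ids (RFC 8422) for the curves testssl.sh reported as offered.
CURVES = {"prime256v1": 23, "secp384r1": 24, "secp521r1": 25,
          "brainpoolP384r1": 27, "brainpoolP512r1": 28}
ALERTS = {40: "handshake_failure", 47: "illegal_parameter",
          70: "protocol_version", 71: "insufficient_security"}


def _ext(ext_type, data):
    """Encode one TLS extension: type(2) length(2) data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def supported_groups_ext(curve_names):
    """supported_groups extension (id 10) listing only the given curves."""
    ids = b"".join(struct.pack("!H", CURVES[n]) for n in curve_names)
    return _ext(10, struct.pack("!H", len(ids)) + ids)


def build_client_hello(hostname, cipher_names, curve_names, client_random=None):
    """Serialize a TLS 1.2 ClientHello record offering exactly these suites and curves."""
    rnd = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", CIPHERS[c]) for c in cipher_names)
    host = hostname.encode()
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    # ecdsa/rsa with sha256/384/512, so the server can sign ServerKeyExchange.
    sigalgs = bytes.fromhex("040305030603040105010601")
    exts = (_ext(0, sni) + supported_groups_ext(curve_names)
            + _ext(11, b"\x01\x00")                      # ec_point_formats: uncompressed
            + _ext(13, struct.pack("!H", len(sigalgs)) + sigalgs))
    body = (b"\x03\x03" + rnd + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                 # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record the server sent back."""
    if len(data) < 5:
        return {"result": "no_data"}
    rec_type, length = data[0], struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + length]
    if rec_type == 0x15 and len(body) >= 2:             # alert record
        return {"result": "alert", "level": body[0], "description": body[1],
                "name": ALERTS.get(body[1], "unknown")}
    if rec_type == 0x16 and body and body[0] == 0x02:   # handshake record, ServerHello
        sid_len = body[38]
        cipher = struct.unpack("!H", body[39 + sid_len:41 + sid_len])[0]
        return {"result": "server_hello", "version": body[4:6].hex(),
                "cipher": cipher, "cipher_name": CIPHER_NAMES.get(cipher, hex(cipher))}
    return {"result": "unexpected", "record_type": rec_type}


def probe(host, port, cipher_names, curve_names, timeout=5.0):
    """Send one ClientHello to host:port and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host, cipher_names, curve_names))
        return parse_server_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "nextcloud.example"  # placeholder FQDN
    ecdsa_only = [c for c in CIPHERS if "ECDSA" in c]
    # A client that offers the certificate's curve versus one that offers P-256 only.
    for curves in (["prime256v1", "secp384r1"], ["prime256v1"]):
        try:
            print(curves, probe(target, 443, ecdsa_only, curves))
        except OSError as exc:
            print(curves, "connection error:", exc)
```

Against a server set up as in the steps above, the hello that offers only prime256v1 should come back as a level-2 alert with description 40 (handshake_failure), while the one that also offers secp384r1 should yield a ServerHello selecting one of the ECDHE-ECDSA suites.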

During the installation, "pretty URLs" (links without index.php in them), caching and LDAP authentication will be configured. Fail2ban (a tool against brute-force attacks) is covered in a separate article.

Installing and configuring the system and the required components

During the Ubuntu Server installation, select SSH Server and LAMP for installation. Choose automatic installation of security updates.

# Become root
sudo -i
# Set a static IP:
nano /etc/network/interfaces

# Contents of /etc/network/interfaces:
auto eth0
iface eth0 inet static
address 192.168.1.7
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1
dns-search workgroup

Reboot.

Log in over SSH and update the whole system:

sudo -i
apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && apt-get autoremove

Install all the required components and, in this case, the APCu + Redis caching mechanism and the components for automatic favicon generation:

apt-get install php-zip php-xml php-gd php-json php-curl php-mbstring php-bz2 php-intl php-mcrypt php-apcu redis-server php-redis php-imagick libmagickcore-6.q16-2-extra -y

If you need the SMB client (to mount external storage in Nextcloud), LDAP and Midnight Commander:

apt-get install smbclient php-ldap mc -y

Client

# Download the latest version
wget https://download.nextcloud.com/server/releases/latest.tar.bz2
# Unpack the archive into the web server's document root
tar xjf latest.tar.bz2 --strip-components=1 -C /var/www/html
# Remove the downloaded archive (optional)
rm latest.tar.bz2
# Create the directory for user data
mkdir /var/nextcloud-data
# Make the web server the owner:
chown -R www-data:www-data /var/www/html /var/nextcloud-data
# Restart Apache:
systemctl restart apache2
# Create a MySQL database named "nextcloud":
mysql -u root -p -e "create database nextcloud"

Open a browser, go to the web interface (here: 192.168.1.7), set the admin login and password, the path to the user data directory (here: /var/nextcloud-data) and the database name (here: nextcloud). Alternatively, configure it from the command line:

FIXME: check whether the passwords can be left out here

sudo -u www-data php /var/www/html/occ maintenance:install --database "mysql" --data-dir "/var/nextcloud-data" --database-name "nextcloud" --database-user "root" --database-pass "password" --admin-user "admin" --admin-pass "password"

Настройка

# Убрать закрывающую строку из конфига и заменить строку overwrite.cli.url на нужную.
# В sed экранирование апострофа безумное - '"'"'
sed -i '
/);/d
/overwrite.cli.url/c '"'"'overwrite.cli.url'"'"' => '"'"'https://192.168.1.7'"'"',' /var/www/html/config/config.php
 
# Configure the config: "pretty URLs", caching, log time zone and log rotation (100 MB)
# (the class names below carry backslashes; bash's builtin echo prints them literally)
echo "'htaccess.RewriteBase' => '/',
'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
'host' => 'localhost',
'port' => 6379,
),
'logtimezone' => 'Europe/Moscow',
'log_rotate_size' => 104857600,
);" >> /var/www/html/config/config.php
 
# Set the maximum upload file size and the memory limit in PHP
# Check the PHP version and the path to the php.ini in use (php --ini); for example it may be
# /etc/php/7.3/fpm/php.ini. There is also
# /etc/php/7.3/cli/php.ini.
sed -i '
/upload_max_filesize =/c upload_max_filesize = 4G
/post_max_size =/c post_max_size = 4G
/memory_limit =/c memory_limit = 512M' /etc/php/7.3/apache2/php.ini
 
# Configure opcache parameters
sed -i '
/opcache.enable=/c opcache.enable=1
/opcache.enable_cli=/c opcache.enable_cli=1
/opcache.memory_consumption=/c opcache.memory_consumption=128
/opcache.interned_strings_buffer=/c opcache.interned_strings_buffer=8
/opcache.max_accelerated_files=/c opcache.max_accelerated_files=10000
/opcache.revalidate_freq=/c opcache.revalidate_freq=1
/opcache.save_comments=/c opcache.save_comments=1' /etc/php/7.3/apache2/php.ini

List of time zones for PHP

SSL, mod_env and mod_rewrite for pretty URLs

a2enmod ssl headers env rewrite && a2ensite default-ssl

Enable Strict Transport Security, Referrer Policy and Forward Secrecy:

# A quoted heredoc is used here: inside an echo "..." string the inner double quotes
# around the header values would terminate the string and break the command
cat >> /etc/apache2/sites-available/default-ssl.conf <<'EOF'
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
Header always set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

# Set Forward Secrecy
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
EOF

Redirect HTTP to HTTPS

nano /etc/apache2/sites-available/000-default.conf

<VirtualHost *:80>
ServerName www.yourdomain.com
Redirect / https://www.yourdomain.com/
</VirtualHost>
systemctl restart apache2

Configure Pretty URLs

nano /etc/apache2/apache2.conf
 
# In the <Directory /var/www> section change AllowOverride None to AllowOverride All
# Exit the editor.

# Update the .htaccess file:
sudo -u www-data php /var/www/html/occ maintenance:update:htaccess

# Restart Apache:
systemctl restart apache2

Switch background jobs to cron

Disable unneeded links

config/config.php:

# Disable the password reset link
'lost_password_link' => 'disabled',
# Remove link “Get your own free account”
'simpleSignUpLink.shown' => false,

Configure LDAP authentication

This authentication type requires the php-ldap component; install it if it was not installed earlier:

apt-get install php-ldap -y

Further configuration is done in the admin web interface.

Online office

# Collabora (a rather slow option)
sudo -u www-data php /var/www/html/occ app:install richdocumentscode richdocuments
 
# OnlyOffice (limited to 20 connections in the free version)
sudo -u www-data php /var/www/html/occ app:install documentserver_community onlyoffice

For OnlyOffice, add to /var/www/html/config/config.php:

'onlyoffice' =>
array (
'verify_peer_off' => true,
),
'allow_local_remote_servers' => true,

OnlyOffice behind a proxy: https://helpcenter.onlyoffice.com/ru/installation/docs-community-proxy.aspx

«Unknown error» when opening a document: the Nextcloud config needs

'overwriteprotocol' => 'https', (add)
'overwrite.cli.url' => 'https' (change)

https://github.com/nextcloud/docker/issues/975

External storage

S3

Access method — Access key

Bucket — folder in the cloud, e.g. Media

Hostname — s3.cloud.mts.ru

Port — 443

Region — empty

✔ Enable SSL

✔ Enable path style

SMB (CIFS)

Host — [IP address]

Share — Files (share name)

Remote subfolder — Отдел продажГруппа впариванияОбмен

Domain — example.com

Updating

# Automatically:
sudo -u www-data php /var/www/html/updater/updater.phar

# Manually:
# Download the latest release
wget https://download.nextcloud.com/server/releases/latest.tar.bz2
# Unpack the downloaded archive into the installation folder
tar xjf latest.tar.bz2 --strip=1 -C /var/www/html
# Give ownership to the web server:
chown -R www-data:www-data /var/www/html
# Enable maintenance mode
sudo -u www-data php /var/www/html/occ maintenance:mode --on
# Run the upgrade
sudo -u www-data php /var/www/html/occ upgrade
# Disable maintenance mode
sudo -u www-data php /var/www/html/occ maintenance:mode --off

https://docs.nextcloud.com/server/latest/admin_manual/maintenance/update.html

Express update with a gateway change

ip route change default via 192.168.1.254 dev eth0
apt update && apt upgrade -y && apt autoremove -y
sudo -u www-data php /var/www/html/updater/updater.phar --no-interaction
ip route change default via 192.168.1.1 dev eth0

Upgrading to the next major release

# Switch to the beta update channel, update, then switch back.
sudo -u www-data php /var/www/html/cloud/occ config:system:set updater.release.channel --value=beta
sudo -u www-data php /var/www/html/cloud/updater/updater.phar --no-interaction
sudo -u www-data php /var/www/html/cloud/occ config:system:set updater.release.channel --value=stable

In Docker

docker exec nc-php sudo -u www-data php /var/www/html/cloud/occ config:system:set updater.release.channel --value=beta
docker exec nc-php sudo -u www-data php /var/www/html/cloud/updater/updater.phar --no-interaction
docker exec nc-php sudo -u www-data php /var/www/html/cloud/occ config:system:set updater.release.channel --value=stable

Updating all apps

sudo -u www-data php /var/www/html/cloud/occ app:update --all
# docker
docker exec -uwww-data nc-php php /var/www/html/cloud/occ app:update --all

Configuring caching via a Redis server

Once a situation occurred where a file on the server could not be deleted or updated because it was locked:

file is locked

Error transferring bva.dyndns.info/cloud/remote.php/dav/files/user/123.txt — server replied: Locked («123.txt» is locked)

The relevant howto advises clearing the lock table in the MySQL database and, to keep it from recurring, recommends installing the Redis caching service. Since I already had APCu, I decided to install Redis for locking and keep APCu for the local cache.

On Ubuntu this is a simple install, but the Armbian repositories lacked the corresponding packages, so they had to be built from source.

Install Redis

This information is outdated: prebuilt packages have appeared in the repositories for ARM processors.

Now it is enough to run

apt-get install redis-server php-redis

Building from source

Configuring Nextcloud and unlocking files

The caching part of the Nextcloud config should be brought to the following form:

'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
'host' => 'localhost',
'port' => 6379,
),
# Put Nextcloud into maintenance mode:
sudo -u www-data php /var/www/html/occ maintenance:mode --on
# Enter the "cloud" database and clear the locks:
mysql -u root -p cloud
DELETE FROM oc_file_locks WHERE 1;
quit
# Take Nextcloud out of maintenance mode:
sudo -u www-data php /var/www/html/occ maintenance:mode --off
# Restart Apache:
systemctl restart apache2

Additional materials

Certificates

# Make a folder for the certificates
mkdir /etc/ssl/certs/nextcloud
# Self-signed certificate for 10 years, without asking for a passphrase
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/certs/nextcloud/nextcloud.key -out /etc/ssl/certs/nextcloud/nextcloud.crt
nano /etc/apache2/sites-available/default-ssl.conf
SSLCertificateKeyFile /etc/ssl/certs/nextcloud/nextcloud.key
SSLCertificateFile /etc/ssl/certs/nextcloud/nextcloud.crt
#SSLCACertificateFile /etc/ssl/certs/nextcloud/nextcloud-int.crt

FIXME

# The patterns are anchored to the start of the directive: the stock default-ssl.conf
# also mentions SSLCertificateFile inside a comment, which an unanchored match would replace
sed -i '
/^\s*SSLCertificateKeyFile\s/c SSLCertificateKeyFile /etc/ssl/certs/nextcloud/nextcloud.key
/^\s*SSLCertificateFile\s/c SSLCertificateFile /etc/ssl/certs/nextcloud/nextcloud.crt' /etc/apache2/sites-available/default-ssl.conf

Importing contacts from a vcf file

Problem: a vcf file exported from an Android 4.4 phone does not import into the «Contacts» app in Nextcloud.

Solution:

  1. Open the file in the tcode program (on Windows) so that the Quoted-Printable encoded lines are recoded into readable Russian text. This can also be done from the command line:

    tcode input.vcf /auto output.vcf
  2. Remove the strings ;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE from the whole file

  3. Replace the VERSION:2.1 lines with VERSION:3.0

  4. Save the file in UTF-8 encoding.
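The four steps above can be done without tcode. The following Python script is an added example (not part of the original notes): it unfolds the vCard 2.1 quoted-printable soft line breaks, decodes the values, strips the CHARSET/ENCODING parameters, bumps VERSION to 3.0 and writes UTF-8. The sample card is constructed for the demonstration.

```python
import quopri
import re

# Constructed sample (not from any real phone): a vCard 2.1 the way Android 4.4 exports it,
# with Cyrillic names as quoted-printable UTF-8 and a soft line break (trailing "=") in FN.
SAMPLE_VCF_21 = (
    "BEGIN:VCARD\r\n"
    "VERSION:2.1\r\n"
    "N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:=D0=98=D0=B2=D0=B0=D0=BD=D0=BE=D0=B2;=D0=98=D0=B2=D0=B0=D0=BD;;;\r\n"
    "FN;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:=D0=98=D0=B2=D0=B0=D0=BD =D0=98=D0=B2=D0=B0=\r\n"
    "=D0=BD=D0=BE=D0=B2\r\n"
    "TEL;CELL:+79000000000\r\n"
    "END:VCARD\r\n"
)

QP_PARAM = re.compile(r";ENCODING=QUOTED-PRINTABLE", re.IGNORECASE)
CHARSET_PARAM = re.compile(r";CHARSET=[^;:]*", re.IGNORECASE)


def _unfold_qp_lines(lines):
    """Join vCard 2.1 quoted-printable soft breaks: a QP value line ending in '=' continues on the next line."""
    out = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if QP_PARAM.search(line.split(":", 1)[0]):
            while line.endswith("=") and i + 1 < len(lines):
                i += 1
                line = line[:-1] + lines[i]
        out.append(line)
        i += 1
    return out


def convert_vcard_21_to_30(text: str) -> str:
    """Steps 1 to 3 in one pass: decode QP values, drop the CHARSET/ENCODING params, bump VERSION."""
    lines = text.replace("\r\n", "\n").split("\n")
    result = []
    for line in _unfold_qp_lines(lines):
        if not line:
            continue
        if ":" not in line:
            result.append(line)
            continue
        name, value = line.split(":", 1)
        if name.upper() == "VERSION" and value.strip() == "2.1":
            result.append("VERSION:3.0")
            continue
        if QP_PARAM.search(name):
            # quopri only rewrites '=XX' sequences, so raw UTF-8 already present in the value passes through
            value = quopri.decodestring(value.encode("utf-8")).decode("utf-8", "replace")
            name = CHARSET_PARAM.sub("", QP_PARAM.sub("", name))
        result.append(f"{name}:{value}")
    return "\r\n".join(result) + "\r\n"


def convert_file(src: str, dst: str) -> None:
    """Step 4: write the converted card as UTF-8 with the CRLF line endings vCard expects."""
    with open(src, "rb") as fh:
        text = fh.read().decode("utf-8", "replace")
    with open(dst, "w", encoding="utf-8", newline="") as fh:
        fh.write(convert_vcard_21_to_30(text))


if __name__ == "__main__":
    print(convert_vcard_21_to_30(SAMPLE_VCF_21))
```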

Link to the contacts exported by the mobile app

https://path-to-nextcloud-site.com/apps/files/?dir=/.Contacts-Backup

Useful plugins

Plugin for Outlook

Automatic file deletion

Снежок

Useful commands

Enable previews of office formats:

nano /var/www/html/config/config.php
'preview_libreoffice_path' => '/usr/bin/libreoffice',

Delete the user username together with their directory:

u=username
sudo -u www-data php /var/www/html/occ user:delete $u && rm -rf /var/nextcloud-data/$u

Empty the trash bin for all users

sudo -u www-data php /var/www/html/cloud/occ trashbin:cleanup --all-users

Troubleshooting

Failed to connect to www.nextcloud.com

The logs are full of messages:

GuzzleHttpExceptionConnectException: cURL error 7: Failed to connect to www.nextcloud.com port 80: Connection timed out

The site nextcloud.com really is unavailable at times. Workaround: disable the internet connectivity check:

# Set via occ so the option lands inside the $CONFIG array (a bare echo >> would append it after the closing ");")
sudo -u www-data php /var/www/html/occ config:system:set has_internet_connection --value=false --type=boolean

Or just ignore it.

Some files have not passed the integrity check

After an update, a file signature error:

Some files have not passed the integrity check. Further information on how to resolve this issue can be found in the documentation. (List of invalid files… / Rescan…)

Besides following the recommendations, make sure core/signature.json is current.

«Pretty» links (without index.php) broke

Specified key was too long; max key length is 767 bytes

When updating Nextcloud, an error:

DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_bin ENGINE = InnoDB ROW_FORMAT = compressed’: SQLSTATE[42000]: Syntax error or access violation: 1071 Specified key was too long; max key length is 767 bytes

Solution:

mysql -u root -p cloud
 
MariaDB [cloud]> set global innodb_large_prefix=on;
MariaDB [cloud]> set global innodb_file_format=Barracuda;
quit
 
sudo -u www-data php /var/www/html/occ maintenance:repair
sudo -u www-data php /var/www/html/occ upgrade

The database is missing some indexes

The admin check reports: The database is missing some indexes

Solution:

sudo -u www-data php /var/www/html/occ db:add-missing-indices
# In Docker:
docker exec -u www-data nc php occ db:add-missing-indices

Update failed, PHP loads the system at 100%, the site is stuck in a maintenance mode that cannot be turned off

Disable the scheduled job in crontab.

# Check whether apc cli is enabled:
php -i | grep apc.enable
apc.enable_cli => Off => Off
apc.enabled => On => On
# If not, enable it
echo "apc.enable_cli=1" >> /etc/php/7.4/cli/php.ini
# Change into the NC directory (mandatory!) and run the upgrade again
cd /var/www/html/cloud
sudo -u www-data php occ upgrade

Re-enable the scheduled job in crontab.

https://help.nextcloud.com/t/nextcloud-21-update-needed/108714/25

«Module php-imagick in this instance has no SVG support. For better compatibility it is recommended to install it

Your installation has no default phone region set

sudo -u www-data php /var/www/html/occ config:system:set default_phone_region --value="RU"
# Docker
docker exec -u www-data nc php occ config:system:set default_phone_region --value="RU"

Last background job execution ran 15 hours ago. Something seems wrong

Run it manually

sudo -u www-data php -f /var/www/html/cloud/cron.php

PHP Fatal error: Out of memory (allocated 3533701120) (tried to allocate 36864 bytes) in /var/www/html/lib/private/AppFramework/Utility/SimpleContainer.php on line 133

Warning: The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.

docker exec -uwww-data nc-php php /var/www/html/cloud/occ config:system:set forwarded_for_headers 0 --value="X-Forwarded-For"
# docker exec -uwww-data nc-php php /var/www/html/cloud/occ config:system:set forwarded_for_headers 1 --value="HTTP_X_FORWARDED_FOR"
docker exec -uwww-data nc-php php /var/www/html/cloud/occ config:system:set trusted_proxies 0 --value=reverse-proxy
# docker exec -uwww-data nc-php php /var/www/html/cloud/occ config:system:set trusted_proxies 1 --value="172.16.0.0/12"

https://github.com/nextcloud/docker/issues/800

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html
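To make the warning above concrete, here is an added Python model (not Nextcloud's own PHP code) of how trusted_proxies and forwarded_for_headers interact: a forwarded header is honoured only when the TCP peer is a configured proxy, otherwise any client could set its own apparent address. The header name, proxy ranges and client addresses are constructed example values.

```python
import ipaddress

# Constructed settings mirroring the two occ keys set above (example values, not from a live instance).
TRUSTED_PROXIES = ["172.16.0.0/12", "10.0.0.5"]
FORWARDED_FOR_HEADERS = ["X-Forwarded-For"]


def is_trusted_proxy(remote_addr: str, trusted_proxies) -> bool:
    """True if the TCP peer address is one of the configured proxies (single IP or CIDR range)."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            network = ipaddress.ip_network(entry, strict=False)  # "10.0.0.5" becomes 10.0.0.5/32
        except ValueError:
            continue  # in this model only IP literals and CIDR ranges match; a hostname entry is skipped
        if addr in network:
            return True
    return False


def client_ip(remote_addr: str, headers: dict, trusted_proxies=TRUSTED_PROXIES,
              forwarded_headers=FORWARDED_FOR_HEADERS) -> str:
    """Resolve the client address the way the reverse-proxy warning describes:
    forwarded headers are consulted only when the request really came from a trusted proxy."""
    if not is_trusted_proxy(remote_addr, trusted_proxies):
        # Anyone can send X-Forwarded-For; from an untrusted peer it is ignored, so it cannot spoof the IP.
        return remote_addr
    for name in forwarded_headers:
        value = headers.get(name)
        if not value:
            continue
        for candidate in value.split(","):
            candidate = candidate.strip().strip("[]")
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # skip garbage such as "unknown" and keep looking
    return remote_addr


if __name__ == "__main__":
    # Direct client trying to spoof its address: header ignored.
    print(client_ip("203.0.113.7", {"X-Forwarded-For": "10.10.10.10"}))
    # Same header arriving via a proxy on the Docker network: honoured.
    print(client_ip("172.18.0.2", {"X-Forwarded-For": "203.0.113.7"}))
    # trusted_proxies left empty: every request appears to come from the proxy (the warning's case).
    print(client_ip("172.18.0.2", {"X-Forwarded-For": "203.0.113.7"}, trusted_proxies=[]))
```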

Docker — exec: «php»: executable file not found in $PATH

After upgrading the PHP container from version 7.4 to 8.0, trying to run php occ inside the container gives the error:

OCI runtime exec failed: exec failed: unable to start container process: exec: «php»: executable file not found in $PATH: unknown

The problem is that the Alpine distribution does not automatically create the symbolic link php8 → php, since not all packages are ready for php8. Solution: add to the Dockerfile

ln -sf /usr/bin/php8 /usr/bin/php # -f: overwrite the link if it already exists (from an earlier creation)

The __Host prefix mitigates cookie injection

The client hangs after starting synchronization

Situation: the client hangs almost immediately after start, loads the CPU, the settings cannot be opened, the logs show nothing intelligible, and reinstalling different versions or deleting the service files in the sync directory does not help.

Solution:

# kill the process
Get-Process nextcloud | Stop-Process
# start synchronization with nextcloudcmd (the call operator & is needed to run a quoted path)
& "$env:ProgramFiles\Nextcloud\nextcloudcmd.exe" --silent `
"$env:USERPROFILE\Nextcloud" https://bva.dyndns.info/cloud

Then start the client, go to Settings → Network and remove the download/upload speed limits.

https://docs.nextcloud.com/desktop/latest/advancedusage.html#nextcloud-command-line-client

Links

Install Nextcloud in FreeNAS

Nextcloud is a suite of client-server software for creating and using file hosting services. This FreeNAS: Nextcloud Install with SSL article will show you how to configure your Nextcloud application securely. Nextcloud is functionally similar to Dropbox; however, unlike Dropbox, Nextcloud does not offer off-premises file storage hosting. Instead, Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices. In contrast to proprietary services like Dropbox, the open architecture allows adding functionality to the server in the form of applications and enables users to have full control of their data.

I made the switch from DropBox to NextCloud for two reasons. For a long time I was uncomfortable having my data with a big company like Dropbox who has been widely criticized for security and privacy breaches. The second reason is that there is no good implementation of DropBox for FreeNAS, at least at this point. You can sync data one way to dropbox, but there is no good way to sync two ways.

This article was originally written for FreeNAS version 11.2-U6 and has been updated for 11.3-U9. It will show you how to install Nextcloud on your FreeNAS server, secure it and then access it remotely. Following the install of Nextcloud, you will want to follow this article FreeNAS: NextCloud Access to Mount Points using External Storage and Proper Permissions which shows you how to setup external storage with proper permissions.

This is part of my ongoing series of TrueNAS and FreeNAS setup, configuration and install articles.

Installing NextCloud

The first step in this FreeNAS: Nextcloud Install with SSL article is to (surprise!) install Nextcloud, which is actually pretty simple. Just do the standard plug-in install of Nextcloud from the FreeNAS WebUI plugins tab. Click Plugins -> Available -> Nextcloud -> Three dots on the right -> Install.

Follow the instructions and once it is done a popup window will appear with critical information. Copy all of the information that is displayed in the window to a text document so we can use it later.

Make sure you are happy with the IP which will be assigned to the jail; if you change it later you have to do a bunch of additional reconfiguration work. Once you are happy, start the jail.

Now log in to the Nextcloud WebUI page by navigating to the IP that has been assigned to your jail, and you will see the following.

Nextcloud Install on FreeNAS


Create an admin username and password, and then enter the database name, user and password which you copied into a text document in the step above. Leave localhost. Click ‘Finish Setup’ and it will log into your Nextcloud server.

If you're getting an "Access through untrusted domain" Nextcloud error message, then you will need to edit the /usr/local/www/nextcloud/config/config.php file. I use the nano text editor, and you may need to install it first using pkg install nano. In this file, after the line containing 'trusted_domains', there will be lines starting with 0 =>, 1 =>, etc., and you will need to put the local IP address assigned to your jail on a new line below them, starting with the next number in sequence. In my case I added a line which reads: 2 => '192.168.1.127',. Pay close attention to the syntax. When you're done, it should look something like the image below.

FreeNAS: Nextcloud WebUI Access through untrusted domain error


Save the file, exit the editor and restart your jail/plugin. You should now be able to navigate to the Nextcloud WebUI.

If, when accessing the WebUI, you aren't prompted to create a user, you are likely going to have to do it from the command line. So head to your shell (or SSH) and complete the following steps:

  1. The commands have to be run as the www user so, switch to that user using: su -m www
  2. Create the user ‘admin’ using the OCC (Nextcloud’s command-line interface) by running: php /usr/local/www/nextcloud/occ user:add admin
  3. Now you need to give the user admin privileges by adding them to the admin group by running (the first 'admin' is the group name and the second is the username): php /usr/local/www/nextcloud/occ group:adduser admin admin

You will be prompted to insert a password. Of course you can replace admin with any username you would like.

Setting Up HTTPS

Now for the securing part of this FreeNAS: Nextcloud Install with SSL article. We are now going to set up HTTPS for more secure access, so that passwords are not sent in plain text. You will need to drop to a shell of your Nextcloud jail, and we will create an SSL key. Once at the command prompt, let's create a directory for your SSL keys and then navigate there:

mkdir -p /usr/local/etc/ssl/nginx
cd /usr/local/etc/ssl/nginx

Generate an SSL key:
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout nextcloud.key -out nextcloud.crt

Follow the command-prompt instructions and enter the location and organization information you would like to have associated with your server.

Set the correct permissions for your keys:
chmod 400 /usr/local/etc/ssl/nginx/nextcloud.key

Edit the nginx config file using nano /usr/local/etc/nginx/nginx.conf and, after this line:

# Basic settings
# ———-

paste the following:

server {
listen 80;
listen [::]:80;
server_name [server name];
return 301 https://$server_name$request_uri;
}

It should look like what is included in the following image:

FreeNAS Nextcloud nginx.conf SSL Setup


Now we need to edit the Nextcloud config file using this command:
nano /usr/local/etc/nginx/conf.d/nextcloud.conf

At the start of the file, replace:

server {
listen 80;
server_name _;

with:

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name [servername];
ssl_certificate /usr/local/etc/ssl/nginx/nextcloud.crt;
ssl_certificate_key /usr/local/etc/ssl/nginx/nextcloud.key;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

Save the file and that should be it. Now you can restart your Nextcloud jail/plugin and log in to your site using https://[ipaddress].

If things don’t work, check your error log at: /var/log/nginx/error.log

External Access

If you want to add the ability to connect externally, you will need to add the external domain or IP address to the /usr/local/www/nextcloud/config/config.php file. Edit this file using nano and add the line 1 => 'your ip or domain name', below the line that starts something like 0 => '192.168.1.203',. The line you are looking for should contain the local IP address of your server. In the example image below, I've entered '8.8.8.8' in the spot in which you should put your external IP (or domain name, if you have one).

FreeNAS Nextcloud SSL Setup Add External Access


Save the file, exit the editor and restart your jail/plugin. You should now be able to navigate to your server from your external ip address with https://[externalipaddress].

Optional Configuration

If you want to change the location of the data directory from the default (/usr/local/www/nextcloud/data), then edit the config file by running:

nano /usr/local/www/nextcloud/config/config.php

and change the ‘datadirectory’ variable to the path of your choice.

Linking NextCloud to Jail Mount Points

Linking Nextcloud to the rest of your FreeNAS server through mount points is probably the most powerful way to use Nextcloud. I've put together an article which describes exactly how to do this, with the correct permissions: FreeNAS: NextCloud Access to Mount Points using External Storage and Proper Permissions

OK, so that’s it for this FreeNAS: Nextcloud Install with SSL article and you should now be up and running with your own cloud server using Nextcloud.

Happy Nextcloudin’

~digiMoot

Sources:
https://www.youtube.com/watch?v=QhUhZA28Xn8
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/occ_command.html#user-commands-label


Nextcloud can use a free Let's Encrypt SSL certificate

This is relevant if the user has their own domain or can acquire one, and also if there is a wish to remove the browser warning about an untrusted SSL certificate. The warning appears because, by default, Nextcloud uses a self-signed SSL certificate issued «to itself» rather than a certificate issued by a trusted certification authority that browsers consider trustworthy.

To create and configure a Let's Encrypt certificate:

1. In the DNS zone of your domain, create an «A» record with the desired Nextcloud server name and, as its value, the IP address of your virtual data center.

For example,
Server name: nextcloud.cloud4y.ru
IP address: 1.1.1.1

2. Log in to the server console via the cloud control panel or with an SSH client.

3. Run the following command in the console:

snap run nextcloud.occ config:system:set trusted_domains 1 --value=имя_вашего_сервера

For example,
snap run nextcloud.occ config:system:set trusted_domains 1 --value=nextcloud.cloud4y.ru

4. Run the following command in the console:

snap run nextcloud.enable-https lets-encrypt

After running the command you will need to:
 — agree to the installer's requirements (y),
 — enter your e-mail address,
 — enter the server name chosen earlier

5. After these steps you can access the server by name and enjoy the absence of browser warnings.

  • #1

I’ve followed this tutorial and had next cloud working locally until somewhere around the heading “Let’s Cache”. Now when I try and access the page locally I get this error:

Code:

192.168.1.93 sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

The Apache log shows the following:

Code:

[Tue Nov 06 23:16:53.971634 2018] [mpm_prefork:notice] [pid 81295] AH00169: caught SIGTERM, shutting down
[Tue Nov 06 23:16:54.084130 2018] [ssl:warn] [pid 81814] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Nov 06 23:16:54.135464 2018] [mpm_prefork:notice] [pid 81814] AH00163: Apache/2.4.35 (FreeBSD) OpenSSL/1.0.2o-freebsd PHP/7.1.22 configured -- resuming normal operations
[Tue Nov 06 23:16:54.135499 2018] [core:notice] [pid 81814] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'

I googled Init: Session Cache is not configured and found a suggestion to uncomment another line in the httpd.conf file which I did but without any success. Does anyone have any recommendations as to the next step I should take to try and get this working?

Thank you

Loren

dlavigne

Guest
  • #2

Were you able to figure this out?

  • #3

If not, it might be better to post on the thread for the how-to you’re following.

  • #4

I haven't, but I also have just made a little progress in narrowing down the problem tonight. I have a feeling that it's a certificate error. When I run this command:

Code:

certbot certonly --webroot -w /usr/local/www/apache24/data/nextcloud -d YOURSITE.COM 

This is the error I get:

Code:

IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: zimmvpn2.ddns.net
Type:   unauthorized
Detail: Invalid response from
http://zimmvpn2.ddns.net/.well-known/acme-challenge/FtRmYOYG6PWcQztD1DIWUHVjIsjyS94PWzk4SLbymoc:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
2.0//EN">n<html><head>n<title>404 Not
Found</title>n</head><body>n<h1>Not Found</h1>n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
  • #5

No, that isn’t a certificate error; it means that certbot is putting the challenge file in the wrong place for Let’s Encrypt to find it—or, in the alternative, Let’s Encrypt isn’t connecting to the right server in the first place.

  • #6

No, that isn’t a certificate error; it means that certbot is putting the challenge file in the wrong place for Let’s Encrypt to find it—or, in the alternative, Let’s Encrypt isn’t connecting to the right server in the first place.

Thank you!
Where do I find where the config for Let’s Encrypt or what server it’s connecting to?

  • #7

I’ve noticed after going through the tutorial that I’m not able to get to next cloud by simply entering the jail IP but I have to add /nextcloud to view the web page. Is this an indicator that there is something wrong with my configuration?

  • #8

It could be. Perhaps you should ask that question on the thread for the how-to you followed.

  • #9

@danb35 you were right a bunch of the questions that I asked were in the tutorial thread. I found a couple of mistakes that I had made and decided to recreate the jail. Now I’ve hit an error that I couldn’t find in the tutorial thread. When I restart apache24 this is the error I get:

Code:

httpd: Syntax error on line 548 of /usr/local/etc/apache24/httpd.conf: Syntax error on line 21 of /usr/local/etc/apache24/Includes/myurl.net.conf: /usr/local/etc/apache24/Includes/myurl.net.conf:21: <VirtualHost> was not closed.

Here is the conf file:

Code:

<VirtualHost *:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName myurl.net
RewriteEngine on
RewriteCond %{SERVER_NAME} =myurl.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
#ErrorLog ${APACHE_LOG_DIR}/error.log
#CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /usr/local/www/apache24/data/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /usr/local/www/apache24/data/nextcloud
SetEnv HTTP_HOME /usr/local/www/apache24/data/nextcloud
Satisfy Any
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin myemail
ServerName myurl.net
DirectoryIndex index.php
DocumentRoot /usr/local/www/apache24/data/nextcloud
SSLCertificateFile /usr/local/etc/letsencrypt/live/myurl.net/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/myurl.net/privkey.pem
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol  all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder  on
SSLCompression  off
SSLOptions +StrictRequire
<Directory /usr/local/www/apache24/data/nextcloud>
AllowOverride all
</Directory>

Any help is greatly appreciated.

  • #10

Never mind. I missed copying </VirtualHost> at the end of the 443 section. ugg

  • #11

Were you able to figure this out?

I haven't. I have just responded to the original tutorial thread for help.

Prerequisites

You need to have completed the first two guides in this series:

  1. How to install Nextcloud on a Raspberry Pi

  2. Setting up Dynamic DNS for your Nextcloud server

Introduction

In this tutorial, we'll be showing you how to create an SSL certificate for your Nextcloud server. We'll also be doing our best to show you how to configure port forwarding on your home router. Port forwarding will essentially provide a path from the Internet to your Nextcloud server. Routers need to be told exactly where information needs to go. Usually, you don't have to worry about such obstacles because 99.9% of home Internet users only take information from services on the Internet. It's those 0.01%, like yourselves, who need to make something inside your home available to the Internet. This may sound scary; however, as long as you use an SSL certificate along with strong passwords on your Raspberry Pi and your Nextcloud user accounts, you minimise the risk.

Configuring Port Forwarding

You first need to forward ports 80 and 443 (port 80 carries unencrypted website traffic, and port 443 carries encrypted website traffic) to your Raspberry Pi. To do this, you’ll need to login to your home router’s web page. You’ll need to determine your router address to do this. It’s usually on a sticker attached to your router. It will almost always start with «192.168…» along with a username and password. Once you have these three things, open up a web browser and enter the address into the address bar. You should then be presented with a web page asking for your username and password, which you grabbed from the sticker.

Now that you’re logged into your router, you need to find the Port Forward settings page. It will usually be found under a ‘Security’ heading. Once you’ve found it, you’ll need to create two rules; one for port 80 and another for port 443.

Here’s an example of adding the port 80 rule on a Virgin home router:

Once you’ve added both rules and your router’s rebooted, you should be ready for the next step.

Creating your SSL certificate with Let’s Encrypt

You’ll first need to install ‘Certbot’:

$ sudo apt-get install python-certbot-apache

Once that’s installed you’ll need to run the following to create your certificate. You will need to enter the domain name that you setup in the previous guide:

$ sudo certbot --apache -m your@email.com -d joescloud.dynamic-dns.net -d www.joescloud.dynamic-dns.net

During the installation you may be asked which virtual host you would like to choose. Choose the option that has 'HTTPS' in the third column. You may then be prompted to choose whether or not to redirect HTTP traffic; choose 'Redirect', so that browsers (and the Nextcloud apps) are never able to send your password over plain HTTP.

Configuring trusted domains

You'll now need to add your public hostnames to the trusted domains in your Nextcloud configuration file. Nextcloud compares the Host header of every request against this list to prevent host header poisoning, so each entry must be a bare hostname or IP address (optionally with a port), never a URL: an entry such as 'https://joescloud.dynamic-dns.net' can never match a Host header and silently protects nothing. To edit the file, type the following command:

$ sudo nano /var/www/nextcloud/config/config.php

Now add the two public hostnames to 'trusted_domains' and set 'overwriteprotocol' and 'overwrite.cli.url' as shown below, changing them to your setup. The overwrite settings make Nextcloud generate share links and e-mails with your public https:// address instead of the LAN address. Save the file by pressing <Ctrl> + x followed by Y and then press <Enter>.
(Don't forget the commas at the end of each entry.)

<?php
$CONFIG = array (
'instanceid' => 'ocvtfvhdwjai',
'passwordsalt' => 'O18XcdsdsdcQfFuN8AkvVf+e87',
'secret' => 'Mkk/o5h319wsdG/vl1jEZGnlZRZqJYSs9iUM',
'trusted_domains' =>
array (
0 => '192.168.0.10',
1 => 'joescloud.dynamic-dns.net',
2 => 'www.joescloud.dynamic-dns.net',
),
'datadirectory' => '/media/data',
'dbtype' => 'mysql',
'version' => '18.0.3.0',
'overwriteprotocol' => 'https',
'overwrite.cli.url' => 'https://www.joescloud.dynamic-dns.net',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'nextcloud',
'dbpassword' => 'nextcloud',
'installed' => true,
);

Now restart the Apache2 service:

$ sudo systemctl restart apache2

Let's Encrypt certificates expire after 90 days, so renewal has to be automated. On Debian-based systems the certbot package already installs a systemd timer that runs 'certbot renew' twice a day and renews any certificate that is within 30 days of expiry; you can confirm it is active with:

$ systemctl list-timers certbot.timer

If your system has no such timer, create a cron job instead. Run the command below:

$ sudo crontab -e

You'll be asked which editor to use, choose 'nano'. Add the following line to the bottom of this file and save the file by pressing <Ctrl> + x followed by Y and then press <Enter>:

0 3 * * * /usr/bin/certbot renew --quiet

(A line of the form 'certbot renew & > /dev/null' does not do what it looks like: the '&' puts certbot in the background and the redirect applies to an empty command, so errors are lost rather than silenced.) Because the certificate was created with the Apache plugin, renewal reloads Apache automatically. Check the whole renewal process once without touching your real certificate:

$ sudo certbot renew --dry-run

That’s it, you should now be able to visit your Nextcloud server from outside your home, by typing in your domain into a web browser, or downloading the Nextcloud app.
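The certificate, trusted-domains and renewal steps above, collected into one script as an added example (this is not code from the tutorial or from the Nextcloud project). It uses Nextcloud's own 'occ' tool instead of hand-editing config.php, which keeps the file syntactically valid and makes re-runs harmless, and it refuses trusted_domains entries that are URLs rather than hostnames. The install path /var/www/nextcloud, the LAN address and the domain names are the tutorial's; the function names and the 'apply' argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example: issue a Let's Encrypt certificate, register the public
# hostnames as Nextcloud trusted domains, and check unattended renewal.
# Paths and names come from the tutorial; everything else is assumed.
# Usage: sh nextcloud-tls.sh apply
set -eu

NC_DIR=/var/www/nextcloud            # tutorial's install location (assumed)
EMAIL=your@email.com
DOMAINS="joescloud.dynamic-dns.net www.joescloud.dynamic-dns.net"

occ() { sudo -u www-data php "$NC_DIR/occ" "$@"; }

# trusted_domains entries are matched against the HTTP Host header, which
# carries no scheme or path. Accept host[:port] or an IP literal and reject
# anything that looks like a URL: an entry such as "https://example.net"
# can never match a Host header, so it protects nothing.
is_valid_trusted_domain() {
    case "$1" in
        ''|*'://'*|*/*|*' '*) return 1 ;;
    esac
    return 0
}

# Write the trusted_domains list: index 0 stays the LAN address the
# installer wrote; the public hostnames follow. occ writes config.php for
# us, so there are no missing commas and the step can be repeated safely.
set_trusted_domains() {
    lan_ip=$1; shift
    i=0
    for host in "$lan_ip" "$@"; do
        is_valid_trusted_domain "$host" || {
            echo "refusing trusted_domains entry (must be host[:port], not a URL): $host" >&2
            return 1
        }
        occ config:system:set trusted_domains "$i" --value="$host"
        i=$((i + 1))
    done
}

# Non-interactive equivalent of the tutorial's "certbot --apache" run,
# including the HTTP-to-HTTPS redirect.
issue_certificate() {
    args=""
    for d in $DOMAINS; do args="$args -d $d"; done
    # shellcheck disable=SC2086
    sudo certbot --apache --non-interactive --agree-tos --redirect -m "$EMAIL" $args
}

configure_nextcloud() {
    # shellcheck disable=SC2086
    set_trusted_domains 192.168.0.10 $DOMAINS
    # Tell Nextcloud it is reached over HTTPS so generated links (share
    # links, password-reset mails) use the public name and scheme.
    occ config:system:set overwriteprotocol --value=https
    occ config:system:set overwrite.cli.url --value="https://www.joescloud.dynamic-dns.net"
}

# A dry run proves renewal (and the Apache reload it triggers) works
# without consuming Let's Encrypt rate limits.
check_renewal() {
    sudo certbot renew --dry-run
}

if [ "${1:-}" = "apply" ]; then
    issue_certificate
    configure_nextcloud
    check_renewal
fi
```

Run it once with the 'apply' argument after the port-forwarding step; without the argument it only defines the functions, so the validator can be sourced and reused on its own.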

From the nextcloud.log

{
  "reqId": "XdMKSmiSE5XqWpnRNbW8eAAAAMk",
  "level": 4,
  "time": "2019-11-18T21:16:58+00:00",
  "remoteAddr": "192.168.1.22",
  "user": "ncp",
  "app": "webdav",
  "method": "PUT",
  "url": "\/remote.php\/webdav\/Documents\/Mobile\/Videos\/1556817465406.JPEG",
  "message": {
    "Exception": "Sabre\\DAV\\Exception\\BadRequest",
    "Message": "Expected filesize of 48242 bytes but read (from Nextcloud client) and wrote (to Nextcloud storage) 8192 bytes. Could either be a network problem on the sending side or a problem writing to the storage on the server side.",
    "Code": 0,
    "Trace": [
      {
        "file": "\/var\/www\/nextcloud\/apps\/dav\/lib\/Connector\/Sabre\/Directory.php",
        "line": 156,
        "function": "put",
        "class": "OCA\\DAV\\Connector\\Sabre\\File",
        "type": "->",
        "args": [
          null
        ]
      },
      {
        "file": "\/var\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php",
        "line": 1096,
        "function": "createFile",
        "class": "OCA\\DAV\\Connector\\Sabre\\Directory",
        "type": "->",
        "args": [
          "1556817465406.JPEG",
          null
        ]
      },
      {
        "file": "\/var\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/CorePlugin.php",
        "line": 525,
        "function": "createFile",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          "Documents\/Mobile\/Videos\/1556817465406.JPEG",
          null,
          null
        ]
      },
      {
        "function": "httpPut",
        "class": "Sabre\\DAV\\CorePlugin",
        "type": "->",
        "args": [
          {
            "absoluteUrl": "https:\/\/bovarde.mooo.com\/remote.php\/webdav\/Documents\/Mobile\/Videos\/1556817465406.JPEG",
            "__class__": "Sabre\\HTTP\\Request"
          },
          {
            "__class__": "Sabre\\HTTP\\Response"
          }
        ]
      },
      {
        "file": "\/var\/www\/nextcloud\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php",
        "line": 105,
        "function": "call_user_func_array",
        "args": [
          [
            {
              "__class__": "Sabre\\DAV\\CorePlugin"
            },
            "httpPut"
          ],
          [
            {
              "absoluteUrl": "https:\/\/bovarde.mooo.com\/remote.php\/webdav\/Documents\/Mobile\/Videos\/1556817465406.JPEG",
              "__class__": "Sabre\\HTTP\\Request"
            },
            {
              "__class__": "Sabre\\HTTP\\Response"
            }
          ]
        ]
      },
      {
        "file": "\/var\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php",
        "line": 479,
        "function": "emit",
        "class": "Sabre\\Event\\EventEmitter",
        "type": "->",
        "args": [
          "method:PUT",
          [
            {
              "absoluteUrl": "https:\/\/bovarde.mooo.com\/remote.php\/webdav\/Documents\/Mobile\/Videos\/1556817465406.JPEG",
              "__class__": "Sabre\\HTTP\\Request"
            },
            {
              "__class__": "Sabre\\HTTP\\Response"
            }
          ]
        ]
      },
      {
        "file": "\/var\/www\/nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php",
        "line": 254,
        "function": "invokeMethod",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          {
            "absoluteUrl": "https:\/\/bovarde.mooo.com\/remote.php\/webdav\/Documents\/Mobile\/Videos\/1556817465406.JPEG",
            "__class__": "Sabre\\HTTP\\Request"
          },
          {
            "__class__": "Sabre\\HTTP\\Response"
          }
        ]
      },
      {
        "file": "\/var\/www\/nextcloud\/apps\/dav\/appinfo\/v1\/webdav.php",
        "line": 80,
        "function": "exec",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          
        ]
      },
      {
        "file": "\/var\/www\/nextcloud\/remote.php",
        "line": 163,
        "args": [
          "\/var\/www\/nextcloud\/apps\/dav\/appinfo\/v1\/webdav.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "\/var\/www\/nextcloud\/apps\/dav\/lib\/Connector\/Sabre\/File.php",
    "Line": 228,
    "CustomMessage": "--"
  },
  "userAgent": "Mozilla\/5.0 (Android) Nextcloud-android\/3.9.0",
  "version": "17.0.1.1"
}


Actual behaviour

Working with the ownCloud app stopped working suddenly; now I get the error "SSL initialization failed". I tried to delete my account in the app, but now I'm not able to reconnect to my ownCloud server, with the same error: "SSL initialization failed".
The problem came up after an update of the phone's OS (at least I think so).
The device is a Blackberry Z10, which is able to run Android apps since there is a special Android layer within the OS called Android Player.
Using the web interface of the ownCloud server from within the browser on the phone works.

I'm pretty sure the problem lies in the server's SSL configuration. But I'm not able to find the cause or to adjust the settings. And I don't have access to all the config data, since it is a shared server.
Test on https://www.ssllabs.com/ssltest/ gives A+

Expected behaviour

Of course I would like to connect to the server using the app.

Steps to reproduce

  1. In the app try to add a new account
  2. Type in the server address: https://….
  3. The connection will be tested and the test ends with the mentioned error message

Can this problem be reproduced with the official owncloud server?
(url: https://demo.owncloud.org, user: test, password: test)

No, I’m not able to reproduce the problem with demo.owncloud.org. It works fine.

Environment data

Android version: Blackberry OS 10.3.3.2163

Device model: Blackberry Z10

Stock or customized system: Stock system

ownCloud app version: 2.4.0

ownCloud server version: ownCloud 9.0.10 (stable)

Logs

Web server error log

(It’s a snippet of Sep 04 because I’ve done on this day one connection test only)

[Mon Sep 04 09:14:06.393452 2017] [core:info] [pid 2434:tid 139994651911936] [client 114.215.149.183:55807] AH00128: File does not exist: /usr/www/users/epperl/phpMyAdmin/scripts/setup.php
[Mon Sep 04 09:14:16.372147 2017] [core:info] [pid 23727:tid 139995031238400] [client 114.215.149.183:56378] AH00128: File does not exist: /usr/www/users/epperl/pma/scripts/setup.php
[Mon Sep 04 09:14:26.348904 2017] [core:info] [pid 23727:tid 139994685482752] [client 114.215.149.183:56984] AH00128: File does not exist: /usr/www/users/epperl/myadmin/scripts/setup.php
[Mon Sep 04 14:30:50.206051 2017] [cgid:error] [pid 5214:tid 140154913056512] [client 186.207.19.19:60643] AH01262: Options ExecCGI is off in this directory: /usr/www/users/epperl/hndUnblock.cgi
[Mon Sep 04 14:30:53.226046 2017] [cgid:error] [pid 17409:tid 140154723337984] [client 186.207.19.19:60657] AH01262: Options ExecCGI is off in this directory: /usr/www/users/epperl/tmUnblock.cgi
[Mon Sep 04 14:30:56.232938 2017] [core:info] [pid 17565:tid 140154748516096] [client 186.207.19.19:60674] AH00128: File does not exist: /usr/www/users/epperl/moo
[Mon Sep 04 19:11:56.425481 2017] [core:info] [pid 17409:tid 140154756908800] [client 122.154.239.109:55604] AH00128: File does not exist: /usr/www/users/epperl/phpMyAdmin/scripts/setup.php
[Mon Sep 04 19:13:14.624921 2017] [core:info] [pid 17565:tid 140154913056512] [client 122.154.239.109:60436] AH00128: File does not exist: /usr/www/users/epperl/pma/scripts/setup.php
[Mon Sep 04 19:14:32.891888 2017] [core:info] [pid 17565:tid 140154871092992] [client 122.154.239.109:49344] AH00128: File does not exist: /usr/www/users/epperl/myadmin/scripts/setup.php
[Mon Sep 04 20:51:31.187401 2017] [core:info] [pid 17442:tid 140154773694208] [client 163.172.64.133:55514] AH00128: File does not exist: /usr/www/users/epperl/a2billing/admin/Public/index.php
[Mon Sep 04 21:22:53.983987 2017] [core:info] [pid 17442:tid 140154740123392] [client 163.172.64.133:47040] AH00128: File does not exist: /usr/www/users/epperl/a2billing/admin/Public/index.php
[Mon Sep 04 23:50:25.646046 2017] [core:info] [pid 14247:tid 140154862700288] [client 93.65.210.204:33160] AH00128: File does not exist: /usr/www/users/epperl/phpMyAdmin/scripts/setup.php
[Mon Sep 04 23:50:30.732396 2017] [core:info] [pid 14247:tid 140155039278848] [client 93.65.210.204:34045] AH00128: File does not exist: /usr/www/users/epperl/pma/scripts/setup.php
[Mon Sep 04 23:50:35.815685 2017] [core:info] [pid 19423:tid 140154913056512] [client 93.65.210.204:34943] AH00128: File does not exist: /usr/www/users/epperl/myadmin/scripts/setup.php

Insert your webserver log here
You can find it here: https://epperleinberlin.name/owncloud/index.php/s/lEOBBa8bKCcccsN
But there isn’t any related content, I’m afraid.

ownCloud log (data/owncloud.log)

There aren’t any entries for Sep 04 (see above). This here doesn’t seem to be related:

{"reqId":"GViceHXQA+JWwOswSf62","remoteAddr":"87.164.xx.xx","app":"files_versions","message":"Mark to expire /documents/Heike/xxxxxxxxxxxxxxx.odt next version should be 1503083250 or smaller. (prevTimestamp: 1503169650; step: 86400","level":1,"time":"2017-09-05T18:30:59+00:00","method":"GET","url":"/owncloud/cron.php","user":"--"}
{"reqId":"GViceHXQA+JWwOswSf62","remoteAddr":"87.164.xx.xx","app":"files_versions","message":"Expire: /documents/Heike/xxxxxxxxxxx.odt.v1503169495","level":1,"time":"2017-09-05T18:30:59+00:00","method":"GET","url":"/owncloud/cron.php","user":"--"}
{"reqId":"Q3MGKJVQALfyM4QRy/bz","remoteAddr":"87.164.xx.xx","app":"PHP","message":"Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. at Unknown#0","level":3,"time":"2017-09-05T18:43:12+00:00","method":"POST","url":"/owncloud/index.php/heartbeat","user":"xxxx"}
{"reqId":"Uh/rOHJv5T7MPrOvQBGV","remoteAddr":"87.164.xx.xx","app":"PHP","message":"Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. at Unknown#0","level":3,"time":"2017-09-05T19:02:56+00:00","method":"POST","url":"/owncloud/index.php/heartbeat","user":"xxxx"}
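An added diagnostic for reports like the one above (this is example code, not something the reporter or the ownCloud project posted): an A+ grade on SSL Labs is computed against modern browsers and says nothing about what an old client stack such as the Blackberry Android Player can still negotiate. The script below asks the server directly, one TLS version at a time, using openssl s_client, and prints the leaf certificate's key type, since a server that only offers ECDSA suites or TLS 1.2+ will reject clients that lack them. The function names and the s_client transcript used to exercise the parser are this example's own.

```shell
#!/bin/sh
# Added example: see which TLS protocol versions and cipher suites a server
# will negotiate, using openssl s_client. Helper names are assumptions of
# this example. Usage: sh tls-probe.sh host [port]
set -eu

# Reduce an s_client transcript to "PROTOCOL CIPHER", e.g.
# "TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256", or "FAILED" when no session was
# negotiated (s_client then prints "New, (NONE), Cipher is (NONE)").
summarize_handshake() {
    line=$(printf '%s\n' "$1" \
           | sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
    case "$line" in
        ''|'(NONE) (NONE)') echo FAILED ;;
        *) echo "$line" ;;
    esac
}

# Try one protocol version (an s_client flag such as -tls1_2) against
# host:port. SNI is set explicitly because a shared or virtual-host server
# may present a different default certificate without it.
probe_version() {
    host=$1; port=$2; flag=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
          </dev/null 2>/dev/null || true)
    printf '%-8s %s\n' "$flag" "$(summarize_handshake "$out")"
}

# Older mobile stacks may speak only TLS 1.0/1.1; a server that answers
# FAILED for everything except -tls1_2/-tls1_3 will reject them, however
# good its SSL Labs grade is.
probe_all() {
    host=$1; port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe_version "$host" "$port" "$flag"
    done
}

# Show the leaf certificate's key type and curve: an ECDSA (e.g. secp384r1)
# leaf can only be used with ECDSA cipher suites, which some older clients
# do not support at all.
show_leaf_key() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -text \
      | grep -E 'Public Key Algorithm|Public-Key|ASN1 OID|NIST CURVE'
}

if [ $# -ge 1 ]; then
    probe_all "$@"
    show_leaf_key "$@"
fi
```

Compare the rows that print FAILED with what the failing client can actually speak; if the only surviving rows are TLS 1.2/1.3 with ECDSA-only suites, the fix is on the server side (an RSA certificate alongside the ECDSA one, or a broader protocol list), not in the app.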

Alarm Explanation

SSL initialization failed.

Alarm Properties

Alarm ID: 17

Alarm Severity: Important

Alarm Type: Communications alarm

Alarm Parameters

Parameter Meaning: Error code indicating the failure to update the network address book

Value reported: SSL initialization failed.

Impact on the System

The system fails to load the network address book.

Possible Causes

SSL initialization failed.

Processing Steps

  1. Verify that the network connection is normal and the network configuration is correct.
  2. If the network connection is normal and the network configuration is correct, restart the system and redownload the address book.
  3. If the fault persists, contact service engineers.

Hello:

We just installed a global certificate into our VMware View Connection Server and now remote ThinApp VMware clients and web clients fail to work. With the ThinApp View Client, it successfully talks to the connection server and authenticates the user, but when it tries to establish the tunnel connection, it fails with the error, "The View Connection Server authentication failed. The SSL initialization while connecting to server 'https://a.b.c:443' failed."

This is definitely not a resolving issue. When the name cannot be resolved by the client, the error message reads "The View Connection Server authentication failed. The server name 'http://a.b.c:443' could not be resolved. . . ."

I have also confirmed this with packet sniffing. The client opens a connection to port 443 on the View Connection Server then appears to reject the server’s certificate. (A TLS notify and close alert is sent by the client.) When connecting for authentication instead of establishing the tunnel, there are no issues.

I am wondering if the fact that the certificate is a wildcard certificate may contribute to this issue. E.g. if the tunnel portion of the client were written using a different SSL/TLS library than the authentication portion, maybe this would cause issues.

The most confusing part of this issue is that the ThinApp client is okay with the certificate on the LAN (these are different machines).

Any other advice would be appreciated.

Thank you!

Update: In the client application logs, the following error appears.

SSL: ClientHandshake: InitializeSecurityContext FAILED, Error 0x80090308 (The token supplied to the function is invalid.)

The exact same ThinApped View Client does not generate this message on machines on the LAN. Unfortunately, I am unable to try attaching a remote machine to the LAN to test due to policy.

