Apache SSL certificate renewal

Steps to reproduce

I’m trying to add a certificate as per the instructions here: https://doc.owncloud.com/server/admin_manual/appliance/configuration/certificates.html

  1. I try to execute the first command: ucr set apache2/ssl/certificate="/etc/[MYPATH]"

But I get an error:

Command ‘ucr’ not found, did you mean:

command ‘ur’ from deb libur-perl
command ‘ucfr’ from deb ucf
command ‘acr’ from deb acr
command ‘ccr’ from deb codecrypt
command ‘ucc’ from deb exult-studio
command ‘ucf’ from deb ucf

Try: sudo apt install

Server configuration

Operating system: Ubuntu v18.04

Web server: 2.4.29

Database: MySQL 5.0.12

PHP version: 7.2.10

ownCloud version: 10

Updated from an older ownCloud or fresh install: 9

Where did you install ownCloud from: [http://download.owncloud.org/download/repositories/production/Ubuntu_18.04/ ]

Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.
Says: "No errors have been found."


**The content of config/config.php:**

<?php
$CONFIG = array (
  'updatechecker' => false,
  'instanceid' => 'HIDDEN',
  'passwordsalt' => 'HIDDEN',
  'secret' => 'HIDDEN',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'HIDDEN',
  ),
  'datadirectory' => '/mnt/hgfs/HIDDEN',
  'overwrite.cli.url' => 'http://localhost/owncloud',
  'dbtype' => 'mysql',
  'version' => '10.0.10.4',
  'dbname' => 'HIDDEN',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'HIDDEN',
  'dbpassword' => 'HIDDEN',
  'files_external_allow_create_new_local' => 'true',
  'logtimezone' => 'Europe/London',
  'installed' => true,
  'mail_from_address' => 'info',
  'mail_smtpmode' => 'smtp',
  'mail_domain' => 'HIDDEN',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtphost' => 'HIDDEN',
  'mail_smtpport' => '25',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'mail_smtpauth' => 1,
  'appstore.experimental.enabled' => true,
  'mail_smtpname' => 'HIDDEN',
  'mail_smtppassword' => 'HIDDEN',
  'log_type' => 'owncloud',
  'logfile' => '/var/log/owncloud.log',
  'loglevel' => 3,
  'syslog_tag' => 'ownCloud',
  'logdateformat' => 'F d, Y H:i:s',
  'log_query' => true,
  'debug' => false,
  'maintenance' => false,
);

Log in to the web-UI with an administrator account and click on
‘admin’ -> ‘Generate Config Report’ -> ‘Download ownCloud config report’
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

ATTENTION: Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to diligently
remove all host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.


**List of activated apps:**

Calendar
Text Editor
PDF Viewer
Gallery
Activity
Audio Player
Password Policy
Market
Mail Template Editor
Camera RAW Previews
Media Viewer

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.


**Are you using external storage, if yes which one:** local/smb/sftp/...
Yes, Local

**Are you using encryption:** yes/no
Yes

**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/...
No


### Client configuration
**Browser:**
Safari 12.1.2

**Operating system:**
Mac OS 10.14.6

### Logs
#### Web server error log

Insert your webserver log here


#### ownCloud log (data/owncloud.log)

Insert your ownCloud log here


#### Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) …

Hello,

I might say something stupid, but are you using the ownCloud appliance?

1 Like

Hiya, what do you mean by that? What is an appliance exactly?

I originally installed v9 and then upgraded to 10 at some point

How did you install your ownCloud server?

Did you install a LAMP setup and put the ownCloud files into the webroot?

The installation should have been very similar to this:
https://doc.owncloud.org/server/admin_manual/installation/ubuntu_18_04.html

Or did you download the Univention appliance:

There you would have had to start the virtual machine image with some kind of hypervisor.
The appliance docs are here:
https://doc.owncloud.org/server/admin_manual/appliance/

1 Like

I seem to remember having a lot of trouble with the installation (probably mainly due to my inexperience) so I fumbled through a lot of trial and error and searching online for command line examples. I know I definitely ended up doing a LAMP installation. I wish I’d known there was a simpler route! :slight_smile:

I’m very wary of touching it at this stage as it’s all functioning. The only reason I’m tinkering now is to update the expired SSL certificate but can’t seem to get past this error.

As you see the ucr command is only available on appliance installations.

In order to update your current SSL certificate, all you have to do is find where it is currently installed, replace the files and restart apache.

I’m assuming you have a simple apache setup, without a reverse-proxy for SSL offloading.

On a Debian/Ubuntu setup you can run (as root) apachectl -S to dump the current apache configuration, it should look similar to this:

```
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server cloud.domain.tld (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server cloud.domain.tld (/etc/apache2/sites-enabled/default-ssl.conf:2)
```

Look for the virtual host configuration for your ownCloud server on port 443 (SSL). In my case this is /etc/apache2/sites-enabled/default-ssl.conf and run the following grep on it:

```
root@ubuntu:~# grep "^\s*SSLCertificate.*File" /etc/apache2/sites-enabled/default-ssl.conf
                SSLCertificateFile /etc/ssl/domain.tld/fullchain.pem
                SSLCertificateKeyFile /etc/ssl/domain.tld/privkey.pem
```

There might also be a third variable, SSLCertificateChainFile, which, depending on your new certificate, also might need to be updated.

It is also possible that you DON’T have to update your key file, depending on how you created the new CSR. If you don’t have a new key, make sure that the current private key matches the certificate.

Make a backup of these files, and then replace the contents of the files with new certificate, new chain and new key respectively.

  1. Backup: cp /etc/ssl/domain.tld/fullchain.pem{,.bak}; cp /etc/ssl/domain.tld/privkey.pem{,.bak} (and the same for the SSLCertificateChainFile if it exists)
  2. You should be able to just use your favorite (CLI) editor to edit the certificate (nano, vim)
  3. Delete the old content
  4. Paste the new content
  5. Save the file
  6. Repeat steps 2-5 for key and chain (if needed)

Afterwards you can apply your new configuration by restarting apache:

```
root@ubuntu:~# apachectl -t # make sure your config is correct
Syntax OK
root@ubuntu:~# systemctl restart apache2 # don't run this if your syntax is not ok
```

Let me know should you have any problems

1 Like
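
The answer above asks you to make sure the private key matches the certificate before restarting Apache. The script below is an added example, not part of the original thread, that performs that check and extends it with an expiry and a key-permission check. The function names are hypothetical, and `make_sample_pair` only generates throwaway input for trying the checks.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before restarting Apache with a
# replaced certificate. Function names are hypothetical; paths are arguments.

# True if the first certificate in $1 and the private key $2 share a public key.
cert_matches_key() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# True if the certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True if "other" has no permission bits on the key file (symlinks followed).
key_not_world_accessible() {
    case $(ls -ldL "$1" 2>/dev/null) in
        ???????---*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit status: 0 ok, 1 key/certificate mismatch, 2 expiring, 3 key permissions.
preflight() (
    cert=$1 key=$2 days=${3:-30}
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: private key does not match certificate" >&2; exit 1; }
    cert_valid_for_days "$cert" "$days" ||
        { echo "FAIL: certificate expires within $days days" >&2; exit 2; }
    key_not_world_accessible "$key" ||
        { echo "FAIL: key file is accessible to other users" >&2; exit 3; }
    echo "OK: $cert and $key pass pre-flight checks"
)

# Constructed sample input: throwaway self-signed pair $1/$2.pem and $1/$2.key, valid $3 days.
make_sample_pair() (
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=cloud.domain.tld" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
)

# Usage: sh preflight.sh <SSLCertificateFile path> <SSLCertificateKeyFile path> [days]
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Run it against the two paths reported by the `grep` before `apachectl -t` and the restart. `openssl x509` reads only the first certificate in the file, so in a combined file such as `fullchain.pem` the server certificate has to come first.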

oh I see, I was following instructions for the wrong thing! Thank you so much! Might seem like a small thing to you but I could have been going round in circles for days on this so thanks again, you guys are great on here, so helpful!

1 Like