I setup ownCloud on an Ubuntu node on a proxmox box. I’m getting the typical SSL errors when accessing the app via browser. I don’t plan on ever using ownCloud via WAN. I know it might defeat the purpose but I just wanted a clean UI and a central point for my data and I don’t trust mainstream options.
Is there any danger to using ownCloud on LAN with no SSL? My network is in no way exposed to WAN, I don’t connect remotely for any reason, WiFi is secured, no possibility of unauthorized physical connections.
If you mean your browser and ownCloud apps are presenting untrusted certificate warnings. I would suggest keeping access limited to HTTPS and instead find a suitable way of resolving those warnings
In the era of truly free recognized certificates from Let’s Encrypt, there are plenty of options, even for hosts that have no access from the internet. DNS-01 validation is an effective method for issuing LE certs for use on hosts that are not publically accessible.
You can always create your own private CA that can be used to issue your certificates. Loading the CA cert on your client devices will clear up unknown certificate warnings.
Others may disagree and YMMV. Ultimately, the risk is yours to deem acceptable or not.
Thanks for the reply. I was going to go the way of configuring a CA but wasn’t sure the hassle was necessary. If you don’t mind me asking, if you were in this position, would you configure a CA/DNS-01 if the ownCloud service was restricted to LAN?
Limiting access to only the LAN would render my ownCloud useless to me. I realize that your planned usage differs from mine, but it sill makes it hard to tell you “what I would do” when my answer is “not that”.
I have maintained my own private CA (using XCA) for long enough that I preemptively generated a new root certificate last year to avoid last minute migrations when the previous root expires next year. Since I already tend keep the CA certificate deployed to my devices that need it, that would be the quickest way for me to generate a certificate for a resource that was strictly limited to private access.
That said, I have been retiring that option for anything that I can move to automation with DNS-01 (usually with verification domain aliasing) on Let’s Encrypt. While this method does take longer to put in place, it scales much better, and once you know that it is handling renewals properly, it tends to not require any further thought or maintenance.