Owncloud Docker Upgrade - SSL problem

Hello,

A long time ago I installed ownCloud as the Docker version 10.0 on Ubuntu 16 LTS with an SSL certificate.
Later I upgraded to Ubuntu 18 and everything still worked fine.

Now I tried to upgrade ownCloud from version 10.0 to 10.4; however, I can't reach my ownCloud server over https anymore. Over http it still works.
I followed exactly the steps described for an upgrade with Docker (https://doc.owncloud.org/server/10.4/admin_manual/installation/docker/).

Is there anything else I have to do for SSL?

Thank you very much for your help and info.

Best regards.

A reverse proxy (Traefik, for example) is needed. Check this blog post:

Also check this example with docker-compose:


OK… thank you. I will have a look at it.

Could you please explain to me why I now have to use a reverse proxy in combination with ownCloud Docker? Is this necessary with the new Docker image? Thanks

No SSL in the Docker images. But this is not so new; the change was made in 2018:
https://github.com/owncloud-docker/server/blob/master/CHANGELOG.md#2018-10-09


thanks, I understand :slight_smile:

Hi, I understand that SSL is no longer supported with the current Docker setup. But I don't want to use Traefik.

I don't really want to analyze the Docker structure. So, please, could you provide me some details about the Docker image's structure?
Where are apache2's variables like "APACHE_DOCUMENT_ROOT" stored?
What is the site config file (full path name) in which to add the "SSLCertificateKeyFile" parameter, etc.?
Any other information that could be useful to set this up!!!

Thank you for your help and great work!!

Hey @skinless,

I think you should create a new thread for these different questions. :wink:

I found a solution; it's more of a workaround, a bit tricky, but it works…
So, if you are not comfortable with bash scripts, Docker and apache2, it's probably not for you.
This is a summary of my procedure to enable SSL without Traefik.

For my example I use these folder names:

  • owncloud = folder where I put the docker-compose.yml file
  • ownclouddata = folder for the ownCloud service (equivalent to /mnt/data/ inside the container)

  1. Create a folder ./owncloud/ownclouddata/ssl

  2. Copy the service certificate/key and the CA certificate (if self-signed certificate) inside this folder

  3. Apply appropriate access rights to the folder and its files (www-data:root rr-)

  4. Create a file ./owncloud/ownclouddata/apacheSSL.inc and put these lines inside it:

SSLEngine on
SSLCertificateFile /mnt/data/ssl/ownCloud_cert.pem
SSLCertificateKeyFile /mnt/data/ssl/ownCloud_key.pem
SSLCACertificateFile /mnt/data/ssl/server_ca_cert.pem
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

Note that the filenames must match your certificate/key filenames inside your ssl folder.

  5. Create a new file ./owncloud/ownclouddata/set_SSL.sh and add these lines inside it:
#!/usr/bin/env bash
# Enable the apache2 SSL module (mod_ssl and its dependencies)
a2enmod ssl
# Delete the include line added by a previous run, so that restarting the
# container does not accumulate duplicate lines in the template
sed -i '/^include \/mnt\/data.*/d' /etc/templates/apache.conf
# Add the SSL parameters to the apache.conf template by including our
# fragment just before the <Directory block
sed -i '/<Directory/i include /mnt/data/apacheSSL.inc' /etc/templates/apache.conf
  6. Modify your ./owncloud/docker-compose.yml file to add the following line under
     services --> owncloud --> volumes:
     - ./ownclouddata/set_SSL.sh:/etc/entrypoint.d/13-set_ssl.sh

  7. Execute the following command to reset and rebuild your container:
     docker-compose down && docker-compose up -d

Wait until the service is up and running and try to access your ownCloud server over https://.
That can take a moment; be patient. If you can't access your server with https, try with http. If nothing happens, you have probably missed something…
Like I said at the beginning, it's a tricky solution. It's for people comfortable with bash scripts, apache2 and Docker/Docker Compose.

The process is quite simple.
The volume line added in docker-compose.yml puts the script into the entrypoint folder, where it is executed to add the SSL parameters required to run SSL on the apache2 server.

It's not the simplest way I found, but it works very well and I don't need to install Traefik to have SSL communication with my ownCloud.

Another great advantage of this method is that we can add any additional apache2 parameters directly inside the apacheSSL.inc file.

If that can help someone!!


looks good

I am gonna test it later

Hello,

Is this procedure still valid?

Because I have not been able to configure SSL. The deployment is successful, but it does not work over https. I even encountered an issue with the set_SSL.sh script: it targets /etc/templates/apache.conf, which was absent. I worked around this by creating apache.conf from apache.conf.tmpl.

Setup:
Directory Structure:

isudo@f37-srv:~/owncloud$ pwd
/home/isudo/owncloud
isudo@f37-srv:~/owncloud$ ls
docker-compose.yml  ownclouddata
isudo@f37-srv:~/owncloud$    
isudo@f37-srv:~/owncloud/ownclouddata$ pwd
/home/isudo/owncloud/ownclouddata
isudo@f37-srv:~/owncloud/ownclouddata$ ls
apacheSSL.inc  defaultNetworkBackend  libpod  networks  overlay  overlay-containers  overlay-images  overlay-layers  secrets  set_SSL.sh  ssl  storage.lock  userns.lock  volumes
isudo@f37-srv:~/owncloud/ownclouddata$ 
isudo@f37-srv:~/owncloud/ownclouddata/ssl$ pwd
/home/isudo/owncloud/ownclouddata/ssl
isudo@f37-srv:~/owncloud/ownclouddata/ssl$ ls
ca-cert.pem  ca-cert.srl  ca-key.pem  server_cert.pem  server.csr  server_key.pem
isudo@f37-srv:~/owncloud/ownclouddata/ssl$ 

./owncloud/ownclouddata/set_SSL.sh

#!/usr/bin/env bash

# Check that the template file exists (this image ships apache.conf.tmpl,
# not apache.conf)
if [ ! -f "/etc/templates/apache.conf.tmpl" ]; then
    echo "Template file does not exist."
    exit 1
fi

# Copy the template to create a new apache.conf file, and stop if that fails
if cp /etc/templates/apache.conf.tmpl /etc/templates/apache.conf; then
    echo "apache.conf file created successfully."
else
    echo "Failed to create apache.conf file."
    exit 1
fi

# Enable the apache2 SSL module
a2enmod ssl

# Delete the include line added by a previous run
sed -i '/^include \/mnt/d' /etc/templates/apache.conf

# Add the SSL parameters to the apache.conf copy by including our fragment
# just before the <Directory block
sed -i '/<Directory/i include /mnt/data/apacheSSL.inc' /etc/templates/apache.conf

docker-compose.yml:

volumes:
      - files:/mnt/data
      - ./ownclouddata/set_SSL.sh:/etc/entrypoint.d/13-set_ssl.sh

./owncloud/ownclouddata/apacheSSL.inc

SSLEngine on
SSLCertificateFile /mnt/data/ssl/server_cert.pem
SSLCertificateKeyFile /mnt/data/ssl/server_key.pem
SSLCACertificateFile /mnt/data/ssl/ca-cert.pem
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

After deployment:

isudo@f37-srv:~/owncloud$ podman logs owncloud_owncloud_1
apache.conf file created successfully.
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart
Creating volume folders...
Creating hook folders...
Waiting for MySQL...
services are ready!
Waiting for Redis...
services are ready!
Removing custom folder...
Linking custom folder...
Removing config folder...
Linking config folder...
Writing config file...
Fixing base perms...
Fixing data perms...
Fixing hook perms...
Upgrading server database...
ownCloud is already latest version
ownCloud is already latest version
Writing objectstore config...
Writing php config...
Updating htaccess config...
.htaccess has been updated
Writing apache config...
Enabling cron background...
Set mode for background jobs to 'cron'
Writing crontab file...
Touching cron configs...
Starting cron daemon...
Starting apache daemon...
[Mon Oct 16 19:00:05.488232 2023] [mpm_prefork:notice] [pid 177] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Mon Oct 16 19:00:05.488271 2023] [core:notice] [pid 177] AH00094: Command line: '/usr/sbin/apache2 -f /etc/apache2/apache2.conf -D FOREGROUND'
     

After executing service apache2 restart:

isudo@f37-srv:~/owncloud$ podman exec -it owncloud_owncloud_1 service apache2 restart
/etc/init.d/apache2: 46: .: Can't open /etc/apache2/envvars
/etc/init.d/apache2: 57: .: Can't open /etc/apache2/envvars
ERROR: APACHE_PID_FILE needs to be defined in /etc/apache2/envvars

I tried putting this command in the script too, but same result.

So my question is: Is this procedure still valid?

I would be very grateful if you could shed some light on what is happening.

Thank you!

Hello!!

Yes, I did make some changes.
I don't know if that fixes your issue, but here are my new settings:

File: set_SSL.sh

#!/usr/bin/env bash
# Enable the apache2 SSL module
a2enmod ssl
# Delete the include line added by a previous run, so restarts do not
# accumulate duplicates in the template
sed -i '/^include \/mnt\/data.*/d' /etc/templates/apache.conf.tmpl
# Add the SSL parameters to the apache.conf template (apache.conf.tmpl is
# the file that exists in the image) by including our fragment just before
# the <Directory block
sed -i '/<Directory/i include /mnt/data/apacheSSL.inc' /etc/templates/apache.conf.tmpl

File: apacheSSL.inc

SSLEngine on
SSLCertificateFile /mnt/data/ssl/<CERTIFICATE_FILENAME>.pem
SSLCertificateKeyFile /mnt/data/ssl/<KEY_FILENAME>.pem
SSLCACertificateFile /mnt/data/ssl/<CA_CERTIFICATE_FILENAME>.pem
Protocols h2 http/1.1
SSLProtocol TLSv1.2
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

# If you are behind a proxy, uncomment and set the following parameters
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy <YOUR_IP_ADDRESSES_HERE_SEPARATED_BY_SPACES>

In your docker-compose.yml file, your owncloud section must contain a "hostname" parameter that matches your SSL certificate, and I changed the following mount:

volumes:
      - ./ownclouddata:/mnt/data
      - ./ownclouddata/set_SSL.sh:/etc/entrypoint.d/06-set_ssl.sh

It's been a long time since I worked on this solution, and I forgot many little things.
If I remember well, ownCloud is now pickier about the domain name.
I mean that your SSL certificate and your Docker container's hostname must match.
Even if all your settings are OK, if the hostname is not set properly nothing will work.

I hope that help you!

Thank you and have a nice day!
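As an added example (it is not the script of either poster above), here is the set_SSL.sh entrypoint hook from the original procedure and its updated version rewritten so that it can be re-run safely and fails early when the certificate material is wrong. check_ssl_material reads the SSLCertificateFile / SSLCertificateKeyFile / SSLCACertificateFile lines of apacheSSL.inc and verifies that each file is readable and in PEM format and that the private key is not readable by others; install_ssl_include inserts the Include line exactly once, before the first <Directory line only, instead of deleting and re-adding on every start. The paths /mnt/data/apacheSSL.inc and /etc/templates/apache.conf.tmpl are taken from the thread and are assumptions about the image; the function and variable names are mine.

```shell
#!/usr/bin/env bash
# Added example for this thread, not the poster's script: a re-runnable
# entrypoint hook that validates the certificate material before touching
# the apache template. The paths are the ones used in the thread and are
# assumptions about the ownCloud image; override them via the environment.
set -eu

INCLUDE_FILE="${INCLUDE_FILE:-/mnt/data/apacheSSL.inc}"
TEMPLATE="${TEMPLATE:-/etc/templates/apache.conf.tmpl}"

# check_ssl_material <fragment>
# Reads the SSLCertificateFile / SSLCertificateKeyFile / SSLCACertificateFile
# directives of the fragment and verifies that each file is readable and in
# PEM format, and that the private key is not readable by "others".
# Returns 0 when everything is fine, 1 otherwise (problems go to stderr).
check_ssl_material() {
    inc="$1"
    status=0
    while read -r directive path _; do
        case "$directive" in
            SSLCertificateFile|SSLCertificateKeyFile|SSLCACertificateFile) ;;
            *) continue ;;
        esac
        if [ ! -r "$path" ]; then
            echo "missing or unreadable: $directive $path" >&2
            status=1
            continue
        fi
        if ! grep -q -- '-----BEGIN' "$path"; then
            echo "not a PEM file: $directive $path" >&2
            status=1
        fi
        if [ "$directive" = SSLCertificateKeyFile ]; then
            # GNU/busybox stat: octal mode; the last digit is the "others" bits
            perm=$(stat -c '%a' "$path")
            case "$perm" in
                *0) ;;
                *) echo "private key $path is readable by others (mode $perm)" >&2
                   status=1 ;;
            esac
        fi
    done < "$inc"
    return "$status"
}

# install_ssl_include <template> <fragment>
# Inserts "Include <fragment>" before the first <Directory line of the
# template, once: re-running the container does not add a second copy.
install_ssl_include() {
    tmpl="$1"
    inc="$2"
    if grep -qi "^include $inc\$" "$tmpl"; then
        return 0
    fi
    awk -v inc="$inc" '
        !seen && /<Directory/ { print "Include " inc; seen = 1 }
        { print }
    ' "$tmpl" > "$tmpl.tmp" && mv "$tmpl.tmp" "$tmpl"
}

# Entrypoint behaviour: only act inside the container, where the template
# exists. Sourcing the file elsewhere just defines the functions above.
if [ -f "$TEMPLATE" ]; then
    check_ssl_material "$INCLUDE_FILE"
    a2enmod ssl
    install_ssl_include "$TEMPLATE" "$INCLUDE_FILE"
fi
```

Mount it the same way as set_SSL.sh in the posts above (for example `./ownclouddata/set_SSL.sh:/etc/entrypoint.d/06-set_ssl.sh`); if the checks fail, the container stops with the reason in its log instead of serving plain http silently. Two Apache details are worth knowing when adapting apacheSSL.inc: SSLCACertificateFile only sets the CAs that Apache trusts for client certificates, so to send a private CA's certificate to browsers as part of the chain, append it to the file named by SSLCertificateFile (Apache 2.4.8 and later read the chain from there). And `SSLProtocol TLSv1.2` enables exactly TLS 1.2; on the Apache 2.4.41 / OpenSSL 1.1.1f build shown in the logs, `SSLProtocol -all +TLSv1.2 +TLSv1.3` also allows TLS 1.3.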

I just wanted to drop you a quick note to say a massive thank you for your lightning-fast response and awesome help with my server configuration question. :rocket:

Your help saved my day, seriously! I’m super grateful for your willingness to help and the clear instructions you provided. Thanks to you, my server is running smoothly now.

You rock! :raised_hands: It’s people like you that make any forum awesome!

The container log is incredibly impeccable:

isudo@f37-srv:~/owncloud$ podman logs owncloud_owncloud_1
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart
Creating volume folders...
Creating hook folders...
Waiting for MySQL...
services are ready!
Waiting for Redis...
services are ready!
Removing custom folder...
Linking custom folder...
Removing config folder...
Linking config folder...
Writing config file...
Fixing base perms...
Fixing data perms...
Fixing hook perms...
Upgrading server database...
ownCloud is already latest version
ownCloud is already latest version
Writing objectstore config...
Writing php config...
Updating htaccess config...
.htaccess has been updated
Writing apache config...
Enabling cron background...
Set mode for background jobs to 'cron'
Writing crontab file...
Touching cron configs...
Starting cron daemon...
Starting apache daemon...
[Tue Oct 17 21:48:03.769663 2023] [ssl:warn] [pid 173] AH01909: localhost:8080:0 server certificate does NOT include an ID which matches the server name
[Tue Oct 17 21:48:03.814799 2023] [ssl:warn] [pid 173] AH01909: localhost:8080:0 server certificate does NOT include an ID which matches the server name
[Tue Oct 17 21:48:03.821465 2023] [mpm_prefork:notice] [pid 173] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Tue Oct 17 21:48:03.821478 2023] [core:notice] [pid 173] AH00094: Command line: '/usr/sbin/apache2 -f /etc/apache2/apache2.conf -D FOREGROUND'
