Closed sseide closed 5 months ago
Thanks for the detailed information.
What's the output of:
systemctl restart apache2.service
systemctl status apache2.service
with the Apache config file as created after the "Activate TLS" script is run:
# systemctl restart apache2.service
Job for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xeu apache2.service" for details.
# systemctl status apache2.service
× apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2024-06-11 15:38:36 CEST; 22s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 4033943 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
CPU: 14ms
Jun 11 15:38:36 MYDOMAIN systemd[1]: apache2.service: Deactivated successfully.
Jun 11 15:38:36 MYDOMAIN systemd[1]: Stopped The Apache HTTP Server.
Jun 11 15:38:36 MYDOMAIN systemd[1]: apache2.service: Consumed 28.045s CPU time.
Jun 11 15:38:36 MYDOMAIN systemd[1]: Starting The Apache HTTP Server...
Jun 11 15:38:36 MYDOMAIN apachectl[4033943]: Action 'start' failed.
Jun 11 15:38:36 MYDOMAIN apachectl[4033943]: The Apache error log may have more information.
Jun 11 15:38:36 MYDOMAIN systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILU>
Jun 11 15:38:36 MYDOMAIN systemd[1]: apache2.service: Failed with result 'exit-code'.
Jun 11 15:38:36 MYDOMAIN systemd[1]: Failed to start The Apache HTTP Server.
And the Apache error log shows the error as said above. Last messages of restart/shutdown added here too, before start:
[Tue Jun 11 15:38:27.992793 2024] [core:info] [pid 3922680:tid 140207359547264] AH00096: removed PID file /var/run/apache2/apache2.pid (pid=3922680)
[Tue Jun 11 15:38:27.992818 2024] [mpm_event:notice] [pid 3922680:tid 140207359547264] AH00492: caught SIGWINCH, shutting down gracefully
[Tue Jun 11 15:38:31.353701 2024] [core:warn] [pid 3922680:tid 140207359547264] AH00045: child process 3969410 still did not exit, sending a SIGTERM
[Tue Jun 11 15:38:33.355862 2024] [core:warn] [pid 3922680:tid 140207359547264] AH00045: child process 3969410 still did not exit, sending a SIGTERM
[Tue Jun 11 15:38:35.358018 2024] [core:warn] [pid 3922680:tid 140207359547264] AH00045: child process 3969410 still did not exit, sending a SIGTERM
[Tue Jun 11 15:38:36.384469 2024] [ssl:info] [pid 4033946:tid 139920414369664] AH01883: Init: Initialized OpenSSL library
[Tue Jun 11 15:38:36.385343 2024] [ssl:info] [pid 4033946:tid 139920414369664] AH01887: Init: Initializing (virtual) servers for SSL
[Tue Jun 11 15:38:36.387954 2024] [ssl:emerg] [pid 4033946:tid 139920414369664] AH02407: "SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/MYDOMAIN/dhparam.pem" failed for MYDOMAIN:443
[Tue Jun 11 15:38:36.387963 2024] [ssl:emerg] [pid 4033946:tid 139920414369664] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
Manually removing/commenting out the SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/MYDOMAIN/dhparam.pem line in the Apache config file solves the problem. Apache restarts fine without problem.
The dhparam.pem file exists and is readable by user / group "root", which should be fine as Apache is starting as root (before dropping privileges):
ls -la /etc/letsencrypt/live/MYDOMAIN/dhparam.pem
-rw-r--r-- 1 root root 1525 Sep 17 2020 /etc/letsencrypt/live/MYDOMAIN/dhparam.pem
Thanks! Solved the "bug". Please try again in like 10 minutes.
@sseide All good now, did the new fix solve it?
Just for the record: https://github.com/nextcloud/vm/commit/54f59c1069acf2bec3205458c6f886dd08ffdc17 + https://github.com/nextcloud/vm/commit/076147ef88d828259b6ad02f367d89e476ddf1b4 are the fixes we made.
Found time today to check the new version. Thanks for looking into it. All changes from the commits linked are applied to my Apache configuration. But it's not working nonetheless.
Currently we have two problems - both persist.
1. Apache not starting after applying script. The SSLOpenSSLConfCmd line is added to the Apache2 site configuration, which leads to the service not starting at all. This line must be removed afterwards. Logs are the same as in the last comment (the systemctl status apache2.service and content of /var/log/apache/error.log).
2. Nextcloud integrated security check fails. After fixing point 1 and restarting Apache the test fails with the same error "data directory might be accessible, .htaccess not working".
Checking here again with curl -iL --location-trusted -u 'user:pass' http://MYDOMAIN/mnt/ncdata/.ocdata
returns a
Without a valid user the second step redirects to the login page, also giving (as expected) an HTTP 200. As I understand it the Nextcloud test itself is borked and does not really check what it wants to check. For your configuration setup as done within your Nextcloud VM this check at https://github.com/nextcloud/server/blob/b081d3ccccb741235858fb0515678ab45f79f623/apps/settings/lib/SetupChecks/DataDirectoryProtected.php#L59 will fail every time. Shouldn't that be discussed in the original ticket? Or should the HTTP -> HTTPS redirect be changed to include the original request path and not redirect to the server root "/"?
Sorry, missed one place: https://github.com/nextcloud/vm/commit/a185a015e892bf2acb39d305b57feb0e9773bd31
Please try again.
You can also try to run a sudo a2dissite MYDOMAIN.TLD && sudo a2ensite MYDOMAIN.TLD && sudo systemctl apache2 restart
when the script is finished.
I would also like to see the output of ls -l /etc/apache2/sites-enabled
Thanks, now the script is working. After running the ActivateTLS script the server restarted and login/usage was possible.
Therefore problem 1 is fixed. Only problem 2 remains (Nextcloud new internal security check).
Here is the output of running the Activate TLS script:
# bash menu.sh
Running the main menu script...
Testing if network is OK...
Checking connection...
Downloading the Server Configuration Menu...
Downloading the Let's Encrypt script...
Checking if MYDOMAIN exists and is reachable...
Doing a DNS lookup for MYDOMAIN...
Server: 9.9.9.9
Address: 9.9.9.9#53
Non-authoritative answer:
Name: MYDOMAIN
Address: 1.2.3.4
DNS seems correct when checking with nslookup!
DNS seems correct when checking with dig!
Testing if network is OK...
Checking connection...
Checking if port 80 is open...
Port 80 is open on 1.2.3.4!
Checking if port 443 is open...
Port 443 is open on 1.2.3.4!
Getting current PHP-version...
PHPVER=8.1
/etc/apache2/sites-available/MYDOMAIN.conf was successfully created.
795
1152
1153
1154
1155
10715
Site 000-default already disabled
Trying to generate certs and validate them with standalone method.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for MYDOMAIN
Hook 'deploy-hook' ran with output:
Webmin certificates renewed - update certs
Hook 'post-hook' reported error code 1
Hook 'post-hook' ran with error output:
Job for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xeu apache2.service" for details.
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/MYDOMAIN/fullchain.pem
Key is saved at: /etc/letsencrypt/live/MYDOMAIN/privkey.pem
This certificate expires on 2024-09-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Generating DH parameters, 2048 bit long safe prime
.............+......................................... . . .
Site MYDOMAIN already enabled
Site nextcloud_tls_domain_self_signed already disabled
Site nextcloud_http_domain_self_signed already disabled
Site 000-default already disabled
Restarting Apache2 and PHP-FPM...
Getting current PHP-version...
PHPVER=8.1
Adding MYDOMAIN to trusted domains...
System config value overwrite.cli.url set to string https://MYDOMAIN
.htaccess has been updated
And just for completeness (but probably not needed anymore)
# ls -l /etc/apache2/sites-enabled
total 0
lrwxrwxrwx 1 root root 47 Dec 3 2020 MYDOMAIN-COLLABORA.conf -> ../sites-available/MYDOMAIN-COLLABORA.conf
lrwxrwxrwx 1 root root 44 Sep 17 2020 MYDOMAIN.conf -> ../sites-available/MYDOMAIN.conf
There's something else that's off with your config.
As you can see on the creation date for the Apache configs, they are old. So that means the new ones aren't enabled. What happens if you run the command I wrote above?
It's only the soft-link that's that old. The file it points to is new (at least the MYDOMAIN.conf). It's from the time the Activate TLS script is run. Therefore no need to disable/enable (but did it nonetheless now).
$ ls -la /etc/apache2/sites-available/
total 36
drwxr-xr-x 2 root root 4096 Jun 13 10:00 .
drwxr-xr-x 8 root root 4096 Apr 14 06:20 ..
-rw-r--r-- 1 root root 1552 Dec 27 12:56 000-default.conf
-rw-r--r-- 1 root root 6338 Apr 13 2020 default-ssl.conf
-rw-r--r-- 1 root root 1234 Dec 27 12:56 nextcloud_http_domain_self_signed.conf
-rw-r--r-- 1 root root 1572 Dec 27 12:56 nextcloud_tls_domain_self_signed.conf
-rw-r--r-- 1 root root 2837 Dec 27 12:35 MYDOMAIN-COLLABORA.conf
-rw-r--r-- 1 root root 2822 Jun 13 10:00 MYDOMAIN.conf
Inside the MYDOMAIN.conf the VirtualHost port 80 definition looks like the following:
<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST} [END,NE,R=permanent]
</VirtualHost>
As I'm more the Nginx guy and not really fluent in the Apache dialect - but it looks exactly as I might expect looking at the curl output. Rewrite HTTP to HTTPS and redirect to root. The capture group on the URI is never used inside the new location redirect.
Full file as generated by Activate TLS script:
<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
### YOUR SERVER ADDRESS ###
ServerAdmin admin@MYDOMAIN
ServerName MYDOMAIN
### SETTINGS ###
<FilesMatch "\.php$">
SetHandler "proxy:unix:/run/php/php8.1-fpm.nextcloud.sock|fcgi://localhost"
</FilesMatch>
# Intermediate configuration
Header add Strict-Transport-Security: "max-age=15552000;includeSubdomains"
SSLEngine on
SSLCompression off
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
ServerSignature off
# Logs
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ErrorLog ${APACHE_LOG_DIR}/error.log
# Document root folder
DocumentRoot /var/www/nextcloud
# The Nextcloud folder
<Directory /var/www/nextcloud>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
Satisfy Any
# This is to include all the Nextcloud rules due to that we use PHP-FPM and .htaccess aren't read
Include /var/www/nextcloud/.htaccess
</Directory>
# Deny access to your data directory
<Directory /mnt/ncdata>
Require all denied
</Directory>
# Deny access to the Nextcloud config folder
<Directory /var/www/nextcloud/config/>
Require all denied
</Directory>
<IfModule mod_dav.c>
Dav off
</IfModule>
# The following lines prevent .htaccess and .htpasswd files from being viewed by Web clients.
<Files ".ht*">
Require all denied
</Files>
SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
# Disable HTTP TRACE method.
TraceEnable off
# Disable HTTP TRACK method.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [R=405,L]
# Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
<IfModule mod_reqtimeout.c>
RequestReadTimeout body=0
</IfModule>
### LOCATION OF CERT FILES ###
# SSLCertificateChainFile /etc/letsencrypt/live/MYDOMAIN/chain.pem
SSLCertificateFile /etc/letsencrypt/live/MYDOMAIN/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/MYDOMAIN/privkey.pem
SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/MYDOMAIN/dhparam.pem
</VirtualHost>
### EXTRAS ###
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Yes of course you're right, the symlink is old!
Anyway, the config looks correct now, and it solved the issue in our testing, so I guess you need to change the Collabora conf as well to match the mydomain conf since that's also referenced in config.php.
Can you please copy paste the exact config for port 80 virtualhost to the Collabora conf?
There is no port 80 VHost. The only VHost configured (as NC and Collabora are running on the same host) is the one from the Nextcloud Apache config above. As this does not have a ServerName directive set, it's reused for Collabora too and redirects to the respective hostname with SSL.
The 443 VHost is configured same as in their documentation (https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#reverse-proxy-settings-in-apache2-config-ssl) - "Reverse proxy settings in Apache2 config (SSL)"
Reading the original thread in its full glory it seems the HTTP 80 redirect is wrong. As I suspected above, the problem lies in the redirect pointing to the HTTPS root path no matter what the original HTTP URL requested was...
Current setup of Redirect is
<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST} [END,NE,R=permanent]
</VirtualHost>
Changing it to include the original path, the security warning has gone away! Nextcloud is happy.
<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [END,NE,R=permanent]
</VirtualHost>
BUT: After changing the NC VHost definition I tried to run the "Activate TLS" script again to check if this change is reverted or not. And your Activate TLS script reverts the correct redirect to the first one - and the security warning about open directory access is there again.
To fix the initial security warning from the other issue the redirect rule must be changed to include the full path to the requested file on redirect.
Thanks, Stefan
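To make the failure mode above reproducible without a real VM, here is an added example (mine, not part of this issue or of the nextcloud/vm project). It stands in two local plain-HTTP servers for the two vhosts: a "port 80" side whose only job is the RewriteRule, built once with the path dropped (https://%{HTTP_HOST}) and once with it kept (https://%{HTTP_HOST}$1), and a "port 443" side that answers 403 for anything under /mnt/ncdata and 200 elsewhere (the login page at /). The checker then requests /mnt/ncdata/.ocdata and follows the redirect, recording every hop, in the spirit of the Nextcloud DataDirectoryProtected setup check the thread links to. Assumptions: TLS is irrelevant to the redirect logic, so both sides are plain HTTP on 127.0.0.1; the verdict keys (path_dropped, protected) are my own names, not Nextcloud's.

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Data directory from the vhost in the thread; /.ocdata is the file the
# Nextcloud setup check requests.
DATA_DIR = "/mnt/ncdata"


class TlsSideHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the *:443 vhost: <Directory /mnt/ncdata> Require all denied,
    everything else (e.g. the login page at /) answers 200."""

    def do_GET(self):
        self.send_response(403 if self.path.startswith(DATA_DIR + "/") else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def make_plain_side_handler(tls_base, preserve_path):
    """Stand-in for the *:80 vhost's RewriteRule.
    preserve_path=False models  https://%{HTTP_HOST}    (path dropped, buggy)
    preserve_path=True  models  https://%{HTTP_HOST}$1  (path kept, fixed)"""

    class PlainSideHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(301)
            self.send_header("Location", tls_base + (self.path if preserve_path else ""))
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass

    return PlainSideHandler


def serve(handler):
    """Start a handler on an ephemeral localhost port; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


class RecordingRedirects(urllib.request.HTTPRedirectHandler):
    """Follows redirects like the default handler but keeps every hop."""

    def __init__(self):
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def check_data_dir(plain_base):
    """GET <plain_base>/mnt/ncdata/.ocdata following redirects and report what a
    setup check that only looks at the final status code would see."""
    rec = RecordingRedirects()
    opener = urllib.request.build_opener(rec)
    try:
        resp = opener.open(plain_base + DATA_DIR + "/.ocdata", timeout=5)
        status, final_url = resp.status, resp.geturl()
    except urllib.error.HTTPError as err:  # a 4xx here is the answer we want
        status, final_url = err.code, err.geturl()
    # urllib normalises a Location without a path to "/", so test for both.
    path_dropped = any(urlsplit(u).path in ("", "/") for _, u in rec.hops)
    return {
        "status": status,
        "final_path": urlsplit(final_url).path,
        "hops": rec.hops,
        "path_dropped": path_dropped,
        # 200 is what makes the setup check complain; a dropped path means the
        # request never reached the data directory, so nothing was tested.
        "protected": status != 200 and not path_dropped,
    }


if __name__ == "__main__":
    _, tls_base = serve(TlsSideHandler)
    for rule, keep in (("https://%{HTTP_HOST}", False), ("https://%{HTTP_HOST}$1", True)):
        _, plain_base = serve(make_plain_side_handler(tls_base, keep))
        print(rule, "->", check_data_dir(plain_base))
```

Running it prints one line per rule: the buggy rule ends at / with status 200 and path_dropped=True (exactly the curl result described earlier in the thread), the fixed rule ends at /mnt/ncdata/.ocdata with 403. The same checker can be pointed at a real host by passing http://MYDOMAIN as plain_base; the hops list then shows whether the redirect kept the path before you trust the final status code.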
OK, thanks, missed one detail in our previous PR. It's fixed now, please try again in like 10 minutes.
Thanks - script running without problem and NC integrated security scanner is happy - no warnings anymore.
Great news! Thanks for the debugging!
Steps To Reproduce
The VM server was running fine without any real problem (except 227145).
As recommended i run the Activate TLS Script from
/var/scripts/menu.sh
-> "Server Configuration". After running the script the Apache server did not start anymore. The log "/var/log/apache/error.log" had the following entries:
The ActivateTLS script modified the Apache server configuration file and the end of the file now looked like the following:
After commenting out the SSLOpenSSLConfCmd it started up again. Related issues: #2296 #2304
The output of the ActivateTLS script was:
Expected Result
The Activate TLS script is running, detecting that TLS already is activated and (optionally) renew certificate if needed. Afterwards Apache server starts up again.
Actual Result
After running the script the Apache configuration file was modified with (for this server) an invalid OpenSSL configuration parameter. Therefore the Apache server did not start up again.
Screenshots, Videos, or Pastebins
No response
Additional Context
This VM was originally downloaded with Ubuntu 20.04 and Nextcloud 19 (? - or similar) and constantly updated via the provided /var/scripts/update.sh script, with an Ubuntu update in between as needed by Nextcloud 26. No other customizations done otherwise except adding an additional Apache VHost for Collabora Office. And as said, everything was working fine since then.
Build Version
29.0.2
Environment
By using the scripts, By downloading the VM
Environment Details
Nextcloud VM downloaded long ago and updated since then. Collabora Office running inside docker on the same server as an additional VHost.
Ubuntu packages: