Backup: Nextcloud configuration

Started by baqwas, July 31, 2020, 10:09:02 PM

November 26, 2020, 09:42:29 AM #15 Last Edit: November 26, 2020, 09:45:51 AM by Gauss23
Just a guess but https://192.168.1.100 or whatever private IP address will never have a valid SSL certificate. Maybe it's failing because of that? Does it matter if you enter a correct or a wrong username/password combination?

I'm using NextCloud backup on multiple boxes. NextCloud instance has a valid SSL cert though and is reached by hostname instead of IP. No issues.
"The S in IoT stands for Security!" :)

In theory you can have an IP address in the SAN. But I guess this is not the case here.

Quote from: Gauss23 on November 26, 2020, 09:42:29 AM
Just a guess but https://192.168.1.100 or whatever private IP address will never have a valid SSL certificate. Maybe it's failing because of that? Does it matter if you enter a correct or a wrong username/password combination?
Valid? Sure it's valid if it's a self-signed cert. Using an IP just because it's local doesn't make it less valid, it's just local.
Your restriction is you can only use it locally.
I have no idea what you mean with 'wrong username/password combination'??
Quote
I'm using NextCloud backup on multiple boxes. NextCloud instance has a valid SSL cert though and is reached by hostname instead of IP. No issues.
I guess by valid you mean signed by a trusted third party (where trusted is what you believe). A locally signed cert is just as valid and, let me remind you, its trust value is not measurably higher ;)

Quote from: fabian
In theory you can have an IP address in the SAN. But I guess this is not the case here.
Not only in theory, it's no problem to sign the local cert. SAN with both local IP and local hostname or one of them.

Yes, with valid I mean trusted. For the curl request it makes a difference if self-signed or 3rd party (trusted) signed. Of course you can sign yourself a certificate on an ip address but will it be trusted by your OPNsense? Did you import your own CA to the OPNsense or is your OPNsense your main CA?

I wanted to know if the error message is the same if you enter a wrong username/password combination? This would show if the curl request is being completed or not.


Valid and trusted are two very different things in the world of certificates.

Of course a wrong Uname/paswd would break the action.
Nextcloud has the app. paswd for that, you'd never need to worry; the curl would work just fine also using self-signed certs, no problem.
If you set up your local env. correctly using self-signed certs there are no complaints by apps, servers, phones or whatever, just don't use them remotely unless you have a very good reason to do so, in fact better don't.

I looked for '"ssl_verify_result":1'; no list seems to explain the meaning of '1'.
Later on in the line, '"ssl_verifyresult":0'; there seems nothing wrong.

Quote from: qinohe on November 27, 2020, 11:45:53 PM
Valid and trusted are two very different things in the world of certificates.

Of course a wrong Uname/paswd would break the action.
Nextcloud has the app. paswd for that, you'd never need to worry; the curl would work just fine also using self-signed certs, no problem.
If you set up your local env. correctly using self-signed certs there are no complaints by apps, servers, phones or whatever, just don't use them remotely unless you have a very good reason to do so, in fact better don't.

I looked for '"ssl_verify_result":1'; no list seems to explain the meaning of '1'.
Later on in the line, '"ssl_verifyresult":0'; there seems nothing wrong.
Just import your self signed cert into the OPNsense
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Quote from: lfirewall1243 on November 28, 2020, 08:34:09 AM
Just import your self signed cert into the OPNsense
I'm not the one having problems  ;D

Quote from: qinohe on November 28, 2020, 04:14:35 PM
Quote from: lfirewall1243 on November 28, 2020, 08:34:09 AM
Just import your self signed cert into the OPNsense
I'm not the one having problems  ;D
Ooops! Then the original poster

I think I'm having the same issue.  I've tried w/ both my actual username/password and the application specific generated credentials.  Here are the relevant logs

2021-03-11T19:26:40   config[36701]   {"url":"https:\/\/nextcloud.willsisti.com\/ocs\/v1.php\/cloud\/user","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":0,"redirect_count":0,"total_time":60.00686,"namelookup_time":0.000374,"connect_time":0,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"","certinfo":[],"primary_port":0,"local_ip":"","local_port":0,"http_version":0,"protocol":0,"ssl_verifyresult":0,"scheme":"","appconnect_time_us":0,"connect_time_us":0,"namelookup_time_us":374,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":60006860}   
2021-03-11T19:26:40   config[36701]   Cannot get real username
Dell i5-4570, 8GB, Intel i350-T4

Hello,
I can't get the Nextcloud backup feature to work either :(

  • version of Nextcloud = 20.0.1 (hanssonit appliance) with a self-signed certificate
  • version of OPNsense = 21.1-amd64

The log is:
Mar 23 21:55:27 OPNsense config[93546]: {"url":"https:\/\/192.168.8.13\/ocs\/v1.php\/cloud\/user","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":18,"redirect_count":0,"total_time":0.024741,"namelookup_time":6.6e-5,"connect_time":0.000522,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"192.168.8.13","certinfo":[],"primary_port":443,"local_ip":"192.168.8.1","local_port":62449,"http_version":0,"protocol":2,"ssl_verifyresult":0,"scheme":"HTTPS","appconnect_time_us":0,"connect_time_us":522,"namelookup_time_us":66,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":24741}

Based on https://www.openssl.org/docs/man1.0.2/man1/verify.html, "ssl_verify_result":18 means "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate".

I did create an exception in Firefox to accept my Nextcloud self signed certificate so I just exported the .pem certificate from Firefox and imported it in OPNsense (in System: Trust: Authorities). Now the log is:

Mar 23 23:41:26 OPNsense config[60343]: {"url":"https:\/\/192.168.8.13\/ocs\/v1.php\/cloud\/user","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":1,"redirect_count":0,"total_time":0.023768,"namelookup_time":4.4e-5,"connect_time":0.00064,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"192.168.8.13","certinfo":[],"primary_port":443,"local_ip":"192.168.8.1","local_port":34026,"http_version":0,"protocol":2,"ssl_verifyresult":0,"scheme":"HTTPS","appconnect_time_us":0,"connect_time_us":640,"namelookup_time_us":44,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":23768}
 
"ssl_verify_result":1 looks like a generic error so I don't know where else to search...

I read the documentation at https://docs.opnsense.org/manual/how-tos/self-signed-chain.html#a-chain-for-your-local-nextcloud-server but if I understand correctly, I don't need that as my Nextcloud server already has its own self-signed certificate.

Do you have any idea of what is happening?
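Added example, not part of any post in this thread: a small Python triage of the JSON object that OPNsense writes to the log, showing how to tell a request that never connected (the 60-second case above) from one that connected and then failed certificate verification. The sample lines are abbreviated from the logs quoted in the thread; the function names and the code table (a subset of OpenSSL's `X509_V_*` values) are choices made for this example.

```python
import json

# Subset of OpenSSL X509_V_* verification codes (x509_vfy.h).
X509_V = {
    0: "X509_V_OK",
    1: "X509_V_ERR_UNSPECIFIED",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

# Abbreviated copies of the log lines quoted in the thread (fields trimmed).
SAMPLES = [
    r'2021-03-11T19:26:40 config[36701] {"url":"https:\/\/nextcloud.willsisti.com\/ocs\/v1.php\/cloud\/user","http_code":0,"ssl_verify_result":0,"total_time":60.00686,"connect_time":0,"primary_ip":""}',
    r'Mar 23 21:55:27 OPNsense config[93546]: {"url":"https:\/\/192.168.8.13\/ocs\/v1.php\/cloud\/user","http_code":0,"ssl_verify_result":18,"total_time":0.024741,"connect_time":0.000522,"primary_ip":"192.168.8.13"}',
    r'Mar 23 23:41:26 OPNsense config[60343]: {"url":"https:\/\/192.168.8.13\/ocs\/v1.php\/cloud\/user","http_code":0,"ssl_verify_result":1,"total_time":0.023768,"connect_time":0.00064,"primary_ip":"192.168.8.13"}',
]

def parse_line(line):
    """Return the JSON object embedded after the syslog prefix."""
    return json.loads(line[line.index("{"):line.rindex("}") + 1])

def diagnose(info):
    """Classify a logged request as (stage, detail)."""
    if info.get("http_code", 0) != 0:
        return ("http", f"server answered with HTTP {info['http_code']}")
    # No peer address and zero connect time: the TLS handshake never started.
    if not info.get("primary_ip") and info.get("connect_time", 0) == 0:
        return ("connect", f"no TCP connection after {info['total_time']:.0f}s; "
                           "check DNS, routing and firewall rules")
    code = info.get("ssl_verify_result", 0)
    if code != 0:
        return ("tls", X509_V.get(code, f"X509 verify code {code}"))
    return ("unknown", "connected, no HTTP response, verify result 0")

if __name__ == "__main__":
    for raw in SAMPLES:
        info = parse_line(raw)
        print(info["url"], "->", diagnose(info))
```
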

Show your Backup config please.

Have you selected your NC IP address or FQDN?

March 25, 2021, 03:20:50 AM #26 Last Edit: November 21, 2021, 06:38:47 AM by pankaj
Quote from: Flyinace2000 on March 12, 2021, 01:33:11 AM
I think I'm having the same issue.  I've tried w/ both my actual username/password and the application specific generated credentials.  Here are the relevant logs

2021-03-11T19:26:40   config[36701]   {"url":"https:\/\/nextcloud.willsisti.com\/ocs\/v1.php\/cloud\/user","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":0,"redirect_count":0,"total_time":60.00686,"namelookup_time":0.000374,"connect_time":0,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"","certinfo":[],"primary_port":0,"local_ip":"","local_port":0,"http_version":0,"protocol":0,"ssl_verifyresult":0,"scheme":"","appconnect_time_us":0,"connect_time_us":0,"namelookup_time_us":374,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":60006860}   
2021-03-11T19:26:40   config[36701]   Cannot get real username

I was getting the same error and resolved it with following steps:
1. From profile icon (NextCloud account), under Security create an app specific password
2. In OPNSense add following items:
a. Enable backup under NextCloud
b. URL: https://nextcloud.willsisti.com  (mine is with linuxfabrik.io just in case you want to give it a try)
c. Username: your email for NC account
d. Password: generated in step 1)
e. Encryption: leave it blank for now but change it later
f. Directory name: leave blank for now to save at the root but you can change it later
3. Click on Setup/Test, and wait a few seconds for the backup to be created and uploaded to the root directory of the NC account

The above steps worked for me, hope it solves your problem.

March 27, 2021, 06:22:03 PM #27 Last Edit: March 27, 2021, 06:26:34 PM by zibloon
Hello and thanks for your answers,

Quote from: lfirewall1243 on March 24, 2021, 09:27:13 PM
Show your Backup config please.


  • Enable = ticked
  • URL = https://192.168.8.13
  • User Name = <username>
  • Password = <app_generated_password_for_username>
  • Encryption Password = blank
  • Directory Name = opnsense_backup

Quote from: lfirewall1243 on March 24, 2021, 09:27:13 PM
Have you selected your NC IP address or FQDN?

I have selected the IP (192.168.8.13) because my nextcloud is only accessible through LAN (not opened to the internet)

Quote from: pankaj on March 25, 2021, 03:20:50 AM
I was getting the same error and resolved it with following steps:
1. From profile icon (NextCloud account), under Security create an app specific password
2. In OPNSense add following items:
a. Enable backup under NextCloud
b. URL: https://nextcloud.willsisti.com  (mine is with linuxfabrik.io just in case you want to give it a try)
c. Username: your email for NC account
d. Password: generated in step 1)
e. Encryption: leave it blank for now but change it later
f. Directory name: leave blank for now to save at the root but you can change it later
3. Click on Setup/Test, and wait a few seconds for the backup to be created and uploaded to the root directory of the NC account

The above steps worked for me, hope it solves your problem.

I did exactly the same except I am using the IP of Nextcloud (it has no FQDN) and the Directory Name which can't be left blank (or it generates the error "The Backup Directory can only consist of alphanumeric characters, dash, underscores and slash. No leading or trailing slash.")

I am pretty sure this is a certificate issue. Again, my Nextcloud is not accessible from the internet so I am using self-signed certificate which was generated during installation of Nextcloud (not corresponding to a FQDN). I had no problem to import this certificate in Firefox or Thunderbird though...

Any clue?

Thanks for any help!

Quote from: zibloon on March 27, 2021, 06:22:03 PM
Hello and thanks for your answers,

Quote from: lfirewall1243 on March 24, 2021, 09:27:13 PM
Show your Backup config please.


  • Enable = ticked
  • URL = https://192.168.8.13
  • User Name = <username>
  • Password = <app_generated_password_for_username>
  • Encryption Password = blank
  • Directory Name = opnsense_backup

Quote from: lfirewall1243 on March 24, 2021, 09:27:13 PM
Have you selected your NC IP address or FQDN?

I have selected the IP (192.168.8.13) because my nextcloud is only accessible through LAN (not opened to the internet)

Quote from: pankaj on March 25, 2021, 03:20:50 AM
I was getting the same error and resolved it with following steps:
1. From profile icon (NextCloud account), under Security create an app specific password
2. In OPNSense add following items:
a. Enable backup under NextCloud
b. URL: https://nextcloud.willsisti.com  (mine is with linuxfabrik.io just in case you want to give it a try)
c. Username: your email for NC account
d. Password: generated in step 1)
e. Encryption: leave it blank for now but change it later
f. Directory name: leave blank for now to save at the root but you can change it later
3. Click on Setup/Test, and wait a few seconds for the backup to be created and uploaded to the root directory of the NC account

The above steps worked for me, hope it solves your problem.

I did exactly the same except I am using the IP of Nextcloud (it has no FQDN) and the Directory Name which can't be left blank (or it generates the error "The Backup Directory can only consist of alphanumeric characters, dash, underscores and slash. No leading or trailing slash.")

I am pretty sure this is a certificate issue. Again, my Nextcloud is not accessible from the internet so I am using self-signed certificate which was generated during installation of Nextcloud (not corresponding to a FQDN). I had no problem to import this certificate in Firefox or Thunderbird though...

Any clue?

Thanks for any help!
You'll need to import your self signed cert on the OPNsense

Quote from: zibloon on March 27, 2021, 06:22:03 PM

I did exactly the same except I am using the IP of Nextcloud (it has no FQDN) and the Directory Name which can't be left blank (or it generates the error "The Backup Directory can only consist of alphanumeric characters, dash, underscores and slash. No leading or trailing slash.")

I am pretty sure this is a certificate issue. Again, my Nextcloud is not accessible from the internet so I am using self-signed certificate which was generated during installation of Nextcloud (not corresponding to a FQDN). I had no problem to import this certificate in Firefox or Thunderbird though...

Any clue?

Since this (Nextcloud) is a built-in integration, it would not surprise me if the developers leaned in favor of security, in which case self-signed certificates may not work. Here are a few ways to try different things:
1. Use a service like "Let's Encrypt" to make a FQDN work, just in case the above premise is true - https://www.youtube.com/watch?v=IR41duTqN6Y
2. Since this is an internal LAN, there are other ways to make things reliable, like isolating machines using VLANs; then you can use a simple local archive or rsync to move configuration files between machines.

While I understand that https is more secure than http, overusing it on a LAN is the equivalent of adding a bolted lock on each cabinet inside the house. But if there are legit reasons for you to use https for every service on the LAN, then you may want to rethink the topology again.

In my house, I have a few VLANs which provide such convenience:
- GuestWiFi is the most restrictive VLAN and does not have access to any other LAN/VLANs
- IoTs have some restricted services available (mostly on host basis)
- Working machines have most liberal access
- Management machines are also very restrictive, and this VLAN is used for managing L2 switches and iDRAC for server machines. On this VLAN, I collect all the logs centrally and do not feel the need to use https because it is isolated from other subnets using VLAN.

Hope this helps.