Backup: Nextcloud configuration

[rwbrt]

Hi,

I'm facing the same issue or at least it looks the same from the error.

I'd like to backup to my self-hosted Nextcloud instance. It's publicly reachable with a valid Letsencrypt SSL certificate. There's a NAT in place mapping port 443 to the k8s ingress.

While it's working fine from the LAN, WAN and Guest-LAN I cannot reach the NC service from the OpnSense appliance itself:

Code: [Select]

root@OPNsense:~ # nc -v opnsense.org 443
Connection to opnsense.org 443 port [tcp/https] succeeded!

root@OPNsense:~ # nc -v my-nextcloud.xyz 443
nc: connect to my-nextcloud.xyz port 443 (tcp) failed: Operation timed out

I'm probably missing the obvious, but I just can't figure out why this wouldn't work.... 

Update: I create a DNS override for *.my-nextcloud.xyz (this is just an example, obviously) which seems to do the trick. I'd still be interested why it didn't work without that, but at least it's working now...

[drewhemm]

I went through the process of creating a CA and cert for Nextcloud in OPNsense and installing it on my Nextcloud instance. Still did not work. The reason is that the HTTPS communication is handed off to curl, so it is necessary to do the following:

Code: [Select]

vi /usr/local/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
add the following lines to the curl_setopt_array:

Code: [Select]

CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_SSL_VERIFYPEER => false,
This is how the array looks now:

Code: [Select]

curl_setopt_array($curl, array(
    CURLOPT_URL => $url,
    CURLOPT_CUSTOMREQUEST => $method, // Create a file in WebDAV is PUT
    CURLOPT_RETURNTRANSFER => true, // Do not output the data to STDOUT
    CURLOPT_VERBOSE => 0,           // same here
    CURLOPT_MAXREDIRS => 0,         // no redirects
    CURLOPT_TIMEOUT => 60,          // maximum time: 1 min
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_USERPWD => $username . ":" . $password,
    CURLOPT_SSL_VERIFYHOST => false,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_HTTPHEADER => $headers
));
After doing this, I was able to backup my config to my Nextcloud instance without error.

It would be nice if this was driven by a 'Skip SSL verification' checkbox in the UI, which would require the following changes in the PHP code:

Code: [Select]

public function curl_request(
        $url,
        $username,
        $password,
        $method,
        $error_message,
        $postdata = null,
        $headers = array("User-Agent: OPNsense Firewall"),
        $verify_ssl = true # additional parameter
    ) {
        $curl = curl_init();
        curl_setopt_array($curl, array(
            CURLOPT_URL => $url,
            CURLOPT_CUSTOMREQUEST => $method, // Create a file in WebDAV is PUT
            CURLOPT_RETURNTRANSFER => true, // Do not output the data to STDOUT
            CURLOPT_VERBOSE => 0,           // same here
            CURLOPT_MAXREDIRS => 0,         // no redirects
            CURLOPT_TIMEOUT => 60,          // maximum time: 1 min
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_USERPWD => $username . ":" . $password,
            CURLOPT_SSL_VERIFYHOST => $verify_ssl, // verify ssl unless explicitly asked not to
            CURLOPT_SSL_VERIFYPEER => $verify_ssl, // same here
            CURLOPT_HTTPHEADER => $headers
        ));

        // Code continues as before...   
    }

Alternatively, it is possible to tell curl which CA certificate to trust:

Code: [Select]

curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/cacert.pem');
That way, verification can be kept on, but a custom CA cert can be used.

One of these methods will be required when using a Nextcloud instance in an isolated network where Let's Encrypt won't work (because it requires a publicly-resolvable DNS record) and self-signed or private CA certs will not work out of the box.

[shelter_]

I created an account just to give you a high five for solving my problem.  I hope we don't have backup issues once OPNsense updates.  Anyway, thanks for the fix!

[fabian]

@drewhemm by default, curl uses the system's cert store. Where you can install the certificates and it will work. It is far better than building a backdoor or use it in a way that it will not survive the next update.

[mainmachine]

I've registered just to add this:

I had the same "Cannot get real username" error, but in my case I was already using an FQDN and a trusted Letsencrypt cert.

The root cause for me was that the directory I chose already existed, and the solution was to remove that directory in NC and then re-run the "Setup/Test" again. Doing so, the test succeeded and the directory was created and populated with a single XML backup on my NC server.

[Flyinace2000]

I've registered just to add this:

I had the same "Cannot get real username" error, but in my case I was already using an FQDN and a trusted Letsencrypt cert.

The root cause for me was that the directory I chose already existed, and the solution was to remove that directory in NC and then re-run the "Setup/Test" again. Doing so, the test succeeded and the directory was created and populated with a single XML backup on my NC server.

I'm back working on this.  This still returned the same error for me in the logs. 

My NC instance is running on an UnRaid server (docker) and uses SWAG (letsencrypt) for the reversely proxy and cents.  Both machines are on the same subnet.

[fabian]

This is the OCS API:
https://github.com/opnsense/plugins/blob/master/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php#L283

It is used to get the real user id if the user is an LDAP user.
However it might be a sign, that your server is misconfigured, not reachable or OPNsense does not trust that particular certificate (afaik there was an issue with some LE certificates).

[slackadelic]

I had the exact same issue that most of you are having, however, when looking at the previous version of OPNsense and then comparing it to the changes for this latest upgrade, there wasn't anything that stuck out to me that would cause this.

I then decided to check https://docs.opnsense.org for Backup configuration when it comes to Nextcloud.

Right there in the docs was the smoking gun.  Generating an app password.   
Once I generated the app password, submitted that to Nextcloud, then updated OPNsense configuration to use that for the account for backup, WHAM!  Works a charm.

Hope this helps someone else!

[ChrisChros]

@drewhemm by default, curl uses the system's cert store. Where you can install the certificates and it will work. It is far better than building a backdoor or use it in a way that it will not survive the next update.

Hi,
I am also not able to store my backup within Nextcloud. Nextcloud is running as a plugin in TrueNAS with its own IP. It looks like that SSL is activated during the installation process. When I type in the IP to the browser it will show https://192.168.1.18.
Within TrueNAS I exported the certificate and the privat key. In OPNsense I added a new certificat in SYSTEM: TRUST: CERTIFICATES and imported the content of both files to the related fields.

After that I tried to save and test my nextcloud backup configuration but I still get the message

Code: [Select]

The following input errors were detected:
Saved settings, but remote backup failed.

Can someone please assist to get every thing running without creating backdoors

[fabian]

You need a trusted root certificate or a certificate that is signed by a trusted public root CA.

[MarBec]

I have a similar problem with the NextCloud plugin.
Our nextcloud runs with a valid Let's Encrypt certificate and is available over the internet.
I imported the certificates into opnsense, just to test. The whole chain and even the server certificate.
That didn't work.
Interestingly our ssl_verify_result is *1* . One is not even a valid error, according to some documentation the command should return 0 for "AOK" or 2+ for various error codes. 1 seems to be a "misc error".

Nextcloud is set up with LDAP. The user used has been logged in once and has all needed permissions and enough space provisioned.
Tested with the target folder existing and not existing.
Tested with the "CURL_SSL" options further up in this thread, but that changed nothing.

Here is the whole edited result:

Code: [Select]

{"url":"https:\/\/[URL REDACTED]\/ocs\/v1.php\/cloud\/user","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":1,"redirect_count":0,"total_time":0.009638,"namelookup_time":0.000617,"connect_time":0.00078,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"[IP REDACTED]","certinfo":[],"primary_port":443,"local_ip":"[IP REDACTED]","local_port":13732,"http_version":0,"protocol":2,"ssl_verifyresult":0,"scheme":"HTTPS","appconnect_time_us":0,"connect_time_us":780,"namelookup_time_us":617,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":9638}
I don't like to necro a thread, but this seems to be something else wrong with the plugin?

[olafj]

Same here. Nextcloud runs in Proxmox in the home network. A solution would be very nice.

[t-i-m]

Hello,

We are on OPNsense 22.1.6-amd64 with OpenSSL and facing this problem, too.

Our Nextcloud is a plain stand-alone installation, no NAS plugin, Docker or something else.

The Nextcloud's certificate was created with our OPNsense internal CA. Nevertheless the backup on our Nextcloud fails with "ssl_verify_result":20.

A quick test via SSH with curl und openssl s_client also fails.

Code: [Select]

curl: (60) SSL certificate problem: unable to get local issuer certificate

openssl: Verify return code: 21 (unable to verify the first certificate)
As the Nextcloud’s certificate was provided by OPNsense internal CA it looks like OPNsense doesn’t trust itself anymore.

THX
Tim

[fabian]

If that is the case, create a bug ticket for OPNsense core. CAs in Trust should work.

[olthana]

Hi,

I had the same issue and find a way throught. If like me you are on local env and don't want to struggle with cert, in opnsense backup config for nextcloud, just remove the "s" of https of your NextCloud URL. It works for me.