
#1 2019-04-01 23:35:27

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272
Website

Client Cert for Nextcloud

UPDATE:

Apparently the Nextcloud client has known issues with client certs.

One suggestion I got was to use a VPN instead.

If you find a way to do that please post your findings.

-OP

***


I am experimenting with client TLS certificates for a home project.
My test server is an Arch LAMP server running Nextcloud 15.
I am my own CA and getting Firefox to accept my client cert was easy.
However I cannot get my Nextcloud client to accept my client cert.
It offers to configure a client cert but then it goes back to the same screen.
The error message is unable to connect.

My question is did I create the client package correctly?
If so, do I have to do it differently for Nextcloud?

Creating the client package

openssl pkcs12 -export \
  -in certs/client.crt \
  -inkey certs/client.key \
  -certfile ca/ca-chain.pem \
  -name "Client Cert" \
  -out certs/client.p12 \
  -caname "3rd CA" \
  -caname "2nd CA" \
  -caname "Root CA"
----------------------------------------------
Enter Export Password: ****
Verifying - Enter Export Password: ***

Firefox config

Open menu > Preferences > Privacy & Security > Certificates > View Certificates

    Enable     Select one automatically
    Disable    Query OCSP responder ...

    > Authorities > Import

        open root-ca.crt
        authorize to identify web sites

    > Your Certificates > Import

        open client.p12
        enter passwd

Last edited by lenhuppe (2019-05-08 09:45:02)


Why do we drive on the parkway and then park in the driveway?

Offline

#2 2019-04-02 12:59:50

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Client Cert for Nextcloud

Hey, I remember from a little while back you wanted this.
You've discovered the downside of self-signed certs: 'no one' knows about the chain.
What I would do is not add the CA to every app capable of storing it, unless, f.i., Firefox is all you need of course.
The most convenient way to use it for all apps is to add it to the system CA store and trust it.
Have a look at https://wiki.archlinux.org/index.php/Tr … management

I glanced over your command but haven't tested it; it looks okay to me.

The commands I used to extract the p12 archive (edit2):

openssl pkcs12 -in nextcloud-crt.p12 -nodes -out nextcloud.key -nocerts
openssl pkcs12 -in nextcloud-crt.p12 -clcerts -nokeys -out nextcloud.pem
cp nextcloud.pem nextcloud.crt

edit: removed command to extract cert. not export, sigh.
edit2: decided to add the way I extract the archive anyway

Last edited by qinohe (2019-04-02 13:34:41)

Offline

#3 2019-04-02 18:04:35

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272
Website

Re: Client Cert for Nextcloud

qinohe wrote:

Hey, I remember from a little while back you wanted this.
You've discovered the downside of self-signed certs: 'no one' knows about the chain.
What I would do is not add the CA to every app capable of storing it, unless, f.i., Firefox is all you need of course.
The most convenient way to use it for all apps is to add it to the system CA store and trust it.
Have a look at https://wiki.archlinux.org/index.php/Tr … management

I glanced over your command but haven't tested it; it looks okay to me.

The commands I used to extract the p12 archive (edit2):

openssl pkcs12 -in nextcloud-crt.p12 -nodes -out nextcloud.key -nocerts
openssl pkcs12 -in nextcloud-crt.p12 -clcerts -nokeys -out nextcloud.pem
cp nextcloud.pem nextcloud.crt

edit: removed command to extract cert. not export, sigh.
edit2: decided to add the way I extract the archive anyway

Hi qinohe,

Yes, I created my own CA and I am running into the limitations of self-signed certs.
Some applications are ok with that approach and others are a challenge.


Why do we drive on the parkway and then park in the driveway?

Offline

#4 2019-05-01 18:56:08

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Client Cert for Nextcloud

Hey Lenhuppe,

UPDATE:

Apparently the Nextcloud client has known issues with client certs.

***

Could you be more specific, if you will ;-)? The only system I have trouble with is Android.
That is, my devices are not rooted, so for this one I use a local VPN server to reach the cloud, but everything else is playing nice, even Windows.
So if you elaborate a little more on what you have issues with, we may find a solution together...

Offline

#5 2019-05-02 00:00:07

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272
Website

Re: Client Cert for Nextcloud

qinohe wrote:

Hey Lenhuppe,

UPDATE:

Apparently the Nextcloud client has known issues with client certs.

***

Could you be more specific, if you will ;-)? The only system I have trouble with is Android.
That is, my devices are not rooted, so for this one I use a local VPN server to reach the cloud, but everything else is playing nice, even Windows.
So if you elaborate a little more on what you have issues with, we may find a solution together...

In my travels to find an answer I found this post https://github.com/nextcloud/desktop/issues/863 along with numerous comments/complaints that client certs were broken. With that knowledge I moved on to other things. If you know how to get client certs working that's great. I had wondered if I was even creating mine correctly.

What can you say about creating client certs at home using a private PKI?


Why do we drive on the parkway and then park in the driveway?

Offline

#6 2019-05-02 11:09:25

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Client Cert for Nextcloud

Right, so you have installed the desktop client to reach your Nextcloud server, I presume ;-).
You used the wizard to create an account and you got something like '400 bad request'.
Well, using self-signed chains is somewhat more work because you need to distribute all certs (CA, leaf etc.) yourself.
Also, when creating the certs you need to use the correct 'SAN/common name' and they should hold the correct values; there can be no doubt about that, clients can/will/may trip over that, leaving you with an untrusted chain.
I don't know how you created your chains, but it could be of some help to use tools that show the process to get a visual picture of what you are doing; you don't have to, but it may/will help....
If you would use a system like OPNsense or pfSense and create your own local domain with them, they come with tools to enroll your own chains; this is very visual and will give insight into how they should be created... my 50 cents, of course... What I mean is using the openssl tools won't give you a visual picture, but the above tools do for certain ;-)

What should I say about PKI that's not already clear to you? That said, PKI is a Public Key Infrastructure, and is basically what you are building yourself. It is based on asymmetric keys, a private key and a public key. The public key is distributed; the private key is what it says, private. You can encrypt data with the public key, which in turn can only be decrypted if you have the private key. If you don't have the private key you won't be able to decrypt the data with the public key, and it is considered 'safe/trusted' to send to the recipient that holds the private key.

Offline
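A worked example added here, not commands from either poster: it builds a throwaway two-level CA, issues a client cert with a clientAuth EKU and an explicit SAN (the fields the reply above says clients trip over), bundles it into PKCS#12 with the chain the way the OP's command does, and then checks the chain and the bundle contents. It assumes openssl 1.1.1 or later on PATH; every name, path and password in it is constructed.

```shell
#!/bin/sh
# Added example (not the posters' commands): throwaway two-level CA, client
# cert with clientAuth EKU plus SAN, PKCS#12 bundle with the chain, then checks.
# Assumes openssl 1.1.1+ on PATH; every name, path and password is constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Root CA (self-signed via x509 -req so the extensions come only from ca.ext)
# and an intermediate CA signed by the root.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Home Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Home Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.ext -out inter.crt 2>/dev/null

# Client (leaf) cert: EKU clientAuth and a SAN, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=home-laptop" \
  -keyout client.key -out client.csr 2>/dev/null
printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
  'extendedKeyUsage=clientAuth' 'subjectAltName=email:user@home.example' > client.ext
openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 365 -extfile client.ext -out client.crt 2>/dev/null

# Bundle as in the OP's command (-caname friendly names are optional, so omitted).
cat inter.crt root.crt > ca-chain.pem
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca-chain.pem \
  -name "Client Cert" -passout pass:changeit -out client.p12

# Checks to run before blaming the app: does the leaf verify as a TLS client
# cert up to the root, did all three certs land in the bundle, and does the
# leaf carry the clientAuth EKU?
chain_ok() { openssl verify -purpose sslclient -CAfile root.crt -untrusted inter.crt client.crt >/dev/null 2>&1; }
p12_cert_count() {
  openssl pkcs12 -in client.p12 -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
has_client_auth() { openssl x509 -in client.crt -noout -text | grep -q 'TLS Web Client Authentication'; }

chain_ok && echo "chain verifies for purpose sslclient"
echo "certificates in client.p12: $(p12_cert_count)"   # 3
has_client_auth && echo "leaf carries the clientAuth EKU"
```

If chain_ok fails on a real bundle, the problem is in the CA/leaf files, not in the Nextcloud client; the same three checks apply to the p12 exported with the OP's command after extracting it with the pkcs12 -nokeys/-nocerts commands from reply #2.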

#7 2019-05-05 00:39:24

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272
Website

Re: Client Cert for Nextcloud

qinohe wrote:

Right, so you have installed the desktop client to reach your Nextcloud server, I presume ;-).
You used the wizard to create an account and you got something like '400 bad request'.
Well, using self-signed chains is somewhat more work because you need to distribute all certs (CA, leaf etc.) yourself.
Also, when creating the certs you need to use the correct 'SAN/common name' and they should hold the correct values; there can be no doubt about that, clients can/will/may trip over that, leaving you with an untrusted chain.
I don't know how you created your chains, but it could be of some help to use tools that show the process to get a visual picture of what you are doing; you don't have to, but it may/will help....
If you would use a system like OPNsense or pfSense and create your own local domain with them, they come with tools to enroll your own chains; this is very visual and will give insight into how they should be created... my 50 cents, of course... What I mean is using the openssl tools won't give you a visual picture, but the above tools do for certain ;-)

What should I say about PKI that's not already clear to you? That said, PKI is a Public Key Infrastructure, and is basically what you are building yourself. It is based on asymmetric keys, a private key and a public key. The public key is distributed; the private key is what it says, private. You can encrypt data with the public key, which in turn can only be decrypted if you have the private key. If you don't have the private key you won't be able to decrypt the data with the public key, and it is considered 'safe/trusted' to send to the recipient that holds the private key.

Yes, I did have a Nextcloud server running for a little while. In the process I dove into the self-signed certs arena enough that I had HTTP/2 and SSL running on my home network. That worked ok until I was ready to get my server on the net and accessible from my cell phone. I never got Android to work with my client cert and I eventually walked away from Nextcloud altogether.

I will look into your suggestions for a router / domain controller to replace my Linksys Velop which has too many limitations. I agree that a private PKI is going to become unmanageable as my network grows. Especially now that I have an LXD server running with plans to deploy servers on the net.


Why do we drive on the parkway and then park in the driveway?

Offline

#8 2019-05-05 12:17:53

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Client Cert for Nextcloud

As soon as your server is facing the Web/Internet I suggest you start using something like Let's Encrypt for your domain.
You don't have to, but self-signed chains are not really meant to be used outside your intranet/home net.
Android will be a problem until Google decides CA or leaf certs can be added to the system store, which ATM you can only achieve by rooting the device.
So there is no other way than to trust the cert; this is also in the Nextcloud Android guide.
You can also set up an OpenVPN (road warrior) with a self-signed chain, then reach your local net through the VPN and then have access to your local cloud. (This I use ;)
But then you'd still need to accept the cert for Nextcloud unless you root your device.
Spam Google to address this issue so we are able to add CAs to the system store ;-)
They probably have their reasons, but I think they should open up and let us judge about that ourselves.

Offline

#9 2019-05-05 14:25:08

lenhuppe
Member
From: New Hampshire USA
Registered: 2018-12-10
Posts: 272
Website

Re: Client Cert for Nextcloud

qinohe wrote:

As soon as your server is facing the Web/Internet I suggest you start using something like Let's Encrypt for your domain.
You don't have to, but self-signed chains are not really meant to be used outside your intranet/home net.
Android will be a problem until Google decides CA or leaf certs can be added to the system store, which ATM you can only achieve by rooting the device.
So there is no other way than to trust the cert; this is also in the Nextcloud Android guide.
You can also set up an OpenVPN (road warrior) with a self-signed chain, then reach your local net through the VPN and then have access to your local cloud. (This I use ;)
But then you'd still need to accept the cert for Nextcloud unless you root your device.
Spam Google to address this issue so we are able to add CAs to the system store ;-)
They probably have their reasons, but I think they should open up and let us judge about that ourselves.

Sound advice for sure.

My position on Google is that we need alternatives. Unless and until there is a Linux-friendly alternative to Android, I don't believe that Google will change their stance. At least not very much. Having said that I hope to be proven wrong.

Meanwhile my Arch desktop and LXD server present me with no shortage of challenges. Every time I turn around I think of something that I need to learn. I wish now that I had learned software in the beginning and not hardware.


Why do we drive on the parkway and then park in the driveway?

Offline

#10 2019-05-05 15:22:18

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Client Cert for Nextcloud

I hope you're proven wrong too ;-)

There would be another way, but that would involve the developers of the Nextcloud Android app creating an import of the chain you use for Nextcloud.
OpenVPN is actually using this method with their app on Android and it works very well; maybe open a ticket on their GitHub... (Nextcloud-Android)

I'm happy with and trust my own workarounds but the above solution would definitely be much better.

Offline
