Setup SSL (https) for ownCloud (info.dump)

Here is another info.dump with directions on how to set up SSL on your ownCloud server.  This will greatly improve the security of your server by not allowing an attacker to intercept your password in plain text over the internet. If you are going to be using ownCloud outside of a private LAN, this is a must!

NOTE: Most of these directions were found here on the ‘Ubuntu Server Guide’ site…

http://ubuntuserverguide.com/2013/04/how-to-setup-owncloud-server-5-with-ssl-connection.html

Server is assumed to be running Linux (Ubuntu 12.04).

Change to ‘root’:
sudo -i

Edit file /etc/apache2/sites-enabled/000-default,  change AllowOverride None to AllowOverride All.

You should edit the section of the file to look like this:
DocumentRoot /var/www
Options FollowSymLinks
AllowOverride All

You will need to enable the Apache modules mod_rewrite, mod_headers and mod_ssl. To enable all three, use the following command:
a2enmod rewrite && a2enmod headers && a2enmod ssl

Restart apache2 daemon:
service apache2 restart

Edit the configuration file /etc/ssl/openssl.cnf:
Change the following lines in the file so they contain the following values:

dir = /root/SSLCertAuth
default_days = 3650
default_bits = 2048
countryName_default = US
0.organizationName_default = "Organization Name"

Create a directory to hold the SSL Certificate Authority, in this case named SSLCertAuth:

mkdir /root/SSLCertAuth
chmod 700 /root/SSLCertAuth
cd /root/SSLCertAuth
mkdir certs private newcerts
echo 1000 > serial
touch index.txt

To generate the Certificate Authority (CA) run the following:
Note: Be sure to enter your PEM passphrase and record it in a secure location. Also, make sure that you fill in the correct information for your cert. The common name will be your site's external address.

openssl req -new -x509 -days 3650 -extensions v3_ca \
-keyout private/cakey.pem -out cacert.pem \
-config /etc/ssl/openssl.cnf

Create a Certificate Signing Request:

openssl req -new -nodes \
-out apache-req.pem \
-keyout private/apache-key.pem \
-config /etc/ssl/openssl.cnf

Generate the certificate:

openssl ca \
-config /etc/ssl/openssl.cnf \
-out apache-cert.pem \
-infiles apache-req.pem

Copy the files to directory /etc/ssl:

mkdir /etc/ssl/crt
mkdir /etc/ssl/key
cp /root/SSLCertAuth/apache-cert.pem /etc/ssl/crt
cp /root/SSLCertAuth/private/apache-key.pem /etc/ssl/key

Configure the HTTPS apache2 web server: create the SSL log directory and create a new file /etc/apache2/conf.d/owncloud5-ssl.conf to add the SSL virtualhost:

mkdir /var/www/logs
touch /etc/apache2/conf.d/owncloud5-ssl.conf

Edit the file with the following info:

<VirtualHost *:443>
ServerName "Server IP"
SSLEngine on
SSLCertificateFile /etc/ssl/crt/apache-cert.pem
SSLCertificateKeyFile /etc/ssl/key/apache-key.pem
DocumentRoot /var/www/owncloud
CustomLog /var/www/logs/ssl-access_log combined
ErrorLog /var/www/logs/ssl-error_log
</VirtualHost>

Restart the apache2 server:

service apache2 restart

That is it! Now go to your ownCloud page with https:// and you should have a secure connection!

NOTES:

  • You will need to make sure that you have your NAT forwarding port 443 to your server to allow the secure traffic to reach it.
  • If this does not work (e.g. you don't get a web page) you may need to make sure that you have the correct info entered in /etc/apache2/conf.d/owncloud5-ssl.conf under DocumentRoot /var/www/owncloud. I have seen this location possibly be different if you did not install using the ownCloud repo (see my other post on installing ownCloud for the right way to do it: https://atari911.com/2013/07/29/install-owncloud-info-dump/).
  • You will see a red X over the https://. This is because we are using a “self-signed certificate” and it was not verified with a trusted authority. All this means is that the world wide web does not trust you because you are not a big, money hungry corporation. This message can be safely ignored because if you can't trust yourself, who can you trust?
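
Since the browser cannot vouch for this certificate, the server-side files are the only reference for what clients should see. The script below is an added example, not part of the original post: it checks that the certificate verifies against the CA created above, that the key matches it, that the copied key is not readable by other users, and prints the SHA-256 fingerprint to compare with the one the browser shows before accepting the warning. The function names and the script name are illustrative.

```shell
#!/bin/sh
# Added example: sanity checks for the files created by the steps above.
# Function names are illustrative; paths are passed in as arguments.

# chain_ok CA CERT: succeeds only if CERT verifies against CA.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_matches_cert KEY CERT: succeeds if both hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private KEY: succeeds if group and other have no permission bits.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# cert_fingerprint CERT: prints the SHA-256 fingerprint (AA:BB:...).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_deployment CA CERT KEY: runs every check, returns 1 if any failed.
check_deployment() {
    rc=0
    chain_ok "$1" "$2" || { echo "FAIL: $2 is not signed by $1"; rc=1; }
    key_matches_cert "$3" "$2" || { echo "FAIL: $3 does not match $2"; rc=1; }
    key_is_private "$3" || { echo "FAIL: $3 is accessible by group/other; chmod 600 it"; rc=1; }
    echo "SHA-256 fingerprint of $2: $(cert_fingerprint "$2")"
    return $rc
}

# Usage: sh check-cert.sh CA CERT KEY
if [ "$#" -eq 3 ]; then check_deployment "$1" "$2" "$3"; fi
```

Run it as root with /root/SSLCertAuth/cacert.pem, /etc/ssl/crt/apache-cert.pem and /etc/ssl/key/apache-key.pem as the three arguments. A key copied with plain cp usually ends up mode 644, which the permission check reports.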