[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

acook8103

Dabbler
Joined
Mar 6, 2012
Messages
12
I upgraded to 8.1.1 (Surprisingly BSD and Linux are supported).

Could use some help on this though. View attachment 8406

I just fixed this for myself last night.

Following the Docker config here, I just linked the system CA Root to the desired location.

# ln -s /usr/local/share/certs/ca-root-nss.crt /usr/local/www/owncloud/config/ca-bundle.crt
 

Krowvin

Explorer
Joined
Jul 24, 2014
Messages
60
I'll look into the ca-bundle fix more when I get home. I was typing off a fast response this morning.

I tried pinging Google and it worked. I have no problems connecting to the server and uploading or downloading on the browser. All the research I did on the Internet connectivity warning came from people with unresponsive admin pages using older versions of ownCloud. So I apologize if it's not FreeNAS related. I just figured this post is #1 since you all have the same configuration you may experience the same problems.


I had two other warnings when I updated. One was in regard to memory caching. Supposedly ownCloud stopped using the local cache for performance gains. @Joshua Parker Ruehlig has updated his guide to fix this. I believe I also went back through the guide and added a few more packages as well as updated some configuration files.

The third problem was related to HSTS and to fix it you add a single line (to my knowledge) to the nginx.conf file in /usr/local/etc/nginx/nginx.conf

Sorry I'm on my mobile and this keyboard is lacking.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
HSTS just leaves a cookie on browsers saying this domain will always be HTTPS until the cookie expires, so it's up to you if you want it. It's good if someone connects to your OC and a man-in-the-middle takes off the SSL layer.

doesn't help if it's the first time they visit your domain with that browser though.
 

Krowvin

Explorer
Joined
Jul 24, 2014
Messages
60
# ln -s /usr/local/share/certs/ca-root-nss.crt /usr/local/www/owncloud/config/ca-bundle.crt
Thanks for this! Seemed to work.

You give a better explanation than what I read last night about HSTS @Joshua Parker Ruehlig, but if it's not too much overhead and you do log in to your ownCloud out in public, school, or even work, why not add the line? Is there overhead I'm not aware of? o_O


Here's what I added to the server block of my nginx.conf
Code:
add_header Strict-Transport-Security max-age=15768000;


Bonus for Residential Users
And in terms of HTTPS I host my ownCloud instance from a residential service line. So for me port 80 is blocked. To fix this I route traffic through a VPS. (I also host my main website on the VPS so it works out)

Added as a separate server block
Code:
server {
    listen 80;
    listen [::]:80;
    server_name yourdomainname.com subdomain.domain.com;
    return 301 https://$host$request_uri;
}

301 is a permanent redirect so the browser will remember to use HTTPS next time.

If you have another way of doing this I'd love to see/read it.
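A way to confirm that the two nginx changes in the post above took effect, as an added example that is not part of the original post. The function names, the sample responses and the host name in the comment are assumptions made for illustration; the max-age threshold is the value from the post.

```shell
#!/bin/sh
# Added example: verify the HSTS header and the port-80 redirect from response
# headers. Feed it real output with: curl -sI https://your.host/ (hypothetical host).

# Print the max-age value of the Strict-Transport-Security header, if any.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F': *' '
        tolower($1) == "strict-transport-security" {
            n = split($2, part, /; */)
            for (i = 1; i <= n; i++)
                if (tolower(part[i]) ~ /^max-age=/) {
                    sub(/^[^=]*=/, "", part[i]); gsub(/"/, "", part[i])
                    print part[i]; exit
                }
        }'
}

# Classify the HTTPS response: missing header, max-age below $2 seconds, or ok.
hsts_verdict() {
    age=$(hsts_max_age "$1")
    case $age in
        ''|*[!0-9]*) echo "missing" ;;
        *) if [ "$age" -ge "$2" ]; then echo "ok $age"; else echo "short $age"; fi ;;
    esac
}

# Succeed only if the plain-HTTP response is a 301 pointing at an https:// URL.
redirects_to_https() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 { code = $2 }
        tolower($1) == "location:" { loc = $2 }
        END { exit !(code == 301 && loc ~ /^https:\/\//) }'
}

# Constructed sample responses (not captured from a real server).
HTTPS_RESP='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=15768000'
HTTP_RESP='HTTP/1.1 301 Moved Permanently
Location: https://subdomain.domain.com/index.php'

echo "HSTS: $(hsts_verdict "$HTTPS_RESP" 15768000)"
redirects_to_https "$HTTP_RESP" && echo "port 80: redirects to HTTPS" || echo "port 80: no HTTPS redirect"
```

Browsers only honour the Strict-Transport-Security header when it arrives over HTTPS, so run `hsts_verdict` against the HTTPS response and `redirects_to_https` against the port-80 response.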
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
I guess I just never enabled HSTS cause one day I thought I might need to access stuff through HTTP. but, I haven't done this since enabling HTTPS on my sites so I might as well set it. gonna change it now.
 

Krowvin

Explorer
Joined
Jul 24, 2014
Messages
60
I thought I might need to access stuff through HTTP.

I was under the impression if you used a 301 permanent redirect you'd have to pull teeth to get it to switch back to HTTP.

Whenever I do something that I want to test in HTTP I use a fake/quick domain or the IP address. Works fine so long as I comment out the ssl stuff.

I use NOIP as a registrar for the home servers. It allows me to use a subdomain for my home IP and the main domain for my VPS server. Could theoretically run them both as Dynamic IPs if I enabled Dynamic DNS clients on both IPs. (FreeNAS and PFsense both have DynDNS support) -ranting at this point haha

I'm starting to realize how fantastic snapshots are. FreeNAS makes it even easier with a GUI.
 

thefox13

Dabbler
Joined
Sep 15, 2014
Messages
21
can you verify if your jail can connect out?
fetch "https://www.google.com"

if so, maybe it's related to the new SSL verification in 8.1.
https://github.com/owncloud/core/issues/17446
I had to
* set "WITH_OPENSSL_PORT=yes" in /etc/make.conf
* stop php, force uninstalled php and php-curl, curl
* recompile the above (and had to unset an option in curl that conflicts with using the ports SSL)
* start php

Hi Joshua,
I'm trying to fix the "cURL error 60: SSL certificate problem: unable to get local issuer certificate" issue which from what I can tell is related to OpenSSL. I think your above solution will fix it but what exactly are the commands I need to run? I corrected most of the other issues but not sure how to stop, force uninstall, recompile, and then restart. I've also updated all the ports within the owncloud jail so I think all I need to do is your last three steps. I'm also running nginx and will that also need to be recompiled? Any help would be appreciated so I can get the newest Calendar app running!
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Hi Joshua,
I'm trying to fix the "cURL error 60: SSL certificate problem: unable to get local issuer certificate" issue which from what I can tell is related to OpenSSL. I think your above solution will fix it but what exactly are the commands I need to run? I corrected most of the other issues but not sure how to stop, force uninstall, recompile, and then restart. I've also updated all the ports within the owncloud jail so I think all I need to do is your last three steps. I'm also running nginx and will that also need to be recompiled? Any help would be appreciated so I can get the newest Calendar app running!
I think this should do it.
Add 'WITH_OPENSSL_PORT=yes' to /etc/make.conf
Code:
service php-fpm stop
pkg delete -f php56 php56-curl
make install clean -C /usr/ports/ftp/php56-curl
service php-fpm start


I don't remember if I also deleted+recompiled 'curl'.
 

thefox13

Dabbler
Joined
Sep 15, 2014
Messages
21
I think this should do it.
Add 'WITH_OPENSSL_PORT=yes' to /etc/make.conf
Code:
service php-fpm stop
pkg delete -f php56 php56-curl
make install clean -C /usr/ports/ftp/php56-curl
service php-fpm start


I don't remember if I also deleted+recompiled 'curl'.

I've tried the above and it did not solve the problem, so I tried to delete and re-install curl. My issue now seems to be that curl cannot install with the newer OpenSSL with GSSAPI enabled. Once I can figure a way around it, it should work. In the meantime, I've reinstalled the older versions of curl, php56-curl to allow owncloud to run. My latest online findings stated that the updated version of curl should compile with the newer OpenSSL but that does not seem to be the case here and I made sure the ports are updated. I'll post updates once I figure it out.
 

ClassicGOD

Contributor
Joined
Jul 28, 2011
Messages
145
I've tried the above and it did not solve the problem, so I tried to delete and re-install curl. My issue now seems to be that curl cannot install with the newer OpenSSL with GSSAPI enabled. Once I can figure a way around it, it should work. In the meantime, I've reinstalled the older versions of curl, php56-curl to allow owncloud to run. My latest online findings stated that the updated version of curl should compile with the newer OpenSSL but that does not seem to be the case here and I made sure the ports are updated. I'll post updates once I figure it out.
I compiled everything including OpenSSL and PHP and PHP-curl from ports and still had the error. Then I did make reinstall clean from /usr/ports/ftp/curl and the problem went away. You did the curl reinstall from pkg or from ports?

If you do curl --version from the jail you should see OpenSSL/1.0.2d
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
I've tried the above and it did not solve the problem, so I tried to delete and re-install curl. My issue now seems to be that curl cannot install with the newer OpenSSL with GSSAPI enabled. Once I can figure a way around it, it should work. In the meantime, I've reinstalled the older versions of curl, php56-curl to allow owncloud to run. My latest online findings stated that the updated version of curl should compile with the newer OpenSSL but that does not seem to be the case here and I made sure the ports are updated. I'll post updates once I figure it out.
I hit this error as well, but don't remember what I did. I think I just disabled GSSAPI_BASE then compiled curl.
Code:
make config install clean -C /usr/ports/ftp/curl
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
I compiled everything including OpenSSL and PHP and PHP-curl from ports and still had the error. Then I did make reinstall clean from /usr/ports/ftp/curl and the problem went away. You did the curl reinstall from pkg or from ports?

If you do curl --version from the jail you should see OpenSSL/1.0.2d
awesome, so 'pkg upgrade curl' might do the trick. =]
 

ClassicGOD

Contributor
Joined
Jul 28, 2011
Messages
145
awesome, so 'pkg upgrade curl' might do the trick. =]
I don't know. AFAIK pkg upgrade still provides curl compiled with OpenSSL 0.9.8z and if I'm not mistaken to fix this error you need curl with OpenSSL 1.0.1 or higher.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
I don't know. AFAIK pkg upgrade still provides curl compiled with OpenSSL 0.9.8z and if I'm not mistaken to fix this error you need curl with OpenSSL 1.0.1 or higher.
Ahh, I misread your post a bit. So compiling curl fixed it for you?

Actually, the fix requires openssl 1.0.2b+
 

ClassicGOD

Contributor
Joined
Jul 28, 2011
Messages
145
Ahh, I misread your post a bit. So compiling curl fixed it for you?
Yea, compiling from ports with WITH_OPENSSL_PORT=yes (I also compiled OpenSSL before curl but I have no idea if that did anything, I basically compiled all of the packages you mention in your instructions just to be sure)
 

thefox13

Dabbler
Joined
Sep 15, 2014
Messages
21
Yea, compiling from ports with WITH_OPENSSL_PORT=yes (I also compiled OpenSSL before curl but I have no idea if that did anything, I basically compiled all of the packages you mention in your instructions just to be sure)
Joshua and Classic, Thanks for the tips. I've run curl --version and it says OpenSSL/0.9.8z so I will need to make sure to get OpenSSL correct before compiling curl. I'll keep you posted.
 

thefox13

Dabbler
Joined
Sep 15, 2014
Messages
21
Classic, curl install from ports is the issue and I am wondering if my OpenSSL is incorrect. I've compiled OpenSSL in /usr/ports/security/openssl with make install clean and then went to /usr/ports/ftp/curl and executed make install clean and still get the same error. Am I missing something with the OpenSSL commands? Thankfully I haven't broken owncloud yet!
 

ClassicGOD

Contributor
Joined
Jul 28, 2011
Messages
145
Classic, curl install from ports is the issue and I am wondering if my OpenSSL is incorrect. I've compiled OpenSSL in /usr/ports/security/openssl with make install clean and then went to /usr/ports/ftp/curl and executed make install clean and still get the same error. Am I missing something with the OpenSSL commands? Thankfully I haven't broken owncloud yet!
you have to go:

make reinstall clean

first for OpenSSL and then curl ports
after you do so verify curl openssl version with curl --version

and remember that before all of this you have to set WITH_OPENSSL_PORT=yes in /etc/make.conf

PS> if you don't want to break your Owncloud install just make a ZFS snapshot of your jail. You can then restore it if needed.
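The `curl --version` check that closes the rebuild procedure above, as an added example that is not part of the original posts. The function names are assumptions made for illustration, the sample version lines are constructed (only the OpenSSL versions come from the thread), and the minimum version is passed in as a parameter.

```shell
#!/bin/sh
# Added example: confirm which OpenSSL a curl build is linked against.
# Real use: check_curl_tls "$(curl --version)" 1.0.2b

# Pull the OpenSSL version token (e.g. 1.0.2d) from the first line of `curl --version`.
curl_openssl_version() {
    printf '%s\n' "$1" | sed -n '1s|.*OpenSSL/\([0-9][0-9.]*[a-z]*\).*|\1|p'
}

# Map an OpenSSL 0.9.x/1.0.x version such as 1.0.2d to one comparable integer.
openssl_key() {
    nums=${1%%[a-z]*}                 # numeric part, e.g. 1.0.2
    letter=${1#"$nums"}               # patch letter(s), e.g. d (may be empty)
    first=${letter%"${letter#?}"}     # only the first letter is compared
    rank=0
    if [ -n "$first" ]; then rank=$(printf '%d' "'$first"); fi
    old_ifs=$IFS; IFS=.
    set -- $nums
    IFS=$old_ifs
    echo $(( ((${1:-0} * 1000 + ${2:-0}) * 1000 + ${3:-0}) * 1000 + rank ))
}

# True when version $1 is the same as or newer than version $2.
openssl_at_least() {
    [ "$(openssl_key "$1")" -ge "$(openssl_key "$2")" ]
}

# Report "ok V", "too-old V" or "no-openssl" for the given version text.
check_curl_tls() {
    found=$(curl_openssl_version "$1")
    if [ -z "$found" ]; then echo "no-openssl"; return 2; fi
    if openssl_at_least "$found" "$2"; then echo "ok $found"; return 0; fi
    echo "too-old $found"; return 1
}

# Constructed sample output; the curl/libcurl/zlib numbers are made up, the
# OpenSSL versions are the ones quoted in the thread.
SAMPLE_OLD='curl 7.43.0 (amd64-portbld-freebsd9.3) libcurl/7.43.0 OpenSSL/0.9.8z zlib/1.2.8'
SAMPLE_NEW='curl 7.43.0 (amd64-portbld-freebsd9.3) libcurl/7.43.0 OpenSSL/1.0.2d zlib/1.2.8'

check_curl_tls "$SAMPLE_OLD" 1.0.2b || true
check_curl_tls "$SAMPLE_NEW" 1.0.2b || true
```

A "too-old" result after rebuilding means the curl binary in the jail is still linked against the base-system OpenSSL rather than the one from ports.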
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
you have to go:

make reinstall clean

first for OpenSSL and then curl ports
after you do so verify curl openssl version with curl --version

and remember that before all of this you have to set WITH_OPENSSL_PORT=yes in /etc/make.conf

PS> if you don't want to break your Owncloud install just make a ZFS snapshot of your jail. You can then restore it if needed.
I don't think we need to be making openssl.
pkg install openssl should get us the latest one.

but, this is a great explanation anyways!
 

thefox13

Dabbler
Joined
Sep 15, 2014
Messages
21
Hmm..I got the calendar app installed but curl --version still reads the older OpenSSL....not sure what is going on but I'm not going to argue with it for now. Anyway, thanks for all the help!
 