
Let the Nextcloud-Container trust custom CAs (e.g. for using LDAPS)

Open lollo0296 opened this issue 2 years ago • 4 comments

This is just a proposal / proof of concept which enables the user to make the aio-nextcloud container trust custom CAs.

The reason for this PR

More info here: https://www.reddit.com/r/NextCloud/comments/wf5f97/ldaps_in_aio_deployment/

The idea

When creating the aio-mastercontainer, either via docker run or via docker-compose, it is possible to point the environment variable TRUSTED_CACERTS_DIR to a directory on the host which contains one or more custom CA certificates.

If the variable is set, it will be passed to the aio-nextcloud container and the given directory will be mounted as a volume under /usr/local/share/ca-certificates/extra. Furthermore, the command update-ca-certificates will be run in order to make the OS update its trusted certification authorities.

The aio-nextcloud container now trusts the given custom CAs. It is now possible, for example, to configure LDAPS against a company domain controller which uses a certificate signed by the company's internal CA.

Trusting custom CAs probably also has other applications / use cases I didn't think about yet.

lollo0296 avatar Aug 04 '22 09:08 lollo0296

Would be nice to get some feedback from you guys @szaimen @juliushaertl ☺

lollo0296 avatar Aug 04 '22 09:08 lollo0296

Thanks for your pull request. From the code perspective this looks good, but as I don't have a way to test it currently, I'll leave the review for @szaimen who'll be back on the 15th.

juliusknorr avatar Aug 04 '22 14:08 juliusknorr

> Thanks for your pull request. From the code perspective this looks good, but as I don't have a way to test it currently, I'll leave the review for @szaimen who'll be back on the 15th.

@juliushaertl I got you.

@szaimen Please get in touch if you have any questions or need help with this PR.

lollo0296 avatar Aug 04 '22 15:08 lollo0296

Guys sorry for the rebase / commit chaos, I am having a 💩 time trying to fix this DCO-Check-Thing. It doesn't want to go away 😫

lollo0296 avatar Aug 04 '22 15:08 lollo0296

Hi @lollo0296 thanks for your PR!

Before I start reviewing/testing this, can you please first check if importing the certificate into Nextcloud's cert store makes it work already? See https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/occ_command.html#security

szaimen avatar Aug 14 '22 19:08 szaimen

> Hi @lollo0296 thanks for your PR!
>
> Before I start reviewing/testing this, can you please first check if importing the certificate into Nextcloud's cert store makes it work already? See https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/occ_command.html#security

@szaimen when importing to the certificate store I would have to import the server certificate itself and not the Certification Authority that issued it, am I right?

lollo0296 avatar Aug 14 '22 22:08 lollo0296

> @szaimen when importing to the certificate store I would have to import the server certificate itself and not the Certification Authority that issued it, am I right?

Yes 👍

szaimen avatar Aug 15 '22 09:08 szaimen

@szaimen So Simon, I tried to import the certificate as you suggested. My steps within the nextcloud-aio-nextcloud container as user www-data:

  • Create a directory for the certificate
    • mkdir /mnt/ncdata/certs
    • cd /mnt/ncdata/certs
  • Download the certificate directly from the LDAPS Server
    • openssl s_client -connect dcjm01.meeth.de:636 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | tee dcjm01.meeth.de.crt
  • Import the certificate using php occ
    • php occ security:certificates:import /mnt/ncdata/certs/dcjm01.meeth.de.crt
  • I've then restarted all containers from the AIO-Gui (Stop containers, Start containers)
  • LDAP/AD Integration Plug-in still says Configuration incorrect 🟥


Probably, the plug-in does not respect the trusted certificates that have been added with php occ security:certificates:import, IDK. I use the LDAPS server of our domain controller within several apps and tools, both open-source projects and internal, self-programmed tools: I've always had to make the container / OS trust our Certification Authority in order to make it work.

lollo0296 avatar Aug 30 '22 08:08 lollo0296

Yes, LDAP will not use the Nextcloud certificate store but the system one or the one configured for ldap, though that may depend on the client ldap library and distribution used.

juliusknorr avatar Aug 30 '22 10:08 juliusknorr
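The mechanism laid out in the PR description (point TRUSTED_CACERTS_DIR at a directory, expose it under /usr/local/share/ca-certificates/extra, run update-ca-certificates) together with the finding in the two comments above (the LDAP client library consults the system trust store, not the Nextcloud store populated by occ security:certificates:import), as an added shell example. This is not the PR's code: it copies the files instead of bind-mounting the directory, adds the check a practitioner would want (Debian's update-ca-certificates only reads files named *.crt under /usr/local/share/ca-certificates and ignores DER or non-certificate files without complaint), and ends with an openssl verification against the LDAPS server. The function names, the script name trust-custom-cas.sh and the placeholder certificates used when exercising it are assumptions, not values from the PR.

```shell
#!/bin/sh
# Added example, not code from the PR: stage the CA certificates found in
# TRUSTED_CACERTS_DIR into the directory the PR mounts and refresh the system
# trust store, which is the store the LDAP client library actually consults.
# Assumption: a Debian-style update-ca-certificates, which only picks up files
# under /usr/local/share/ca-certificates whose name ends in .crt.

EXTRA_DIR=/usr/local/share/ca-certificates/extra

# is_pem_cert FILE: succeed if FILE holds at least one PEM certificate block.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '-----END CERTIFICATE-----' "$1"
}

# stage_ca_certs SRC DST: copy each PEM certificate in SRC to DST, forcing a
# .crt suffix so update-ca-certificates sees it. Prints the number staged and
# fails when SRC is not a directory or nothing usable was found.
stage_ca_certs() {
    src=$1
    dst=$2
    count=0
    if [ ! -d "$src" ]; then
        echo "TRUSTED_CACERTS_DIR '$src' is not a directory" >&2
        return 1
    fi
    mkdir -p "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        if ! is_pem_cert "$f"; then
            # DER-encoded or unrelated files would be ignored silently by
            # update-ca-certificates; report them instead.
            echo "skipping $f: not a PEM certificate" >&2
            continue
        fi
        name=$(basename "$f")
        case $name in
            *.crt) ;;
            *) name="${name%.*}.crt" ;;
        esac
        cp "$f" "$dst/$name"
        count=$((count + 1))
    done
    echo "$count"
    [ "$count" -gt 0 ]
}

# refresh_trust_store: rebuild /etc/ssl/certs as the PR does at container start.
refresh_trust_store() {
    if ! command -v update-ca-certificates >/dev/null 2>&1; then
        echo "update-ca-certificates not found; system trust store unchanged" >&2
        return 1
    fi
    update-ca-certificates
}

# verify_ldaps HOST PORT: confirm the system store now validates the LDAPS
# server's chain; returns non-zero on any verification error.
verify_ldaps() {
    openssl s_client -connect "$1:$2" -servername "$1" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Entry point, active only when the variable the PR introduces is set, e.g.
#   TRUSTED_CACERTS_DIR=/mnt/ncdata/certs sh trust-custom-cas.sh
if [ -n "${TRUSTED_CACERTS_DIR:-}" ]; then
    stage_ca_certs "$TRUSTED_CACERTS_DIR" "$EXTRA_DIR" && refresh_trust_store
fi
```

Run inside the container as root with TRUSTED_CACERTS_DIR pointing at the mounted directory, then `verify_ldaps dc.example.invalid 636` (placeholder host) shows whether the chain is now accepted before touching the LDAP app configuration. Note the difference from the occ import tested above: that store only takes the leaf certificate and is consulted by Nextcloud's own HTTP client, whereas the system bundle accepts the issuing CA and is what the ldap library validates against.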

@juliushaertl @szaimen Then the only way to go is to do something like I suggested in this PR, am I right?

I would like to help you out with the implementation and learn more about this awesome Project :)

lollo0296 avatar Aug 30 '22 14:08 lollo0296

All right! Then let's do this!

@lollo0296 can you please fix the PR? The easiest thing is probably creating a new branch, recreating your changes there and not forgetting the sign-off! Afterwards simply create a new PR.

I'll help out then. Thanks for your effort! :)

szaimen avatar Aug 31 '22 12:08 szaimen

@szaimen Please refer to #1097

lollo0296 avatar Aug 31 '22 20:08 lollo0296