Owncloud SSL Official Image Guide

Hi,

For everyone who wants to try out the official Owncloud image with SSL, here are the steps you need for that:

First install mariadb and owncloudHTTPS via the Rockstor Web-GUI.
The .json file isn't visible in your Rockon Registry - I have a pending pull request for this.
As long as it's not merged you can create your own .json file and paste the following:
owncloudHTTPS.json
How to make your own .json file:
Rockstor Docs

After that go to the system shell and log on as root.

Run:
docker exec -it mariadbcontainer bash
You can find the “mariadbcontainer” when you hit a docker ps command in shell - it’s the “container-id”.

When you get to the mariadb shell, hit:
mysql -u root -p
Then enter the password that was set up during the installation process.

After that:
CREATE DATABASE ownclouddb;
show databases;
to verify that the database was created.

Then set up a new user:
CREATE USER ownclouduser IDENTIFIED BY 'password';

As @Thad observed, just setting the binlog_format to mixed via command is not persistent.
You need to edit the /etc/mysql/my.cnf file in the mariadb container.
Go to the bottom of the file to the section "[galera]"
Edit it to:
binlog_format = mixed
(delete the “#” !!)

Enter the following commands:
GRANT ALL ON ownclouddb.* TO 'ownclouduser'@'%';
FLUSH PRIVILEGES;

Type exit two times to get out of mysql and mariadb shell.

So let's go to the owncloud config - there is a little more to do here:

Go to the owncloudHTTPS container bash with
docker exec -it owncloudHTTPS bash
You can find the “owncloudHTTPS” when you hit a docker ps command in shell - it’s the “container-id”.

Then run
apt-get update
apt-get upgrade
apt-get install vi
Of course, you can use nano or something else…

vi /etc/apache2/apache2.conf
-> At the end of the file paste:
ServerName owncloud

a2enmod rewrite
(already enabled - just to make sure)

a2enmod headers

/etc/init.d/apache2 restart

After the last command you will be thrown out of the container; go back into it.
Then enter
cd /root

openssl genrsa -out server.key 4096

openssl req -new -key server.key -out server.csr
Fill out everything and set a challenge password.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

chmod 400 server.key

vi /etc/apache2/sites-enabled/000-default.conf
Paste the following at the end of the file (the Header line goes inside the VirtualHost block, which must be closed):
<VirtualHost *:443>
    ServerName owncloud
    SSLEngine on
    SSLCertificateFile /root/server.crt
    SSLCertificateKeyFile /root/server.key

    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</VirtualHost>

vi /etc/apache2/sites-available/000-default.conf
At the end of file:
<VirtualHost *:443>
    ServerName owncloud
    SSLEngine on
    SSLCertificateFile /root/server.crt
    SSLCertificateKeyFile /root/server.key
</VirtualHost>

vi /etc/apache2/sites-available/default-ssl.conf
Here I deleted all the existing lines and pasted the following:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin admin@YOURROCKSTORSERVER
        SSLEngine on
        SSLCertificateFile /root/server.crt
        SSLCertificateKeyFile /root/server.key
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </VirtualHost>
</IfModule>

a2enmod ssl

apache2ctl configtest
This shouldn’t throw any errors.

apache2ctl restart

Go to https://YOURIP:8443 (accept the certificate error - it's self-signed) and run the setup process with the following parameters:

  • admin username and password for your owncloud admin.
  • Select "Mariadb"
  • User -> user created via shell (i.e. ownclouduser)
  • Password -> password for the user
  • Database -> created db (ownclouddb)
  • Host -> MYIP (without ports or anything - i.e. 192.168.1.150)

That's it.

Special thanks to @magicalyak for your hint regarding the privileges.

Hope this works for you. If I missed something please let me know.

Mark


@Mark93 have you done anything to setup owncloud for https or are you running everything in your instance over port 80?

At the moment everything runs over port 80. I'll work on it in the next weeks when I have more time and post the details here.

Instead of linking to the container (since the docker run command would conflict with the existing owncloud container) you could just use the mariadb and enter the information in the setup wizard. One thing you’ll need to do is change the binary log type in mysql/mariadb.
After logging in as root on the mysql command line:
SET GLOBAL binlog_format = 'MIXED';
I also added privileges for the owncloud user (or whomever) for the owncloud DB.
GRANT ALL ON owncloud.* TO 'owncloud'@'%'; FLUSH PRIVILEGES;
This seemed to work without having to go too crazy with the linked containers.
I'm also not sure what settings the mariadb has, but I usually run the mysql_secure_installation command on my installs to further secure the db.

I just updated the Guide regarding the privileges (Thanks again @magicalyak).
I’ll try to get https working in the next week (got holidays).

SET GLOBAL binlog_format = 'MIXED'; GRANT ALL ON ownclouddb.* TO 'ownclouduser'@'%'; FLUSH PRIVILEGES;

The problem I’m having is that I have to do this every time I reboot the machine. My command-line SQL is a little rusty; I’m sure there’s a way to make this persistent but I don’t know offhand.

Sorry for the late answer.
Ok right now I’m having the same issue. I’m working on it :wink:

Update:
Fixed:

As @Thad observed, just setting the binlog_format to mixed via command is not persistent.
You need to edit the /etc/mysql/my.cnf file in the mariadb container.
Go to the bottom of the file to the section "[galera]"
Edit it to:
binlog_format = mixed
(delete the “#” !!)
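The persistence fix from the first post and from this update, uncommenting binlog_format under [galera] in /etc/mysql/my.cnf, as an added Python example that is not part of the thread: it rewrites the setting in place and reports the value MariaDB would actually read, so you can confirm the "#" really is gone. The my.cnf text below is constructed, and the function also appends a [galera] section when none exists, which goes beyond what the post describes.

```python
import re

# Constructed sample of the [galera] section as shipped in the mariadb image's
# /etc/mysql/my.cnf: the setting is present but commented out with "#".
SAMPLE_MY_CNF = """\
[mysqld]
bind-address = 0.0.0.0

[galera]
# Mandatory settings
#wsrep_on=ON
#binlog_format=row
#default_storage_engine=InnoDB
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Matches "binlog_format = X" whether or not the line is commented out.
BINLOG_RE = re.compile(r"^\s*#?\s*binlog_format\s*=\s*(?P<value>\S+)\s*$", re.IGNORECASE)


def set_binlog_format(cnf_text, value="mixed", section="galera"):
    """Return my.cnf text with an active 'binlog_format = <value>' in [section].

    A commented-out or existing binlog_format line in that section is replaced;
    if the section has none it is appended, and a missing section is created.
    """
    out, current, done = [], None, False
    for line in cnf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            if current == section and not done:  # leaving the section: append
                out.append(f"binlog_format = {value}")
                done = True
            current = header.group("name").strip().lower()
        elif current == section and not done and BINLOG_RE.match(line):
            out.append(f"binlog_format = {value}")  # replaces the "#" line
            done = True
            continue
        out.append(line)
    if not done:
        if current != section:
            out.append(f"[{section}]")
        out.append(f"binlog_format = {value}")
    return "\n".join(out) + "\n"


def effective_binlog_format(cnf_text, section="galera"):
    """Value MariaDB would read from [section], ignoring '#' lines; None if unset."""
    current, value = None, None
    for line in cnf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name").strip().lower()
        elif current == section and not line.lstrip().startswith("#"):
            m = BINLOG_RE.match(line)
            if m:
                value = m.group("value")
    return value


if __name__ == "__main__":
    fixed = set_binlog_format(SAMPLE_MY_CNF)
    print(fixed)
    print("effective binlog_format:", effective_binlog_format(fixed))
```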

Maybe a better way is to put owncloud behind a reverse proxy with Let's Encrypt.

Having problems since the latest Rockstor upgrade. I was still using owncloud-official (the non-SSL version); now it’s just giving me a blank page when I try to connect (HTTP). There doesn’t appear to be anything in /var/log/apache2 (in the container); every file is listed at 4.0K.

I tried setting up owncloudSSL, but any attempt to install any package with apt-get gives me this error:

cannot move ‘/etc/localtime.dpkg-new’ to ‘/etc/localtime’: Device or resource busy

Pretty stuck and a little nervous; I don’t like not having my sync run. Any suggestions?

This happens because the rock-on logic adds a read-only mapping of the host's /etc/localtime to all containers by default. Ideally, we shouldn't be heavily configuring at the container level like we do here. Don't get me wrong, I love this guide, but the docker-preferred way is to bake a new image with most/all of the configuration. Anyway, now to the workaround…

To get around this problem, do the following:

  1. Stop the docker-daemon/rock-on service with systemctl stop docker
  2. Locate these two files at /mnt2/[rockon-root]/containers/[containerid]/{config.json,hostconfig.json}
  3. Edit those two files and remove all references to /etc/localtime mappings. Here are the before and after snapshots of the relevant sections:
# colordiff hostconfig.json ~/hostconfig.json 
1c1
< {"Binds":["/mnt2/share123:/var/www/html"],"ContainerIDFile":"","LxcConf":[],"Memory":0,"MemoryReservation":0,"MemorySwap":0,"KernelMemory":0,"CpuShares":0,"CpuPeriod":0,"CpusetCpus":"","CpusetMems":"","CpuQuota":0,"BlkioWeight":0,"OomKillDisable":false,"MemorySwappiness":-1,"Privileged":false,"PortBindings":{"443/tcp":[{"HostIp":"","HostPort":"8445"}],"443/udp":[{"HostIp":"","HostPort":"8445"}]},"Links":null,"PublishAllPorts":false,"Dns":[],"DnsOptions":[],"DnsSearch":[],"ExtraHosts":null,"VolumesFrom":null,"Devices":[],"NetworkMode":"default","IpcMode":"","PidMode":"","UTSMode":"","CapAdd":null,"CapDrop":null,"GroupAdd":null,"RestartPolicy":{"Name":"unless-stopped","MaximumRetryCount":0},"SecurityOpt":null,"ReadonlyRootfs":false,"Ulimits":null,"LogConfig":{"Type":"","Config":{}},"CgroupParent":"","ConsoleSize":[0,0],"VolumeDriver":""}
\ No newline at end of file
---
> {"Binds":["/mnt2/share123:/var/www/html","/etc/localtime:/etc/localtime:ro"],"ContainerIDFile":"","LxcConf":[],"Memory":0,"MemoryReservation":0,"MemorySwap":0,"KernelMemory":0,"CpuShares":0,"CpuPeriod":0,"CpusetCpus":"","CpusetMems":"","CpuQuota":0,"BlkioWeight":0,"OomKillDisable":false,"MemorySwappiness":-1,"Privileged":false,"PortBindings":{"443/tcp":[{"HostIp":"","HostPort":"8445"}],"443/udp":[{"HostIp":"","HostPort":"8445"}]},"Links":null,"PublishAllPorts":false,"Dns":[],"DnsOptions":[],"DnsSearch":[],"ExtraHosts":null,"VolumesFrom":null,"Devices":[],"NetworkMode":"default","IpcMode":"","PidMode":"","UTSMode":"","CapAdd":null,"CapDrop":null,"GroupAdd":null,"RestartPolicy":{"Name":"unless-stopped","MaximumRetryCount":0},"SecurityOpt":null,"ReadonlyRootfs":false,"Ulimits":null,"LogConfig":{"Type":"","Config":{}},"CgroupParent":"","ConsoleSize":[0,0],"VolumeDriver":""}
\ No newline at end of file
# colordiff config.json ~/config.json 
1c1
< {"State":{"Running":true,"Paused":false,"Restarting":false,"OOMKilled":false,"Dead":false,"Pid":17753,"ExitCode":0,"Error":"","StartedAt":"2016-12-03T14:58:56.965629219Z","FinishedAt":"2016-12-03T14:45:17.638967978Z"},"ID":"bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef61b72","Created":"2016-12-03T13:02:52.273259407Z","Path":"/entrypoint.sh","Args":["apache2-foreground"],"Config":{"Hostname":"bb9a51bb52f6","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":{"443/tcp":{},"443/udp":{},"80/tcp":{}},"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","PHPIZE_DEPS=autoconf \t\tfile \t\tg++ \t\tgcc \t\tlibc-dev \t\tmake \t\tpkg-config \t\tre2c","PHP_INI_DIR=/usr/local/etc/php","APACHE_CONFDIR=/etc/apache2","APACHE_ENVVARS=/etc/apache2/envvars","PHP_EXTRA_BUILD_DEPS=apache2-dev","PHP_EXTRA_CONFIGURE_ARGS=--with-apxs2","GPG_KEYS=0BD78B5F97500D450838F95DFE857D9A90D90EC1 
6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3","PHP_VERSION=5.6.28","PHP_URL=https://secure.php.net/get/php-5.6.28.tar.xz/from/this/mirror","PHP_ASC_URL=https://secure.php.net/get/php-5.6.28.tar.xz.asc/from/this/mirror","PHP_SHA256=07187ba2870f89cef334cd2ad6cb801aeec5eaf283da0293a9a6be75d6786d11","PHP_MD5=1e01c66b2e67ab3b56a6180ee560fe4c","OWNCLOUD_VERSION=9.1.2"],"Cmd":["apache2-foreground"],"Image":"owncloud","Volumes":{"/var/www/html":{}},"WorkingDir":"/var/www/html","Entrypoint":["/entrypoint.sh"],"OnBuild":null,"Labels":{},"StopSignal":"SIGTERM"},"Image":"be5ebe1228116706f8496830f2c80bc584f8f9edd6818e3c1a2f8a2c3b103bc4","NetworkSettings":{"Bridge":"","SandboxID":"c14d568249783df86799db337fceb2b77218c0e2977707e8de9340a196c18ce9","HairpinMode":false,"LinkLocalIPv6Address":"","LinkLocalIPv6PrefixLen":0,"Networks":{"bridge":{"EndpointID":"b9572291cabe60aa51543f95e9b57fcd4e5ee1c6577d77e295bfaf8d10bc12bf","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:11:00:02"}},"Ports":{"443/tcp":[{"HostIp":"0.0.0.0","HostPort":"8445"}],"443/udp":[{"HostIp":"0.0.0.0","HostPort":"8445"}],"80/tcp":null},"SandboxKey":"/var/run/docker/netns/c14d56824978","SecondaryIPAddresses":null,"SecondaryIPv6Addresses":null,"IsAnonymousEndpoint":false},"LogPath":"","Name":"/owncloudHTTPS","Driver":"btrfs","ExecDriver":"native-0.2","MountLabel":"","ProcessLabel":"","RestartCount":14,"HasBeenStartedBefore":false,"HasBeenManuallyStopped":false,"AppArmorProfile":"","HostnamePath":"/mnt2/rockon-root/containers/bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef61b72/hostname","HostsPath":"/mnt2/rockon-root/containers/bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef61b72/hosts","ShmPath":"/mnt2/rockon-root/containers/bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef61b72/shm","MqueuePath":"/mnt2/rockon-root/containers/bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef6
1b72/mqueue","MountPoints":{"/var/www/html":{"Name":"","Destination":"/var/www/html","Driver":"","RW":true,"Source":"/mnt2/share123","Relabel":""}},"ResolvConfPath":"/mnt2/rockon-root/containers/bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef61b72/resolv.conf","Volumes":{"/var/www/html":"/mnt2/share123"},"VolumesRW":{"/var/www/html":true}}
\ No newline at end of file
---
> {"State":{"Running":false,"Paused":false,"Restarting":false,"OOMKilled":false,"Dead":false,"Pid":0,"ExitCode":0,"Error":"","StartedAt":"2016-12-03T13:02:52.765204987Z","FinishedAt":"2016-12-03T13:50:43.463390822Z"},"ID":"bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef61b72","Created":"2016-12-03T13:02:52.273259407Z","Path":"/entrypoint.sh","Args":["apache2-foreground"],"Config":{"Hostname":"bb9a51bb52f6","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":{"443/tcp":{},"443/udp":{},"80/tcp":{}},"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","PHPIZE_DEPS=autoconf \t\tfile \t\tg++ \t\tgcc \t\tlibc-dev \t\tmake \t\tpkg-config \t\tre2c","PHP_INI_DIR=/usr/local/etc/php","APACHE_CONFDIR=/etc/apache2","APACHE_ENVVARS=/etc/apache2/envvars","PHP_EXTRA_BUILD_DEPS=apache2-dev","PHP_EXTRA_CONFIGURE_ARGS=--with-apxs2","GPG_KEYS=0BD78B5F97500D450838F95DFE857D9A90D90EC1 
6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3","PHP_VERSION=5.6.28","PHP_URL=https://secure.php.net/get/php-5.6.28.tar.xz/from/this/mirror","PHP_ASC_URL=https://secure.php.net/get/php-5.6.28.tar.xz.asc/from/this/mirror","PHP_SHA256=07187ba2870f89cef334cd2ad6cb801aeec5eaf283da0293a9a6be75d6786d11","PHP_MD5=1e01c66b2e67ab3b56a6180ee560fe4c","OWNCLOUD_VERSION=9.1.2"],"Cmd":["apache2-foreground"],"Image":"owncloud","Volumes":{"/var/www/html":{}},"WorkingDir":"/var/www/html","Entrypoint":["/entrypoint.sh"],"OnBuild":null,"Labels":{},"StopSignal":"SIGTERM"},"Image":"be5ebe1228116706f8496830f2c80bc584f8f9edd6818e3c1a2f8a2c3b103bc4","NetworkSettings":{"Bridge":"","SandboxID":"","HairpinMode":false,"LinkLocalIPv6Address":"","LinkLocalIPv6PrefixLen":0,"Networks":{"bridge":{"EndpointID":"","Gateway":"","IPAddress":"","IPPrefixLen":0,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":""}},"Ports":null,"SandboxKey":"","SecondaryIPAddresses":null,"SecondaryIPv6Addresses":null,"IsAnonymousEndpoint":false},"LogPath":"","Name":"/owncloudHTTPS","Driver":"btrfs","ExecDriver":"native-0.2","MountLabel":"","ProcessLabel":"","RestartCount":0,"HasBeenStartedBefore":false,"HasBeenManuallyStopped":true,"AppArmorProfile":"","HostnamePath":"/mnt2/rockon-root/containers/bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef61b72/hostname","HostsPath":"/mnt2/rockon-root/containers/bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef61b72/hosts","ShmPath":"/mnt2/rockon-root/containers/bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef61b72/shm","MqueuePath":"/mnt2/rockon-root/containers/bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef61b72/mqueue","MountPoints":{"/etc/localtime":{"Name":"","Destination":"/etc/localtime","Driver":"","RW":false,"Source":"/etc/localtime","Relabel":"ro"},"/var/www/html":{"Name":"","Destination":"/var/www/html","Driver":"","RW":true,"Source":"/mnt2/share123","Relabel":""}},"ResolvConfPath":"/mnt2/rockon-root/contain
ers/bb9a51bb52f6917c65c1d30f4bcd907681ca449c532068069a7085f5fef61b72/resolv.conf","Volumes":{"/etc/localtime":"/etc/localtime","/var/www/html":"/mnt2/share123"},"VolumesRW":{"/etc/localtime":false,"/var/www/html":true}}
\ No newline at end of file
  4. systemctl start docker

If all goes well, your owncloud container should be back up and you can bash into it and won’t have problems when apt tries to move /etc/localtime file around.
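Step 3 of the workaround above, as an added Python script that is not part of the original post: it drops every /etc/localtime mapping from a parsed hostconfig.json (the "Binds" entry) and config.json ("MountPoints", "Volumes", "VolumesRW"), keeps a .bak copy, and reports how many references remain so you can verify the edit before restarting docker. The sample documents are constructed, trimmed stand-ins for the real files, and the script name strip_localtime.py in the usage comment is assumed.

```python
import json
import shutil
import sys

LOCALTIME = "/etc/localtime"

# Constructed, trimmed stand-ins for the two files (the real ones carry many more keys).
SAMPLE_HOSTCONFIG = {
    "Binds": ["/mnt2/share123:/var/www/html", "/etc/localtime:/etc/localtime:ro"],
    "PortBindings": {"443/tcp": [{"HostIp": "", "HostPort": "8445"}]},
}
SAMPLE_CONFIG = {
    "Name": "/owncloudHTTPS",
    "MountPoints": {
        "/etc/localtime": {"Destination": "/etc/localtime", "RW": False,
                           "Source": "/etc/localtime", "Relabel": "ro"},
        "/var/www/html": {"Destination": "/var/www/html", "RW": True,
                          "Source": "/mnt2/share123", "Relabel": ""},
    },
    "Volumes": {"/etc/localtime": "/etc/localtime", "/var/www/html": "/mnt2/share123"},
    "VolumesRW": {"/etc/localtime": False, "/var/www/html": True},
}


def strip_localtime(cfg):
    """Return a copy of a parsed hostconfig.json/config.json without /etc/localtime.

    hostconfig.json lists the mapping in "Binds" as "src:dst[:opts]"; config.json
    keeps it under "MountPoints", "Volumes" and "VolumesRW", keyed by container path.
    """
    cfg = json.loads(json.dumps(cfg))  # deep copy so the caller's dict is untouched
    binds = cfg.get("Binds")
    if isinstance(binds, list):
        cfg["Binds"] = [b for b in binds if LOCALTIME not in b.split(":")[:2]]
    for key in ("MountPoints", "Volumes", "VolumesRW"):
        mapping = cfg.get(key)
        if isinstance(mapping, dict):
            mapping.pop(LOCALTIME, None)
    return cfg


def localtime_references(cfg):
    """Count /etc/localtime strings left anywhere in the document (0 means done)."""
    return json.dumps(cfg).count(LOCALTIME)


def rewrite_file(path):
    """Back up <path> to <path>.bak and rewrite it in docker's compact one-line form."""
    shutil.copy2(path, path + ".bak")
    with open(path) as fh:
        cleaned = strip_localtime(json.load(fh))
    with open(path, "w") as fh:
        json.dump(cleaned, fh, separators=(",", ":"))
    return localtime_references(cleaned)


if __name__ == "__main__":
    # Run only after "systemctl stop docker" (step 1 of the post); script name is assumed:
    #   python3 strip_localtime.py /mnt2/rockon-root/containers/<id>/{config.json,hostconfig.json}
    for path in sys.argv[1:]:
        print(path, "remaining /etc/localtime references:", rewrite_file(path))
```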

Well, something seems to have happened somewhere in there and now when I try to open the owncloudHTTPS container at all, it's unsuccessful (I just stay at the bash prompt on the Rockstor server as if I hadn't entered any command at all; no error). It doesn't seem to be related to changing the config files, because when I revert them and restart the Docker service, there's no change.

You’re probably right that this is too much configuration and I’d be better off waiting for a new image that handles all this stuff itself; in the meantime I think I might be better off trying to fix my issue with owncloud-official.

I don’t know if this is the best thread for troubleshooting, so let me know if I should ask this in a new thread instead, but basically my questions are, what could cause a blank screen when I connect to Owncloud in my browser (empty file, HTML source is blank too)? Is there somewhere I should be looking for logs other than /var/log?

And could the problem be with MariaDB, not Owncloud? I don’t think so, because I think if OC had trouble reading the database it would give me an error, not just a blank page, but I don’t know. (In case I do need to check the MariaDB container, docker exec -it mariadb bash isn’t working, so I may be misremembering what I called the mariadb container; how can I look up its name?)

Thanks again.

Okay, simpler question: how do I read the owncloud logs? Where are they located and what command do I use to read them?

It looks like they’re symlinked to stdout and stderr, but I’m not seeing them when I look at the Nginx stdout and stderr logs, and when I run docker logs owncloud-official I get the following:

"logs" command is supported only for "json-file" and "journald" logging drivers (got: syslog)

When I hit the command in the shell, I get the following message:

[Sumpfratte@graefin ~]$ docker ps
Cannot connect to the Docker daemon. Is the docker daemon running on this host?

Do I start from the right point?

GreeZ;
Nano

Hey. Sorry for the delay. Is your Rock-on service running?
You can find it under System->Services

@alexey I just made a How-To that doesn't involve a self-signed cert and passes everything you want over an HTTPS/443 letsencrypt certificate via the Rockstor nginx reverse proxy.

Getting nginx to work remotely and securely over HTTPS/SSL

@Thad You need to add it to your nginx.conf to actually log the error and access portion of the proxy.

For example:

server {
    listen 443 ssl;
    server_name cloud.your-domain.com;

    error_log /var/log/nginx/owncloud.access.log;
}

Then you can just do a service rockstor restart to re-initialize nginx and it will (should) start logging. That is, if you have everything else in your nginx config set up right.

I did a how to using letsencrypt, subdomains, and nginx to pass all my owncloud and other Rock-On containers through HTTPS/SSL.

Getting nginx to work remotely and securely over HTTPS/SSL

Hello,
How do I edit the /etc/mysql/my.cnf file? Just typing the /etc/mysql/my.cnf path on the command line is not working. I'm just getting the message: bash: /etc/mysql/my.cnf: Permission denied even though I am in the mariadb container. Would be nice if someone can help me. I'm a Rockstor newbie and I got stuck on this step.