Self Signed Certificate dramas on LAN web app


Postby xboxboy » Sep 20th, '24, 14:11

Hi all, I've got a Mageia OS webserver, hosting a manual install of Nextcloud. It has been working fine, until a recent update, where a new check/diagnostic check must have been added.

TLDR;

I get this warning in the admin page:
Your webserver is not set up to serve `.js.map` files. Without these files, JavaScript Source Maps won't function properly, making it more challenging to troubleshoot and debug any issues that may arise.
Unable to run check for JavaScript support. Please remedy or confirm manually if your webserver serves `.mjs` files using the JavaScript MIME type. To allow this check to run you have to make sure that your Web server can connect to itself. Therefore it must be able to resolve and connect to at least one of its `trusted_domains` or the `overwrite.cli.url`. This failure may be the result of a server-side DNS mismatch or outbound firewall rule.


Which leads me to try this command:
curl -I https://localhost/apps/settings/js/esm-test.mjs


I have apache configured to redirect http to https.
It will work when I try http://localhost, but when I try https://localhost it fails.
First it complained of an expired certificate, which it was, by over 12 months.
I've since created new key/certificate, installed them as /etc/pki/tls/certs/certSept24.pem and /etc/pki/tls/private/keySept24.pem
I then updated /etc/httpd/conf/site.d/00_default_ssl to use this key and certificate.

Of course apache wouldn't start then due to not having the pass phrase, so in order to test/get it working, I then created NOkeySept24.pem, I again updated apache vhosts file. Apache now starts and hosts Nextcloud with the same warnings.

Now, curl is back to complaining about the self signed certificate. I have installed the certificate in various directories and run
update-ca-trust


Then restarted apache, but curl continues with the same complaint

curl -I https://localhost/apps/settings/js/esm-test.mjs
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html


Where are we supposed to put the certificate, and update trusted certificates so curl can work on this server with no complaint?
xboxboy
 
Posts: 401
Joined: Jun 2nd, '13, 06:41

Re: Self Signed Certificate dramas on LAN web app

Postby doktor5000 » Sep 20th, '24, 15:57

xboxboy wrote: I have installed the certificate in various directories

What various directories ?

Apart from that, for your curl test you can simply pass -k or --insecure to curl for your query to work.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18054
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Self Signed Certificate dramas on LAN web app

Postby xboxboy » Sep 22nd, '24, 15:13

What various directories ?


The new certificate I've called certSept24.pem, and put in these directories:

/etc/pki/ca-trust/extracted/openssl
/etc/pki/ca-trust/extracted/pem
/etc/pki/tls/certs

(I've just discovered my old certificate was also in /etc/pki/ca-trust/source/anchors, hence my question where the certificate should be placed; the internet and various distros all have different concepts).

Although, the /etc/pki/tls/certs/certSept24.pem file is weird:

ls -al
total 32
drwxr-xr-x 2 root root 4096 Sep 20 21:14 ./
drwxr-xr-x 7 root root 4096 Sep 20 21:15 ../
lrwxrwxrwx 1 root root   60 Feb 21  2024 ca-bundle.crt -> ../../../../etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx 1 root root   66 Feb 21  2024 ca-bundle.trust.crt -> ../../../../etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r-- 1 root root 2049 Sep 20 21:13 certSept24.pem
-rw-r--r-- 1 root root 1192 May 27  2022 httpd.pem
-rw-r--r-- 1 root root 1192 Sep 20 20:25 httpd.pem.orig
-rw-r--r-- 1 root root 2516 Sep  6 22:31 Makefile


So it is a normal file, yet in Dolphin, under properties, it's shown as a link, pointing to:

../../../etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem


So running the curl line again, I'm not really sure what I'm looking at; here's the output using both localhost and the IP:

When run as https: self-signed certificate issue.

[root@localhost /etc/pki/tls/certs]# curl -I https://localhost/apps/settings/js/esm-test.mjs
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

[root@localhost /etc/pki/tls/certs]# curl -I https://10.0.0.99/apps/settings/js/esm-test.mjs
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


And when run as http (remembering I have apache set to redirect http to https), I get some response.

[root@localhost /etc/pki/tls/certs]# curl -I http://localhost/apps/settings/js/esm-test.mjs
HTTP/1.1 301 Moved Permanently
Date: Sun, 22 Sep 2024 12:31:10 GMT
Server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 PHP/8.2.23
Location: https://10.0.0.99/apps/settings/js/esm-test.mjs
Content-Type: text/html; charset=iso-8859-1

[root@localhost /etc/pki/tls/certs]# curl -I http://10.0.0.99/apps/settings/js/esm-test.mjs
HTTP/1.1 301 Moved Permanently
Date: Sun, 22 Sep 2024 12:31:45 GMT
Server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 PHP/8.2.23
Location: https://10.0.0.99/apps/settings/js/esm-test.mjs


Here's using curl "-k" and "--insecure" on https://localhost, internal server error:

[root@localhost /etc/pki/tls/certs]# curl -k -I https://localhost/apps/settings/js/esm-test.mjs
HTTP/1.1 500 Internal Server Error
Date: Sun, 22 Sep 2024 12:28:44 GMT
Server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 PHP/8.2.23
Strict-Transport-Security: max-age=15552000; includeSubDomains
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow
X-XSS-Protection: 1; mode=block
X-Powered-By: PHP/8.2.23
REDACTED
Set-Cookie: nc_sameSiteCookielax=true; path=/owncloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/owncloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: REDACTED; path=/owncloud; secure; HttpOnly; SameSite=Lax
Connection: close
Content-Type: text/html; charset=UTF-8

[root@localhost /etc/pki/tls/certs]# curl --insecure -I https://localhost/apps/settings/js/esm-test.mjs
HTTP/1.1 500 Internal Server Error
Date: Sun, 22 Sep 2024 12:30:01 GMT
Server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 PHP/8.2.23
Strict-Transport-Security: max-age=15552000; includeSubDomains
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow
X-XSS-Protection: 1; mode=block
X-Powered-By: PHP/8.2.23
REDACTED
Set-Cookie: nc_sameSiteCookielax=true; path=/owncloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/owncloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: REDACTED; path=/owncloud; secure; HttpOnly; SameSite=Lax
Connection: close
Content-Type: text/html; charset=UTF-8


Here's using curl "-k" and "--insecure" on https://10.0.0.99, Internal Server Error:

[root@localhost /etc/pki/tls/certs]# curl -k -I https://10.0.0.99/apps/settings/js/esm-test.mjs
HTTP/1.1 500 Internal Server Error
Date: Sun, 22 Sep 2024 12:30:14 GMT
Server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 PHP/8.2.23
Strict-Transport-Security: max-age=15552000; includeSubDomains
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow
X-XSS-Protection: 1; mode=block
X-Powered-By: PHP/8.2.23
REDACTED
Set-Cookie: nc_sameSiteCookielax=true; path=/owncloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/owncloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: REDACTED; path=/owncloud; secure; HttpOnly; SameSite=Lax
Connection: close
Content-Type: text/html; charset=UTF-8

[root@localhost /etc/pki/tls/certs]# curl --insecure -I https://10.0.0.99/apps/settings/js/esm-test.mjs
HTTP/1.1 500 Internal Server Error
Date: Sun, 22 Sep 2024 12:30:28 GMT
Server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 PHP/8.2.23
Strict-Transport-Security: max-age=15552000; includeSubDomains
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow
X-XSS-Protection: 1; mode=block
X-Powered-By: PHP/8.2.23
REDACTED
Set-Cookie: nc_sameSiteCookielax=true; path=/owncloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/owncloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: REDACTED; path=/owncloud; secure; HttpOnly; SameSite=Lax
Connection: close
Content-Type: text/html; charset=UTF-8


And here's when using "-k" and "--insecure" on http:

[root@localhost /etc/pki/tls/certs]# curl --insecure -I http://10.0.0.99/apps/settings/js/esm-test.mjs
HTTP/1.1 301 Moved Permanently
Date: Sun, 22 Sep 2024 12:57:05 GMT
Server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 PHP/8.2.23
Location: https://10.0.0.99/apps/settings/js/esm-test.mjs
Content-Type: text/html; charset=iso-8859-1

[root@localhost /etc/pki/tls/certs]# curl --insecure -I http://localhost/apps/settings/js/esm-test.mjs
HTTP/1.1 301 Moved Permanently
Date: Sun, 22 Sep 2024 12:57:39 GMT
Server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 PHP/8.2.23
Location: https://10.0.0.99/apps/settings/js/esm-test.mjs
Content-Type: text/html; charset=iso-8859-1

[root@localhost /etc/pki/tls/certs]# curl -k -I http://10.0.0.99/apps/settings/js/esm-test.mjs
HTTP/1.1 301 Moved Permanently
Date: Sun, 22 Sep 2024 12:57:49 GMT
Server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 PHP/8.2.23
Location: https://10.0.0.99/apps/settings/js/esm-test.mjs
Content-Type: text/html; charset=iso-8859-1

[root@localhost /etc/pki/tls/certs]# curl -k -I http://localhost/apps/settings/js/esm-test.mjs
HTTP/1.1 301 Moved Permanently
Date: Sun, 22 Sep 2024 12:58:04 GMT
Server: Apache/2.4.62 (Mageia) OpenSSL/3.0.15 PHP/8.2.23
Location: https://10.0.0.99/apps/settings/js/esm-test.mjs
Content-Type: text/html; charset=iso-8859-1



So, it appears to work when http is specifically called for, which apache then redirects: but when https is specified it breaks.
xboxboy
 
Posts: 401
Joined: Jun 2nd, '13, 06:41

Re: Self Signed Certificate dramas on LAN web app

Postby doktor5000 » Sep 22nd, '24, 19:16

xboxboy wrote: (I've just discovered my old certificate was also in /etc/pki/ca-trust/source/anchors, hence my question where the certificate should be placed, the internet and various distro's all have different concepts).

Not really, there's mostly only a difference between where RHEL or SLES or Debian derivatives put stuff.
/etc/pki/ca-trust/source/anchors would be correct for RHEL derivatives.
I can recommend https://www.happyassassin.net/posts/201 ... platforms/ if you want to read up on the differences ...

Although since quite some time you don't have to do it manually and can use the trust command from the p11-kit suite: https://p11-glue.github.io/p11-glue/p11 ... trust.html

Apart from that, it doesn't really matter for your certificate issues if it works with http ...
And -k is the same as --insecure, it's just the short version of that option - no need to run all those queries twice.
doktor5000
 
Posts: 18054
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany
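The placement question answered above (the certificate belongs in /etc/pki/ca-trust/source/anchors, after which update-ca-trust regenerates the extracted/ bundles that /etc/pki/tls/certs/ca-bundle.crt symlinks to in the ls output earlier in the thread, so files copied straight into extracted/ are simply overwritten) can be reproduced offline with openssl alone. The script below is an added example, not code from this thread, from Mageia or from Nextcloud; it needs only openssl (1.1.1 or later, for -addext) and a temp directory, the common name nextcloud.lan and all file names are made up, and the host names match the thread (localhost and 10.0.0.99). It shows the same "self-signed certificate" verdict curl gave, then shows verification pass once the certificate is supplied as a trust anchor, which is what `curl --cacert` does for a single request and what the anchors directory plus update-ca-trust does system-wide, instead of -k, which disables verification altogether. It also prints the subjectAltName entries, because once the trust problem is fixed curl still rejects a certificate that does not name the host used in the URL.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce curl's "self-signed certificate"
# verdict with openssl, then show the same certificate verify cleanly once it is
# offered as a trust anchor. Runs entirely in a temp directory as a normal user.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Create a self-signed server certificate. The SAN lists both forms used in
#    the thread's URLs; CN=nextcloud.lan is a constructed placeholder name.
#    Without SAN entries curl reports a host-name mismatch even after the
#    certificate is trusted.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/CN=nextcloud.lan" \
        -addext "subjectAltName=DNS:localhost,IP:10.0.0.99" >/dev/null 2>&1
}

# 2. Verify against the system's default trust store. This fails with
#    X509 error 18 (self-signed certificate), the condition curl reports
#    as "curl: (60) SSL certificate problem: self-signed certificate".
verify_default() {
    if openssl verify "$WORK/cert.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# 3. Verify with the certificate itself supplied as the CA file. On the real
#    server the equivalent, as root, is
#       cp certSept24.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust
#    after which every client reading ca-bundle.crt trusts it; per request,
#    "curl --cacert cert.pem https://..." keeps verification on and passes too.
verify_with_anchor() {
    if openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# 4. Show the SAN entries, i.e. which host names/IPs the certificate is valid for.
san_entries() {
    openssl x509 -in "$WORK/cert.pem" -noout -ext subjectAltName \
        | tail -n 1 | sed 's/^ *//'
}

make_self_signed
echo "default trust store: $(verify_default)"
echo "with cert as anchor: $(verify_with_anchor)"
echo "subjectAltName:      $(san_entries)"
```

The two verify calls are the whole story of the thread's curl errors: the first is what curl sees while the certificate sits only in the extracted/ directories, the second is what it sees after the certificate is a real anchor. The SAN line is the check to run before expecting https://10.0.0.99/... and https://localhost/... to both pass, since a certificate that names only one of them fails on the other with a different curl error.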

Re: Self Signed Certificate dramas on LAN web app

Postby xboxboy » Oct 13th, '24, 14:01

Thanks Doktor.

I spent more time messing around with my warnings, and it seems the latest Nextcloud release is just way too tight with its self-diagnostic tests. Many people are hoping the next release is a 'cleaner' release: by cleaner I mean tested more thoroughly.

I'll update when I make progress/get it all sorted.
xboxboy
 
Posts: 401
Joined: Jun 2nd, '13, 06:41

