SOLVED: self-signed cert

Questions and discussions about Indie Computing's UBOSbox
tbbrown
Posts: 6
Joined: Sun Nov 18, 2018 3:37 am

SOLVED: self-signed cert

Post by tbbrown » Sat Nov 24, 2018 7:20 pm

I am trying to set up TLS for my UBOSbox Nextcloud on my home network. The doc at https://ubos.net/docs/users/create-ssl-site.html includes the following command:

% sudo ubos-admin createsite --tls --selfsigned

However, as my ubosbox already has a site for the various Nextcloud services, I receive the following result:

ERROR: There is already a site with hostname * (any), so no other site can be created.

What is the best option for adding a self-signed TLS cert to my existing site?



j12t
Posts: 59
Joined: Tue Dec 12, 2017 9:17 pm

Re: self-signed cert

Post by j12t » Sat Nov 24, 2018 11:00 pm

To do this, you basically need to redeploy your existing site (not: create a new site) while telling UBOS what TLS keys and certs it is supposed to use.

Now, TLS needs an actual hostname (not any='*' as we do in UBOS for the "respond to any virtual host" site that you have deployed) inside the cert. So this will work better if you access your site with a consistent DNS name, even if it isn't an "official" one and only resolves on your local area network. If you have the ability to set that up on your local area network, that would be the recommended way to do this. Some routers allow you to "pin" a DHCP dynamic IP address to a particular MAC address.

Let's say you decide on hostname "ubosbox.example.com" and you have set up your network's DNS and DHCP so that your existing site comes up at that hostname. Now on the UBOS end, the Site JSON to be deployed needs to have two changes compared to the existing one:
  • the hostname needs to change from "*" to "ubosbox.example.com"
  • the TLS keys and certificate need to be added
To see your existing Site JSON, execute:

sudo ubos-admin showsite --json --hostname '*'

Note that UBOS determines the identity of the site, and the app(s) deployed at it, by the long identifiers in that file, not the hostname. So you can update the site by redeploying, as long as the identifiers remain the same.

Write that to a file, edit the hostname field, generate self-signed keys and insert them as documented here. Then redeploy the site with the updated Site JSON with:

sudo ubos-admin deploy --file <your-modified-site-json-file>

Now if that sounds complicated :-), here's a way to cheat:
  • export your existing Site JSON with "ubos-admin showsite" as above
  • create a new Site JSON without deploying it, as you did with "ubos-admin createsite" but add the flags "-n -o <file>". UBOS won't let you deploy a conflicting site, as you found out, but you can create any Site JSON with the command as long as you don't deploy it (-n).
  • copy-paste the TLS entries, and hostname from the second file into the first
  • deploy the updated file.
This is still complicated, I'm afraid, and we have had this feature request open for a long time, but that's because there are so many variations of what one might want to do to an existing site, so it is not obvious that creating a command with a gazillion different ways of invoking it is any simpler than editing the JSON file directly...

P.S. Make a backup of your existing site first, of course.
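The copy-paste step of the "cheat" above, written as a script. This is an added example, not code from the original post or from UBOS itself; it assumes the Site JSON keeps the certificate under a top-level "tls" object with "key" and "crt" members, and it uses constructed sample JSON in place of the two real files.

```python
import json

# Constructed stand-in for the output of
# "ubos-admin showsite --json --hostname '*'"; the real file has more fields,
# which the merge leaves untouched.
EXISTING_SITE_JSON = """{
  "siteid": "s9ce350d0feaca00006ee366555d34efe728ca11a",
  "hostname": "*",
  "appconfigs": [{"appconfigid": "a8a0f9fc890d52d97e6b3997c561a2576a80fcd64",
                  "appid": "nextcloud", "context": ""}]
}"""

# Constructed stand-in for the file written by
# "ubos-admin createsite --tls --selfsigned -n -o <file>". The "tls" key and
# its "key"/"crt" members are an assumption about the Site JSON layout, and
# the PEM contents are placeholders.
GENERATED_SITE_JSON = """{
  "siteid": "s0000000000000000000000000000000000000000",
  "hostname": "ubosbox.example.com",
  "tls": {"key": "-----BEGIN PRIVATE KEY-----\\n(placeholder)\\n-----END PRIVATE KEY-----\\n",
          "crt": "-----BEGIN CERTIFICATE-----\\n(placeholder)\\n-----END CERTIFICATE-----\\n"},
  "appconfigs": [{"appconfigid": "a1111111111111111111111111111111111111111",
                  "appid": "nextcloud", "context": ""}]
}"""


def merge_tls_into_existing(existing_text, generated_text):
    """Return the existing Site JSON with hostname and TLS entries copied in
    from the generated one. Site and app identifiers come only from the
    existing site, so UBOS sees a redeploy of the same site, not a new one."""
    existing = json.loads(existing_text)
    generated = json.loads(generated_text)
    hostname = generated.get("hostname", "*")
    if hostname == "*":
        # The slip from later in this thread: the cert needs a real hostname.
        raise ValueError("hostname must be a real DNS name, not '*'")
    tls = generated.get("tls")
    if not isinstance(tls, dict) or not all(tls.get(k) for k in ("key", "crt")):
        raise ValueError("generated Site JSON carries no usable tls key/crt")
    merged = dict(existing)
    merged["hostname"] = hostname
    merged["tls"] = tls
    return merged


if __name__ == "__main__":
    # Write the result to a file and pass it to "ubos-admin deploy --file".
    print(json.dumps(merge_tls_into_existing(EXISTING_SITE_JSON, GENERATED_SITE_JSON), indent=2))
```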

tbbrown
Posts: 6
Joined: Sun Nov 18, 2018 3:37 am

Re: self-signed cert

Post by tbbrown » Sun Nov 25, 2018 1:39 am

My bad. I chose the 2nd option (so I could copy the TLS info) and then ran the deploy command, but then realized I had left hostname as '*', so I killed the process and tried to rerun it, but then I got:

[shepherd@ubosbox ~]$ sudo ubos-admin deploy --file site3.json
ERROR: Cannot create a temporary backup; the backup directory is not empty.
Did a previous ubos-admin operation fail? If so, please create an issue at
    https://github.com/uboslinux/ubos-admin/issues/new
To restore your data, run:
    ubos-admin update-stage2

So I tried that restore command and got:

[shepherd@ubosbox ~]$ sudo ubos-admin update-stage2
WARN : Directory exists already /ubos/lib/ubos/appconfigpars/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64
WARN : Directory exists already /ubos/lib/ubos/appconfigpars/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/nextcloud
WARN : Directory exists already /ubos/http/sites/s9ce350d0feaca00006ee366555d34efe728ca11a/nextcloud
ERROR: Directory::deployOrCheck: exists already: /ubos/http/sites/s9ce350d0feaca00006ee366555d34efe728ca11a/nextcloud/data
ERROR: Directory::deployOrCheck: exists already: /ubos/lib/nextcloud/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64
ERROR: Directory::deployOrCheck: exists already: /ubos/lib/nextcloud/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/data
ERROR: Directory::deployOrCheck: exists already: /ubos/http/sites/s9ce350d0feaca00006ee366555d34efe728ca11a/nextcloud/config
WARN : Directory exists already /ubos/lib/ubos/appconfigpars/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/nextcloud-cache-redis
ERROR: Directory::deployOrCheck: exists already: /ubos/lib/nextcloud-cache-redis/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64
ERROR: Directory::deployOrCheck: exists already: /ubos/lib/nextcloud-cache-redis/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/redis
WARN : Directory exists already /ubos/lib/ubos/appconfigpars/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/nextcloud-calendar
WARN : Directory exists already /ubos/lib/ubos/appconfigpars/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/nextcloud-contacts
WARN : Directory exists already /ubos/lib/ubos/appconfigpars/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/nextcloud-mail
WARN : Directory exists already /ubos/lib/ubos/appconfigpars/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/nextcloud-markdown
WARN : Directory exists already /ubos/lib/ubos/appconfigpars/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/nextcloud-news
WARN : Directory exists already /ubos/lib/ubos/appconfigpars/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/nextcloud-notes
WARN : Directory exists already /ubos/lib/ubos/appconfigpars/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/nextcloud-spreed
WARN : Directory exists already /ubos/lib/ubos/appconfigpars/a8a0f9fc890d52d97e6b3997c561a2576a80fcd64/nextcloud-tasks
WARN : Something went wrong during restore of update backup. Not deleting update backup.
ERROR: Update failed.

I don't have any data, so I'm open to starting an install from scratch if that is a viable option.

j12t
Posts: 59
Joined: Tue Dec 12, 2017 9:17 pm

Re: self-signed cert

Post by j12t » Mon Nov 26, 2018 1:28 am

For the future: you can redeploy as many times as you like, e.g. making gradual changes to a Site JSON is perfectly fine. Also, killing ubos-admin is a really bad idea, which is why we disable ^C.

These error messages aren't particularly bad. Look into /ubos/backups/update and see whether there is any valuable data there, specifically files uploaded to Nextcloud. If you haven't put much into your Nextcloud instance, probably not. Then you can move that directory out of the way, and run "ubos-admin update" (perhaps twice). That might set things right again, but no guarantees.

tbbrown
Posts: 6
Joined: Sun Nov 18, 2018 3:37 am

Re: self-signed cert

Post by tbbrown » Mon Nov 26, 2018 2:27 am

Thanks! That is great news. I followed those instructions and everything went smoothly (no loss of data), and then I was able to run the deploy command to enable TLS!!!

Thank you for your patience and help!
