Saturday, 1 November 2014

ownCloud HTTPS External Mount

In the previous article, the External storage support of ownCloud was mentioned briefly. In this article, you will learn how to mount an ownCloud instance that uses a self-signed certificate into your ownCloud instance. Of course, the same procedure can be used for other mounting options.

Self-signed certificates are the simplest, free way to have an HTTPS-enabled server. However, when a user opens the page, they get a warning that depends on the browser. On Firefox the following page is shown:


On Chrome/Chromium, the https prefix is shown in red and the padlock is not green:



The warnings here show that the certificate is signed by an untrusted issuer. The risk with a self-signed certificate is that it cannot be verified against a trusted issuer. If you have handed the public key to your users, they can ignore the warning. If not, it may be that the server is under attack and the key was modified by an attacker. See this question for a detailed explanation. To continue on Firefox, you need to add an exception for the certificate by clicking on I understand the risks and then Add exception:



Next, you will be shown an Exception dialog where you can confirm this security exception. On later visits, you will NOT be asked about this certificate again unless the certificate changes.

On Chrome/Chromium, you need to click on the Advanced link displayed on the page and choose Continue with ... (unsecured).

Similarly, if you need to mount an SSL-enabled ownCloud instance, you need to tell your ownCloud instance that you trust that server. For this, the users need to import the Root Certificates for this server in their Personal settings page.

So, how do we get the certificate of the server?

On Firefox, click on View in the window shown above, and choose Details. You will be shown a window similar to the one below:



Click on Export and save the certificate. If you have already confirmed the exception, you may not see this window again. In this case, to see the same window, click on the padlock to the left of the address bar and click on More information. In the Security tab, choose View Certificate.

On Chrome/Chromium, click on the padlock next to the address bar. On the Connection tab, choose Certificate information. Go to the Details tab and click on Export to export the certificate.

The next step is to import this certificate into our ownCloud instance. After enabling External storage support in app management, enable user external storage in admin settings. Make sure that ownCloud is checked.

In Personal settings, try to mount the other instance into yours. Enter the URL of the instance without the HTTP or HTTPS prefix and check the Secure checkbox. You will (most likely) get a red indicator showing that there is a problem with the setup:



This means that we need to import the server certificate into our instance to tell it that the connection can be trusted.

Scroll down and find the SSL root certificates field. Click on Import and find the certificate that you have just exported.




Now, back in the External storage field, you will see that the indicator is green and the connection is successful. If you go to the Files app, you will see the new external folder named ownCloud, shown with a different icon.





If you have imported your certificate but are still getting a red indicator, make sure that the Common Name is the same as the URL of the instance.
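Before importing an exported certificate, it is worth checking the two things discussed above: that it is the certificate you expect (compare its fingerprint with one obtained from the server's administrator) and that its name matches the host you are mounting. The following script is an added example, not part of the original post; it assumes the openssl command-line tool and a PEM-encoded export, and the function names and cloud.example.org are made up for illustration.

```shell
#!/bin/sh
# Added example: inspect an exported certificate before importing it as a
# trusted root. Requires the openssl CLI (x509 -checkhost needs 1.0.2+).

# SHA-256 fingerprint, to compare with the value the server admin gives you.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the certificate is valid for the given host name.
# openssl exits 0 either way here, so the printed verdict is what is tested.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Succeeds if issuer and subject are the same name, i.e. there is no separate
# CA certificate to look for and this file itself is what must be imported.
cert_is_self_issued() {
    subject=$(openssl x509 -in "$1" -noout -subject | cut -d= -f2-)
    issuer=$(openssl x509 -in "$1" -noout -issuer | cut -d= -f2-)
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Constructed sample input: a throwaway self-signed certificate whose
# Common Name is $2, written to $1.pem (private key in $1.key).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Usage: sh check_cert.sh exported.pem cloud.example.org
if [ "$#" -eq 2 ]; then
    echo "SHA-256 fingerprint: $(cert_fingerprint "$1")"
    if cert_is_self_issued "$1"; then
        echo "Self-issued: import this certificate itself"
    fi
    if cert_matches_host "$1" "$2"; then
        echo "Name matches $2"
    else
        echo "Name does NOT match $2: expect a red indicator"
    fi
fi
```

Pass the same host name that you enter in the External storage URL field, so the check uses the name ownCloud will actually connect to.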

6 comments:

  1. Any way to force it even if the common name isn't the same?

    1. If the common name isn't the same, then the certificate is made wrong.

  2. Hi, my OC instance and the WebDAV folder are on the same server (Synology DiskStation). I added the certificate but the icon is still red, the log says: SSL certificate problem: unable to get local issuer certificate.
    As far as I read, this has something to do with a previous OC update where certificates are handled stricter. It is a self-signed certificate, created with the DiskStation. My DDNS address is used as common name and the internal IP as alternative. Any idea what's wrong?

    1. Hi, which OC version and Browser are you using?

  3. How do I upload a global root SSL certificate?
