I have been trying to figure out how to build a personal information infrastructure based on open-source projects. The idea is to have a cloud based at one's own home. As part of this, here is how to make Owncloud work with self-signed certificates.

As a foreword let me mention that Owncloud is probably from the past and today one should rather use Nextcloud. I haven’t made the migration yet, though, so I am still running Owncloud. This will change next year, I guess. However, since Owncloud version 9 the project features what they call Federation Sharing. What it means is that you can share with users of other Owncloud instances without the need for local user accounts.

To clarify, assume we both are running instances of Owncloud at our homes. Let’s call mine T.home and the remote one (yours) R.home. The feature then allows me to share, e.g. a folder, with yourusername@R.home. I no longer need to create a user account and password within my Owncloud. This is pretty awesome, so I wanted to check it out.

To enable the feature one has to enable the Owncloud app Federation and switch on the corresponding options on the admin page. There are two:

  • Allow users on this server to send shares to other servers
  • Allow users on this server to receive shares from other servers

After this you can start to enter remote names into the sharing dialogues. They do not work, though, if the servers are using self-signed certificates. I got a lot of

Sabre\HTTP\ClientException: SSL certificate problem: self signed certificate

in the Owncloud log. When I started to investigate I found that Owncloud offers a mechanism to trust remote instances. It seems this can be done in the admin section of the web interface as well, but I decided to go the command-line way. So I opened the remote site (like https://R.home/owncloud) in the browser, which of course complained that it cannot trust the certificate. I verified the fingerprint and afterwards added a permanent exception for this certificate. I then saved the certificate from the browser as a file named R.home.pem. To import this into Owncloud I did the following:

root@T:/var/www/owncloud# sudo -u www-data ./occ security:certificates:import R.home.pem
root@T:/var/www/owncloud# sudo -u www-data ./occ security:certificates

The second command lists the certificates known to Owncloud, just to verify that the one added with the first command shows up there. While the remote site will already get a notification about the share, sharing will still not work: the error is still reported as an SSL verification error due to a self-signed certificate, although the certificate should be known to Owncloud by now. It turns out Owncloud uses curl underneath and doesn’t tell curl about the certificate, so one needs to do this by hand. See the link (ClearNet!) below on how I found out about the following steps. I did this on Debian, so check whether paths and names differ if you are using a different distribution.

root@T:/var/www/owncloud# cp R.home.pem /usr/share/ca-certificates/
root@T:/var/www/owncloud# vim /etc/ca-certificates.conf
R.home.pem
root@T:/var/www/owncloud# update-ca-certificates

What I did here is to copy the file to the system-wide certificate path, add its name to the corresponding configuration file (the line R.home.pem shown above is what I appended in vim), and trigger the system-wide update so the change takes effect. Doing this should also make the trust exception in the browser unnecessary, by the way.

After this, sharing to yourusername@R.home actually works, and it is a great feature. If both sides use self-signed certificates then the steps need to be performed on the other side, too. At the moment I have this stuff running on the ClearNet, so I don’t have advice on how to set it up on TOR/I2P yet. Will get there some day …
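As an added example that is not part of the original post, here are the same two steps wrapped in a POSIX shell script that refuses to trust the remote certificate unless its SHA-256 fingerprint matches a value obtained out of band (e.g. read off the remote admin's screen). The host name, the expected fingerprint and the Debian paths are assumptions taken over from the post.

```shell
#!/bin/sh
# Added example, not from the original post: trust a remote Owncloud's self-signed
# certificate only after its SHA-256 fingerprint matches a value obtained out of band.
# Host name, expected fingerprint and the Debian paths below are assumptions.
set -eu

OC_DIR=/var/www/owncloud          # where ./occ lives (path from the post)
CA_DIR=/usr/share/ca-certificates # system CA directory used in the post
CA_CONF=/etc/ca-certificates.conf

# Normalise so "sha256 Fingerprint=ab:cd:EF" and "ABCDEF" compare equal.
norm_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Succeed only when the PEM file's SHA-256 fingerprint equals the expected one.
fingerprint_matches() {  # $1 = PEM file, $2 = expected fingerprint
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    [ "$(norm_fp "$actual")" = "$(norm_fp "$2")" ]
}

# Append a line to a file unless an identical line is already present (idempotent).
append_once() {  # $1 = file, $2 = line
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Save the leaf certificate the remote instance presents on port 443.
fetch_cert() {  # $1 = host, $2 = output PEM file
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

trust_remote() {  # $1 = host (e.g. R.home), $2 = expected SHA-256 fingerprint
    pem="$1.pem"
    fetch_cert "$1" "$pem"
    if ! fingerprint_matches "$pem" "$2"; then
        echo "fingerprint mismatch for $1, refusing to trust its certificate" >&2
        return 1
    fi
    # Step 1 from the post: make Owncloud itself trust the certificate.
    (cd "$OC_DIR" && sudo -u www-data ./occ security:certificates:import "$pem")
    # Step 2 from the post: make the system curl trust it too.
    cp "$pem" "$CA_DIR/"
    append_once "$CA_CONF" "$pem"
    update-ca-certificates
}

# Usage: trust_remote R.home 'AA:BB:...'  (fingerprint read off the remote admin's screen)
```

Running it a second time for the same host is safe: append_once keeps /etc/ca-certificates.conf free of duplicate entries and the occ import simply replaces the stored copy.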

ClearNet-Links:

  • http://www.onlinesmartketer.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/