My ownCloud adventures, Part 2: Certificates and Windows access

This is the second part of my postings about ownCloud, an open source solution for managing your data in the cloud. The first part covered the installation and initial configuration of the BitNami ownCloud stack virtual appliance. I will continue with explaining how to secure access to your data with SSL certificates and how to use WebDAV in Windows to access your ownCloud files.

After the installation you have immediate access to ownCloud through the built-in web interface, which allows you to upload and download files, manage a calendar and contacts, view pictures and play music:

The ownCloud web interface
This interface works well on all sorts of end user devices. But if you want to actually work (edit, copy etc.) with your files on a Windows system then you will prefer to have them available on a Windows drive that you can access directly with any application.

There are basically two ways to achieve this. You can use one of the ownCloud sync clients that are available for different platforms and allow you to synchronize a local directory with your ownCloud files (just like the Dropbox client for your Dropbox storage). This way you can make your files available on a fast local drive, independently of a network connection. On the other hand, having multiple copies of your files on different devices somewhat defeats the idea of centralized storage, and if you store gigabytes or terabytes of data in ownCloud it is just not practical to sync all of it to every device.

Luckily you can choose to sync only parts of your ownCloud data. For the remaining files I recommend accessing them online through a WebDAV share. WebDAV is an open standard protocol for accessing files over an http(s) connection. Therefore it is firewall and proxy server friendly (unlike the traditional file sharing protocols SMB/CIFS and NFS), and it is available on all common client platforms.

Use SSL and get it right

On the other hand, plain http is not really secure. That is no problem if you use it on an internal or firewalled network, but I would not recommend sending your login data and private files over an unencrypted Internet connection. You want to use an SSL encrypted https link for the WebDAV connection, and this is possible with ownCloud out-of-the-box, but ... like with every application using https you will run into the issue that it initially uses auto-generated self-signed certificates that no browser will trust by default.

It is easy though to install a custom certificate for ownCloud and get rid of all the browser security warnings. Here are the required steps:

1. Configure a DNS resolvable server name

You need to have authoritative access to a public DNS domain and register your ownCloud server's name in it. For the following instructions I assume that the name owncloud.example.org resolves to the IP address of your ownCloud server.

Configure the server's Linux OS and apache/httpd installation to use this name. For the BitNami ownCloud appliance the following steps are required:
  • Edit /etc/hostname to include the short name (owncloud)
  • Edit /etc/hosts to include a line that resolves both the short name and the FQDN to the server's public IP address:
       1.2.3.4   owncloud owncloud.example.org
  • Edit the apache config file /opt/bitnami/apache2/conf/httpd.conf. Find the line starting with ServerName and change it to:
       ServerName owncloud.example.org:80
  • Edit the apache config file /opt/bitnami/apache2/conf/extra/httpd-ssl.conf. Find the line starting with ServerName in the SSL virtual host definition and change it to:
       ServerName owncloud.example.org
2. Get a trusted certificate

There are many commercial providers that offer trusted SSL certificates. I chose Startcom's StartSSL service, because they offer Class 1 certificates for free and use a very fast, purely electronic/automated way to validate that you are the legitimate domain holder. If you use their services for the first time then I suggest choosing their Express Lane to get a free certificate for your domain really quickly. With the StartSSL certificate wizard you can even auto-generate a private key and the certificate signing request (CSR) without the need to run cryptic openssl commands in a shell.

Of course you can also use any other provider to get your own certificate. In the end you will only need a certificate that matches your server's fully qualified DNS name (like owncloud.example.org) stored in a server.crt file and a corresponding private key file. When generating the certificate in StartSSL's web interface be sure to save the password-protected private key in a text file. For usage with apache httpd you need to have the private key in decrypted format. You can use the "Decrypt private key" function from StartSSL's toolbox to generate that. Store it in a file named server.key.

3. Configure apache to use the custom certificate

Once you have the files server.crt and server.key just copy them to the directory /opt/bitnami/apache2/conf of the ownCloud server replacing the existing files there. If there are one or more intermediate CAs in your server's certificate trust chain then you need to create a file named /opt/bitnami/apache2/conf/server-ca.crt, put all intermediate certificates in there and uncomment the line
   SSLCertificateChainFile "/opt/bitnami/apache2/conf/server-ca.crt"
in the config file /opt/bitnami/apache2/conf/extra/httpd-ssl.conf.

Hint: The free StartSSL certificates use an intermediate CA. Download the StartCom Class 1 Primary Intermediate Server CA certificate and store it as the above mentioned file.

Once you have completed these steps restart apache by running
   /opt/bitnami/ctlscript.sh restart apache
If you encounter errors then check the log files in /opt/bitnami/apache2/logs to get a clue of what's wrong, and double check the syntax of the config files and the availability of the certificate files.
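Most of the errors you can hit at this restart come down to three things: the private key does not belong to the certificate, the certificate was issued for a different name than the ServerName clients will use, or the intermediate CA is missing from server-ca.crt. The following POSIX shell script is an added example, not part of this post's original steps, the BitNami stack or the ownCloud project; it checks all three (plus the remaining lifetime) before you run ctlscript.sh. It assumes an openssl binary on PATH, the file layout from the steps above, and the script name cert-preflight.sh is my choice.

```shell
#!/bin/sh
# Added example (not BitNami or ownCloud code): pre-flight checks for a
# custom Apache certificate. Assumes openssl on PATH and the file layout
# above: server.crt, server.key and the optional server-ca.crt in
# /opt/bitnami/apache2/conf.

# 1. The public key inside the certificate must match the private key,
#    otherwise Apache refuses to start ("key values mismatch" in error_log).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 2. The certificate must be issued for the FQDN that clients connect to.
#    Browsers and the Windows WebDAV client compare it against the
#    subjectAltName entries; older certificates only carry the subject CN.
cert_covers_name() {
    cert="$1"
    fqdn_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots in the ERE
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -E -q "DNS:${fqdn_re}(,|[[:space:]]|$)" && return 0
    openssl x509 -in "$cert" -noout -subject 2>/dev/null \
        | grep -E -q "CN ?= ?${fqdn_re}(/|,|$)"
}

# 3. The certificate must chain to a trusted root. Pass the same file you
#    use for SSLCertificateChainFile; openssl verify also consults the
#    system root store, so the intermediates alone are enough here.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 4. Apache serves an expired certificate without complaint, so also check
#    that the certificate stays valid for at least $2 more seconds.
not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Run all checks; returns 0 only if every hard check passes.
preflight() {
    cert="$1"; key="$2"; fqdn="$3"; ca="${4:-}"
    rc=0
    if key_matches_cert "$cert" "$key"; then echo "OK   private key matches certificate"
    else echo "FAIL private key does not match certificate"; rc=1; fi
    if cert_covers_name "$cert" "$fqdn"; then echo "OK   certificate covers $fqdn"
    else echo "FAIL certificate is not issued for $fqdn"; rc=1; fi
    if [ -z "$ca" ]; then echo "SKIP no chain file given"
    elif chain_verifies "$cert" "$ca"; then echo "OK   chain verifies"
    else echo "FAIL chain does not verify (intermediate missing from $ca?)"; rc=1; fi
    if not_expiring_within "$cert" 2592000; then echo "OK   valid for more than 30 days"
    else echo "WARN certificate expires within 30 days"; fi
    return $rc
}

# Usage on the appliance (restart only if every check passed):
#   sh cert-preflight.sh /opt/bitnami/apache2/conf/server.crt \
#      /opt/bitnami/apache2/conf/server.key owncloud.example.org \
#      /opt/bitnami/apache2/conf/server-ca.crt \
#   && /opt/bitnami/ctlscript.sh restart apache
if [ "$#" -ge 3 ]; then
    preflight "$@"
fi
```

The key/certificate comparison works on the public key rather than the RSA modulus, so it also covers non-RSA keys. The name check is deliberately strict about the FQDN: a certificate for www.example.org will not pass for owncloud.example.org, which is exactly the mismatch that makes Windows refuse the https mapping later on.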

Using WebDAV with Windows clients

In the "Personal Settings" dialog of the ownCloud web interface you will find the WebDAV path displayed:

ownCloud configuration screen

The path will be displayed with either an http:// or an https:// prefix depending on which protocol you used to access the web interface. Both ways will work, but remember that https is SSL encrypted and http is not.

Windows has built-in WebDAV support. In Windows 7 you just need to make sure that the "WebClient" service is enabled and running. To connect to the WebDAV share, map it as a network drive in Explorer, using the URL as the network path:

Map a WebDAV share in Windows Explorer
Check the "Connect using different credentials" option and enter your ownCloud username and password when prompted. Before you get this to work you might need to edit the following registry values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters key:

WebClient registry tweaks
  • Create a value named AuthForwardServerList of type REG_MULTI_SZ and enter the URL of your ownCloud server here
  • Change the BasicAuthLevel value to 2
  • Raise the FileSizeLimitInBytes value to the maximum (hexadecimal 0xffffffff)
  • Restart the WebClient service to make these changes effective
Even with these registry tweaks you will experience the following limitations when using the Windows built-in WebDAV client:
  • The automatic "Reconnect at logon/sign-in" doesn't work. The connection will still be shown in Explorer, but won't get restored. When selecting it you will be prompted for credentials again (although you already saved them).
  • Using https will only work if you are using a trusted SSL certificate for your ownCloud server (see instructions above)
To overcome these restrictions you can use a third party WebDAV client instead of the Windows built-in one. I have tried NetDrive, which is free for personal home use. It worked well for me in Windows 7 and 8 and also showed better performance.

Here is how to configure NetDrive for ownCloud:

NetDrive connection configuration
Advanced connection settings
To enable https select "Use HTTPS" in the connection's advanced options. You may also need to choose a character encoding other than "System default" here if you use non-English characters in file names. To properly display e.g. German umlauts I had to choose "UTF-8" here.

7 comments:

  1. Thanks for the articles, you've saved me some time :)
    BTW, didn't you find OwnCloud to be sluggish somehow?

    1. OwnCloud itself is not inherently sluggish. Probably the machine that it runs on causes the problems. A second vCPU and more RAM helps. And the more network bandwidth (on both ends) the better ...

  2. Thank you for the article. How did you increase the size of the data folder?

    1. I added a second large disk to the VM and mounted it onto the data folder. There might be different ways to do it, but I liked the idea of separating the data from the OS.

  3. Thanks a lot for the helpful article

  4. Thanks for the article, it summarises pretty much my own experience. In my case using a synology NAT.

    Microsoft says that it is a feature of basic authentication in Windows, NOT to remember a user’s credentials. See https://support.microsoft.com/en-us/help/943280/prompt-for-credentials-when-you-access-webdav-based-fqdn-sites-in-wind.

    There is a workaround though. I use a batch file that runs at logon via Task Scheduler that goes like this:
    Net USE z: https://yoursubdomain.synology.me:5006 /user:yourlogin yourpassword /persistent:no
    In this example Z is the drive letter to mount. If you use * it will be the first free letter. Persistent:no switch stops a broken mapping showing at start up, so each login will map the drive afresh.
    Obviously you would put your own URL or IP and/or port number that refers to your storage space, along with your login details and password.

    The downside to this approach is that your username and password are visible in a batch file, so make sure that it is located in your user account and that the schedule only runs it from there and for the user it relates to.

