NextCloud 13, Integrity Protection Failure, .well-known Let's Encrypt

Hi,

This issue is being created in hopes of finding a solution to NextCloud 13 installation with Let's Encrypt Certificate.

NextCloud has file integrity protection, which will cause the .well-known folder and the .htaccess file to be flagged as a security issue.

Does anyone have a proposal on how we might work around this issue?

Please find the integrity check notice generated by Nextcloud below.

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
    - EXTRA_FILE
        - .well-known/acme-challenge/.htaccess

Raw output
==========
Array
(
    [core] => Array
        (
            [EXTRA_FILE] => Array
                (
                    [.well-known/acme-challenge/.htaccess] => Array
                        (
                            [expected] =>
                            [current] => d1c54aa5adc100187bee69c06d79c6a9a54dc6338c398c21c8dd48c8fbdfd72a2f2ca73433ae5bf4255a61c6d2806ba8ba3fff12d3e677273345eea85ed47bc5
                        )

                )

        )

)
Status: Active

Comments

Background information:

We are using subdomains for Nextcloud installations, as clients may already have their website in the root domain, i.e. example.com

In some instances we may be only hosting the Nextcloud installation and not the client's website.

The issue that is of concern is that using a subdirectory requires a redirect from the subdomain root to the new subdirectory.

i.e. https://nc.example.com/nextcloud/

If the .well-known were to be deleted after a successful domain validation, would it be re-created upon certificate renewal?

Yes, it will be re-created if missing after each validation.

Ok.

Trying to look at this from a script agnostic perspective ...

Perhaps Nextcloud is affected by this file integrity verification at this juncture. Perhaps at a later juncture more scripts/apps may decide to go the route of integrity verification as these security concepts begin to become more mainstream.

I know this might be a big ask...

Could we have an option that is added to Server Templates and to Let's Encrypt module to 'Clean up' validation files after successful certificate renewal?

Something along the lines of a checkbox that reads 'Remove .well-known directory upon success'

This would cover both initial certificate creation and also any renewal requests.

If available as part of a Server Template then Virtual Servers that are dedicated to Nextcloud instances could be assigned a NextCloud specific Server Template that would ensure a clean root. The server admin can also configure this Server Template to exclude awstats-icon, awstatsicons, icon, stats and other folders that cause the integrity validation scan to find issues.

Thoughts on this approach?

That's not a bad idea ... I will look into implementing it and update this bug.

Thanks Jamie. Much appreciated.

I was re-reading what was written yesterday and I suppose if the 'Remove .well-known directory upon success' is checked by default then this would effectively remove the need to create a Nextcloud specific Server Template for this specific feature.

The Server Template for Nextcloud would then simply be one that has an Apache SSL site enabled by default, without Webalizer and without AWStats.

I'll do some testing on my end and report back to this thread.

Matomo (formerly Piwik) also implements file integrity protection and complains about awstats-icon, awstatsicons, icon, and stats.

Any chance the stats could be put somewhere else aside from the document root?

In the next Webmin release, any well-known directory created as part of the cert request process will be cleaned up automatically.
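
The cleanup discussed in this thread can also be run by hand after a renewal. The following is an added example, not Webmin's or Virtualmin's own implementation; the function name `cleanup_acme_challenge` and the temporary demo path are assumptions. It removes only the ACME challenge directory, refuses symlinks, and leaves any other `.well-known` content in place.

```shell
#!/usr/bin/env bash
# Added example: remove ACME HTTP-01 residue from a document root so that
# an integrity check no longer reports it as EXTRA_FILE.
# cleanup_acme_challenge is a hypothetical helper name.

cleanup_acme_challenge() {
    local docroot=$1
    local wk="$docroot/.well-known"
    local ch="$wk/acme-challenge"

    # Refuse anything that is not a plain directory: a symlinked
    # .well-known could point the delete outside the document root.
    if [ -L "$wk" ] || [ -L "$ch" ]; then
        echo "refusing: symlink at $wk" >&2
        return 2
    fi
    [ -d "$ch" ] || return 0          # nothing to clean

    # Only files are expected here (.htaccess plus challenge tokens).
    # A subdirectory means something else is using the path; leave it.
    if [ -n "$(find "$ch" -mindepth 1 -type d | head -n 1)" ]; then
        echo "refusing: unexpected subdirectory in $ch" >&2
        return 3
    fi

    rm -rf -- "$ch"
    # rmdir succeeds only on an empty directory, so other .well-known
    # content (for example security.txt) keeps the directory in place.
    rmdir -- "$wk" 2>/dev/null || true
    return 0
}

# Demo on a constructed document root (not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/.well-known/acme-challenge"
: > "$demo/.well-known/acme-challenge/.htaccess"
cleanup_acme_challenge "$demo" && ls -A "$demo"
rm -rf -- "$demo"
```

Run it against the virtual server's document root after the certificate has been issued; as noted above, the directory is re-created on the next validation if it is missing.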