Repairing NextCloud SAML when Certs expire
Summary
If your Nextcloud instance starts returning “invalid requester” after SAML has been working for some time, there is a good chance the certificate has expired. Many online tutorials for setting up Nextcloud with SAML and Keycloak have the user press the “Regenerate” button to create the key/cert pair. That is arguably more complicated, and the resulting certificate is valid for under 3 months, so the process has to be repeated fairly often. Below is a set of simple steps to update those certs and keys.
Steps
1. Generate the new cert and key
From any host with openssl installed you can run the following command (tweak values to your needs).
openssl req -newkey rsa:2048 -nodes -keyout keycloak-server.key.pem -x509 -days 3650 -out keycloak-server.crt.pem
This will output a key and cert that we can import into both Keycloak and Nextcloud.
2. Import cert into Keycloak
The cert can be imported easily into the client. Switch to your realm, select your Nextcloud SAML client, then ‘Keys’. Click import key and import the keycloak-server.crt.pem that was generated above.
3. Update Nextcloud cert and key
In my case Nextcloud is in a Kubernetes cluster, so I need to get a shell into the pod. Below will help you if you are in the same position:
apt update -y && apt install sudo && chsh www-data -s /bin/bash
The changes made to the pod can be reverted by simply killing it after the cert/key is updated. occ needs to run as www-data, hence the need for installing sudo; then we set www-data’s shell to bash so the account can actually be used. Now from the CLI we can update the cert and key:
sudo -u www-data php -d memory_limit=1G ./occ saml:config:set --sp-privateKey="Your key here" 1
sudo -u www-data php -d memory_limit=1G ./occ saml:config:set --sp-x509cert="Your cert here" 1
The “1” is the index (starting at 1) of the IdP provider, in this case Keycloak.
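The three steps above as one script, added here as an example rather than the post's own code: it generates the pair, checks that the key and cert actually belong together and are not about to expire, then pushes the PEM bodies through occ. The -subj value, the OCC dry-run variable and the function names are my assumptions, not anything the post or Nextcloud defines.

```shell
#!/bin/sh
# Rotate the self-signed SAML SP key/cert that Nextcloud signs requests with.
# OCC is how occ gets invoked (default: the sudo/php line from the post);
# set OCC=echo for a dry run that only prints what would be sent.
set -eu
OCC="${OCC:-sudo -u www-data php -d memory_limit=1G ./occ}"

# Step 1: new RSA key + self-signed cert, valid for <days> (-subj value is made up).
gen_keypair() {  # gen_keypair <out-prefix> <days>
    openssl req -newkey rsa:2048 -nodes -x509 -days "$2" \
        -subj "/CN=nextcloud-saml-sp" \
        -keyout "$1.key.pem" -out "$1.crt.pem" 2>/dev/null
}

# Does this private key belong to this cert? Compare the public key derived
# from each; pushing a key and cert that do not match is another way to end
# up with "invalid requester" again.
keypair_matches() {  # keypair_matches <key.pem> <cert.pem>
    pub_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    pub_from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]
}

# Succeeds only if the cert is still valid <seconds> from now; run it against
# the cert currently configured in Nextcloud to confirm expiry is the cause.
cert_valid_for() {  # cert_valid_for <cert.pem> <seconds>
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Step 3: store the PEM bodies in Nextcloud for IdP index <idx> (1 in the post).
install_into_nextcloud() {  # install_into_nextcloud <key.pem> <cert.pem> <idx>
    keypair_matches "$1" "$2" || { echo "key/cert mismatch, refusing" >&2; return 1; }
    $OCC saml:config:set --sp-privateKey="$(cat "$1")" "$3"
    $OCC saml:config:set --sp-x509cert="$(cat "$2")" "$3"
}

main() {  # main <out-prefix> [idp-index]
    gen_keypair "$1" 3650
    install_into_nextcloud "$1.key.pem" "$1.crt.pem" "${2:-1}"
    echo "Installed $1.crt.pem; now import it into the Keycloak client's Keys tab (step 2)."
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 <out-prefix> [idp-index]" >&2
fi
```

Run it from the Nextcloud directory as `./renew.sh keycloak-server 1`; with `OCC=echo` it prints the two occ calls instead of executing them.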
Sources
- https://www.muehlencord.de/wordpress/2019/12/14/nextcloud-sso-using-keycloak/
- https://medium.com/keycloak/running-keycloak-with-tls-self-signed-certificate-d8da3e10c544