How To Get An SSL Certificate For Your OwnCloud At Home That Runs On A Dynamic IP Address

I've been running an Owncloud instance at home for a while now and it's been revolutionary for me. It allows me to securely share my calendar and address book between several of my devices over the Internet and it lets me share files with friends and associates as easily as over less secure commercial cloud services. The only shortcoming I grew a bit tired of was that I only had a self-signed SSL certificate for my web server. This means that I either had to send http download links to those I wanted to exchange a file with or to tell them to ignore the stern warning message about a non-authenticated certificate when sending them an https link. Both options are not really acceptable in the long run, at least not to me.

The solution, of course, is to get my SSL certificate for my Owncloud web server authenticated by a Certificate Authority. This is a bit tricky, though, as I run my Owncloud at home and my DSL line has a dynamic IP address that changes once a day. Therefore I use a dynamic DNS provider and whenever my IP address at home changes, my DSL router at home contacts the dynamic DNS provider and updates the IP address for my domain name. The catch with this approach is that in order to get an SSL certificate one has to be the owner of the domain name. When using a free dynamic DNS service, the service provider owns the domain name and distributes sub-domains to users. In other words it's not possible with this setup to get an SSL certificate authenticated by a Certificate Authority for a sub-domain of the dynamic DNS provider.

Some dynamic DNS providers offer to register domain names in the name of the customer that can then be used with their dynamic DNS services but this is obviously not free. I didn't shop around for a cheap solution as I am very happy with the reliability of No-IP whom I've used for a long time now with a free account. It works well so I decided to stay. No-IP offers two variants of using one's own domain name with their dynamic service and this is actually a bit confusing: Their "Plus-DNS" package lets you use a domain name that is already registered to your name. This requires that the company that has registered a domain name for you has to allow you to change the DNS entry to point to No-IP. I have a couple of domains I could use for this purpose but unfortunately my provider does not let me change the DNS entries.

Therefore what I really needed was to get a domain name via No-IP and then link that with their "Plus-DNS" package. Note: Whether No-IP is a suitable dynamic DNS provider for you or not depends on whether your DSL or cable router at home lets you configure them for dynamic DNS services so have a look there first. Unfortunately, No-IP doesn't do a very good job of pointing out that the two packages need to be combined so I got it wrong the first time. So here's how it works if it is done in the correct order: Getting a domain name via them costs $15 a year when you start from this link.  But that's only half the deal as later on you also have to select the "Plus-DNS" package to add the dynamic DNS functionality to the domain name. The package altogether is $32 or around €25 per year. The domain name is registered in an instant and usable straight away. Care should be taken that the email address registered for the domain name is real as later on an email is sent to this address during the SSL certificate authentication process.

Once the domain works and points to the IP address dynamically assigned to the home network, everything is in place to create the SSL certificate and get it authenticated. No-IP also offers to do that part but I found the price a bit too high. So I looked around a bit and found Namecheap that resells Comodo SSL certificates for $9 with a validity period of one year. I tried their certificate later on with Firefox, Internet Explorer on the desktop as well as Safari and Opera on mobile and it's accepted by all of them. Creating a certificate and then getting it authenticated is quite straightforward once one knows how to do it and I've described the details in this blog post.

Once the Certificate Authority delivers the signed SSL certificate by email the final step is to configure the web server to use it. In my case I use Apache2 for my Owncloud instance and as I have no virtual hosts configured the only configuration file that needs to be changed is /etc/apache2/sites-enabled/default-ssl. Here are the lines that need to be adapted:

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   A self-signed (snakeoil) certificate can be created by installing
#   the ssl-cert package. See
#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
#   If both key and certificate are stored in the same file, only the
#   SSLCertificateFile directive is needed.

SSLCertificateFile    /etc/ssl/certs/martin.crt
SSLCertificateKeyFile /etc/ssl/private/martin-server.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.

SSLCertificateChainFile /etc/ssl/certs/martin.ca-bundle

If you've read my post about SSL certificates linked above, the lines that use the .crt and the .key file are easy to understand. I'm not sure if the third parameter, SSLCertificateChainFile, needs to be configured as well as it is only used during client authentication which is only done for special applications and Owncloud is not among them. I configured it to one of the ca-bundle files I received from the Certificate Authority.  That was probably not quite correct as the ca-bundle files should perhaps have been linked together before doing so but as it is not used anyway I don't think it hurts. The third parameter points to the file that contains the certificate chain of the certificate issuer. Like the signed certificate file it is also provided by the certificate authority.
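An added example, not part of the original post: a shell check with the openssl command line that a certificate, its private key and the CA bundle belong together before the three directives above are pointed at them. The throw-away PKI, its file names and the function names are constructed for the demonstration; with real files, pass the .crt, .key and ca-bundle received from the Certificate Authority and the root certificate they should chain to.

```bash
#!/usr/bin/env bash
# Added example. All keys and certificates created here are constructed test data.

# True when the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# True when the certificate ($3) chains to the trusted root ($1) using only the
# intermediate certificates found in the bundle ($2).
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a constructed root -> intermediate -> server PKI in directory $1.
make_demo_pki() {
    local d=$1 n
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    for n in inter server; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
    # Several intermediate files from a CA would be joined with cat into one bundle.
    cat "$d/inter.crt" > "$d/server.ca-bundle"
}

demo() {
    local d
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    key_matches_cert "$d/server.crt" "$d/server.key" && echo "key matches certificate"
    key_matches_cert "$d/server.crt" "$d/inter.key" || echo "mismatched key detected"
    chain_verifies "$d/root.crt" "$d/server.ca-bundle" "$d/server.crt" && echo "chain complete"
    # A bundle that lacks the intermediate leaves a gap in the chain.
    chain_verifies "$d/root.crt" "$d/root.crt" "$d/server.crt" || echo "chain incomplete"
    rm -rf "$d"
}

demo
```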

There we go, that's it, for less than €35 a year I have my own domain now for my Owncloud instance at home together with a valid SSL certificate!

2 thoughts on “How To Get An SSL Certificate For Your OwnCloud At Home That Runs On A Dynamic IP Address”

  1. The (hyper)link to blog post about SSL certificates is not the correct one. It appears to be the same with the hyperlink in “Namecheap”.
    Could you please fix it?
