This post can also be read over on my federated WriteFreely blog
This post will go over the basic steps to enable HTTPS for an intranet Nextcloud service. I have to mess with this every three months when Let's Encrypt expires my certs, and it's always annoying.
This kind of setup might be useful for when you self-host a Nextcloud instance and don't want to open your home network to the public. I use Zerotier to provide a static IP address and connect to my Nextcloud server.
Environment:
- Ubuntu 22.04.1 LTS
- Nextcloud 24.0.7snap1
- DNS is managed using Namecheap
- Zerotier for external network access
Step 1 - Generate new certs
This will start the cert generation process using the DNS challenge method to prove domain ownership.
- Run the following:
~$ sudo certbot certonly --manual --preferred-challenges dns
- Enter the FULL domain for the certs
- Copy the value that it returns for the next step
Step 2 - Create TXT records
On whatever DNS service you use, create a TXT record using the "acme-challenge" domain Let's Encrypt created and the random string it generated.
- Create TXT record.
- Domain should be _acme-challenge.<your domain>
- Value should be whatever random string was generated by Let's Encrypt
- Verify that the record has been updated by using https://toolbox.googleapps.com/apps/dig
NOTE: For subdomains, only the "subdomain" portion is needed for the domain record
NOTE: When verifying, you should see the value of the TXT record. If you don't wait until the record has been verified, you'll need to start the process over again.
Step 3 - Copy the certs into Nextcloud
We will now copy the generated certs into the Nextcloud directory.
- Copy the certs from where Let's Encrypt dumped them, /etc/letsencrypt/live/<your domain>, into /var/snap/nextcloud/common
- Rename privkey.pem to key.pem
NOTE: Certs must be in a directory that the Nextcloud snap has access to. The easiest is to place them into /var/snap/nextcloud/common. These can be removed once the process is over.
Step 4 - Apply the certs
We will now apply the new certs.
- Disable HTTPS for Nextcloud
~$ sudo nextcloud.disable-https
- Stop the Nextcloud snap service
~$ sudo snap stop nextcloud
- Enable HTTPS with new certs
~$ sudo nextcloud.enable-https custom -s \
    /<path to cert.pem> \
    /<path to key.pem> \
    /<path to chain.pem>
- Start Nextcloud
~$ sudo snap start nextcloud
You should now be able to access Nextcloud using HTTPS.
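As an added helper (not part of the original post) for the wait in Step 2 and the hand-off in Steps 3 and 4: it polls public DNS for the _acme-challenge TXT record until the token certbot printed is visible, so you don't tell certbot to continue too early and have to restart, and it checks that key.pem really belongs to cert.pem before you run nextcloud.enable-https. It assumes dig and openssl are installed and that 1.1.1.1 is reachable as a resolver.

```shell
#!/bin/bash
# Added example: helpers around the manual DNS challenge and the cert hand-off.
# Assumptions: dig and openssl are installed; 1.1.1.1 is used as the public resolver.
set -eu

# Record name to look up: always the full FQDN, even when the DNS provider
# only asked for the "subdomain" portion in its host field.
acme_record_name() {
  printf '_acme-challenge.%s\n' "$1"
}

# Read dig's +short TXT output (one double-quoted string per line) from stdin
# and succeed only if one line is exactly the expected token.
txt_has_token() {
  grep -Fxq "\"$1\""
}

# Poll the resolver every 15 s, up to a number of attempts (default 40 = 10 min).
wait_for_txt() {
  local domain="$1" token="$2" attempts="${3:-40}" name
  name="$(acme_record_name "$domain")"
  while [ "$attempts" -gt 0 ]; do
    if dig +short TXT "$name" @1.1.1.1 | txt_has_token "$token"; then
      echo "TXT record for $name is live; press Enter in certbot now."
      return 0
    fi
    attempts=$((attempts - 1))
    sleep 15
  done
  echo "Timed out waiting for $name to show the token" >&2
  return 1
}

# Sanity check before enable-https: the public key inside cert.pem must equal
# the public key derived from key.pem, and the cert must be valid for >= 1 day.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub="$(openssl x509 -noout -pubkey -in "$1")"
  key_pub="$(openssl pkey -pubout -in "$2")"
  [ "$cert_pub" = "$key_pub" ] && openssl x509 -noout -checkend 86400 -in "$1" >/dev/null
}

# Usage: ./acme-wait.sh <your domain> <token certbot printed>
if [ "$#" -ge 2 ]; then
  wait_for_txt "$1" "$2"
fi
```

Run cert_matches_key /var/snap/nextcloud/common/cert.pem /var/snap/nextcloud/common/key.pem after Step 3; a non-zero exit means the files don't belong together or the cert is about to expire.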
Hopefully someone else finds this helpful! Most people don't have this setup (Nextcloud Snap with Zerotier) and it took a lot of tinkering to get it to work.
The main source that I used was this blog from David Augustat. It's a nice read on how to set up HTTPS for intranet domains for general use cases!
https://davidaugustat.com/web/set-up-lets-encrypt-on-intranet-website
Top comments (1)
Just created an account to say a big thank you! This worked perfectly. Just want to add that to create the missing chain you can copy the contents of the crt file in tools.keycdn.com/certificate-chain website and generate a complete certificate. You can then copy the contents of the complete certificate to a separate .chain.crt file which you can add to the command line.