
Enable Let's Encrypt SSL in Nextcloud on FreeNAS

First off, apologies if I don't explain everything perfectly; I will try my best.
Constructive criticism is always welcome.

Prerequisites:

You must have a FQDN that points to your outside IP address; duckdns.org is a good place to start.
Test this by pinging your FQDN ("ping example.duckdns.org") from the internet and check that it resolves to your outside IP.

You MUST have ports 80 and 443 forwarded on your router to your Nextcloud jail IP.
If not, cert creation will fail.

Instructions:

1. SSH into your FreeNAS as the root user
"ssh root@ip_of_your_freenas"

2. Open a console into the Nextcloud jail
"iocage console nextcloud"

3. Install the nano text editor so we can edit a few config files.
"pkg update -f"
"portsnap fetch extract"
"cd /usr/ports/editors/nano/ && make install clean BATCH=yes"

4. Edit nginx.conf to add our FQDN
"nano /usr/local/etc/nginx/nginx.conf"
Then add the following, changing example.duckdns.org to the FQDN you created earlier:

server {
    listen 80;
    listen [::]:80;
    server_name example.duckdns.org;
    return 301 https://$server_name$request_uri;
}

Be sure to save the file when finished.

5. Restart the Nextcloud jail from your FreeNAS web GUI, then log back into the Nextcloud jail console.

6. Install acme.sh
You can either run this script:
"curl https://get.acme.sh | sh"
or check out the git page, https://github.com/Neilpang/acme.sh

7. Issue a cert
Change example.duckdns.org to the FQDN you created earlier:
"acme.sh --issue -d example.duckdns.org -w /home/wwwroot/example.duckdns.org"

8. Copy the output of the cert command to notepad to refer to later, taking special note of the two locations:
Your cert is in /root/.acme.sh/example.duckdns.org/example.duckdns.org.cer
and
Your cert key is in /root/.acme.sh/example.duckdns.org/example.duckdns.org.key

9. Edit nextcloud.conf to enforce HTTPS
"nano /usr/local/etc/nginx/conf.d/nextcloud.conf"

Change example.duckdns.org to your FQDN.
ssl_certificate is your .cer file location from the acme.sh output.
ssl_certificate_key is your .key file location from the acme.sh output.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.duckdns.org;
    ssl_certificate /root/.acme.sh/example.duckdns.org/example.duckdns.org.cer;
    ssl_certificate_key /root/.acme.sh/example.duckdns.org/example.duckdns.org.key;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    # the rest of the existing server block (root, index, php locations) stays as it is
}

Be sure to save the file when finished.

10. Add your new FQDN to the Nextcloud trusted domains.
"nano /usr/local/www/nextcloud/config/config.php"

then add, inside the 'trusted_domains' array:

1 => 'example.duckdns.org',

You could also remove the local IP and just have your FQDN here.
Be sure to save the file when finished.

11. Restart the Nextcloud jail from your FreeNAS web GUI.

12. Test by going to your FQDN, https://example.duckdns.org

If I missed something please let me know and I will edit accordingly.

Hope this helps someone :)
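As an added example (not from the post above or the Nextcloud plugin's own config), here are the two nginx server blocks from steps 4 and 9 combined so that the ACME challenge path stays reachable over plain HTTP, which lets the acme.sh cron job renew the cert unattended when it expires, and so that nginx reads copies installed with "acme.sh --install-cert" rather than the internal /root/.acme.sh/ files. The challenge webroot /usr/local/www/acme and the /usr/local/etc/ssl/nextcloud/ paths are assumptions.

```nginx
# Added example, not the forum post's or the Nextcloud plugin's own config.
# Assumed paths: /usr/local/www/acme (the -w webroot given to acme.sh --issue)
# and /usr/local/etc/ssl/nextcloud/ (the --install-cert destination).

server {
    listen 80;
    listen [::]:80;
    server_name example.duckdns.org;

    # HTTP-01 validation fetches /.well-known/acme-challenge/<token> over
    # plain HTTP; serve it straight from the webroot, independent of the
    # Nextcloud document root, so renewals keep working with the redirect
    # below in place.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/acme;
        default_type text/plain;
    }

    # Everything else goes to HTTPS, as in step 4 of the post.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.duckdns.org;

    # Copies written by acme.sh on issue and on every automatic renewal:
    #   acme.sh --install-cert -d example.duckdns.org \
    #       --fullchain-file /usr/local/etc/ssl/nextcloud/fullchain.pem \
    #       --key-file       /usr/local/etc/ssl/nextcloud/privkey.pem \
    #       --reloadcmd      "service nginx reload"
    # The files under /root/.acme.sh/ are for acme.sh's internal use.
    ssl_certificate     /usr/local/etc/ssl/nextcloud/fullchain.pem;
    ssl_certificate_key /usr/local/etc/ssl/nextcloud/privkey.pem;

    # HSTS without "preload": a preloaded name cannot be taken back quickly
    # if this host or one of its subdomains ever has to serve plain HTTP.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

    # The remaining Nextcloud directives (root, index, php-fpm location
    # blocks) from the jail's existing nextcloud.conf stay unchanged here.
}
```

After issuing once with "acme.sh --issue -d example.duckdns.org -w /usr/local/www/acme" and running the --install-cert command from the comment, a later "acme.sh --renew -d example.duckdns.org --force" is a quick way to confirm the whole chain (challenge, install, reload) works before the real expiry.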
 
Did anybody try this? Does it work?

And what are the implications if I want to upgrade the plugin later on?
 

ddaenen1

And what about when the cert expires? I have been looking for a good way to get secure external access to my Nextcloud without having to install everything from scratch, and at the same time keep it low maintenance. I have been looking at introducing pfSense as my router and using the ACME package and HAProxy to set up Let's Encrypt and a reverse proxy, but I seem to be running into some issues with opening up port 80 in pfSense at the time, which is needed for ACME to generate the cert.
 

ddaenen1

Just as an update: I completed the process and it works like a charm. I replaced my Mikrotik router with a Dell R210 running pfSense and followed THIS guide to install and set up Let's Encrypt certs using the ACME package in pfSense, and after that THIS guide from the same publisher to set up a reverse proxy using HAProxy, and this really works like a charm. The good part is that you can very easily renew the cert and, secondly, it also redirects HTTP to HTTPS. To me, this is a better solution than embedding it in Nextcloud, as it allows you to add more certs and servers to the back end.