
FreeNAS 11 Nextcloud / Owncloud Letsencrypt SSL/TLS

Sep 15, 2017
This is a guide for setting up FreeNAS 11 using the plugin for nextcloud / owncloud. I used nextcloud, so just replace that with owncloud if you're following this since it should be basically the same.

Disclaimer: I have no idea what I'm doing so feel free to tell me what I did wrong to make this guide better.

  1. Figure out why TLSv1.1 and TLSv1.2 don't work, probably because of an old version of openssl that apache was compiled with
  2. Figure out why plugin jails don't start apache like a normal service and instead spawn a bunch of httpd processes and leave the status of apache24 in an unknown state
Install Plugin
Pick your poison: install the nextcloud / owncloud plugin from the FreeNAS GUI and then chroot into the jail. In my example my storage array is called storage, so: chroot /mnt/storage/jails/nextcloud_1

Setup your router's port forwarding
You will need to forward ports 80 and 443 to the IP address of your jail for nextcloud / owncloud; instructions vary depending on what router you have. Also set up your domain. I'll be using and as a domain for the rest of the guide.

SSL certs using letsencrypt and certbot
pkg install py27-certbot
certbot certonly

Follow the steps in certbot to configure your server and follow the wizard doing the following:
  1. Use the webroot option, not standalone: since you already have an apache server running and available on port 80, you may as well not have to shut down your cloud to renew your certs
  2. Input BOTH and as your domains since they are two separate domains
  3. Use /usr/pbi/nextcloud-amd64/www/nextcloud as your webroot. You should now have a few cert and key files from letsencrypt located at /usr/local/etc/letsencrypt/live/
Setup cron job to check for cert renewal every 12 hours
  1. crontab -e
  2. Add 0 */12 * * * certbot renew to your cron jobs file
Update apache configs to use certs and for hardening
Some apache config work. Make sure to copy each file to a .bak file and try stopping / starting the plugin to verify it still works while doing this. I'm in the www camp and not the naked url camp, so just swap the www for naked urls if you're a heathen. You should use www if you ever intend to use subdomains or something, I don't know. If you want to try to debug why the plugin doesn't start, run service apache24 onestart and look at the errors.
  1. Forward all http requests to https by adding the following to /usr/pbi/nextcloud-amd64/etc/apache24/httpd.conf
    <VirtualHost *:80>
        Redirect permanent /
    </VirtualHost>
    <VirtualHost *:80>
        Redirect permanent /
    </VirtualHost>
  2. Set the following values in /usr/pbi/nextcloud-amd64/etc/apache24/extra/httpd-ssl.conf. I actually made symlinks to my certs to change the extensions, but referencing them directly is probably fine. Otherwise do something similar to
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/"
    SSLCACertificateFile "/usr/local/etc/letsencrypt/live/"
  3. Add the following header stuff before the last </virtualhost> to enforce https
    #   Require https
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
  4. Add a forward at the end from your naked domain to www; whatever you pick, be consistent
    <VirtualHost *:443>
        Redirect /
    </VirtualHost>
Restart your plugin
Congrats, you're done! All of the url combinations of naked domain vs www and http/https should forward to the same address. You should now get a C rating on qualys ssllabs because TLSv1.1 and TLSv1.2 don't work, but for our purposes I guess that's good enough.

**Bonus** Updating Nextcloud from the webpage
Once you log in, nextcloud may alert you there's an update. Nextcloud has a web update tool which is pretty nice, but it will immediately fail the file checks. This is pretty straightforward: certbot created a folder called .well-known in your webroot /usr/pbi/nextcloud-amd64/www/nextcloud. Make sure to move it out of the directory before updating or else the updater will complain about unknown files. Move the directory back when you're done.
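Added example (not part of the original post or of FreeNAS/Nextcloud): a small shell check for the two settings the guide changes in httpd-ssl.conf, showing why the SSLProtocol line above still allows TLSv1.0 and what a TLSv1.2-only line looks like to the same check. The function names, finding labels and sample configs are made up for this example; the hardened variant assumes an httpd linked against an OpenSSL with TLSv1.2 support, which the post reports is not the case in the plugin jail.

```sh
#!/bin/sh
# Added example, not from the original post: flag weak TLS settings in an
# Apache mod_ssl config such as the httpd-ssl.conf edited in the guide.

# audit_tls_conf [FILE] -> one finding per line on stdout, nothing if clean.
# Reads stdin when no FILE is given. Finding labels are made up for this example.
audit_tls_conf() {
    awk '
    /^[ \t]*#/ { next }                        # ignore comment lines
    tolower($1) == "sslprotocol" {             # a later directive replaces an earlier one
        seen = 1; split("", on)
        for (i = 2; i <= NF; i++) {
            t = tolower($i); sign = "+"
            if (t ~ /^[+-]/) { sign = substr(t, 1, 1); t = substr(t, 2) }
            if (t == "all")                    # "all" switches every protocol at once
                on["sslv3"] = on["tlsv1"] = on["tlsv1.1"] = on["tlsv1.2"] = (sign == "+")
            else
                on[t] = (sign == "+")
        }
    }
    tolower($0) ~ /header.*strict-transport-security/ { hsts = 1 }
    END {
        if (!seen) print "NO_SSLPROTOCOL"
        n = split("sslv3 tlsv1 tlsv1.1", weak, " ")
        for (i = 1; i <= n; i++) if (on[weak[i]]) print "WEAK_PROTOCOL " weak[i]
        if (seen && !on["tlsv1.2"]) print "NO_TLS12"
        if (!hsts) print "NO_HSTS"
    }' "$@"
}

# Constructed sample: the protocol and HSTS lines as given in the guide.
guide_conf() {
    printf '%s\n' \
        'SSLProtocol all -SSLv2 -SSLv3' \
        'SSLHonorCipherOrder on' \
        '<IfModule mod_headers.c>' \
        '    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"' \
        '</IfModule>'
}

# Constructed sample: same file with a TLSv1.2-only protocol line (assumption above).
hardened_conf() {
    guide_conf | sed 's/^SSLProtocol .*/SSLProtocol -all +TLSv1.2/'
}

echo "guide config:";    guide_conf    | audit_tls_conf
echo "hardened config:"; hardened_conf | audit_tls_conf
```

To check a real file, pass its path, for example audit_tls_conf /usr/pbi/nextcloud-amd64/etc/apache24/extra/httpd-ssl.conf from inside the jail.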


FreeNAS Experienced
Aug 3, 2017
b4bblefish said:

Setup your website
You will need to forward ports 80 and 443 to the IP address of your jail for nextcloud / owncloud instructions vary depending on what router you have. Also setup your domain I'll be using and as a domain for the rest of the guide.

By "setup your website" I assume you mean "nextcloud server",

and by domain I assume you mean the IP and/or no-IP, dyns handle with which one would access the server externally.
Mar 7, 2019
I have to forward ports 80 and 443, but can't log in.

I get this message:

You are accessing the server from an untrusted domain.
Please contact your administrator. If you are an administrator of this instance, configure the "trusted_domains" setting in config/config.php. An example configuration is provided in config/config.sample.php.
Depending on your configuration, as an administrator you might also be able to use the button below to trust this domain.

Add "" as trusted domain

I tried to do it step by step but get an error:

[root@freenas /mnt/Data/jails/nextcloud_1]# pkg install py27-cerbot
Updating local repository catalogue...
pkg: Repository local load error: access repo file(/var/db/pkg/repo-local.sqlite) failed: No such file or directory
pkg: file:///usr/ports/packages/meta.txz: No such file or directory
repository local has no meta file, using default settings
pkg: file:///usr/ports/packages/packagesite.txz: No such file or directory
Unable to update repository local
Error updating repositories!