In our last article, we explored how to install Nextcloud on TrueNAS CORE inside a jail. Here, we will go a bit further and obtain an SSL certificate for our setup from Let’s Encrypt, assuming you have a static IP from your ISP. So, let’s dive in and set up an SSL certificate for Nextcloud on TrueNAS CORE.
If you don’t have a static IP, follow this article for DDNS.
Things to do before installation:
- Point your domain to your static IP
- Open port 443 in the router and forward it to the Nextcloud jail IP
Install Certbot
We will install the Certbot package for standalone certificates. Log in to the Nextcloud jail and run the following command.
pkg install py39-certbot
Configure Apache
With our Nextcloud setup, we installed the Apache web server. Let’s go ahead and add port 443 to it.
vim /usr/local/etc/apache24/httpd.conf
Just below Listen 80, add Listen 443.
Check the configuration file and restart Apache.
apachectl -t
service apache24 restart
Quickly check which ports are open.
netstat -na | grep LISTEN
Get certificates
We are now ready to get SSL certificates for our setup.
certbot certonly --webroot -w /usr/local/www/nextcloud -d DOMAIN.COM
Change DOMAIN.COM and the web root path if they differ in your setup.
If everything goes smoothly, you will receive the certificates. Note down the path to them.
Auto renew via cron
To automatically renew the certificates, we will set up a cron job for it.
crontab -e
Add the following to it:
30 05 * * * certbot renew
This will run at 5:30 AM every day. Apache reads the certificate files only when it starts, so a renewed certificate is not served until Apache is restarted.
Update virtual host
We are almost done. In the last step we update the Nextcloud virtual host file and add the port 443 section.
vim /usr/local/etc/apache24/Includes/nextcloud.conf
<VirtualHost *:443>
	ServerName DOMAIN.COM
	DocumentRoot /usr/local/www/nextcloud
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
	SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
	SSLHonorCipherOrder On
	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
	Header always set X-Frame-Options DENY
	Header always set X-Content-Type-Options nosniff
	Protocols h2 http/1.1
	<Directory "/usr/local/www/nextcloud">
		AllowOverride All
		Options -Indexes +FollowSymLinks
		Require all granted
	</Directory>
	<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|ttf|woff)$">
		Header set Cache-Control "max-age=31536000, public"
	</FilesMatch>
	ErrorLog /var/log/nextcloud/error_ssl.log
	SSLEngine on
	SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/DOMAIN.COM/privkey.pem
	SSLCertificateFile /usr/local/etc/letsencrypt/live/DOMAIN.COM/fullchain.pem
</VirtualHost>
Change DOMAIN.COM to your actual domain.
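To confirm that the port 443 virtual host really disables the legacy protocols and ciphers before restarting Apache, here is an added Python audit script that is not part of the original guide; it reads the TLS-relevant directives from a vhost block and reports anything weak. It is fed a constructed, shortened copy of the block above; to audit your own file, pass the contents of nextcloud.conf to audit_vhost.

```python
import re

# Constructed sample: the TLS-relevant lines of the port 443 vhost above, cipher list shortened.
SAMPLE_VHOST = """
<VirtualHost *:443>
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-DES-CBC3-SHA:HIGH:!aNULL:!DES:!RC4
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
"""

LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
ONE_YEAR = 31536000  # smallest HSTS max-age accepted for the preload list


def directive(config, name):
    """Return the argument string of the first `name` directive, or None if absent."""
    m = re.search(r"^\s*%s\s+(.+?)\s*$" % re.escape(name), config, re.M | re.I)
    return m.group(1) if m else None


def audit_vhost(config):
    """Return a list of human-readable findings; an empty list means nothing weak was found."""
    findings = []
    tokens = (directive(config, "SSLProtocol") or "all").split()  # mod_ssl defaults to "all"
    for p in LEGACY:
        # "all -X" form: each legacy version must be subtracted; explicit list: it must be absent.
        allowed = ("-" + p not in tokens) if tokens[0].lower() == "all" else (p in tokens or "+" + p in tokens)
        if allowed:
            findings.append("SSLProtocol allows %s" % p)
    entries = (directive(config, "SSLCipherSuite") or "").split(":")
    excluded = {e[1:].upper() for e in entries if e.startswith("!")}
    for e in entries:
        if e.startswith("!"):
            continue
        # OpenSSL's "!DES" removes single DES only; triple DES suites need "!3DES".
        if "DES-CBC3" in e.upper() and "3DES" not in excluded:
            findings.append("3DES suite enabled: " + e)
        if "RC4" in e.upper() and "RC4" not in excluded:
            findings.append("RC4 suite enabled: " + e)
    if (directive(config, "SSLHonorCipherOrder") or "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not On: the client picks the cipher")
    hsts = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', config, re.I)
    if not hsts:
        findings.append("Strict-Transport-Security header missing")
    elif int(hsts.group(1)) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year")
    return findings
```

Run against the block above, the only finding is the explicitly listed 3DES suite, because the guide's !DES exclusion does not cover triple DES; dropping the DES-CBC3 entries from SSLCipherSuite (or adding !3DES) clears it.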
Check the configuration and restart Apache afterward.
apachectl -t
service apache24 restart
To automatically redirect from port 80 to 443, add the following to the port 80 section (mod_rewrite must be loaded in httpd.conf for these directives to be accepted).
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}