SSL certificate for Nextcloud on TrueNAS CORE

In our last article, we explored how to install Nextcloud on TrueNAS CORE inside a jail. Here, we will go a bit further and obtain an SSL certificate for our setup from Let’s Encrypt, assuming you have a static IP from your ISP. So, let’s dive in and set up an SSL certificate for Nextcloud on TrueNAS CORE.

If you don’t have a static IP, follow this article for DDNS.

Things to do before installation:

• Point your domain to your static IP
• Open port 443 in the router and forward it to the Nextcloud jail IP

Install Certbot

We will install the Certbot package for standalone certificates. Log in to the Nextcloud jail and run the following command.

pkg install py39-certbot

Configure Apache

With our Nextcloud setup, we installed the Apache web server. Let’s go ahead and add port 443 to it.

vim /usr/local/etc/apache24/httpd.conf

Just below Listen 80, add Listen 443.

Check the configuration file and restart Apache.

apachectl -t
service apache24 restart

Quickly check what ports are open.

netstat -na | grep LISTEN

Get certificates

We are now ready to get SSL certificates for our setup.

certbot certonly --webroot -w /usr/local/www/nextcloud -d DOMAIN.COM

Change DOMAIN.COM and path to the web root if it’s different in your case.

If everything goes smoothly, you will receive the certificates. Note down the path to them.

Auto renew via cron

To automatically renew the certificates, we will set up a cron job for it.

crontab -e

Add the following in it:

30 05 * * * certbot renew

This will run at 5:30 AM every day.

Update virtual host

We are almost done; in the last step, we will now update the Nextcloud virtual host file and add the port 443 section.

vim /usr/local/etc/apache24/Includes/nextcloud.conf

<VirtualHost *:443>
	ServerName DOMAIN.COM
	DocumentRoot /usr/local/www/nextcloud

	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
	SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
	SSLHonorCipherOrder On
	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
	Header always set X-Frame-Options DENY
	Header always set X-Content-Type-Options nosniff

	Protocols h2 http/1.1

	<Directory "/usr/local/www/nextcloud">
		AllowOverride All
		Options -Indexes +FollowSymLinks
		Require all granted
	</Directory>

	<FilesMatch ".(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|ttf|woff)$">
		Header set Cache-Control "max-age=31536000, public"
	</FilesMatch>

	ErrorLog /var/log/nextcloud/error_ssl.log

	SSLEngine on
	SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/DOMAIN.COM/privkey.pem
	SSLCertificateFile /usr/local/etc/letsencrypt/live/DOMAIN.COM/fullchain.pem
</VirtualHost>

Change DOMAIN.COM to your actual domain.

Check the configuration and restart Apache afterward.

apachectl -t
service apache24 restart

To automatically redirect from port 80 to 443, add the following in the port 80 section.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}