Securing NextCloud jail using https and let’s encrypt (part two)

In part one of this tutorial we installed TrueNAS and created a NextCloud jail which makes the NAS content available using a web browser or the NextCloud app locally. In part two we will secure our NextCloud instance using https and make it reachable from the Internet.

To do this, the following requirements must be met:

  1. A domain name which can be resolved from the Internet: Select or register a domain name and create a DNS record pointing to the public IP address of your Internet connection. If you have a dynamic IP address, you can use a Dynamic DNS provider like NoIP to register a domain name.
  2. NAT and/or port forwarding for ports 80 and 443 on your firewall and/or router to the NextCloud IP address: Configure your firewall for NAT or port forwarding so that your TrueNAS server is reachable from outside on ports 80 and 443.
    Because there is a huge variety of devices I cannot go into detail here. If you are unsure, check the documentation of your modem/router/firewall for NAT and port forwarding.

After the requirements are in place we will start securing our NextCloud instance with Let’s Encrypt. To do this, log in to the web interface of your TrueNAS server, select the NextCloud jail and open its command line:

Step 1 – Add the server name to the nginx config

We need to set the server name so that certbot can verify it. To do this, enter the following command to switch into the config folder of nginx:

cd /usr/local/etc/nginx/conf.d/

Use vim to open the config file:

vim nextcloud.conf

Replace the _ in the server_name directive with your domain name, as displayed in the following screenshot:

Save the changes and exit vim.
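The same change, done from the jail's shell instead of vim, as an added example that is not part of the original tutorial: it replaces the catch-all "_" with your domain and checks the result, because certbot --nginx selects the server block by matching the -d domain against server_name. The config path and the sample config lines are assumptions based on the layout used above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: set the nginx server_name in
# nextcloud.conf from the shell and verify it, instead of editing the file in vim.
# Assumes the jail layout used above (/usr/local/etc/nginx/conf.d/nextcloud.conf).
set -eu

# Replace the catch-all "server_name _;" in config $1 with domain $2.
# sed -i.bak keeps a backup and works with both FreeBSD and GNU sed.
set_server_name() {
    sed -i.bak "s/^\([[:space:]]*server_name[[:space:]]*\)_;/\1$2;/" "$1"
}

# Print the first server_name value found in config $1 (empty if none).
get_server_name() {
    sed -n 's/^[[:space:]]*server_name[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Return 0 only if the config names a real host: certbot --nginx picks the
# server block by matching -d <domain> against server_name, so "_" will not do.
server_name_ok() {
    name=$(get_server_name "$1")
    [ -n "$name" ] && [ "$name" != "_" ]
}

# Demo on a constructed copy of the relevant lines of nextcloud.conf, not the real file.
demo() {
    tmp=$(mktemp)
    printf 'server {\n    listen 80;\n    server_name _;\n    root /usr/local/www/nextcloud;\n}\n' > "$tmp"
    set_server_name "$tmp" "$1"
    if server_name_ok "$tmp"; then
        echo "server_name is now: $(get_server_name "$tmp")"
    else
        echo "server_name still unset" >&2
    fi
    rm -f "$tmp" "$tmp.bak"
}

# Usage: sh set_server_name.sh nc.example.net (runs the demo on the constructed config)
if [ $# -gt 0 ]; then demo "$1"; fi
```

To apply it to the real file, call set_server_name /usr/local/etc/nginx/conf.d/nextcloud.conf yourdomain and run nginx -t before reloading.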

Step 2 – Installing Certbot

The following lines are more or less a copy of the very good tutorial from digitalocean.com describing How To Secure Nginx with Let’s Encrypt on FreeBSD. I have adjusted some commands (in the jail we do not need to use sudo) and skipped the part “Setting Up a Firewall and Allowing HTTPS Access” because this is not needed in the jail.

The certbot client is needed to obtain an SSL certificate. To do this we will use FreeBSD’s ports system. Enter the following commands in the command line of the jail:

Fetch a snapshot of the ports tree:

portsnap fetch

Extract the snapshot:

portsnap extract

Navigate to the py-certbot directory:

cd /usr/ports/security/py-certbot

Use the “make” command to download and compile the Certbot source:

make install clean

During this installation some configuration dialogs may appear; you can safely confirm them.

Navigate to the py-certbot-nginx directory:

cd /usr/ports/security/py-certbot-nginx

There run the make command to install the certbot plugin for nginx:

make install clean

After a while the certbot Let’s Encrypt client is ready to use.

Step 3 – Obtaining an SSL Certificate

Remember the requirements I mentioned before. If they are fulfilled we can now obtain and validate a certificate using the following command:

certbot --nginx -d nc.florian-rhomberg.net

Replace the domain nc.florian-rhomberg.net with your own domain name.

Enter an e-mail address and press Enter:

Accept the terms of service by pressing y:

Choose whether your e-mail address may be shared with the EFF:

In the next step you are asked whether HTTP should be redirected to HTTPS; I suggest enabling this. If everything works, the SSL certificate is installed and you will get the following message:

Congratulations, your NextCloud instance is now available from the Internet using HTTPS.

Step 4 – Verifying Certbot Auto-Renewal

In the last step we ensure that the auto-renewal of the SSL certificate is working.

First, simulate the renewal process manually with the following command:

certbot renew --dry-run

If this command succeeds we can define a cron job for auto-renewal. To do this, enter the following command:

crontab -e

Now you can define the cron job for renewal:

0 0,12 * * * /usr/local/bin/certbot renew

This line tells cron to run the certbot renew command twice a day. It checks whether any certificate on the system is close to expiry and attempts to renew it when necessary.
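A dry run only proves that renewal can work; the check below, added here as an example and not part of the original tutorial, tells you whether the cron job is actually doing its job by looking at how long the installed certificate is still valid. It assumes certbot's usual live path on FreeBSD for the tutorial's domain (adjust CERT for yours) and certbot's default of renewing when fewer than 30 days remain.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: report whether the installed
# certificate is still far enough from expiry to show that "certbot renew" is working.
# Assumption: certbot on FreeBSD stores the live chain under this path for the domain.
set -u

CERT=${CERT:-/usr/local/etc/letsencrypt/live/nc.florian-rhomberg.net/fullchain.pem}

# Return 0 if the certificate in $1 is still valid for at least $2 more days.
# openssl's -checkend takes seconds and behaves the same on FreeBSD and Linux.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the certificate's notAfter date for a quick look or a log line.
expiry_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Let's Encrypt certificates are issued for 90 days and certbot renews them once
# fewer than 30 days remain, so less than 30 days left means renewal is not happening.
# Returns 0 = fine, 1 = renewal overdue, 2 = certificate file missing.
check_renewal() {
    cert=$1
    if [ ! -r "$cert" ]; then
        echo "no readable certificate at $cert" >&2
        return 2
    fi
    if valid_for_days "$cert" 30; then
        echo "OK: $cert valid until $(expiry_date "$cert"); renewal not yet due"
        return 0
    fi
    echo "WARNING: $cert expires $(expiry_date "$cert"); certbot renew has not renewed it" >&2
    return 1
}

# Usage: sh check_renewal.sh [path/to/fullchain.pem]  (defaults to $CERT)
if [ $# -gt 0 ]; then check_renewal "$1"; elif [ -t 1 ]; then check_renewal "$CERT"; fi
```

Run it from the same crontab a few hours after the renew job, or by hand, and a WARNING tells you to inspect /var/log/letsencrypt before the certificate actually expires.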

Congratulations, your NextCloud instance is now reachable from the Internet and uses HTTPS by default.

Any kind of feedback is highly appreciated.


7 comments

  1. Hi,
    Thank you for this how-to. I followed part 1 without problem. But in this one, impossible to use the “make” command to download and compile the Certbot source. I get several errors:
    Building new INDEX files… done.
    root@nextcloud:/usr/local/etc/nginx/conf.d # cd /usr/ports/security/py-certbot
    root@nextcloud:/usr/ports/security/py-certbot # make install clean
    ===> Building/installing dialog4ports as it is required for the config dialog
    ===> Cleaning for dialog4ports-0.1.6
    /!\ ERROR: /!\

    Ports Collection support for your FreeBSD version has ended, and no ports are
    guaranteed to build on this system. Please upgrade to a supported release.

    No support will be provided if you silence this message by defining
    ALLOW_UNSUPPORTED_SYSTEM.

    *** Error code 1

    Stop.
    make[3]: stopped in /usr/ports/ports-mgmt/dialog4ports
    *** Error code 1

    Stop.
    make[2]: stopped in /usr/ports/ports-mgmt/dialog4ports
    ===> Options unchanged
    /!\ ERROR: /!\

    Ports Collection support for your FreeBSD version has ended, and no ports are
    guaranteed to build on this system. Please upgrade to a supported release.

    No support will be provided if you silence this message by defining
    ALLOW_UNSUPPORTED_SYSTEM.

    *** Error code 1

    Stop.
    make[1]: stopped in /usr/ports/security/py-certbot
    *** Error code 1

    Stop.
    make: stopped in /usr/ports/security/py-certbot
    root@nextcloud:/usr/ports/security/py-certbot #

    1. Hi,
      try the following command this should solve your problem:
      make -DALLOW_UNSUPPORTED_SYSTEM install clean
      instead of
      make install clean
      The reason for this error is that portsnap has been deprecated in upstream FreeBSD for some time. I wanted to revise the entry, but I had no time last week.

      Hope this helps,
      Florian

  2. Many thanks, after several days of trying this has been the only page that has worked.
    I used make -DALLOW_UNSUPPORTED_SYSTEM install clean; it takes a few minutes and some errors appear that have to be ignored, after that you have to go to the root with cd / and enter the other directory and run the previous command again.
    I did it on a TrueNAS with a Nextcloud plugin, and that plugin has a FreeBSD OS inside it.

  3. This step-by-step guide is great! Thank you for putting it together. One question, what if I already have a valid SSL certificate that I would like to use? How do I get it working with Certbot, or is there another way?

    Thank you.

    1. Hi, yes this is possible. If you are using certbot, the client puts the ssl settings into (based on this tutorial) /usr/local/etc/nginx/conf.d/nextcloud.conf. At the end of this file you will find some settings for ssl:
      listen 443 ssl;
      ssl_certificate /path2/public/key.key;
      ssl_certificate_key /path2/private/key.key;

      Replace the path of the second and third line with your path to the public and private key of your certificate. I did not test it, but after a restart of nginx you should be fine.
      For more details I refer to the official nginx documentation: https://nginx.org/en/docs/http/configuring_https_servers.html

      Greetings,
      Florian

  4. I’m receiving a challenge failed type: unauthorized when I try to complete the ssl certification, my ports are forwarded and my dns is correctly pointing to the IP address. I’m not sure why I am receiving this error.

    1. What is the exact error message? Is it possible that you have forgotten to allow http traffic to your NextCloud instance on port 80? For the ssl challenge the instance must be reachable through port 80!

      Florian
