How to enable HTTPS for a local network Nextcloud instance
This post will go over the basic steps to enable HTTPS for an intranet Nextcloud service. I have to mess with this every three months when Let's Encrypt expires my certs, and it's always annoying.
This kind of setup might be useful for when you self-host a Nextcloud instance and don't want to open your home network to the public. I use Zerotier to provide a static IP address and connect to my Nextcloud server.
Environment:
- #Ubuntu 22.04.1 LTS
- #Nextcloud 24.0.7snap1
- #DNS is managed using #Namecheap
- #Zerotier for external network access
Step 1 – Generate new certs
This will start the cert generation process using the manual DNS challenge method to prove domain ownership.
~$ sudo certbot certonly --manual --preferred-challenges dns
- Enter the FULL domain for the certs
- Copy the value that it returns for the next step
Step 2 – Create TXT records
On whatever DNS service you use, create a TXT record using the “acme-challenge” domain Let's Encrypt created and the random string it generated.
- Create TXT record.
  - Domain should be _acme-challenge.<your domain>
  - Value should be whatever random string was generated by Let's Encrypt
- Verify that the record has been updated by using https://toolbox.googleapps.com/apps/dig
NOTE: For subdomains, only the “subdomain” portion is needed for the domain record
NOTE: When verifying, you should see the value of the TXT record. If you don't wait until the record has been verified, you'll need to start the process over again.
Step 3 – Copy the certs into Nextcloud
We will now copy the generated certs into the Nextcloud directory.
- Copy the certs from where Let's Encrypt dumped them, /etc/letsencrypt/live/<your domain>, into /var/snap/nextcloud/common
- Rename privkey.pem to key.pem
NOTE: Certs must be in a directory that the Nextcloud snap has access to. The easiest is to place them into /var/snap/nextcloud/common. These can be removed once the process is over.
Step 4 – Apply the certs
We will now apply the new certs.
Disable HTTPS for Nextcloud
~$ sudo nextcloud.disable-https
Stop the Nextcloud snap service
~$ sudo snap stop nextcloud
Enable HTTPS with new certs
~$ sudo nextcloud.enable-https custom -s <path to cert.pem> <path to key.pem> <path to chain.pem>
Start Nextcloud
~$ sudo snap start nextcloud
You should now be able to access Nextcloud using HTTPS.
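Steps 3 and 4 as one script, added here as an example and not part of the original setup. The function names are assumptions; the paths and commands are the ones from the steps above. It checks that all three files exist before touching anything and gives the copied private key owner-only permissions.

```shell
# Added example: stage certbot output for the Nextcloud snap, then apply it.
# Function names are assumptions; commands and paths come from the steps above.

# Copy cert.pem, chain.pem and privkey.pem (as key.pem) from SRC into DST.
stage_certs() {
    src=$1 dst=$2
    # certbot's live/ directory holds symlinks; -s also rejects dangling
    # links and empty files before anything is copied.
    for f in cert.pem chain.pem privkey.pem; do
        if [ ! -s "$src/$f" ]; then
            echo "missing or empty: $src/$f" >&2
            return 1
        fi
    done
    [ -d "$dst" ] || { echo "no such directory: $dst" >&2; return 1; }
    # install copies the link target and sets the mode, so the private key
    # copy is readable by its owner only.
    install -m 0644 "$src/cert.pem"    "$dst/cert.pem"  &&
    install -m 0644 "$src/chain.pem"   "$dst/chain.pem" &&
    install -m 0600 "$src/privkey.pem" "$dst/key.pem"
}

# Remove the staged copies once the process is over.
unstage_certs() {
    rm -f "$1/cert.pem" "$1/chain.pem" "$1/key.pem"
}

# Step 4, run as root: apply_certs <your domain>
apply_certs() {
    domain=$1
    dst=/var/snap/nextcloud/common
    stage_certs "/etc/letsencrypt/live/$domain" "$dst" || return 1
    nextcloud.disable-https
    snap stop nextcloud
    nextcloud.enable-https custom -s "$dst/cert.pem" "$dst/key.pem" "$dst/chain.pem"
    rc=$?
    # Restart and clean up even if enable-https failed, so the service comes
    # back and no key copy is left in the shared directory.
    snap start nextcloud
    unstage_certs "$dst"
    return $rc
}
```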
Hopefully someone else finds this helpful! Most people don’t have this setup (#Nextcloud Snap with #zerotier) and it took a lot of tinkering to get it to work.
The main source that I used was this blog from David Augustat. It’s a nice read on how to set up HTTPS for #intranet #domains for general use cases!
https://davidaugustat.com/web/set-up-lets-encrypt-on-intranet-website