

This post will go over the basic steps to enable HTTPS for an intranet Nextcloud service. I have to mess with this every three months when Let's Encrypt expires my certs, and it's always annoying.

This kind of setup might be useful for when you self-host a Nextcloud instance and don't want to open your home network to the public. I use Zerotier to provide a static IP address and connect to my Nextcloud server.


Step 1 – Generate new certs

This will start the cert generation process using the challenge method to prove domain ownership.

  1. ~$ sudo certbot certonly --manual --preferred-challenges dns
  2. Enter the FULL domain for the certs
  3. Copy the value that it returns for the next step

Step 2 – Create TXT records

On whatever DNS service you use, create a TXT record using the “acme-challenge” domain Let's Encrypt created and the random string it generated.

  1. Create TXT record.
    1. Domain should be _acme-challenge.<your domain>
    2. Value should be whatever random string was generated by LetsEncrypt
  2. Verify that the record has been updated by using https://toolbox.googleapps.com/apps/dig

NOTE: For subdomains, only the “subdomain” portion is needed for the domain record

NOTE: When verifying, you should see the value of the TXT record. If you don't wait until the record has been verified, you'll need to start the process over again.

Step 3 – Copy the certs into Nextcloud

We will now copy the generated certs into the Nextcloud directory.

  1. Copy the certs from where Let's Encrypt dumped them /etc/letsencrypt/live/<your domain> into /var/snap/nextcloud/common
  2. Rename privkey.pem to key.pem

NOTE: Certs must be a directory that the Nextcloud snap has access to. The easiest is to place them into /var/snap/nextcloud/common. These can be removed once the process is over.

Step 4 – Apply the certs

We will now apply the new certs.

  1. Disable HTTPS for Nextcloud

    ~$ sudo nextcloud.disable-https
  2. Stop the Nextcloud snap service

    ~$ sudo snap stop nextcloud
  3. Enable HTTPS with new certs

    ~ $ sudo nextcloud.enable-https custom -s \n
    /<path to cert.pem>\n
    /path to key.pem> \n
    /<path to chain.pem>
  4. Start Nextcloud

    ~$ sudo snap start nextcloud

You should now be able to access Nextcloud using HTTPS.

Hopefully someone else finds this helpful! Most people don’t have this setup (#Nextcloud Snap with #zerotier) and it took a lot of tinkering to get it to work.

The main source that used was this blog from David Augustat. It’s a nice read on how to set up HTTPS for #intranet #domains for general use cases!
