Enable SSL on your Nextcloud server
Updated: Apr 24, 2020
You need to have completed the first two guides in this series:
In this tutorial, we'll show you how to create an SSL certificate for your Nextcloud server. We'll also do our best to show you how to configure port forwarding on your home router. Port forwarding provides a path from the Internet to your Nextcloud server, because routers need to be told exactly where incoming traffic should go. Usually you don't have to worry about this, because 99.9% of home Internet users only take information from services on the Internet. It's the 0.01%, like yourselves, who need to make something inside the home available to the Internet. This may sound scary; however, as long as we use an SSL certificate, along with strong passwords on your Raspberry Pi and your Nextcloud user accounts, you minimise the risk.
Configuring Port Forwarding
You first need to forward ports 80 and 443 (port 80 carries unencrypted website traffic, and port 443 carries encrypted website traffic) to your Raspberry Pi. To do this, you'll need to log in to your home router's web page, which means you first need your router's address. It's usually on a sticker attached to your router, along with a username and password, and will almost always start with "192.168...". Once you have these three things, open a web browser and enter the address into the address bar. You should then be presented with a web page asking for the username and password you took from the sticker.
Now that you're logged into your router, you need to find the Port Forward settings page. It will usually be found under a 'Security' heading. Once you've found it, you'll need to create two rules: one for port 80 and another for port 443.
Here's an example of adding the port 80 rule on a Virgin home router:
Once you've added both rules and your router's rebooted, you should be ready for the next step.
Creating your SSL certificate with Let's Encrypt
You'll first need to install 'Certbot':
$ sudo apt-get install python-certbot-apache
Once that's installed, you'll need to run the following to create your certificate. You will need to enter the domain name that you set up in the previous guide:
$ sudo certbot --apache -m firstname.lastname@example.org -d joescloud.dynamic-dns.net -d www.joescloud.dynamic-dns.net
During the installation you may be asked which virtual host you would like to choose. Choose the option that has 'HTTPS' in the third column. You may then be prompted to choose whether or not to redirect HTTP traffic; choose 'Redirect'.
Configuring trusted domains
You'll now need to configure the trusted domains in your Nextcloud configuration file. To do this, type the following command:
$ sudo nano /var/www/nextcloud/config/config.php
Now add the four entries which are in bold, changing them to your setup. Save the file by pressing <Ctrl> + x followed by Y and then press <Enter>. (Don't forget the commas at the end of each entry).
<?php
$CONFIG = array (
  'instanceid' => 'ocvtfvhdwjai',
  'passwordsalt' => 'O18XcdsdsdcQfFuN8AkvVf+e87',
  'secret' => 'Mkk/o5h319wsdG/vl1jEZGnlZRZqJYSs9iUM',
  'trusted_domains' =>
  array (
    0 => '192.168.0.10',
    1 => 'www.joescloud.dynamic-dns.net',
    3 => 'https://www.joescloud.dynamic-dns.net',
    4 => 'https://joescloud.dynamic-dns.net',
  ),
  'datadirectory' => '/media/data',
  'dbtype' => 'mysql',
  'version' => '126.96.36.199',
  'overwrite.cli.url' => 'http://192.168.0.10/nextcloud',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'nextcloud',
  'installed' => true,
);
Now restart the Apache2 service:
$ sudo systemctl restart apache2
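The check below is an added example, not part of the original guide or of Nextcloud: it lists the trusted_domains entries in a config.php and flags any that carry a scheme or a path. It assumes Nextcloud compares each entry with the Host header of the incoming request (a hostname, optionally with a port); the function names and the sample file are hypothetical.

```sh
# Assumption: Nextcloud matches trusted_domains entries against the request's
# Host header (hostname or host:port), so a scheme or path can never match.

# Print each value in the trusted_domains array of config file $1 (multi-line layout).
list_trusted_domains() {
  sed -n "/'trusted_domains'/,/^[[:space:]]*),/p" "$1" |
    sed -n "s/^[[:space:]]*[0-9][0-9]* => '\(.*\)',[[:space:]]*\$/\1/p"
}

# Print a one-word verdict for a single entry.
classify_entry() {
  case "$1" in
    *://*) echo has-scheme ;;
    */*)   echo has-path ;;
    *)     echo ok ;;
  esac
}

# Print "verdict entry" per line; return 1 if any entry is not ok.
lint_trusted_domains() {
  rc=0
  entries=$(list_trusted_domains "$1")
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    verdict=$(classify_entry "$entry")
    printf '%s %s\n' "$verdict" "$entry"
    [ "$verdict" = ok ] || rc=1
  done <<EOF
$entries
EOF
  return "$rc"
}

# Constructed sample: the trusted_domains block from the config shown above.
write_sample_config() {
  cat > "$1" <<'EOF'
  'trusted_domains' =>
  array (
    0 => '192.168.0.10',
    1 => 'www.joescloud.dynamic-dns.net',
    3 => 'https://www.joescloud.dynamic-dns.net',
    4 => 'https://joescloud.dynamic-dns.net',
  ),
EOF
}

sample=$(mktemp) && write_sample_config "$sample"
lint_trusted_domains "$sample" || echo "replace the flagged entries with bare hostnames"
rm -f "$sample"
```

To check a real installation, call lint_trusted_domains with the path to config.php as a user who can read that file.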
The certificate expires after three months, so you'll have to create a cron job to automatically renew the certificate every month. To do this run the command below:
$ sudo crontab -e
You'll be asked which editor to use; choose 'nano'. Add the following line to the bottom of this file and save the file by pressing <Ctrl> + x followed by Y and then press <Enter>:
0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1
That's it. You should now be able to visit your Nextcloud server from outside your home by typing your domain into a web browser, or by downloading the Nextcloud app.