This tutorial describes how to obtain and install an SSL/TLS certificate for a Nextcloud instance served by the Apache2 web server. Apache2 is installed as a separate service on Debian 10. We will use the Certbot client software to automate the process. You will need:
- A registered domain name for your Nextcloud server. You can get this from free services like Namecheap or Freenom or any other domain name registrar.
- An A record on a public DNS server pointing your_domain to the public IP address of your server, and an A record pointing www.your_domain to the public IP address of your server.
- Access to Nextcloud through this domain name. To do this, you need to configure trusted domains on Nextcloud. You can learn how to do it in this article.
- An Apache2 configuration file for your Nextcloud virtual host.
Step 1: Certbot installation
To get a certificate from Let's Encrypt, you'll need to install the Certbot software. You need to install two packages, certbot and python3-certbot-apache. The latter is needed to integrate with Apache2 to automatically get a certificate for it. Run the command:
sudo apt install certbot python3-certbot-apache
Confirm the installation by pressing Y, then ENTER.
Step 2: Verify the Apache2 virtual host configuration
To automatically obtain a certificate from Let's Encrypt for Apache2-based Nextcloud, certbot needs to find your Nextcloud virtual host configuration file.
Certbot obtains the domain names for your server from the ServerName and ServerAlias directives in your Nextcloud virtual host configuration file.
The virtual host configuration file for Nextcloud should be located in /etc/apache2/sites-available and named your_domain.conf, where your_domain is the domain name of your Nextcloud server.
You should also have the ServerName and ServerAlias directives correctly configured in the VirtualHost block of your configuration file. To do this, open the configuration file in a text editor with the command:
sudo nano /etc/apache2/sites-available/your_domain.conf
Find the ServerName and ServerAlias lines. They should look like this:
...
ServerName your_domain
ServerAlias www.your_domain
...
After changing the file, save it by pressing CTRL + O.
Then quit the editor by pressing CTRL + X.
Then check these changes against Apache2 with the command:
sudo apache2ctl configtest
If Syntax OK appears, the changes are correct. If there are any errors, reopen the configuration file and check for errors and typos. If the changes are correct, run the command to make the changes effective:
sudo systemctl reload apache2
With these changes, Certbot will be able to find the correct VirtualHost block and update it.
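Before running Certbot, it is worth confirming that the vhost file really carries the names you expect, because these are the names Certbot will offer for the certificate in the next step. The following script is an added example, not part of the original tutorial; the vhost path and the expected names are assumptions, and the sample vhost at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example: list the names Certbot will read from an Apache vhost file.
# Usage: vhost_names /etc/apache2/sites-available/your_domain.conf
# Prints one name per line; commented-out directives are ignored.
vhost_names() {
    # Drop comments, then collect ServerName/ServerAlias values. Apache treats
    # directive names case-insensitively, and ServerAlias may list several names.
    sed 's/#.*//' "$1" | awk '
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) print $i
        }'
}

# Return 0 when every expected name appears in the vhost, 1 otherwise.
# Usage: check_vhost_names /path/to/vhost.conf your_domain www.your_domain
check_vhost_names() {
    conf=$1; shift
    found=$(vhost_names "$conf")
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$found" | grep -qx -- "$want"; then
            echo "missing: $want (add it to ServerName or ServerAlias)" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample vhost, used when this script is run directly.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    # ServerName old.example (commented out, must be ignored)
    ServerName your_domain
    ServerAlias www.your_domain
    DocumentRoot /var/www/nextcloud
</VirtualHost>
EOF
check_vhost_names "$sample" your_domain www.your_domain && echo "vhost names OK"
rm -f "$sample"
```

Run it against your real vhost file and the names you registered in DNS; any name reported as missing would not be included in the certificate Certbot requests.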
Step 3: Obtain an SSL certificate
Obtain the certificate for Nextcloud with Certbot using the Apache plugin. To do this, run the command:
sudo certbot --apache
This script will ask you to answer a series of questions in order to obtain a certificate. First, it asks for an email address to receive renewal and security notifications.
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): you@your_domain
Once you have entered your email address, press Enter.
You will then be asked to agree to the Let's Encrypt Terms of Service. Press A, then Enter.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
You will then be asked to give the Electronic Frontier Foundation your email address so that they can send you news and other information. If you do not wish to receive their newsletter, enter N. If you do, enter Y. Then press ENTER to proceed to the next step.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
In the next step you will be asked which domains you want to enable HTTPS for. Certbot takes the domain names from the ServerName and ServerAlias directives, so these need to be configured correctly. If you want one certificate covering all the domains listed (recommended), press Enter. Otherwise, enter the numbers of the domains you want a certificate for, separated by commas or spaces, and then press Enter.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your_domain
2: www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
The output will be as follows:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for your_domain
http-01 challenge for www.your_domain
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/your_domain-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf
Next you will be asked whether to redirect HTTP traffic to HTTPS. Choose 2 to redirect all requests to HTTPS, or 1 if you want to keep both HTTP and HTTPS available on your server. Then press Enter.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
At this point the Let's Encrypt configuration is complete, and you will be shown final instructions, including how to test your certificate and TLS configuration with a third-party tool.
Congratulations! You have successfully enabled https://your_domain and
https://www.your_domain
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your_domain
https://www.ssllabs.com/ssltest/analyze.html?d=www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your_domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your_domain/privkey.pem
Your cert will expire on 2020-07-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Your certificate is now installed and loaded. Reload your site using https:// and check for the lock icon in the address bar, which indicates that the connection is secured.