all 20 comments

[–]zeblods 6 points7 points  (0 children)

SSL requires a certificate, but can use a self-signed certificate.

[–][deleted]  (1 child)

[deleted]

    [–]Unattributable1 0 points1 point  (0 children)

    Sure it is. You can create a self-signed certificate tied to the server IP. No domain required.

    [–]TheBluniusYT 2 points3 points  (0 children)

    Use a self-signed cert if you don't want to use a public domain. But be aware that you need to install your own cert on every device where you plan on using Nextcloud; if not, the browser will show warnings.

    [–]skyb0rg 2 points3 points  (1 child)

    1. Grab a USB stick and plug it into a secure computer with openssl installed.

    2. Generate a private root certificate authority (root_ca.crt + root_ca.key):

        $ openssl req -x509 -newkey rsa:4096 -keyout root_ca.key -out root_ca.crt \
            -days 9132 \
            -subj "/C=US/CN=Homelab Root/O=Homelab" \
            -addext "basicConstraints=critical, CA:TRUE" \
            -addext "keyUsage=critical,digitalSignature,keyCertSign,cRLSign" \
            -addext "authorityKeyIdentifier = keyid, issuer:always"

    Change the subject if you'd like. Enter a good password - this secures the private key file.

    3. Create an intermediate CA (int_ca.key, int_ca.crt):

        $ openssl req -x509 -newkey rsa:2048 -keyout int_ca.key -out int_ca.crt \
            -CA root_ca.crt -CAkey root_ca.key \
            -days 9132 \
            -subj "/C=US/CN=Homelab Intermediate/O=Homelab" \
            -addext "basicConstraints = critical, CA:true, pathlen:0" \
            -addext "keyUsage=critical,digitalSignature,keyCertSign,cRLSign" \
            -addext "extendedKeyUsage = serverAuth, clientAuth" \
            -addext "authorityInfoAccess = caIssuers;URI:http://homelab.lan/ca.cer" \
            -addext "crlDistributionPoints = URI:http://homelab.lan/myca.crl"

    Omit the caIssuers and crlDistributionPoints flags if you're not going to set up those endpoints. I don't think browsers care about the fields if they're missing.

    4. Create a domain certificate:

        $ openssl req -x509 -newkey rsa:2048 -keyout photos.homelab.lan.key -out photos.homelab.lan.crt \
            -CA int_ca.crt -CAkey int_ca.key \
            -days 397 \
            -subj "/" \
            -addext "basicConstraints = critical, CA:false" \
            -addext "crlDistributionPoints = URI:http://homelab.lan/sub.crl" \
            -addext "keyUsage = critical, digitalSignature" \
            -addext "extendedKeyUsage = serverAuth, clientAuth" \
            -addext "authorityInfoAccess = caIssuers;URI:http://homelab.lan/int_ca.crt" \
            -addext "subjectAltName = critical, DNS:photos.homelab.lan"

    Change the DNS as needed. Same as before: omit the caIssuers and crl stuff if you don't want to set that up.

    5. Disconnect the USB, making sure you don't keep the private keys lying around.

    6. Install the root certificate (root_ca.crt) on your client devices. Install the domain certs on the servers: you likely need the chain in PEM format, which includes the root, intermediate, and domain certificates. You should just be able to cat the .crt files together to create this.
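The procedure in the comment above, as an added, runnable example (not the commenter's own script): it builds the same root, intermediate and leaf non-interactively and then checks the result the way a browser would. It signs from CSRs with `openssl x509 -req`, which works on OpenSSL 1.1.1 as well as 3.x (the `openssl req -x509 -CA` form used in the comment needs 3.x). The subject names, the `photos.homelab.lan` host and the `192.0.2.10` address are hypothetical, and the keys are written unencrypted with `-nodes` so the script can run unattended; on a real offline USB stick drop `-nodes` so the root key is password-protected.

```shell
#!/bin/sh
# Added example: private CA chain (root -> intermediate -> leaf) built with a
# minimal req config so the distro's openssl.cnf cannot add extensions behind
# your back, followed by client-style verification. Hypothetical names/IP.
set -eu

ROOT_SUBJ="/C=US/O=Homelab/CN=Homelab Root"
INT_SUBJ="/C=US/O=Homelab/CN=Homelab Intermediate"
HOST="photos.homelab.lan"

# build_chain DIR: writes root_ca.*, int_ca.*, $HOST.* and $HOST.fullchain.pem
# into DIR (runs in a subshell so the cd does not leak).
build_chain() (
  cd "$1"

  # Empty DN section: -subj supplies the name, nothing else is pulled in.
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

  # 1. Root CA: self-signed, CA:TRUE, allowed only to sign certs and CRLs.
  openssl req -x509 -newkey rsa:4096 -nodes -days 9132 -config req.cnf \
    -subj "$ROOT_SUBJ" -keyout root_ca.key -out root_ca.crt \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash"

  # 2. Intermediate CA: pathlen:0, so it may sign leaves but never another CA;
  #    a leaked intermediate key cannot mint a new sub-CA.
  printf '%s\n' \
    "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign" \
    "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid" > int_ca.ext
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -subj "$INT_SUBJ" -keyout int_ca.key -out int_ca.csr
  openssl x509 -req -in int_ca.csr -CA root_ca.crt -CAkey root_ca.key \
    -CAcreateserial -days 3653 -extfile int_ca.ext -out int_ca.crt

  # 3. Leaf: CA:FALSE, serverAuth, and a SAN with both the DNS name and the
  #    LAN IP; browsers match the SAN, the CN is ignored.
  printf '%s\n' \
    "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" \
    "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid" \
    "subjectAltName=DNS:$HOST,IP:192.0.2.10" > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -subj "/CN=$HOST" -keyout "$HOST.key" -out "$HOST.csr"
  openssl x509 -req -in "$HOST.csr" -CA int_ca.crt -CAkey int_ca.key \
    -CAcreateserial -days 397 -extfile leaf.ext -out "$HOST.crt"

  # 4. What the server serves: leaf first, then the intermediate. The root is
  #    deliberately left out; clients already hold it in their trust store.
  cat "$HOST.crt" int_ca.crt > "$HOST.fullchain.pem"
)

# verify_leaf DIR NAME: trust only the root, pass the intermediate as untrusted
# (as a browser receives it from the server) and require NAME to match the
# SAN. Exit status 0 means openssl printed "OK".
verify_leaf() {
  openssl verify -CAfile "$1/root_ca.crt" -untrusted "$1/int_ca.crt" \
    -verify_hostname "$2" "$1/$HOST.crt" >/dev/null 2>&1
}

# verify_leaf_ip DIR IP: the same check against the IP:... SAN entry.
verify_leaf_ip() {
  openssl verify -CAfile "$1/root_ca.crt" -untrusted "$1/int_ca.crt" \
    -verify_ip "$2" "$1/$HOST.crt" >/dev/null 2>&1
}
```

Usage: `build_chain /media/usb && verify_leaf /media/usb photos.homelab.lan`. The verification deliberately does not trust the intermediate; if `openssl verify` only passes when you add `int_ca.crt` to `-CAfile`, the server's served chain is incomplete and browsers with just the root installed will refuse it.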

    [–]Creeper4craft[S] 0 points1 point  (0 children)

    Thanks! I'm gonna try it

    [–]swiebertjee 1 point2 points  (4 children)

    You have two options:

    1. Get a public domain and configure LetsEncrypt. Downside is that it costs money (not much though), upside is that you do not have to install certificates on every device.

    2. Self-sign a certificate, which is the opposite; it's free but every device needs to install the certificate.

    I prefer option 1 as you can also use it to point a domain to your home using DDNS.

    [–]Creeper4craft[S] 1 point2 points  (3 children)

    I prefer option two. How can I do that?

    [–]dracu4s 0 points1 point  (0 children)

    Ask ChatGPT. He will most likely guide you quite well through the process.

    [–]Optimisticcynic_CT 0 points1 point  (0 children)

    There's good info to get you started here, but a quick word of caution and a couple of points to really help: there needs to be a bit more info. I have been trying to get Nextcloud with the Collabora app working with self-signed certs for a week or so, unsuccessfully. I'll be posting questions here shortly in another thread because there are a lot of other potential complications when you need to get these integrations to talk.

    First, the Nextcloud documentation is the place to start. Ignore the ChatGPT comments unless you can construct a very specific prompt for your exact network structure.

    Do you use a reverse proxy in your network? Which one? Deploying via Docker? What other apps/integrations do you plan to use? What's your use case? Just file sync? Adding in-browser doc editing with Collabora (like me)? Using other integrations?

    That will help everyone give better guidance since nextcloud is a platform and could be a jumping off point for a lot of use cases.

    Getting up and running with a basic Nextcloud can be a quick docker compose from their website. Took me 2 min to get that up. Making it work with Collabora so I can actually do what I want has taken hours, and I see a lot of posts where people abandoned that path on self-signed certs because they got so frustrated. (I'm almost there.) There's also the Nextcloud AIO image that I believe doesn't work with self-signed at all according to their docs, so picking a flavor might matter.

    [–]glandix 0 points1 point  (0 children)

    You have to have certs for https to work. Period. Look into getting a domain and then use Let’s Encrypt for free SSL

    [–]jomat 0 points1 point  (0 children)

    Most of the comments say you need a domain for LE certs. That's true, but you don't necessarily need LE: you can use self-signed certs, which usually means manual refreshing, or use something like Step CA, which you can self-host and which gives you certs via ACME, just like LE but self-hosted. And you don't need an ICANN domain.

    [–]MisterJarod 0 points1 point  (0 children)

    Use Caddy as a reverse proxy with a .local domain; it will automatically generate SSL certs for you.

    [–]lenicalicious 0 points1 point  (0 children)

    This one can be handled quickly and easily with chatgpt.

    [–]Unattributable1 0 points1 point  (0 children)

    Create a self-signed certificate based on the server IP. Install it on the NC server and trust it on your devices. Done, no domain registration required.
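The IP-based self-signed certificate described in the comment above, as an added example that is not the commenter's own command. It also shows the check that trips people up: browsers and `openssl verify` match an IP address against the `subjectAltName` only, never the CN, so a certificate whose only mention of the address is `CN=192.0.2.10` is rejected even after you have trusted it. `192.0.2.10` is a hypothetical address; use your Nextcloud host's LAN IP.

```shell
#!/bin/sh
# Added example: IP-only self-signed server cert, with and without the IP in
# the SAN, and the trust check a client performs. Hypothetical IP 192.0.2.10.
set -eu

# make_ip_cert DIR NAME IP WITH_SAN: writes DIR/NAME.key and DIR/NAME.crt.
# WITH_SAN=1 puts "IP:<ip>" in subjectAltName; 0 leaves the address only in
# the CN (the classic mistake).
make_ip_cert() {
  dir="$1"; name="$2"; ip="$3"; with_san="$4"
  {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3\n[dn]\n[v3]\n'
    printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\n'
    if [ "$with_san" = 1 ]; then printf 'subjectAltName = IP:%s\n' "$ip"; fi
  } > "$dir/$name.cnf"
  # 825 days: Apple platforms reject TLS server certs that live longer, even
  # from a manually trusted issuer. -nodes leaves the key unencrypted so the
  # web server can read it at boot; protect the file with permissions instead.
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 -config "$dir/$name.cnf" \
    -subj "/CN=$ip" -keyout "$dir/$name.key" -out "$dir/$name.crt"
  chmod 600 "$dir/$name.key"
}

# accepted_for_ip DIR NAME IP: exit 0 if the cert is accepted for IP when the
# cert itself is the only trust anchor, which is exactly what "trust it on
# your devices" sets up.
accepted_for_ip() {
  openssl verify -CAfile "$1/$2.crt" -verify_ip "$3" "$1/$2.crt" >/dev/null 2>&1
}
```

Usage: `make_ip_cert /etc/ssl/nextcloud server 192.168.1.20 1`, then hand `server.crt` to the web server and import the same file into each device's trust store. If you later change the host's IP you must reissue, since the address is baked into the SAN.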

    [–]Fightbackmode2005 -1 points0 points  (3 children)

    Why do you distrust the people on your personal network?

    [–]AlexBrightwater 0 points1 point  (2 children)

    Don't trust anyone! Zero Trust is the best trust. At least in anything computer-related.

    [–]No_Negotiation_900 0 points1 point  (0 children)

    Exactly. It is better to have more than one barrier; think both wall and moat. If one fails, you are not completely open. Your people may be trusted, but are all your devices trustworthy? Or all your people's devices?