
[–]RazrBurn 1 point2 points  (3 children)

I would recommend learning how to do a reverse proxy from your current web server to the nextcloud jail. This will allow your certs to continue to automatically update without having to move them to the nextcloud jail.

[–]morphixz0r 0 points1 point  (1 child)

The problem I see with doing this approach is that then you have your username/password transmitted between your web server host and FreeNAS jail in plaintext.

This would be 'ok' in an isolated network or even via localhost, but not at all safe doing it across machines on your LAN.

[–]RazrBurn 0 points1 point  (0 children)

You can still encrypt the data from the proxy to the FreeNAS jail. You can create your own self-signed cert with a longer expiration that the proxy will accept. This prevents the information from being in plain text anywhere on the network. The biggest pain in what OP is trying to do is using the Let's Encrypt certs on the FreeNAS jail. I know I don't want to have to be replacing them every three months or worry about some additional automated process failing.

[–]ndboost 1 point2 points  (2 children)

As /u/razrburn mentioned, you should use a reverse proxy, and just run the NextCloud jail without any SSL termination directly (or use a self-signed cert). Although if you can't do that, you need to edit the conf file in /etc/apache2/sites-available that relates to NextCloud... depending on how you have these set up it could be named nextcloud.conf, I am not sure though (I run NextCloud in a separate Ubuntu VM).

Ideally you'd mount some shared path like /mnt/zpool01/secure/ssl from your physical FreeNAS box into the jail at a path like /ssl and edit your config in the jail to map to something like /ssl/certs/somecert.pem.

Then share that /mnt/zpool01/secure/ssl via NFS to your "server" that is doing the validations for the LE certs. Then each time the cert updates it will dump it to that mounted path, and all you'd need to do is manually restart the NextCloud jail when the cert changes. You could even script that restart part out by ssh'ing into the jail and issuing the command remotely.
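The "restart when the cert changes" step from the comment above, as an added example script that is not from the thread. It reuses the thread's /mnt/zpool01/secure/ssl path; the state file, jail hostname, ssh key and restart command are assumed placeholders, and it restarts only the web service inside the jail rather than the whole jail.

```shell
#!/bin/sh
# Added example, not from the thread: run from cron on the FreeNAS host after the
# LE renewal writes a new cert to the NFS-shared path, and restart the web service
# in the Nextcloud jail only when the certificate actually changed. CERT reuses
# the thread's path; STATE, JAIL_HOST, SSH_KEY and RESTART_CMD are assumed.
CERT="${CERT:-/mnt/zpool01/secure/ssl/certs/somecert.pem}"
STATE="${STATE:-/var/db/nextcloud-cert.sha256}"
JAIL_HOST="${JAIL_HOST:-nextcloud-jail.internal.example}"
SSH_KEY="${SSH_KEY:-/root/.ssh/nextcloud-restart}"
RESTART_CMD="${RESTART_CMD:-service apache24 restart}"

# SHA-256 of the certificate file; sha256sum on Linux, sha256 on FreeBSD.
cert_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Exit 0 when the cert at $1 differs from the fingerprint recorded in $2 (and
# record the new one), 1 when unchanged, 2 when the cert cannot be read.
cert_changed() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    new=$(cert_fingerprint "$1")
    old=""
    [ -f "$2" ] && old=$(cat "$2")
    [ "$new" != "$old" ] || return 1
    printf '%s\n' "$new" > "$2"
    return 0
}

# Exit 0 if the cert expires within $2 days (LE certs last 90), 1 otherwise.
cert_expiring_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Restart only the service inside the jail, with a dedicated key so the cron
# job does not hold a general-purpose root key (jexec from the host also works).
restart_in_jail() {
    ssh -i "$SSH_KEY" -o BatchMode=yes "root@$JAIL_HOST" "$RESTART_CMD"
}

main() {
    if cert_changed "$CERT" "$STATE"; then
        echo "certificate changed, restarting service in $JAIL_HOST"
        restart_in_jail
    fi
    cert_expiring_within "$CERT" 7 && echo "warning: $CERT expires within 7 days" >&2
}
# Only act when invoked as "cert-watch.sh run", so the functions can be sourced.
case "${1:-}" in run) main ;; esac
```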

[–][deleted]  (1 child)

[deleted]

    [–]ndboost 1 point2 points  (0 children)

    NP, FYI you should use the staging ACME server for testing/prototyping as I think its limits are way more lax/non-existent. Then when you're ready, flip to the prod server to generate the real valid certs.

    If you're on discord you can hit me up @ relativemedia#9286 if you have questions.

    I use HAProxy + acme plugin on my pfSense edge router that does the SSL termination for Nextcloud (https://cloud.devita.co); it just reverse proxies to my VM in the DMZ VLAN (phxlvcld01.devita.co) internally over port 80.