How to obtain SSL certificate in my setup?

I have Nextcloud running on a Raspberry Pi 3 Model B+, currently version 13, but I’d like to update to version 14.

My problem is that I would like to get an SSL certificate, so I can access the Nextcloud using https.

My setup is as follows:

My domain name is hosted with an ISP. The ISP has controls for DNS, so I have an A record for e.g. pointing to the public IP address of the router in my house, which has a static IP address.

The router won’t let me port forward port 80, so I forward ports 443 and 8080 to the IP address of my Raspberry Pi.

This works fine, I can access the Nextcloud from the internet on But I would like to switch to https.

But as I understand the process of obtaining an SSL certificate from e.g. I will need to put files on the web server for, but that’s on the ISP server, which already has an SSL certificate.

Before I try I would like to ask whether I can make this work or not.



Use certbot from Let's Encrypt, which will do everything automatically.
The only problem I see is that certbot needs port 80 to be forwarded to your nc-installation.

I have a similar setup.
Domain is hosted by the ISP.
Subdomain is hosted on my server at home. DNS records are updated using ddclient to point the subdomain to my publicly visible address.

Best regards

I was able to obtain a certificate using the DNS TXT record challenge, so now I have a certificate.
But since that is a manual operation, Apache has not been configured to use the certificate.
How do I do that?

After generating the SSL certificate, /etc/apache2/sites-available/default-ssl.conf needs to have the following entries configured:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/


sudo a2enmod ssl
sudo a2ensite default-ssl.conf
sudo systemctl reload apache2

I finished with an SSL test:

I also updated to Nextcloud 14.0.3, but that required a few manual steps, as the /var/www/html/nextcloud folder (and files under that) was not owned by www-data.
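
Added example (not part of the original thread): a pre-flight check to run before the `systemctl reload apache2` step above, confirming that the private key belongs to the certificate and that the certificate is not close to expiry, which matters when the certificate was issued by a manual challenge and is renewed by hand. The function name `check_cert_pair`, the 14-day default and the `<your-domain>` path component are assumptions of this example.

```sh
#!/bin/sh
# Added example: sanity-check a certificate/key pair before Apache uses it.
# check_cert_pair is a hypothetical helper, not part of certbot or Apache.
#
# Usage as a script (replace <your-domain> with your own directory name):
#   sh check_cert.sh /etc/letsencrypt/live/<your-domain>/fullchain.pem \
#                    /etc/letsencrypt/live/<your-domain>/privkey.pem \
#     && sudo apache2ctl configtest && sudo systemctl reload apache2

# check_cert_pair CERT KEY [MIN_DAYS]
# Returns: 0 = OK, 1 = file missing or unparsable,
#          2 = key does not match certificate, 3 = expires within MIN_DAYS
check_cert_pair() {
    cert=$1
    key=$2
    min_days=${3:-14}

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "missing or unreadable: $cert / $key" >&2
        return 1
    fi

    # Both commands print the public key in the same PEM form,
    # so a matching pair produces identical output.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 2
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days" >&2
        return 3
    fi
    return 0
}

# Run the check only when paths are given on the command line.
if [ "$#" -ge 2 ]; then
    check_cert_pair "$@"
fi
```
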

You may want to try DNS challenge validation.