https/SSL in local network for nextcloud

Hi,

I have Nextcloud running on a Raspberry Pi 4 in the local network.
I can access it using either the local IP address or the host name (which is http://nextcloud).

How do I get HTTPS working for the local network?
I would like to generate and install an SSL certificate on Nextcloud so that HTTP is redirected to HTTPS.

I will also be accessing Nextcloud remotely, for which there is a separate certificate.

Thanks,
Sam

Just FYI generating a certificate and redirecting to HTTPS are two completely separate processes.

Why use a separate certificate?

Hi @KarlF12
Thanks for your reply!

I am a beginner when it comes to this setup. But to help you understand it, my setup looks like the image here:

I will be accessing it using the WAN IP of the Vultr VPS (B). I might use Dynamic DNS for this IP.
Then nginx running on the Vultr VPS should forward through the tinc tunnel to the RPi4 Nextcloud (A) at the tinc VPN address 10.0.0.2.

Also, when I am in the home network, I want to access (A) directly using the LAN IP, preferably over HTTPS.

Hope that clarifies a bit more about my setup.

Right now I also have a problem with nginx:
If I open Firefox in VNC running on the Vultr VPS (B) and type 10.0.0.2, I can see the Nextcloud login.
(10.0.0.2 is in trusted domains.)
But when I forward using nginx proxy_pass :80 to 10.0.0.2:80 and then try to open WAN_IP:80 from any browser, it just keeps loading and finally fails. WAN_IP:80 is changed to 10.0.0.2:80 in the browser.

Any help is highly appreciated!
Thank you.
Thanks,
Sam
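The reverse-proxy leg described in the post above, as an added example that is not part of the thread: the nginx server block on the VPS and the Nextcloud settings that go with it. The public name (cloud.example.com), the VPS's tinc address (10.0.0.1) and the trusted_domains array index are assumptions; 10.0.0.2:80 is the upstream from the post. Two things a practitioner will want here: nginx must pass the client's Host header through (by default it sends the upstream address, so Nextcloud builds its redirects to 10.0.0.2), and Nextcloud's overwritehost together with overwritecondaddr tells it to use the public name in URLs only for requests that arrive from the proxy, so access by LAN IP keeps working.

```shell
#!/bin/sh
# Added example, not from the thread: nginx on the VPS proxying to Nextcloud on the
# Pi over the tinc tunnel, and the Nextcloud settings that belong with it.
# Assumed values (adjust): PUBLIC_HOST is the DynDNS name or WAN IP typed into the
# browser, PROXY_TINC_IP is the VPS's own tinc address. UPSTREAM is from the post.
PUBLIC_HOST="${PUBLIC_HOST:-cloud.example.com}"
UPSTREAM="${UPSTREAM:-10.0.0.2:80}"
PROXY_TINC_IP="${PROXY_TINC_IP:-10.0.0.1}"
# dots escaped for the overwritecondaddr regular expression below
PROXY_RE=$(printf '%s' "$PROXY_TINC_IP" | sed 's/\./\\./g')

# nginx server block. Without the Host line nginx sends the upstream address as
# Host, and Nextcloud then builds its redirects to 10.0.0.2. X-Forwarded-For and
# X-Forwarded-Proto give Nextcloud the real client address and scheme.
render_proxy_conf() {
    cat <<EOF
server {
    listen 80;
    server_name ${PUBLIC_HOST};

    # Nextcloud uploads are large; 0 disables nginx's 1 MB body limit.
    client_max_body_size 0;

    location / {
        proxy_pass http://${UPSTREAM};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Forwarded-Host \$host;
    }
}
EOF
}

# Nextcloud side, run on the Pi from the Nextcloud directory as the web server
# user (www-data on Raspberry Pi OS). Printed rather than executed so it can be
# reviewed first; pipe to sh to apply. The array indexes (trusted_domains 2,
# trusted_proxies 0) are assumed: `occ config:system:get trusted_domains`
# shows which slots are taken.
render_occ_commands() {
    cat <<EOF
# the name clients use must be a trusted domain, or Nextcloud refuses the request
sudo -u www-data php occ config:system:set trusted_domains 2 --value=${PUBLIC_HOST}
# X-Forwarded-For is believed only from this address; brute-force protection keys
# on the client IP, so never list an address that clients can reach directly
sudo -u www-data php occ config:system:set trusted_proxies 0 --value=${PROXY_TINC_IP}
# build URLs with the public name, but only for requests coming from the proxy,
# so LAN access by local IP is left alone
sudo -u www-data php occ config:system:set overwritehost --value=${PUBLIC_HOST}
sudo -u www-data php occ config:system:set overwritecondaddr --value='^${PROXY_RE}\$'
sudo -u www-data php occ config:system:set overwrite.cli.url --value=http://${PUBLIC_HOST}
EOF
}

# Print both; save the first with e.g. render_proxy_conf > /etc/nginx/conf.d/nextcloud.conf
render_proxy_conf
render_occ_commands
```

Once TLS is terminated on the VPS, add `overwriteprotocol https` in the same way and change `overwrite.cli.url` to the https:// form, otherwise Nextcloud keeps emitting http:// links behind the proxy.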

Okay, I think I see where you’re going with that. The main thing you need to decide is how you want to access it on your LAN. You could access it by LAN IP or by another hostname that resolves to it using a self-signed certificate trusted by the client(s). You can generate the cert yourself using OpenSSL or by going to a site like https://zerossl.com. Whichever you choose will have to be added as a trusted hostname in Nextcloud.

One of the pitfalls with doing it this way is you’ll have to change the server address you use based on where you are. That may not be a big deal just accessing via browser, but if you start using the sync client and WebDAV maps it will quickly become a pain.

Another option would be to use split horizon DNS (this is what I do on mine), and then use the same FQDN (and certificate) to access it on your LAN. The cert used on the VPS will be valid on your LAN this way too as long as the FQDN matches.
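The two routes in the reply above, as an added example that is not from the thread. It assumes nginx serves Nextcloud on the Pi; the LAN IP 192.168.1.10, the public name cloud.example.com and the certificate paths are placeholders, while the hostname nextcloud is the one from the question. Option 1 generates a self-signed certificate that lists both the LAN hostname and the LAN IP in its subjectAltName (the field browsers actually match), checks with openssl that it covers them, and shows the port-80 listener that only redirects to HTTPS, which is the separate step mentioned earlier in the thread. Option 2 is the split-horizon entry for a dnsmasq or Pi-hole resolver.

```shell
#!/bin/sh
# Added example, not from the thread. Option 1: a self-signed certificate covering
# the LAN hostname and LAN IP, with openssl's own check that it does, and the nginx
# listener that redirects HTTP to HTTPS. Option 2: a split-horizon resolver entry.
# Assumptions: nginx serves Nextcloud on the Pi; LAN_IP, FQDN and the cert paths
# are placeholders. LAN_NAME is the hostname from the thread.
set -e
LAN_NAME="${LAN_NAME:-nextcloud}"
LAN_IP="${LAN_IP:-192.168.1.10}"
FQDN="${FQDN:-cloud.example.com}"
OUT="${OUT:-$(mktemp -d)}"          # key and cert are written here

# Self-signed cert with a subjectAltName for both the name and the IP. Browsers
# match only the SAN, so a cert with just CN=nextcloud is rejected even when the
# CN is right. The key is unencrypted (-nodes) so nginx can read it at boot;
# file permissions, not a passphrase, protect it. 825 days is the longest
# validity Apple clients accept for certificates that are not publicly trusted.
make_selfsigned() {
    cat > "$OUT/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = ${LAN_NAME}
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${LAN_NAME}, IP:${LAN_IP}
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -keyout "$OUT/nextcloud.key" -out "$OUT/nextcloud.crt" \
        -config "$OUT/san.cnf" 2>/dev/null
    chmod 600 "$OUT/nextcloud.key"
}

# openssl exits 0 whether or not the name matches, so read its verdict text.
cert_matches_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '; }
cert_matches_ip()   { openssl x509 -in "$1" -noout -checkip   "$2" | grep -q ' does match '; }

# Pi-side nginx: port 80 only redirects, the site itself is on 443. Nextcloud's
# usual location blocks (root, PHP handler, .well-known) go where marked.
render_tls_site() {
    cat <<EOF
server {
    listen 80;
    server_name ${LAN_NAME} ${LAN_IP};
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name ${LAN_NAME} ${LAN_IP};
    ssl_certificate     /etc/ssl/nextcloud/nextcloud.crt;
    ssl_certificate_key /etc/ssl/nextcloud/nextcloud.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # ... remaining Nextcloud location blocks ...
}
EOF
}

# Option 2, split-horizon DNS: the home resolver (dnsmasq syntax, also used by
# Pi-hole) answers the public FQDN with the LAN IP, so the VPS certificate for
# that name is valid at home too and clients keep a single server address.
render_split_horizon() {
    printf 'address=/%s/%s\n' "$FQDN" "$LAN_IP"
}

make_selfsigned
cert_matches_host "$OUT/nextcloud.crt" "$LAN_NAME" && echo "cert covers $LAN_NAME"
cert_matches_ip   "$OUT/nextcloud.crt" "$LAN_IP"   && echo "cert covers $LAN_IP"
echo "key/cert in $OUT; copy to /etc/ssl/nextcloud/ and import nextcloud.crt on each client"
```

With option 1 the certificate is only trusted after nextcloud.crt is imported into each client's trust store (the desktop sync client and phone apps use the operating system's store), and both the LAN name and the LAN IP still have to be listed in Nextcloud's trusted_domains. With option 2 nothing is imported anywhere, which is why it scales better once the sync client and WebDAV mounts are involved.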