Install self-signed certificate in NextCloudPi

Hi all,

I would like NextCloud (installed on a Raspberry PI using NextCloudPi) to use a self-signed certificate. Because I only want the server to be accessible locally, my understanding is that I cannot use Let’s Encrypt?

More specifically, I was trying to follow this tutorial, which generates certificates using mkcert. My problem starts when the tutorial describes where I should put the certificate files: a subdirectory in the nextcloud install dir that is a “string of numbers or something else”. The certificates should be moved into something like “/var/snap/nextcloud/directory with numbers/certs/live”.

Because the author appears to use a Snap installation, it looks a bit different on my system: /var/www/nextcloud doesn’t contain a directory named like this, nor a directory called ‘certs’.

I would like to know where I should move the certificates…or alternatively, if there is a better way to do this. Thanks for any help!

NCP comes with

/etc/ssl/certs/ssl-cert-snakeoil.pem
and
/etc/ssl/private/ssl-cert-snakeoil.key

You can store cert and key anywhere you want as long as you point to the correct path in

/etc/apache2/sites-enabled/nextcloud.conf

If you want it for local use only, why not use the snakeoil cert and key installed by default?
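
An added example, not part of the thread or of NextCloudPi's own tooling: a shell check for the vhost file named above, run after changing it, that confirms the certificate and key it references exist, that the key is not accessible to other users, and that the two belong together. It assumes Apache's mod_ssl directives `SSLCertificateFile` and `SSLCertificateKeyFile` are what the file uses; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the certificate and key an Apache vhost file points to.
# SSLCertificateFile / SSLCertificateKeyFile are mod_ssl directives; the function
# names here are this example's own. Paths containing spaces are not handled.

# Print the path given to a directive (first uncommented occurrence in the file).
vhost_path() {  # usage: vhost_path <conf> <directive>
  awk -v d="$2" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Succeed only if the key exists and "other" users have no permission bits on it.
key_is_private() {  # usage: key_is_private <keyfile>
  [ -f "$1" ] || return 2
  [ -z "$(find -L "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \))" ]
}

# Succeed only if the certificate's public key equals the private key's public half.
pair_matches() {  # usage: pair_matches <cert> <key>
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

check_vhost() {  # usage: check_vhost <conf>
  local conf="$1" cert key
  cert=$(vhost_path "$conf" SSLCertificateFile)
  key=$(vhost_path "$conf" SSLCertificateKeyFile)
  if [ -z "$cert" ] || [ -z "$key" ]; then
    echo "SSLCertificateFile/SSLCertificateKeyFile not set in $conf"; return 1
  fi
  [ -r "$cert" ] || { echo "cannot read certificate $cert"; return 1; }
  key_is_private "$key" || { echo "key $key is missing or accessible to other users"; return 1; }
  pair_matches "$cert" "$key" || { echo "certificate and key do not belong together"; return 1; }
  echo "ok: $conf uses $cert with $key"
}

# Typical call on the box (as root, so the key is readable):
#   check_vhost /etc/apache2/sites-enabled/nextcloud.conf
```

This only checks that the files are consistent; whether a client trusts the certificate still depends on the issuing root being installed on that client.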

Thanks for the reply! When I stick to the default cert and key that come with NextCloudPi, I get error messages about self-signed certificates that are not trusted when I try to sync within the app I would like to use (Joplin). What I’m still unsure about: the tutorial I mentioned in the first post lists three files: cert.pem, privatekey.pem and chain.pem (the root certificate used by mkcert to create the cert.pem and privatekey.pem). I’m not really an expert in this. Where would that be in NextCloudPi?

AFAIK the only way to get rid of those is to get a certificate that is issued by a trusted organization, like Let’s Encrypt, or buy one from one of the others on the market.

Can check https://www.globalsign.com/en/blog/certificates-for-internal-servers for more info on what your options are.

Maybe to better explain what I want to achieve: I would like my local network to be accessible from the outside only via VPN. My understanding is that I cannot use Let’s Encrypt for that scenario. I would like to be able to turn on the VPN app on my phone to synchronize calendar, notes from the notes app etc. The tutorial I linked to in the first post claims to describe how to create trusted certificates in this scenario.

Thanks, I will read it!