Let's Encrypt Certificate stops working

I am trying nextcloud on my TrueNAS. Below is the procedure I use to install nextcloud and make it accessible over the internet through HTTPS with a Let’s Encrypt certificate.

The procedure works, but every time I restart the nextcloud jail in TrueNAS or restart the machine, the certificate stops working and the browser lets me know that I'm trying to visit a website with a self-signed cert, and I have to repeat steps 3 and 6 every time I want to get my certificate back. I have also had the certificate stop seemingly randomly without any jail or machine restart, although I'm not sure about this.

Does anybody have any ideas on what could be causing this?

1. Install the Nextcloud plugin under the Plugins section on the TrueNAS interface.

2. Install certbot with the following command:

pkg install py38-certbot-nginx

3. In my nextcloud jail, edit nextcloud.conf under /usr/local/etc/nginx/conf.d/ and change the server_name from " _ " to my domain name from NoIP.

4. Edit the config.php and add my domain to the trusted_domains list.

5. Open the following ports on my router:

Internal port 8282 > external port 80
Internal port 8283 > external port 443

6. Run the following command from the nextcloud jail:

certbot

and fill the following prompts:
A. enter my email
B. agree ‘yes’ to the terms and conditions
C. select option 1 as my domain to register

And then certbot says the process was completed successfully.

Sorry. I cannot help you with your setup. But you can perhaps modify the Let's Encrypt part of these instructions.

Command is:
certbot certonly --standalone -d cloud.server.tld

I’m running Nextcloud on FreeBSD (not TrueNAS), and I use Apache (not NginX), but I think @devnull is on the right track.

However I’d use “webroot” instead of “standalone”. You’ll have to manually renew if you use standalone.

I’d try something like :
certbot certonly --webroot --webroot-path /path/to/your/clouds/rootdir/ -d cloud.server.tld

If that works, you’ll only need to add a cron job:
certbot renew

to maintain it.

That will drop a temp token in your Nextcloud's root directory, which the Let's Encrypt server sees and verifies against what certbot says it should be. There are multiple ways the Let's Encrypt server can verify your control of the domain, but I feel that's the easiest since you run your own TrueNAS server. (e.g. DNS verification is often the most practical for people using hosted or shared services, where they don't have control of the machine.)

This is basically from my notes, circa 2016, back when certbot was still called letsencrypt, and I was using ownCloud instead of Nextcloud! (And DNS verification wasn’t a thing!)
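The token-in-webroot check the reply above describes is the ACME HTTP-01 challenge. The following is an added example, not code from the thread or from certbot, that models both sides of it with the standard library: what certbot's --webroot mode writes under .well-known/acme-challenge/, and what the CA computes and compares after fetching that file. The account key JWK is a constructed placeholder (not a real key), the webroot is a temporary directory, and the function names are hypothetical.

```python
"""
Added example (not from the original thread or from certbot): the HTTP-01
challenge that `certbot --webroot` relies on, modelled offline.

Assumptions: FAKE_ACCOUNT_JWK is a constructed placeholder (not a real key),
the webroot is a temporary directory, and all function names are hypothetical.
"""
import base64
import hashlib
import json
import os
import tempfile


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the *required*
    members only, sorted by name, no whitespace. Optional members such as
    "alg" or "kid" are deliberately excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """The client side (what certbot --webroot does): write the key
    authorization to <webroot>/.well-known/acme-challenge/<token>."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def validate_challenge(webroot: str, token: str, jwk: dict) -> bool:
    """The CA side: after fetching http://<domain>/.well-known/acme-challenge/<token>
    it recomputes the key authorization from the account key it already holds
    and compares. Here the HTTP fetch is modelled as a file read from the
    directory the web server would serve for that path."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    try:
        with open(path, "r", encoding="ascii") as fh:
            body = fh.read().strip()
    except OSError:
        # Wrong --webroot-path (or a vhost that serves a different directory)
        # shows up here as a 404 on the real network.
        return False
    return body == key_authorization(token, jwk)


# Constructed placeholder account key: NOT a real RSA key, just base64url strings.
FAKE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": b64url(b"\x00" * 8 + b"not-a-real-modulus"),
    "e": "AQAB",
    "alg": "RS256",  # optional member; must not change the thumbprint
}


def demo() -> dict:
    """Run one successful validation plus the two common failure modes."""
    token = b64url(os.urandom(16))  # ACME tokens are random base64url strings
    with tempfile.TemporaryDirectory() as webroot:
        place_challenge(webroot, token, FAKE_ACCOUNT_JWK)
        ok = validate_challenge(webroot, token, FAKE_ACCOUNT_JWK)
        # File never placed where the server looks (wrong webroot / wrong vhost).
        wrong_path = validate_challenge(webroot, "missing-" + token, FAKE_ACCOUNT_JWK)
        # File present but written for a different account key.
        other_key = dict(FAKE_ACCOUNT_JWK, n=b64url(b"another-modulus"))
        wrong_key = validate_challenge(webroot, token, other_key)
    return {"ok": ok, "wrong_path": wrong_path, "wrong_key": wrong_key, "token": token}


if __name__ == "__main__":
    print(demo())
```

The script only models the file side. On the real network the CA still has to reach that path on port 80 of the public name, so in the original setup the router's 80 -> 8282 forward has to land on the nginx that serves the directory given as --webroot-path; if it serves a different document root, the CA gets a 404 and the renewal fails the same way the wrong_path case does here.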

Ok, I'll give that a try, but where is this cloud root directory? I don't know where to look for this. Is this the path to the nginx installation?

You can check your nginx config, but I’m going to guess it will be something like:
/usr/local/www/nextcloud
That's the standard FreeBSD place for Nextcloud, with web-related stuff put in /usr/local/www (both my Nextcloud and Roundcube Mail are in there).

I know TrueNAS isn’t FreeBSD, but TrueNAS is based on FreeBSD, so it’s an educated guess!