Let's Encrypt DNS validation setup

Hello ladies and gents,

I’ve been using nextcloud for about a year. Started with a VM, had issues (https), moved to snap (http). It worked great at first, but now I realize the limitations and it’s slow, so I want to move back to the VM with https. The issue is I already have a webserver running on 443 and 80, and I ruined my first VM trying to renew the letsencrypt certificate via DNS. So here I am again. I have Google DNS and am hoping for some commands for a techie but not a Linuxie. I’m not strong in Linux. I’m running on a SUPERMICRO 4U dual Xeon server with no current restrictions on RAM or CPU (have plenty to throw at it) and a few TB of hard drives in RAID6, all in ESXi 6.7. Not trying to brag, just giving background. I could use help, step by step please, with setting up Let’s Encrypt with an auto-renewing DNS challenge. Anyone that has done it, please give details. Last I looked at the letsencrypt site I was very confused on how to implement the DNS challenge. Once that is up and working I need to figure out how to migrate all data, but I don’t think that will be hard.

Many thanks,

P.S. I tried searching both the forum and Google without confidence in what I found.

apt -y install certbot / yum -y install certbot
certbot --some-options-depending-on-your-domain-and-webserver

Wow your guide is AMAZING,

Quick question:

What is meant by

Install restic backup tool if backup_folder is not empty

more info about restic: https://restic.readthedocs.io/en/latest/

backup_folder = ‘’ # e.g. /var/nc-backup

crontab settings restic for restic

backup_day = *
backup_hour = 4
backup_minute = 0

If not empty? Does that mean that if there are files in the backup folder it will auto import?

Also, for ubuntu 1804 which do you suggest, postgresql or mariadb, and why?

quick answer:

i read somewhere that postgres has better utf-8 support.
both (all three) are supported by nextcloud. both are working well.
if you have an existing nextcloud and you want to move you have no choice. you can’t import a postgres dump into mysql/mariadb. (it’s possible but complicated.)

if you start a new small home nextcloud. don’t care. i guess you won’t see any difference. i could find one.

if you start an enterprise class installation and plan to move to aws aurora i would advise postgres. (i attended a tech session where the differences between postgres and aurora were introduced and i understood that aurora has some advantages when it comes to heavy load.)

p.s.: right now in the playbook postgres is implemented as a docker container. there is a version without the docker container. but i’m still testing.
you can try it by using:

git clone https://github.com/ReinerNippes/nextcloud
# change to nextcloud directory
cd nextcloud
git checkout postgres.socket
# install ansible and needed python modules
# edit variables
vim inventory
ansible-playbook nextcloud.yml

i removed the link to my playbook because it didn’t fit the dns challenge question.

if you want to use it anyway:
you have to change the following line to get dns challenge to work

is short for if the variable backup_folder is not empty
in the playbook is a when clause checking if backup_folder != '' then install restic
normally you mount an external disc/nfs share to /var/nc-backup (or where you) and would get a restic repo there. check the restic docs for more info.

Hi orm1server,

I see you want to start from square one directly on decent hardware? Here’s my M.O. that has proven to work great for me ( and hopefully for you as well ).

I have started to install Debian Stretch as a minimum with SSH and Standard system Utilities ( No Desktop ).
Next in line was “apt install snapd” ( Notice the “d” at the end? )
Followed by “snap install nextcloud” ( no “d” this time! ), wait for somewhat 250MB of installation data rolling down and moving into your new server. You may need to reboot once after that, or wait some 60 secs for the server to settle in.
Then call up your server’s IP you have given during installation. If the NextCloud admin account creation page shows up, you’re all set so far.
SSH into your server, switch to root user if necessary, “cd /snap/bin” and “nextcloud.enable-https lets-encrypt” to obtain a Let’s Encrypt certificate ( Keep port 80 & 443 open on your router(s) ) and you’re good to go.

If I’m not mistaken, then the certificate auto-renewal also takes place without the server admin ( in this case YOU ) being obliged to manually renew them every 2 months.

Good luck with that one! :wink:

Thank you. But I currently have the snap on http installed, though it’s not performing to my liking. I wanted to move to a VM but wanted to use Let’s Encrypt DNS since ports 443 and 80 are used. Any walkthrough available for nextcloud to use Let’s Encrypt DNS validation?

Another possibility would be to manually enter the FQDN ( Fully Qualified Domain Name ) in the config.php file in order for your NextCloud server to accept being logged in from.

Example: myserver.domain.com

The file is located at “/var/snap/nextcloud/XXXXX/nextcloud/config/config.php” ( XXXXX = Build number, like 11336 ). Once in, locate a section called ‘trusted_domains’ =>. The first line below should read your server’s IPv4 address, such as " 0 => ‘’, ". Add another line below as follows: " 1 => ‘myserver.domain.com’, ". Save the file ( and eventually reboot your server ). Now your server should accept your FQDN without any hassle.

Hello Bandicoot,

I think you have my issue confused with another. I don’t need any help logging in I ONLY need help ATM with using let’s encrypt with DNS validation

Thank you,

Do you have any guidance on what to change L27 to to use DNS validation and would any other software or packages be needed?

you’ll find that in the docs of the certbot dns plugin (second link in my first post). it depends on your dns registrar.

you can test it on the command line. just install certbot as described in the certbot manual and follow the instructions in the below linked chapter.


(and you don’t need my playbook in your existing installation. it’s just useful if you decide to set up a complete new nextcloud.)
(and maybe it’s easier to set up your first webserver additionally as reverse proxy. then only this server would need certificates from letsencrypt. :wink: )
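
One way to run the DNS challenge discussed above from the command line, as an added example that is not part of any post in this thread or of the playbook. It assumes the zone is hosted in Google Cloud DNS and uses certbot's dns-google plugin; the domain and the credentials path are placeholders.

```shell
#!/bin/sh
# Added example: DNS-01 issuance with certbot's dns-google plugin, so nothing
# has to listen on ports 80/443. Assumes the zone is hosted in Google Cloud DNS.
# Debian/Ubuntu packages: apt -y install certbot python3-certbot-dns-google

# The credentials file is a DNS API key: anyone who can read it can edit the
# zone, so refuse to continue unless it is readable by its owner only.
creds_ok() {
    f=$1
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "unsafe mode $mode on $f, run: chmod 600 $f" >&2; return 1 ;;
    esac
}

# issue_cert <domain> <credentials.json>
# CERTBOT can be overridden (e.g. CERTBOT=echo) to preview the command line.
issue_cert() {
    domain=$1
    creds=$2
    creds_ok "$creds" || return 1
    "${CERTBOT:-certbot}" certonly \
        --dns-google \
        --dns-google-credentials "$creds" \
        --dns-google-propagation-seconds 60 \
        -d "$domain"
}

# Placeholder usage (domain and path are constructed, not from the thread):
#   issue_cert cloud.example.com /root/.secrets/google-dns.json
# certbot records the plugin and credentials path in
# /etc/letsencrypt/renewal/<domain>.conf, so a later "certbot renew" repeats
# the DNS challenge unattended. Check it with:
#   certbot renew --dry-run
```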

I want to use your guide and Let’s Encrypt DNS validation but have some basic questions, and I don’t want to fill this topic with simple back and forth. Any way to PM you? Once I get it sorted out I will add the final result to the topic so everyone can see.


here is the list with 5 steps to migrate your SSL certs to a new server

  • Archive certificates on the old servers
  • Move them to a new server
  • Extract to the correct location
  • Create symlinks
  • Redirect domain
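
The archive, extract and symlink steps above, as an added example that is not part of the original post. It assumes certbot's standard layout (archive/, live/ and renewal/ under /etc/letsencrypt); the domain in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: move a Let's Encrypt tree between servers without breaking it.
# Assumes certbot's standard layout under /etc/letsencrypt.

# Steps 1-2: pack archive/, live/ and renewal/ with modes and symlinks intact.
pack_le() {   # pack_le <letsencrypt-dir> <out.tar.gz>
    tar -czpf "$2" -C "$1" archive live renewal
}

# Step 3: extract under the same path on the new server.
unpack_le() { # unpack_le <in.tar.gz> <letsencrypt-dir>
    mkdir -p "$2" && tar -xzpf "$1" -C "$2"
}

# Step 4: live/<domain>/*.pem must still be symlinks that resolve to real
# files. A copy that dereferences links leaves regular files there instead,
# which certbot refuses to renew.
# The private key must also stay readable by its owner only.
verify_le() { # verify_le <letsencrypt-dir> <domain>
    for name in cert chain fullchain privkey; do
        link="$1/live/$2/$name.pem"
        [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 1; }
        [ -s "$link" ] || { echo "dangling or empty: $link" >&2; return 1; }
    done
    mode=$(stat -L -c '%a' "$1/live/$2/privkey.pem") || return 1
    case "$mode" in
        600|400) ;;
        *) echo "privkey.pem has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Placeholder usage:
#   old server:  pack_le /etc/letsencrypt /root/le.tar.gz
#   new server:  unpack_le /root/le.tar.gz /etc/letsencrypt
#                verify_le /etc/letsencrypt cloud.example.com
```

Delete the tarball from both servers once `verify_le` passes, since it contains the private key.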