I am new to Nextcloud. For a project I installed the Nextcloud snap on an Ubuntu 22.04 LTS VM. I have nothing else on this machine. I just set the trusted domain to my domain, and on our firewall I made a port forwarding from the internet on port 4431.
That worked, and now I want to make it an HTTPS site.
But with certbot there is an error.
I don't have Apache or nginx as a web server because I fear that I can't configure it.
I want to make a workaround where I only have to put the SSL documents into some sort of folder so that it is certified.
Is that possible, or does anyone have a way to make it work another way?
Very poor prerequisites for operating a Nextcloud yourself, perhaps with important data. Can you recover your Nextcloud in an emergency?
Even if you use Snap, be sure to improve your Linux and Nextcloud knowledge. Alternatively, run Nextcloud as a managed Nextcloud with a hoster on the internet. Make regular backups and consider the maximum damage to your data that you can tolerate.
This is why certbot throws an error. You need to forward ports 80 and 443 as described in the wiki linked by the previous posters.
Alternatively, you could use self-signed certificates, or put a reverse proxy in front of it that handles HTTPS, and then get the certificates via DNS challenge if for some reason you absolutely must use an arbitrary port.
@Moritz_Bader, changing that port to 4431 will require a reverse proxy. The reason being that the encryption service expects ports 80 and 443; see port configuration.
Not quite sure what you expect your firewall to be managing here?
Setting up a reverse proxy is not as daunting as it may seem, especially with NPM (NGINX Proxy Manager), which is simple to install and maintain. NPM is well documented; see configuration for NPM with SSL termination.
Thanks for the response, I will try it and read more into it.
I just started my training in IT a year ago, and my colleagues don't know what they're doing and can't answer any questions about setting up an Ubuntu server.
This is sort of a personal project to look into work improvements for the firm I'm working for.
I assume he means port forwarding in the router. @Moritz_Bader Is my assumption correct?
Yes, but it depends on why he is using port 4431. If it’s because he already has another service running on port 443, NPM would be the solution for both services.
If he is using port 4431 because, for example, his ISP is blocking ports 80 and 443, he would have exactly the same problem with NPM or any other reverse proxy and he would have to use the DNS challenge to get a certificate.
Question: is it possible to use the DNS challenge with the nextcloud.enable-https lets-encrypt command? As far as I know Certbot should support this.
@Moritz_Bader Use ports 80 and 443 if you can, and it’ll likely just work, assuming you have a domain name, and a corresponding (Dyn-)DNS record in place that points to the public IP address of your router/firewall/internet connection.
I’m afraid I can’t answer that as I have no experience… I use NPM myself. Assuming that if certbot supports the DNS challenge, that will probably work in the snap. Maybe @kyrofa could answer that?
No worries. I was just curious. However, if it were possible, it might be worth documenting and officially supporting it, as it might be interesting for users who don’t want to expose their instances but still want a valid certificate.
Not last I checked. Certbot supports it, but each renewal requires your DNS to be updated with a new challenge, which either requires authentication and API support at your registrar, or manual interaction, neither of which the snap is set up to do. See this issue for more details.
Yeah, that was my second thought as well. In many cases it would be a manual process, and you probably also don’t want to deal with any issues people might have getting an API key or other trouble they might run into with their DNS providers.
I guess we’re d’accord on the DNS challenge question, but @Moritz_Bader is fighting a lonely battle
@Moritz_Bader, try it without changing the ports, then you won't need a reverse proxy either. So leave the ports at 80 and 443, then it will work with the certificates.
Unless your ISP actually blocks those ports. In that case, though, I am also unable to help you.
@bb77 was spot on way up in the thread: you can’t use Let’s Encrypt with non-standard ports. i.e. if you want Nextcloud available to the internet on port 4431, you cannot use Let’s Encrypt. You’ll need to use either self-signed or custom certs.
Yeah, the whole thing got a bit off topic, sorry about that.
@Moritz_Bader. I hope at least the answers and parts of other posts that were directly addressed to you were still helpful, otherwise feel free to ask.
Ports 443 and 80 are already in use. That's where we have our OWA access for mail.
I set up a port redirection by creating a network object (the VM) in the firewall and configuring two services that forward the respective service, whether HTTPS or HTTP, coming from the internet to port 4431.
As such, the ports are open.
I tried it with the command nextcloud.enable-https lets-encrypt.
But there it complains that the ports are not open.
Then you won't get around a reverse proxy, because the certification service included in the snap strictly requires exactly those two ports.
A reverse proxy is definitely the most elegant solution, especially since you then don't have to pass port numbers to access Nextcloud either.
However, you would then also have to run the OWA behind this reverse proxy (unless you have several public IP addresses), if it isn't already running behind a separate web server/reverse proxy/security appliance anyway, which as far as I know is actually recommended, since putting MS products directly on the internet is quite a thing...
Assuming it is already running behind a proxy, you could perhaps use that one to make Nextcloud accessible as well. You might even be able to use the same SSL certificate if it is a wildcard cert. If not, you should be able to create one for Nextcloud in the same way as for the OWA.
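As an added illustration of the setup described in this thread (one reverse proxy terminating TLS on 443 for both OWA and Nextcloud, so that neither service needs a non-standard port), here is a plain nginx configuration. This is example code written for this thread, not a config generated by NGINX Proxy Manager and not part of the Nextcloud snap; the hostnames, LAN addresses and certificate paths are placeholders, and it assumes a single wildcard certificate for example.com and that the Nextcloud snap VM is reachable on its plain-HTTP port inside the LAN.

```nginx
# Added example (not from the thread): one nginx instance owns ports 80/443 on
# the public IP and routes by TLS SNI / Host header to two internal services.
# Placeholders: cloud.example.com, mail.example.com, 192.0.2.10, 192.0.2.20,
# and the certificate paths. Drop into /etc/nginx/conf.d/ on the proxy host.

# Nextcloud snap VM, assumed to listen on plain HTTP on the LAN.
upstream nextcloud_backend {
    server 192.0.2.10:80;
}

# Existing Exchange/OWA server, assumed to speak HTTPS on the LAN.
upstream owa_backend {
    server 192.0.2.20:443;
}

# Port 80 only redirects to HTTPS. Because the proxy holds port 80, it could
# also answer Let's Encrypt HTTP-01 challenges for both names if needed.
server {
    listen 80;
    server_name cloud.example.com mail.example.com;
    return 301 https://$host$request_uri;
}

# Nextcloud: TLS terminated here, forwarded as HTTP with the headers
# Nextcloud needs to rebuild correct https:// URLs and real client IPs.
server {
    listen 443 ssl;
    server_name cloud.example.com;

    ssl_certificate     /etc/ssl/certs/wildcard.example.com.fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/wildcard.example.com.key;           # placeholder

    client_max_body_size 0;        # let Nextcloud enforce its own upload limit
    proxy_read_timeout   3600s;    # long sync/upload requests

    location / {
        proxy_pass http://nextcloud_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host  $host;
    }
}

# OWA: same wildcard certificate, re-encrypted towards the internal server.
server {
    listen 443 ssl;
    server_name mail.example.com;

    ssl_certificate     /etc/ssl/certs/wildcard.example.com.fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/wildcard.example.com.key;           # placeholder

    location / {
        proxy_pass https://owa_backend;
        proxy_ssl_server_name on;      # send SNI to the backend
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this in place the firewall forwards only 80 and 443 to the proxy host and the 4431 forward can go away. Nextcloud itself must be told it sits behind a proxy, otherwise it generates http:// links and logs the proxy's address as every client: in the snap that is `nextcloud.occ config:system:set overwriteprotocol --value=https` and a `trusted_proxies` entry containing the proxy's LAN address. Also check `nginx -t` before reloading, and verify the Host header reaches Nextcloud unchanged, because the trusted_domains check in Nextcloud is done against it.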