Nextcloud SSL and private Virtual LAN

I have a bit of an issue. I use Zerotier to bridge several networks that I manage and own. One of the nodes has the Nextcloud server. I have enabled SSL just for good measure in case someone was able to sniff my network, and it seems like a good practice even in a private VPN situation.

Two questions. I was trying to avoid the regeneration of the self-signed certificate; it looks like it only created one 3 months from the install date. So I need to make one that lasts for a really long time. Is there a guide for this? I’m using snaps on Ubuntu (Pi4 - Ubuntu 20.04). My snap is up to date.

Second question. I’ve read dozens of forums here and other places where the default response is “Use letsencrypt” or similar. I will not be ever opening ports on any router. This is the whole reason for Zerotier. I guess I don’t really see the problem with self-signed certificates if I manage them. Can’t I trust them? I’m not using DNS, as the handful of various private IP addresses that I need I can remember and make shortcuts to in the browser where necessary.

Just musing here, I’m assuming I can just enable SSL again via the snap to get another 3 months.

Thanks for any thoughts on this. It seems to have been suggested before that I open ports, set up the certificate for my dyndns hostname (I use paid noip and I have a private domain I could use), and then close them. Seems like a lot of work. I don’t want to run some kind of split DNS, as the way I’m using it is running great.

I don’t see the question here. When you’re creating your SSL certificate, just set the expiration to a hundred years in the future. Or ignore the fact that the certificates are expired – they’ll still provide encryption, it will just say they’re expired, which is no different than the notice you already get from using self-signed certificates (hint: the main benefit of externally signed certificates like letsencrypt isn’t so much that you can trust them better, it’s that others will trust them, and they won’t annoy you by saying they aren’t trusted).

Thanks for the reply. 2 questions, more succinct.

  1. I use snap to install and configure Nextcloud. Does anyone know the procedure for creating a certificate far into the future using the snap tools, not generic certificate generation tools?

  2. I don’t want to have any public-facing ports. Other than the nags about being untrusted, is there a compelling reason to get a signed cert if I’m the only one using the system?

Thanks.

No.

But you could use “DNS Challenge” with acme.sh to create your certificate. But you would need a domain registrar & name server that is supported by acme.sh.

What are “the snap tools”?

My answer would be: “google: create self-signed certificate” or just use -days 36500 along with openssl.

Snaps usually have configuration commands specific to the snap. (E.g. sudo nextcloud.enable-https self-signed)

This tool only creates a 3-month certificate.

After sudo nextcloud.enable-https self-signed you search for the created certs and replace them with the “-days 36500” ones. Or?

But

doesn’t that mean the self-signed certs are updated after three months?

And what about putting sudo nextcloud.enable-https self-signed into a cronjob to run it each month?
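The two suggestions above (mint a long-lived certificate with openssl -days 36500, then hand it to the snap in place of its own 3-month one) put together as an added, runnable example; this is not code from the thread or from the Nextcloud project. It adds one thing the thread does not mention: because the server is reached by private IP rather than DNS name, the certificate needs those IPs in its Subject Alternative Name list, or the browser will reject it even after the cert is trusted. The addresses, the CN and the snap invocation in install_hint are assumptions; the snap subcommand is written from memory and should be checked against nextcloud.enable-https -h before use.

```shell
#!/bin/sh
# Added example, not from the thread or the Nextcloud project: mint a
# self-signed certificate valid for 36500 days with Subject Alternative
# Names for the private VPN addresses, then inspect what was produced.
# Assumptions: openssl 1.1.1 or newer is on PATH; the IP/DNS names in
# demo are made up; the snap subcommand in install_hint is from memory
# and must be checked against `nextcloud.enable-https -h`.
set -eu

# Write an OpenSSL request config to stdout. $1 is the CN, the rest are
# SAN entries such as "IP:10.147.17.5" or "DNS:cloud.internal". Browsers
# match the host against the SAN list, not the CN, so a server that is
# reached by bare IP still needs IP: entries here.
san_config() {
    cn="$1"; shift
    sans=$(printf '%s,' "$@")
    sans="${sans%,}"
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3\nprompt = no\n'
    printf '[dn]\nCN = %s\n' "$cn"
    printf '[v3]\nsubjectAltName = %s\n' "$sans"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\n'
}

# Generate <prefix>.key and <prefix>.crt valid for $2 days.
# Usage: make_cert <prefix> <days> <cn> [SAN ...]
make_cert() {
    prefix="$1"; days="$2"; cn="$3"; shift 3
    san_config "$cn" "$@" > "$prefix.cnf"
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
        -keyout "$prefix.key" -out "$prefix.crt" -config "$prefix.cnf" 2>/dev/null
    chmod 600 "$prefix.key"   # the private key is the secret; keep it owner-only
}

# Print the four-digit notAfter year of a certificate, e.g. "2124".
cert_expiry_year() {
    openssl x509 -in "$1" -noout -enddate | awk '{ print $(NF-1) }'
}

# Exit 0 if the certificate's SAN extension mentions $2 (an IP or a name).
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q -- "$2"
}

# Assumed snap invocation for a custom self-signed cert: with no CA the
# certificate itself serves as the chain.
install_hint() {
    printf 'sudo nextcloud.enable-https custom -s %s.crt %s.key %s.crt\n' "$1" "$1" "$1"
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample values: one ZeroTier-style private IP plus an internal name.
    make_cert "$dir/nextcloud" 36500 nextcloud.internal IP:10.147.17.5 DNS:nextcloud.internal
    echo "expires in year: $(cert_expiry_year "$dir/nextcloud.crt")"
    openssl x509 -in "$dir/nextcloud.crt" -noout -ext subjectAltName
    echo "install with: $(install_hint "$dir/nextcloud")"
}

# Run the demo only when openssl is present, so the functions can still be
# sourced on a machine without it.
if command -v openssl >/dev/null 2>&1; then demo; fi
```

After installing, import the .crt into the trust store of each client you browse from: that is what makes the browser warning go away, and it also means a different certificate presented on that address would be flagged instead of clicked through, which is the actual security value of a self-signed cert you manage yourself. The -s flag in the install hint is assumed to mark the certificate as self-signed for the snap; verify it in the snap's help output.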

Good catch on the “Non-custom certificates will automatically be kept up to date.” I will let it go and see what happens. If not, cron is a good suggestion for that. Thanks!

Thanks for all the replies.