Nextcloud with Let's Encrypt (certbot) now behind nginx with LE

Hi.

Maybe I have a brain freeze right now, but I'm confused with Nextcloud and nginx.
I installed Nextcloud with a LAMP stack on one LXC container, and at that time it also got a LE certificate with certbot. Let's say the domain is nc.mydomain.com.

Yesterday I installed nginx proxy manager on another LXC (another IP address) and set up my DDNS, and everything is working fine. nginx also gets a LE certificate for my domain nc.mydomain.com.

But now, Nextcloud can't get a new certificate because I'm forwarding all traffic to port 443. What will happen when the Nextcloud certificate expires? Does Nextcloud itself need this LE certificate any longer? If not, how can I deactivate it? I mean by editing the Nextcloud configs.

Or does Nextcloud need its own certificate? But then, how can NC get a renewal while behind nginx PM?

It's like a vicious circle in my head. Please help.

Nextcloud Server itself doesn’t have anything to do with LE or even awareness of your certificates associated with your inbound HTTPS traffic.

But the broader answers to your questions depend on your overall stack. Please fill out the support template so we can help you out and perhaps point you in the right direction.

The Basics

Nextcloud Server version: *29.0.11*
Operating system and version: *Ubuntu 24.04*
Web server and version: *Apache 2.4.58 (Ubuntu)*
Reverse proxy and version: *nginx reverse proxy v2.12.2 with Proxmox VE Helper-Scripts*
PHP version: *8.3.6*
Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.): *LXC on proxmox*
Are you using Cloudflare, mod_security, or similar? (Yes / No) *Yes > Cloudflare DNS*

Summary of the issue you are facing:

nginx PM is running on another LXC, forwarding requests from nc.domain.com to the internal IP of Nextcloud via 443. It is also providing a LE certificate.

Nextcloud was installed before nginx pm and used its own LE certificate with certbot.

Question: Do I disable certbot and the LE certificates on Nextcloud? Or must I share the LE certificate from nginx to Nextcloud?

Cloudflare DNS is configured and links to domain.com (A) with nc.domain.com (CNAME).
nginx is working as it should be.

Web server / Reverse Proxy

-//-

Configuration
Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "192.168.1.41",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "default_phone_region": "DE",
        "filelocking.enabled": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "29.0.11.1",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/192.168.1.41",
        "maintenance_window_start": 1,
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\Movie",
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\MP3",
            "OC\\Preview\\MP4",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\PDF"
        ],
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "defaultapp": "",
        "log_type": "file",
        "logtimezone": "Europe\/Berlin",
        "logfile": "\/var\/log\/nextcloud.log",
        "syslog_tag": "Nextcloud"
    },
    "apps": {
        "activity": {
            "enabled": "yes",
            "installed_version": "2.21.1",
            "types": "filesystem"
        },
        "admin_audit": {
            "enabled": "yes",
            "installed_version": "1.19.0",
            "types": "logging"
        },
        "backgroundjob": {
            "lastjob": "588"
        },
        "bruteforcesettings": {
            "enabled": "yes",
            "installed_version": "2.9.0",
            "types": ""
        },
        "calendar": {
            "enabled": "yes",
            "installed_version": "4.7.16",
            "types": ""
        },
        "circles": {
            "enabled": "yes",
            "installed_version": "29.0.0-dev",
            "loopback_tmp_scheme": "https",
            "maintenance_run": "0",
            "maintenance_update": "{\"3\":1738621802,\"2\":1738623301,\"1\":1738623601}",
            "migration_22": "1",
            "migration_run": "0",
            "types": "filesystem,dav"
        },
        "cloud_federation_api": {
            "enabled": "yes",
            "installed_version": "1.12.0",
            "types": "filesystem"
        },
        "comments": {
            "enabled": "yes",
            "installed_version": "1.19.0",
            "types": "logging"
        },
        "contacts": {
            "enabled": "yes",
            "installed_version": "6.0.2",
            "types": "dav"
        },
        "contactsinteraction": {
            "enabled": "yes",
            "installed_version": "1.10.0",
            "types": "dav"
        },
        "core": {
            "backgroundjobs_mode": "cron",
            "default_encryption_module": "OC_DEFAULT_MODULE",
            "emailTestSuccessful": "1",
            "installedat": "1736861417.0491",
            "lastcron": 1738623601,
            "lastupdateResult": "{\"version\":\"30.0.5.1\",\"versionstring\":\"Nextcloud 30.0.5\",\"url\":\"https:\\\/\\\/download.nextcloud.com\\\/server\\\/releases\\\/nextcloud-30.0.5.zip\",\"web\":\"https:\\\/\\\/docs.nextcloud.com\\\/server\\\/30\\\/admin_manual\\\/maintenance\\\/upgrade.html\",\"changes\":\"https:\\\/\\\/updates.nextcloud.com\\\/changelog_server\\\/?version=30.0.5\",\"autoupdater\":\"1\",\"eol\":\"0\"}",
            "lastupdatedat": 1738622575,
            "metadataGenerationDone": true,
            "moveavatarsdone": "yes",
            "previewsCleanedUp": "1",
            "public_files": "files_sharing\/public.php",
            "updater.secret.created": 1738170258,
            "vendor": "nextcloud",
            "files_metadata": {
                "photos-original_date_time": {
                    "value": null,
                    "type": "int",
                    "etag": "",
                    "indexed": true,
                    "editPermission": 0
                },
                "photos-size": {
                    "value": null,
                    "type": "array",
                    "etag": "",
                    "indexed": false,
                    "editPermission": 0
                },
                "photos-exif": {
                    "value": null,
                    "type": "array",
                    "etag": "",
                    "indexed": false,
                    "editPermission": 0
                },
                "photos-ifd0": {
                    "value": null,
                    "type": "array",
                    "etag": "",
                    "indexed": false,
                    "editPermission": 0
                },
                "blurhash": {
                    "value": null,
                    "type": "string",
                    "etag": "c4c421a76bc7d688d87d0ac5287b2362",
                    "indexed": false,
                    "editPermission": 0
                }
            },
            "oc.integritycheck.checker": []
        },
        "dashboard": {
            "enabled": "yes",
            "installed_version": "7.9.0",
            "types": ""
        },
        "dav": {
            "buildCalendarReminderIndex": "yes",
            "buildCalendarSearchIndex": "yes",
            "builtSocialSearchIndex": "yes",
            "enabled": "yes",
            "generateBirthdayCalendar": "yes",
            "installed_version": "1.30.1",
            "regeneratedBirthdayCalendarsForYearFix": "yes",
            "types": "filesystem"
        },
        "encryption": {
            "enabled": "no",
            "installed_version": "2.17.0",
            "masterKeyId": "master_00a6a190",
            "publicShareKeyId": "pubShare_00a6a190",
            "recoveryKeyId": "recoveryKey_00a6a190",
            "types": "filesystem"
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "1.19.0",
            "types": ""
        },
        "federation": {
            "enabled": "yes",
            "installed_version": "1.19.0",
            "types": "authentication"
        },
        "files": {
            "enabled": "yes",
            "installed_version": "2.1.1",
            "mimetype_version": "29.0.10.1",
            "types": "filesystem"
        },
        "files_downloadlimit": {
            "enabled": "yes",
            "installed_version": "2.0.0",
            "types": ""
        },
        "files_external": {
            "allow_user_mounting": "no",
            "enabled": "yes",
            "installed_version": "1.21.0",
            "types": "filesystem",
            "user_mounting_backends": "ftp,dav,owncloud,sftp,amazons3,swift,smb,\\OC\\Files\\Storage\\SFTP_Key,\\OC\\Files\\Storage\\SMB_OC"
        },
        "files_pdfviewer": {
            "enabled": "yes",
            "installed_version": "2.10.0",
            "types": ""
        },
        "files_reminders": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "installed_version": "1.21.0",
            "types": "filesystem"
        },
        "files_trashbin": {
            "enabled": "yes",
            "installed_version": "1.19.0",
            "types": "filesystem,dav"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.22.0",
            "types": "filesystem,dav"
        },
        "firstrunwizard": {
            "enabled": "yes",
            "installed_version": "2.18.0",
            "types": "logging"
        },
        "logreader": {
            "enabled": "yes",
            "installed_version": "2.14.0",
            "types": "logging"
        },
        "lookup_server_connector": {
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": "authentication"
        },
        "mail": {
            "enabled": "yes",
            "installed_version": "3.7.19",
            "types": ""
        },
        "nextcloud_announcements": {
            "enabled": "yes",
            "installed_version": "1.18.0",
            "pub_date": "Thu, 24 Oct 2019 00:00:00 +0200",
            "types": "logging"
        },
        "notes": {
            "enabled": "yes",
            "installed_version": "4.11.0",
            "types": ""
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "2.17.0",
            "types": "logging"
        },
        "oauth2": {
            "enabled": "yes",
            "installed_version": "1.17.1",
            "types": "authentication"
        },
        "password_policy": {
            "enabled": "yes",
            "installed_version": "1.19.0",
            "types": "authentication"
        },
        "photos": {
            "enabled": "yes",
            "installed_version": "2.5.0",
            "lastPlaceMappedUser": "odin",
            "lastPlaceMappingDone": "true",
            "types": "dav,authentication"
        },
        "privacy": {
            "enabled": "yes",
            "installed_version": "1.13.0",
            "types": ""
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "1.19.0",
            "types": "prevent_group_restriction"
        },
        "recommendations": {
            "enabled": "yes",
            "installed_version": "2.1.0",
            "types": ""
        },
        "related_resources": {
            "enabled": "yes",
            "installed_version": "1.4.0",
            "types": ""
        },
        "richdocuments": {
            "disable_certificate_verification": "yes",
            "enabled": "yes",
            "installed_version": "8.4.9",
            "types": "prevent_group_restriction",
            "wopi_url": "https:\/\/192.168.1.41\/apps\/richdocumentscode\/proxy.php?req="
        },
        "richdocumentscode": {
            "enabled": "yes",
            "installed_version": "24.4.1103",
            "types": ""
        },
        "serverinfo": {
            "cached_count_filecache": "2745",
            "cached_count_storages": "8",
            "enabled": "yes",
            "installed_version": "1.19.0",
            "types": ""
        },
        "settings": {
            "enabled": "yes",
            "installed_version": "1.12.0",
            "types": ""
        },
        "sharebymail": {
            "enabled": "yes",
            "installed_version": "1.19.0",
            "types": "filesystem"
        },
        "spreed": {
            "enabled": "yes",
            "has_reference_id": "yes",
            "installed_version": "19.0.12",
            "project_access_invalidated": "1",
            "signaling_token_privkey_es256": "***REMOVED SENSITIVE VALUE***",
            "signaling_token_pubkey_es256": "***REMOVED SENSITIVE VALUE***",
            "types": "dav,prevent_group_restriction"
        },
        "support": {
            "SwitchUpdaterServerHasRun": "yes",
            "enabled": "yes",
            "installed_version": "1.12.0",
            "types": "session"
        },
        "survey_client": {
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": ""
        },
        "suspicious_login": {
            "enabled": "yes",
            "installed_version": "7.0.0",
            "types": "authentication"
        },
        "systemtags": {
            "enabled": "yes",
            "installed_version": "1.19.0",
            "types": "logging"
        },
        "text": {
            "enabled": "yes",
            "installed_version": "3.10.1",
            "types": "dav"
        },
        "theming": {
            "backgroundMime": "image\/jpeg",
            "cachebuster": "56",
            "color": "#143121",
            "disable-user-theming": "yes",
            "enabled": "yes",
            "faviconMime": "image\/png",
            "installed_version": "2.4.0",
            "logoDimensions": "2045x2052",
            "logoMime": "image\/png",
            "logoheaderMime": "image\/png",
            "name": "NanotekDynamic",
            "slogan": "***REMOVED SENSITIVE VALUE***",
            "types": "logging",
            "url": "***REMOVED SENSITIVE VALUE***"
        },
        "twofactor_backupcodes": {
            "enabled": "yes",
            "installed_version": "1.18.0",
            "types": ""
        },
        "twofactor_totp": {
            "enabled": "yes",
            "installed_version": "11.0.0-dev",
            "types": ""
        },
        "updatenotification": {
            "core": "30.0.5.1",
            "enabled": "yes",
            "installed_version": "1.19.1",
            "mail": "3.7.19",
            "spreed": "19.0.12",
            "types": "",
            "update_check_errors": 0
        },
        "user_status": {
            "enabled": "yes",
            "installed_version": "1.9.0",
            "types": ""
        },
        "viewer": {
            "enabled": "yes",
            "installed_version": "2.3.0",
            "types": ""
        },
        "weather_status": {
            "enabled": "yes",
            "installed_version": "1.9.0",
            "types": ""
        },
        "workflowengine": {
            "enabled": "yes",
            "installed_version": "2.11.0",
            "types": "filesystem"
        }
    }
}

Apps

Enabled:
  - activity: 2.21.1
  - admin_audit: 1.19.0
  - bruteforcesettings: 2.9.0
  - calendar: 4.7.16
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contacts: 6.0.2
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.1
  - files_downloadlimit: 2.0.0
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - firstrunwizard: 2.18.0
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - mail: 3.7.19
  - nextcloud_announcements: 1.18.0
  - notes: 4.11.0
  - notifications: 2.17.0
  - oauth2: 1.17.1
  - password_policy: 1.19.0
  - photos: 2.5.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - richdocuments: 8.4.9
  - richdocumentscode: 24.4.1103
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - spreed: 19.0.12
  - support: 1.12.0
  - survey_client: 1.17.0
  - suspicious_login: 7.0.0
  - systemtags: 1.19.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - twofactor_totp: 11.0.0-dev
  - updatenotification: 1.19.1
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - workflowengine: 2.11.0
Disabled:
  - encryption: 2.17.0 (installed 2.17.0)
  - user_ldap: 1.20.0

I can’t provide you with detailed instructions, but there are basically four ways to deal with this:

  1. Use Let’s Encrypt only on the reverse proxy and don’t install SSL certificates on the Nextcloud server. The SSL connection will terminate at the reverse proxy, leaving the connection between the proxy and Nextcloud unencrypted. This should only be done if the internal network is trusted or if both the reverse proxy and Nextcloud are running on the same machine.

  2. Use self-signed certificates on the Nextcloud server and Let’s Encrypt on the reverse proxy. The “trusted” SSL connection will still terminate at the reverse proxy, but the connection to Nextcloud will then be encrypted with self-signed certificates. The reverse proxy must be configured to trust the self-signed certificates.

  3. Copy the Let’s Encrypt certificates from the reverse proxy to the Nextcloud server, either manually or automatically using a script. This has to be done every 60-90 days.

  4. Use ACME DNS challenge to issue a Let’s Encrypt certificate on the Nextcloud server (or on both servers), this way you could avoid copying the certificates and would still have trusted certificates on both servers.

1 Like

Yeah, solution 1 is my choice. But how can I remove everything from my Nextcloud server? Removing the certificates and disabling certbot will result in a non-reachable website. What am I missing here?

Again, I can’t give you “copy and paste ready” instructions, but on the web server running on the Nextcloud server, you need to move everything configured under the VirtualHost for port 443 to the VirtualHost for port 80, except for any SSL-related stuff of course, and then disable or remove the config file/VirtualHost for port 443. The web server should then only listen on port 80.

On the reverse proxy, you will then need to forward traffic to port 80 instead of port 443.

1 Like

For nginx: forwarding traffic from 443 external to 80 internal. Is this a secure connection as seen from the outside?
And for external 80, it must be blocked, right? Because 80 → 80 is HTTP and insecure.

Yes.

It depends…

If you’re using the HTTP Challenge to obtain Let’s Encrypt certificates, it needs to stay open because Let’s Encrypt uses port 80 to validate your domain name when issuing or renewing SSL/TLS certificates via HTTP Challenge.

This is not insecure per se, just make sure you enable ‘ForceSSL’ in the SSL tab of your proxy host in the Nginx Proxy Manager, which will rewrite all requests on port 80 to 443 (HTTPS). You can also enable HSTS as an additional security measure, which will instruct browsers to upgrade all connections to your domain to HTTPS.

If you use DNS Challenge instead, no ports need to be open to issue or renew the certificates, so you can block port 80 or even 443. (443 needs of course to stay open if you want your Nextcloud or any other services behind NPM to be accessible from the internet)

Okay. I switched to the virtual host 80 and nginx is forwarding to http:…:80 with Force SSL. It's working and browsers or apps are seeing the Let's Encrypt certificate. But:
in the admin menu I see the typical "Accessing site insecurely via HTTP".
Is it a problem or a security risk? There is a reverse proxy in front of it, so…

Okay, I missed the trusted-proxy entry. Now the warning disappeared.

1 Like
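To make the last two posts concrete, here is a small Python model, written for this thread and not taken from Nextcloud's source, of why the "Accessing site insecurely via HTTP" warning shows up until the proxy is listed in `trusted_proxies` once Apache only listens on port 80. The proxy address 192.168.1.40 and the request headers are constructed; Nextcloud's `overwritecondaddr` and `forwarded_for_headers` options are deliberately left out of the model.

```python
import ipaddress

# Constructed model (not Nextcloud's own code) of how a reverse-proxied
# Nextcloud decides whether a request arrived over HTTPS.  Rules modelled:
#   1. config 'overwriteprotocol' forces the answer;
#   2. X-Forwarded-Proto is honoured only if the connecting IP is listed
#      in 'trusted_proxies';
#   3. otherwise the protocol is whatever the local web server saw, which
#      is plain HTTP when Apache now only listens on port 80 (solution 1).
# Real Nextcloud also evaluates 'overwritecondaddr' and 'forwarded_for_headers';
# those are left out here.


def is_trusted_proxy(remote_addr, trusted_proxies):
    """True if remote_addr matches an IP or CIDR entry in trusted_proxies."""
    if isinstance(trusted_proxies, str):      # config.php also accepts a bare string
        trusted_proxies = [trusted_proxies]
    addr = ipaddress.ip_address(remote_addr)
    for entry in trusted_proxies or []:
        # a bare address becomes a /32 (or /128) network
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def server_protocol(config, remote_addr, headers, local_tls=False):
    """Protocol Nextcloud will report for this request: 'http' or 'https'."""
    forced = config.get("overwriteprotocol")
    if forced in ("http", "https"):
        return forced
    if is_trusted_proxy(remote_addr, config.get("trusted_proxies")):
        # The header may carry a comma-separated chain; the first hop is the client.
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            return proto
    # Sender not in trusted_proxies: the header is ignored, so only the local
    # listener decides.  Apache on port 80 only => plain HTTP.
    return "https" if local_tls else "http"


def insecure_http_warning(config, remote_addr, headers, local_tls=False):
    """Mirrors the admin-page warning: raised when the request is seen as plain HTTP."""
    return server_protocol(config, remote_addr, headers, local_tls) == "http"


# Constructed addresses for the thread's layout: NPM on .40, Nextcloud on .41 (port 80 only).
PROXY_IP = "192.168.1.40"
PROXY_HEADERS = {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.7"}

BEFORE = {"trusted_domains": ["nc.mydomain.com"]}        # trusted_proxies missing
AFTER = dict(BEFORE, trusted_proxies=[PROXY_IP])          # entry added


def demo():
    return {
        "before": insecure_http_warning(BEFORE, PROXY_IP, PROXY_HEADERS),  # True: warning shown
        "after": insecure_http_warning(AFTER, PROXY_IP, PROXY_HEADERS),    # False: warning gone
        # a host that is not the listed proxy cannot change the verdict with the header
        "unlisted": server_protocol(AFTER, "192.168.1.99", {"X-Forwarded-Proto": "https"}),
    }


if __name__ == "__main__":
    print(demo())
```

The same model shows why `trusted_proxies` should name only the proxy (or its subnet) rather than a broad range: the header is trusted exactly from those addresses and nowhere else.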