Replace self signed certificate on NextcloudPI


I have a nextcloud instance backed by nextcloudPi which is only available in my local network. So I can’t use let’s encrypt to general a certificate.

During installation (some years ago), nextcloudpi apparently created a self-signed certificate. So when I access my Nextcloud instance via the browser, I get the security prompt. I can explicitly trust this certificate there, so far so good.

Today I installed Les pas photo gallery application on Android. On connect, the app displays a “Site certificate error”. Looking in their readme, it mentions:

About server using self-signed certificate

You need to install your certificates in your phone first. A quick search on instructions points to here and here.

I tried to trust my self-signed certificate on an OS level, but Android 11 refuses to install it. One of the linked articles mentions that in android 11, self-signed certificates need to have CA:TRUE flag set.

Sadly, this flag seems to be not set on the certificate I have.

   X509v3 extensions:
       X509v3 Basic Constraints: 

I wonder now how to approach this problem best.

  1. Should I create a new certificate with the flag set?
  2. Where should I put it in my NextcloudPi instance?
  3. Should this actually be part of the default flow of NextcloudPI?

Thanks in advance!