Self-signed SSL environment variables

I’ve probably made a huge mess of the self-signed certificates for docker-nextcloud, and I don’t know what to do next.

I’m using the main docker Nextcloud image and was able to get Nextcloud up and running on my local network. I changed my docker-compose.yml to add encryption for access outside the local network. I’m trying to self-sign like the example says using omgwtfssl, and I can’t figure out a few things.

One: What should go in the environment variables?
Two: Will this container create a new certificate every time I run docker-compose up -d?
Three: If the container has been creating more new certificates than I need, how do I find out which one is the correct certificate? (I’ve used different combinations of environment variables trying to get it working.)
Four: How does this communicate with my domain?

Thanks.

The docker-compose.yml I’m trying to get running is this example.

Any particular reason for not using certbot and having a real certificate instead? The example you linked also uses certbot.

No. Mostly I didn’t know certbot was included in the LetsEncrypt container. Another obvious problem I found when I came back to it: I hadn’t included the certs volume under the volumes top-level element. That was why LetsEncrypt didn’t run certbot the first time… :man_facepalming:

I deleted everything from my certs volume and refactored my docker-compose.

docker-compose.yml
version: '3.9'

services:
  db:
    image: mariadb:10.6
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
    restart: always
    volumes:
      - './db:/var/lib/mysql'
    environment:
      - MYSQL_ROOT_PASSWORD=REDACTED
      - MARIADB_AUTO_UPGRADE=1
    env_file:
      - db.env #MYSQL_PASSWORD, MYSQL_DATABASE, MYSQL_USER

  redis:
    image: redis:alpine
    restart: always

  app:
    image: nextcloud:apache
    restart: always
    volumes:
      - './nextcloud:/var/www/html'
      - './data:/var/www/html/data'
    environment:
      # VIRTUAL_HOST is read by nginx-proxy (which vhost routes to this container);
      # LETSENCRYPT_HOST is read by acme-companion (which name to request a cert for).
      # Both must equal the hostname typed into the browser.
      - VIRTUAL_HOST=mysubdomain.example.com
      - LETSENCRYPT_HOST=mysubdomain.example.com
      - LETSENCRYPT_EMAIL=my.email@gmail.com
      - MYSQL_HOST=db
      - REDIS_HOST=redis
    env_file:
      - db.env #MYSQL_PASSWORD, MYSQL_DATABASE, MYSQL_USER
    depends_on:
      - db
    networks:
      - proxy-tier
      - default

  cron:
    image: nextcloud:apache
    restart: always
    volumes:
      - './nextcloud:/var/www/html'
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

  proxy:
    build: ./proxy
    restart: always
    ports:
      - 80:80
      - 443:443
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    volumes:
      # Same host directory as the companion's /etc/nginx/certs, read-only here:
      # nginx-proxy looks for <VIRTUAL_HOST>.crt / .key in it.
      - './certs:/etc/nginx/certs:ro'
      - './vhost.d:/etc/nginx/vhost.d'
      - './html:/usr/share/nginx/html'
      - '/var/run/docker.sock:/tmp/docker.sock:ro'
    networks:
      - proxy-tier

  letsencrypt-companion:
    image: nginxproxy/acme-companion
    restart: always
    volumes:
      # Writable here: the companion drops issued certs and its default.crt in ./certs.
      - './certs:/etc/nginx/certs'
      - './acme:/etc/acme.sh'
      - './vhost.d:/etc/nginx/vhost.d'
      - './html:/usr/share/nginx/html'
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
    networks:
      - proxy-tier
    depends_on:
      - proxy

networks:
  proxy-tier:

# These named volumes are declared but never referenced: every service above
# uses a bind mount (./certs, ./db, ...) in the compose file's directory instead.
volumes:
  acme:
  db:
  data:
  certs:
  html:
  nextcloud:
  vhost.d:

When I ran docker-compose up -d, LetsEncrypt created the certificate and seems to be working, judging from the subject and issuer of the certificate. Unfortunately, I’m now receiving a Privacy Error when trying to connect to my subdomain.

NET::ERR_CERT_AUTHORITY_INVALID

Subject: letsencrypt-nginx-proxy-companion

Issuer: letsencrypt-nginx-proxy-companion

I’m thinking I might have a problem with the VIRTUAL_HOST and LETSENCRYPT_HOST environment variables in the app container? I believe the only other change I made to the default example was choosing to move the volumes to the same directory as the docker-compose.yml – I did that because I want the file storage for nextcloud to be on a separate partition on my hard drive from / and /home.
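A diagnostic for the situation in the post above, added here as an example; it is not code from the thread, from nginx-proxy or from acme-companion. The subject and issuer "letsencrypt-nginx-proxy-companion" are those of the self-signed fallback (default.crt) the companion creates on first start, and nginx-proxy serves that fallback whenever it has no <hostname>.crt / <hostname>.key pair for the name the browser sent via SNI. So the question is whether ./certs actually contains a pair for mysubdomain.example.com, and whether the proxy serves it for that exact name. The script assumes the companion's usual layout of the certs directory (<host>.crt and <host>.key pointing into <host>/fullchain.pem and <host>/key.pem, plus default.crt), that OpenSSL 1.1.1 or later is installed on the host, and uses the hostname from the compose file; the script name and function names are my own.

```shell
#!/bin/sh
# check-proxy-certs.sh: added diagnostic for an nginx-proxy + acme-companion setup.
# Example code, not part of the thread, of nginx-proxy or of acme-companion.
# Assumptions (not stated on the page):
#   - the directory bind-mounted as /etc/nginx/certs follows the companion's layout:
#       <host>.crt, <host>.key          (what nginx-proxy loads for VIRTUAL_HOST=<host>)
#       <host>/fullchain.pem, key.pem   (what the companion writes; the files above point at these)
#       default.crt, default.key        (self-signed fallback, CN=letsencrypt-nginx-proxy-companion)
#   - OpenSSL 1.1.1 or later is installed on the host running this script.
# Hostname and paths are illustrative; mysubdomain.example.com is the one from the compose file.

# classify_certs DIR HOST
# Prints one word and returns 0 only when nginx-proxy has a complete per-host pair:
#   host    -> DIR/HOST.crt and DIR/HOST.key present and non-empty
#   partial -> one of the two is missing or a dangling symlink (issuance interrupted)
#   default -> no per-host files, only default.crt: browsers get the companion's
#              self-signed fallback, which is what NET::ERR_CERT_AUTHORITY_INVALID reports
#   none    -> nothing at all; nginx-proxy will not enable HTTPS for this vhost
classify_certs() {
    dir=$1; host=$2
    crt="$dir/$host.crt"; key="$dir/$host.key"
    if [ -s "$crt" ] && [ -s "$key" ]; then
        echo host; return 0
    elif [ -e "$crt" ] || [ -L "$crt" ] || [ -e "$key" ] || [ -L "$key" ]; then
        echo partial; return 1
    elif [ -s "$dir/default.crt" ]; then
        echo default; return 1
    fi
    echo none; return 1
}

# describe_cert FILE: subject, issuer, validity window and SANs of a PEM certificate.
# A real Let's Encrypt leaf has issuer O=Let's Encrypt and the hostname in its SAN list;
# the fallback has subject == issuer == CN=letsencrypt-nginx-proxy-companion.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
}

# key_matches_cert CRT KEY: returns 0 when the private key belongs to the certificate.
# Comparing the public keys is how you tell which of several generated files go together.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$a" = "$b" ]
}

# served_cert HOST [PORT]: the certificate the proxy actually sends for this SNI name.
# -servername matters: without it nginx picks its default server and you always see the fallback,
# and the same happens when the name the browser sends does not match any VIRTUAL_HOST.
served_cert() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -ext subjectAltName
}

main() {
    dir=$1; host=$2; port=${3:-443}
    state=$(classify_certs "$dir" "$host")
    echo "on-disk state for $host in $dir: $state"
    case $state in
        host)
            describe_cert "$dir/$host.crt"
            if key_matches_cert "$dir/$host.crt" "$dir/$host.key"; then
                echo "private key matches certificate"
            else
                echo "WARNING: $host.key does not belong to $host.crt"
            fi ;;
        default)
            echo "only the fallback exists; issuance failed or has not run yet:"
            describe_cert "$dir/default.crt" ;;
    esac
    echo "--- certificate served live for $host:$port ---"
    served_cert "$host" "$port"
}

# Usage: sh check-proxy-certs.sh ./certs mysubdomain.example.com
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it from the directory holding docker-compose.yml. If the on-disk state is "default" the companion never finished issuance, and docker-compose logs letsencrypt-companion shows why (the HTTP-01 challenge needs port 80 of the proxy reachable from the internet under the LETSENCRYPT_HOST name). If the state is "host" but the live check still shows the fallback, the proxy is serving the wrong vhost for that name, so compare the hostname in the browser with VIRTUAL_HOST character for character.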