Using Acme/LetsEncrypt for TLS Certificate for NextCloud and for VPN on Firewall


I use pfSense for my firewall at home. Apart from being a general firewall, I use pfSense for two purposes:

  1. NextCloud, hosted on a virtual machine. I use nextcloud.enable-https lets-encrypt to manage the certificate. I do not use a proxy. Instead what I do is just forward ports 443 and 80 straight to the NextCloud VM. I may need to change this.

  2. VPN. For this I went down the self-signed route, which is clumsy, but at the time was the easy way to just get it going. But now I want to manage this certificate with Let’s Encrypt too.

I want to use ACME to manage the certificate for both applications. By this I mean that I would like to:

  1. Have pfSense use ACME to automatically manage the certificate used for my VPN. I will need to do this using a file stored on a web server because my dynamic DNS hoster won’t support the DNS method without me paying them even more money.

  2. Have NextCloud still use its own ACME implementation to manage its certificate directly.

The problem then becomes that I will need the firewall to also host a file at port 80 for ACME to work. But that would break Let’s Encrypt on NextCloud. I think this means I will need to install a reverse proxy. But even if I do that, I think nextcloud.enable-https lets-encrypt will still not work because when Let’s Encrypt reaches back to me it will just go to http:// and not to something like http:///nextcloud.

I guess I could just terminate TLS at the firewall using the reverse proxy, but then I think that might break my phone client when I am at home because NextCloud would change from HTTPS to HTTP.

Is there a way to get the two to co-exist so that both certificates can be managed automatically?

Hey @rjarratt welcome to the Nextcloud community and thanks for supporting Nextcloud snap :handshake:

you’re obviously using the snap :+1: that’s great

you’d need to pass through to be able to let the snap manage SSL and that’s not so easy!

for your use case a reverse proxy managing certificates would be the easiest, see:

  - Reverse proxy configuration
  - Hosts & FQDN configuration
  - recommended: NGINX proxy manager reverse proxy with termination

Not necessarily; forwarding the Nextcloud snap through the reverse proxy will be using HTTPS too, so nothing will change?

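The split discussed above (pfSense's ACME client and the snap's own ACME client sharing one public IP, while the snap keeps terminating TLS so nothing changes for the phone client) can be done with a small nginx instance on a separate VM. The configuration below is an added example for this thread, not the replier's, the pfSense project's or the Nextcloud project's own code. It assumes hostnames and addresses that are placeholders (cloud.example.net for the Nextcloud VM at 192.168.1.20, vpn.example.net for the firewall at 192.168.1.1), that pfSense's port forwards for 80 and 443 now point at the proxy VM instead of the Nextcloud VM, that the pfSense ACME package is set to its standalone HTTP validation mode listening on a port of your choice (8080 here; the option name and port are assumptions, check the package), that a pfSense firewall rule lets the proxy VM reach that port, and that your nginx build includes the stream and ssl_preread modules (standard in most distribution packages). The key point is that HTTP-01 validation is routed by the Host header on port 80, not by a path prefix, so each name can go to its own backend without anything like /nextcloud in the URL.

```nginx
# Added example, not from the original thread.
# One nginx reverse proxy VM receives the port 80/443 forwards from pfSense
# and routes them by hostname so both ACME clients keep working.
events {}

# Port 80: the Let's Encrypt validator fetches
#   http://<hostname>/.well-known/acme-challenge/<token>
# with the hostname in the Host header, so one plain-HTTP vhost per name
# is enough to separate the two certificate flows.
http {
    # Nextcloud snap (assumed 192.168.1.20): the whole vhost, challenge
    # included, goes to the VM. The snap serves its own challenge files and
    # redirects everything else to HTTPS itself.
    server {
        listen 80;
        server_name cloud.example.net;
        location / {
            proxy_pass http://192.168.1.20:80;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }

    # VPN hostname: only the challenge path reaches the firewall's ACME
    # listener (assumed standalone HTTP mode on port 8080 at 192.168.1.1).
    # Nothing else on this name should be reachable over plain HTTP.
    server {
        listen 80;
        server_name vpn.example.net;
        location /.well-known/acme-challenge/ {
            proxy_pass http://192.168.1.1:8080;
            proxy_set_header Host $host;
        }
        location / {
            return 404;
        }
    }

    # Any other Host header (scanners hitting the raw IP): drop the connection.
    server {
        listen 80 default_server;
        return 444;
    }
}

# Port 443: do NOT terminate TLS here. Read the SNI from the ClientHello and
# hand the raw TCP connection to the Nextcloud VM, so the certificate the
# phone client sees is still the one nextcloud.enable-https obtained and renews.
stream {
    map $ssl_preread_server_name $tls_backend {
        cloud.example.net  192.168.1.20:443;
        # Unknown SNI goes to a closed local port: the client gets a reset
        # instead of a certificate belonging to some other name.
        default            127.0.0.1:1;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $tls_backend;
    }
}
```

With this in place the Nextcloud VM no longer needs to be reachable from the Internet directly, only from the proxy, and the VPN certificate on pfSense can use the HTTP method without touching DNS. If you later decide to terminate TLS at the proxy instead, the stream block goes away and the proxy needs the `overwriteprotocol`/trusted proxy settings the linked reverse proxy documentation describes; until then the snap's configuration stays exactly as it is.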

Thanks for the suggestions. To keep things simple I have renewed my self-signed cert for my VPN so I can continue the way I was for now. I will refer back to this if I decide to use a reverse proxy, as it is probably a good idea anyway.

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.