Where to place LetsEncrypt files created from a reverse proxy server

I utilized the “installation script” to install on an Ubuntu 18.04 VM and had no issues. I skipped the installer for LetsEncrypt as I already have the files on a reverse proxy server. I want to utilize the fullchain.pem, privkey.pem, and lets-encrypt-x3-cross-signed.pem that are generated from my reverse proxy server; however, I’m not finding any information on how to directly enable that on the NC server. Would someone be able to point me in the right direction?

I’m not exactly sure of your question. Your nextcloud installation needs a reverse proxy sitting in front of the app, which calls the back application. Your nextcloud SSL certs most likely will be on the reverse proxy, however there are other ways to set things up – it’s just probably the most common setup. When you say reverse proxy server and NC server – are they not running on the same machine, or are they physically two different pieces of hardware or virtualized hardware?

If your NC server is behind a reverse proxy infrastructure, SSL will terminate at the reverse proxy and not at the NC server. So you have to include your SSL certificate on the reverse proxy, where the connection from the internet terminates. The path where you store the certificates you define in the conf files of the reverse proxy (e.g. nginx or apache…). Behind the reverse proxy you don’t need SSL encryption. But if you want that, you can use a self-signed certificate on the nextcloud server for internal SSL communication between the reverse proxy and the NC server.

My reverse proxy server is a completely different VM. The reverse proxy has letsencrypt certs on it and I know they need to mirror on the NC side of things. I believe they need to be identified in the Apache conf files, I just don’t know which files and where those conf files are located on the NC VM server.

@kc9rqi

Ok, your reverse proxy is on a different machine than nextcloud. Awesome.
What are you using for your reverse proxy in terms of software (apache, nginx, traefik, other??)
Can you share a config?

Are you trying to re-encrypt to the Nextcloud backend? Do you have Apache in front of Nextcloud?

In the short time that this thread has been going, I was able to spin up a separate VM, install NextCloud via SNAP, and found a resolution. In the spirit that others may read this seeking resolution, I’ll not only answer the question, I’ll post what eventually solved the problem for me.

For the reverse proxy I use nginx and have a config file setup that looks like the following:

# nextcloud configuration file
server {
    listen 80;
    server_name example.com; # External address used to access internal NextCloud (server_name takes a host name, not a URL)
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate           /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_ecdh_curve prime256v1;

    ssl_session_cache  builtin:1000  shared:SSL:10m;

    # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 is the only one of these still considered safe
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        # Fix the "It appears that your reverse proxy set up is broken" error.

        proxy_pass          https://192.168.x.x; # This is the address of your NextCloud server
        proxy_read_timeout  60;
        proxy_ssl_name $host;          # name sent as SNI to the backend
        proxy_ssl_server_name on;
        proxy_ssl_protocols  TLSv1.1 TLSv1.2;
        proxy_ssl_session_reuse off;
    }
}

I then placed the .pem files on the NextCloud server using the following commands to retrieve them from an NFS share located on a NAS drive within my internal network, where “certs” is the NFS share:

# -L follows the symlinks certbot keeps under /etc/letsencrypt/live so real files are copied
sudo cp -RLv /home/user/certs/{fullchain.pem,privkey.pem,lets-encrypt-x3-cross-signed.pem} /var/snap/nextcloud/common/

# arguments are: certificate, private key, chain (space separated, no comma)
sudo nextcloud.enable-https custom /var/snap/nextcloud/common/fullchain.pem /var/snap/nextcloud/common/privkey.pem /var/snap/nextcloud/common/lets-encrypt-x3-cross-signed.pem

sudo nextcloud.occ config:system:set trusted_domains 1 --value=example.com

sudo nextcloud.occ config:system:set trusted_domains 2 --value=localip

sudo nextcloud.occ config:system:set trusted_domains 3 --value=reverse_proxyip

sudo snap restart nextcloud

One point of interest is that you need to have the reverse proxy listed as a trusted domain in order to upload files from an external network, hence the 3rd entry.

Hopefully this helps others, or at least gives more breadcrumbs in case someone is still looking for a solution to my original issue.

Thank you!

Thanks for your post. It clears things up…however, just some information. You don’t necessarily need to copy the certs to the nextcloud server since, the way you have things, nginx doesn’t verify the proxy address. Any cert would work. There isn’t a problem with what you’re doing…just an FYI. Nginx by default doesn’t verify upstream certificates. If you wanted to do things with verification you would need two sets of certificates. One for the reverse proxy and the other for the backend nextcloud installation. You would then need to include within the location / block on the reverse proxy…the directive proxy_ssl_verify on. You would also need to proxy pass by domain name rather than IP address to the backend and likely you would need a DNS host override either within the /etc/hosts file or at the router level to associate the IP address of the upstream server with the domain name. Just to be clear, the upstream server is the nextcloud server. These requirements are only needed if the reverse proxy is on a different machine or VM than nextcloud and you would want to properly verify the upstream server’s certificates.

Sorry about the detail
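As an added example that is not part of the original thread, here is how the nginx server block posted earlier would look with the upstream verification the last reply describes switched on. It assumes (none of this is stated in the thread) that the backend Nextcloud presents the same Let's Encrypt certificate for example.com that was copied onto it, that the proxy VM's /etc/hosts carries a line such as `192.168.x.x example.com` so proxy_pass by name reaches the internal address, and that nginx was built with TLS 1.3 support (nginx 1.13+ with OpenSSL 1.1.1, which Ubuntu 18.04 ships after updates).

```nginx
# Added example: reverse-proxy server block that verifies the upstream
# Nextcloud certificate instead of accepting any certificate (the default).
# Assumed /etc/hosts entry on the proxy VM (not from the thread):
#     192.168.x.x   example.com
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); offer TLS 1.2 and 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Proxy by host name, not IP, so the backend certificate's subject
        # can be matched; name resolution comes from /etc/hosts above.
        proxy_pass         https://example.com;
        proxy_read_timeout 60;

        # Verification is off by default in nginx. Turn it on and name the
        # CA bundle to trust; Ubuntu's system bundle includes the Let's
        # Encrypt roots. Depth 2 covers leaf -> intermediate -> root.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_name                $host;   # name checked against the backend cert
        proxy_ssl_server_name         on;      # send SNI so the backend selects that cert
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse       off;
    }
}
```

With this in place the certificate copied onto the Nextcloud snap actually matters: if the backend presents a self-signed or mismatched certificate, nginx answers the client with a 502 and logs an "upstream SSL certificate verify error" in its error log, which is the failure you want to see rather than a silently unverified hop. Run `nginx -t` before reloading, since a wrong trusted-certificate path is a configuration error rather than a runtime one.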