Connecting a free SSL certificate from Let's Encrypt to Nextcloud

This tutorial describes how to connect an SSL certificate to Nextcloud based on the apache2 web server. Apache2 is installed as a separate service on Debian 10. For this purpose, we will use Certbot client software that can automate this process. To do this you will need:

  • A registered domain name for your Nextcloud server. You can get it from free services like Namecheap or Freenom or from any other domain name registrar.
  • An A record on the public DNS server in which your_domain points to the public IP address of your server, and an A record in which www.your_domain points to the public IP address of your server.
  • Nextcloud accessible by this domain name. For this, you need to configure trusted domains in Nextcloud. You can learn how to do it in this article.
  • A configured Apache2 configuration file for your Nextcloud virtual host.

Step 1 Certbot Installation 

To get a certificate from Let's Encrypt you need to install the Certbot software. You need to install two packages certbot and python3-certbot-apache. The latter is needed to integrate with Apache2 to automatically obtain a certificate for it. Run the command:

sudo apt install certbot python3-certbot-apache

Confirm the installation by pressing Y, then ENTER.


Step 2 Checking the Apache2 virtual host configuration

To automatically obtain a certificate from Let's Encrypt for Apache2-based Nextcloud, Certbot must find your virtual host configuration file for Nextcloud.
Certbot retrieves the domain names for your server from the ServerName and ServerAlias directives in that virtual host configuration file.
The virtual host configuration file for Nextcloud should be located in /etc/apache2/sites-available and be named your_domain.conf, where your_domain is the domain name of your Nextcloud server.

You should also have the ServerName and ServerAlias directives correctly configured in the VirtualHost block in your configuration file. To do this, open the configuration file with a text editor with the command:

sudo nano /etc/apache2/sites-available/your_domain.conf

Find the lines ServerName and ServerAlias. They should look as follows:

..............................
ServerName your_domain
ServerAlias www.your_domain
....................................

After changing the file, save it by pressing CTRL + O.

Then quit the editor by pressing CTRL + X.

Then check the changed Apache2 configuration with the command:

sudo apache2ctl configtest

If Syntax OK appears, the changes are correct. If any errors appear, re-open the configuration file and check it for errors and typos. Once the changes have been made correctly, reload Apache2 so that they take effect:

sudo systemctl reload apache2

With these changes, Certbot will be able to find the correct VirtualHost block and update it.
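
The following pre-flight check is an added example, not part of the original tutorial: it lists the names declared by ServerName and ServerAlias in a virtual host file and reports any expected name that is missing. The helper names vhost_names and check_vhost are hypothetical, and the sample virtual host is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: confirm the vhost declares the names Certbot should offer.
# vhost_names and check_vhost are hypothetical helper names.

# Print every hostname from ServerName/ServerAlias lines, one per line.
# Apache directive names are case-insensitive, commented lines are skipped,
# and ServerAlias may carry several names on one line.
vhost_names() {
    awk '
        /^[ \t]*#/ { next }
        {
            d = tolower($1)
            if (d == "servername" || d == "serveralias")
                for (i = 2; i <= NF; i++) print tolower($i)
        }
    ' "$1" | sort -u
}

# Return 0 only if every expected name is declared in the vhost file.
check_vhost() {
    conf=$1; shift
    names=$(vhost_names "$conf")
    missing=0
    for want in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$want"; then
            echo "missing from $conf: $want" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample vhost (not a real configuration).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    # ServerName old.example.org
    ServerName your_domain
    serveralias www.your_domain
    DocumentRoot /var/www/nextcloud
</VirtualHost>
EOF

check_vhost "$sample" your_domain www.your_domain && echo "vhost names OK"
```

On a real server, pass /etc/apache2/sites-available/your_domain.conf and the names you expect instead of the sample file.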

Step 3 Getting an SSL certificate

Obtain a certificate for Nextcloud with Certbot and its Apache plugin. To do this, run the command:

sudo certbot --apache

This script will ask you to answer a series of questions to obtain a certificate. First, it will ask for an email address to receive renewal and security notices.

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): you@your_domain

After entering your email address, press Enter.

You will then be asked to agree to the Let's Encrypt terms of use. You can press A and then confirm by pressing Enter.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

You will then be asked to provide your e-mail address to the Electronic Frontier Foundation so you can receive news and other information. If you do not wish to subscribe to their newsletter, enter N. If you do, enter Y. Then press ENTER to proceed to the next step.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

The next step will ask which domains to activate HTTPS for. Certbot takes the domain names from the ServerName and ServerAlias directives, so these must be configured correctly. If you want to obtain a certificate for all domains (recommended), press Enter. Otherwise, list the numbers of the domains for which you want a certificate, separated by commas or spaces, and then press Enter.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your_domain
2: www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

The output will be as follows:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for your_domain
http-01 challenge for www.your_domain
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/your_domain-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf

Next, you will be asked whether to redirect HTTP traffic to HTTPS. Accept the redirect if you want it, or decline it if you want to keep both HTTP and HTTPS for your server. Then press Enter.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

At this point the Let's Encrypt configuration is complete, and you will be shown the final notes and how to test the authenticity of your certificate with third-party tools:

Congratulations! You have successfully enabled https://your_domain and
https://www.your_domain

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your_domain
https://www.ssllabs.com/ssltest/analyze.html?d=www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2020-07-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificate is now installed and loaded. Reload your site using https:// and check for a lock in the address bar, indicating that the site is secured.

 
