# NextCloud Linux

Nextcloud 10, HTTPS

Ciao! I assume your Nextcloud environment is up and running. Let's make it more secure by switching to an HTTPS connection.

Prerequisites

You need a certificate that matches your future Nextcloud URL, for example cloud.example.com. Get one for free here, from any other CA, or, if you want to use the server only internally (LAN), request one from your internal CA.

Let's start. Log in to your server.

Activate SSL

We need to activate the Apache SSL Module.

a2enmod ssl
service apache2 reload

Clean up

I decided to remove the default config I created in the last tutorial.

This will remove the symlink in the directory /etc/apache2/sites-enabled

a2dissite default.conf

Switch to the config directory

cd /etc/apache2/sites-available

and remove the config file itself

rm default.conf

Config

Let's start clean.
We need to redirect all requests on port 80 to 443/HTTPS.

nano nextcloud-redirect.conf
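<VirtualHost *:80>
   ServerName mycloud.domain.com
   ServerAdmin webmaster@example.com

   # Needs mod_rewrite (a2enmod rewrite)
   RewriteEngine On
   RewriteCond %{HTTPS} off
   # The redirect target reuses the Host header sent by the client
   RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>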

and we need a host config which will handle all the HTTPS traffic

nano nextcloud.conf
<IfModule mod_ssl.c>
   <VirtualHost *:443>

     ServerAdmin webmaster@example.com
     ServerName mycloud.domain.com
     DocumentRoot /var/www/nextcloud

     <Directory /var/www/nextcloud/>
       Options +FollowSymlinks
       AllowOverride All

       <IfModule mod_dav.c>
         Dav off
       </IfModule>

       SetEnv HOME /var/www/nextcloud
       SetEnv HTTP_HOME /var/www/nextcloud
     </Directory>

     # HSTS: browsers remember to use HTTPS for max-age seconds (15768000 = about six months)
     <IfModule mod_headers.c>
       Header always set Strict-Transport-Security "max-age=15768000; preload"
     </IfModule>

     # Debian's default self-signed certificate, replaced with a real one below
     SSLEngine on
     SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
     SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

   </VirtualHost>
</IfModule>

As always, we need to activate the files

a2ensite nextcloud-redirect.conf
a2ensite nextcloud.conf

The symlinks are now created automatically.

Restart Apache

service apache2 restart

Test the configuration. Visit your NextCloud webpage. You should now be redirected to the HTTPS page.

As we still use the default SSL Certificate, the browser will not trust the certificate. I will now continue to add my own certificate.

Add Certificate

I have a certificate, but it has the format .pfx
We need a .crt and .key file. Let's convert it.

First, we need the program openssl; install it if needed

apt-get install openssl

Push the .pfx to the Linux server using SFTP or any other method. I like to use Cyberduck; it's free and comes with tonnes of features.

Push the file to /etc/ssl/

Move to this folder.
Use this command to export the key to a separate file

openssl pkcs12 -in certANDprivatekey.pfx -nocerts -out key.key

I would not set a password: it encrypts the key file, and the password then needs to be entered whenever you restart the server. This option depends on your environment.

Use this command to export the certificate to a separate file

openssl pkcs12 -in certANDprivatekey.pfx -clcerts -nokeys -out cert.crt

Move the files into their respective folders

mv key.key private
mv cert.crt certs

Once again, open the Apache Nextcloud host conf file

nano /etc/apache2/sites-available/nextcloud.conf

Change the options SSLCertificateFile and SSLCertificateKeyFile so that they point to the new files.

SSLCertificateFile /etc/ssl/certs/cert.crt
SSLCertificateKeyFile /etc/ssl/private/key.key

Save and restart Apache

service apache2 restart

DNS

I assume you are familiar with DNS and have already set an A record for the Nextcloud server. If not... go on... do it.

Now you can visit the Nextcloud web interface with the appropriate URL. If you set everything up correctly and the certificate matches the DNS name, the browser should accept the certificate.

Nextcloud add trusted Domain

You will be prompted with this message

Open the Nextcloud config file

nano /var/www/nextcloud/config/config.php

and edit the trusted_domains array

'trusted_domains' => 
  array (
    0 => 'x.x.x.x',
    1 => 'cloud.example.com',
  ),

We are done. Restart apache and refresh the webpage.

Troubles

Pass phrase needed

If you restart Apache you get this message

You set a pass phrase while exporting the key file. Enter the pass phrase now or remove the pass phrase.

openssl rsa -in key.key -out keyWithoutPassphrase.key
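
The checks below are an added example, not part of the original post. Run before restarting Apache, they test whether the exported key is still pass-phrase protected (the case described under "Pass phrase needed"), whether the key file is accessible to group or others, and whether cert.crt and key.key belong together. The function names are made up for this example, and stat -c assumes GNU stat as shipped on Debian.

```shell
#!/bin/sh
# Added example: checks for the exported cert/key pair before an Apache restart.
# Function names are hypothetical; only standard openssl/grep/stat calls are used.

# 0 if the PEM key is pass-phrase protected (Apache would prompt at start-up).
key_is_encrypted() {
    # PKCS#8 header, or the traditional "Proc-Type: 4,ENCRYPTED" marker
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
             -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if group or others have any permission on the key file.
key_is_exposed() {
    kmode=$(stat -c '%a' "$1") || return 2    # GNU stat (assumption: Debian)
    case "$kmode" in
        *00) return 1 ;;                      # e.g. 600 or 400: owner only
        *)   return 0 ;;
    esac
}

# 0 if certificate ($1) and key ($2) carry the same public key.
pair_matches() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    kpub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Print one line per finding; the return code is the number of findings.
check_tls_pair() {
    findings=0
    if key_is_encrypted "$2"; then
        echo "WARN: $2 is pass-phrase protected; Apache will prompt on restart"
        findings=$((findings + 1))
    elif ! pair_matches "$1" "$2"; then
        echo "FAIL: $1 and $2 do not belong together"
        findings=$((findings + 1))
    fi
    if key_is_exposed "$2"; then
        echo "FAIL: $2 is accessible to group/others; chmod 600 it"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh check-tls-pair.sh /etc/ssl/certs/cert.crt /etc/ssl/private/key.key
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```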

Written by

Martin Schmidli
