rustyrangejoe
Cadet (Joined: Jan 6, 2019; Messages: 2)
Hi Colleagues,
I am new to the FreeNAS Community and I am asking you to help me validate whether I did my HTTPS configuration for NextCloud (11.2-RELEASE-p7) right. I did several hours of research and could not find a solution that helped me with my configuration (NextCloud/nginx/Let's Encrypt), so I need some input on whether I did it the "right way". From my perspective everything is working as expected (site is called via https / certificate is shown as valid in browser, ...)
Preparation Steps:
- I installed NextCloud from the Plugins
- I edited the NextCloud jail's /etc/ssh/sshd_config and adjusted the line: PermitRootLogin yes
- I changed the root password within the jail with passwd and started ssh once: service sshd onestart
- I used PuTTY to ssh into the NextCloud jail
- Temporarily allow the jail to get FreeBSD repositories: ee /usr/local/etc/pkg/repos/FreeBSD.conf and adjust the line FreeBSD: { enabled: no } to FreeBSD: { enabled: yes }
- Install Let's Encrypt: pkg install py27-certbot and follow the instructions
- I set webroot to /usr/local/www/nextcloud
- I got the message: IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at:
    /usr/local/etc/letsencrypt/live/xx.duckdns.org/fullchain.pem
    Your key file has been saved at:
    /usr/local/etc/letsencrypt/live/xx.duckdns.org/privkey.pem
- Edit nextcloud.conf: ee /usr/local/etc/nginx/conf.d/nextcloud.conf
- Change/add the following parameters:
    server {
    listen 443;
    ssl on;
    ssl_certificate "/usr/local/etc/letsencrypt/live/xx.duckdns.org/fullchain.pem";
    ssl_certificate_key "/usr/local/etc/letsencrypt/live/xx.duckdns.org/privkey.pem";
    ...
- Testing the renewal with a dry run: certbot renew --dry-run
- SSH into your FreeNAS and run the command jls - this will show you the JID (Jail ID), in my case it was ID=8
- Go to the FreeNAS WebGUI and add a monthly cron job that renews the certificate and restarts nginx:
    jexec 8 certbot renew --quiet --rsa-key-size 4096 && jexec 8 service nginx reload
regards,
Joe
Sources:
- https://www.howtogeekpro.com/10/how-to-gracefully-restart-nginx-and-why/
- https://fleximus.org/blog/freebsd/switching-into-a-jail-by-name-0x50
- https://mujahidjaleel.blogspot.com/2016/10/how-to-install-and-configure-certbot-in.html
- http://wiki.ssdcougars.tv/NextCloud/Installation
- https://certbot.eff.org/lets-encrypt/freebsd-nginx
FreeNAS-11.2-RELEASE-U1
Intel(R) Celeron(R) CPU G3900 @ 2.80GHz (2 cores)
16 GiB
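
A post-setup check for the steps in the post above, as an added example that is not part of the original post: it reports whether root SSH login and the FreeBSD package repository (both changed for the installation) are still enabled in the jail, and whether the private key that nginx points at is readable by group or other. The function names and the constructed sample files are assumptions of this example; on the real system the three arguments would be the file paths quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Usage inside the jail:
#   sh audit.sh <sshd_config> <FreeBSD.conf> <nextcloud.conf>

# First uncommented occurrence of an sshd_config keyword (sshd uses the first value).
sshd_value() {  # $1=file $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# True if an uncommented line still enables the pkg repository.
repo_enabled() {  # $1=repo file
    grep -v '^[[:space:]]*#' "$1" | grep -Eiq 'enabled:[[:space:]]*yes'
}

# Value of an nginx directive with quotes and the trailing ';' removed.
nginx_value() {  # $1=conf $2=directive
    awk -v d="$2" '$1 == d { v = $2; gsub(/[";]/, "", v); print v; exit }' "$1"
}

# True if the file (symlinks followed) grants nothing to group or other.
key_private() {  # $1=key file
    case "$(ls -lL "$1" | awk '{ print $1 }')" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per finding and return the number of findings.
audit() {  # $1=sshd_config $2=FreeBSD.conf $3=nextcloud.conf
    n=0
    if [ "$(sshd_value "$1" PermitRootLogin)" = yes ]; then
        echo "PermitRootLogin is still 'yes' in $1"; n=$((n + 1))
    fi
    if repo_enabled "$2"; then
        echo "FreeBSD repository is still enabled in $2"; n=$((n + 1))
    fi
    key=$(nginx_value "$3" ssl_certificate_key)
    if [ -z "$key" ] || [ ! -e "$key" ]; then
        echo "ssl_certificate_key missing or not found: ${key:-unset}"; n=$((n + 1))
    elif ! key_private "$key"; then
        echo "private key $key is readable by group or other"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample files mirroring the state the steps in the post leave behind.
make_sample() {  # $1=empty directory
    printf 'PermitRootLogin yes\n' > "$1/sshd_config"
    printf 'FreeBSD: { enabled: yes }\n' > "$1/FreeBSD.conf"
    : > "$1/privkey.pem"; chmod 644 "$1/privkey.pem"
    printf 'server {\n listen 443;\n ssl on;\n ssl_certificate_key "%s/privkey.pem";\n}\n' "$1" > "$1/nextcloud.conf"
}
if [ "$#" -eq 3 ]; then audit "$@"; fi
```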