I have a NextCloud instance running at home and I need to make sure that the SSL certificate on it is always valid. Since I am using Lets Encrypt for the SSL certificate generation, I have had to run a few extra steps because the LE SSL generation requires the site to be reachable on port 80 and 443.
The challenge I have is that since my NextCloud instance is on a home system and I have a bunch of VMs running providing different services, I cannot use the VirtualHost option of Apache to make this happen on one IP.
I am fortunate that I have my own domain and have full control of the system that it is running on including DNS, I have to do the LE SSL certificate generation be run in a two step process.
Step one: Make sure that subdomain for the NextCloud instance is pointing to the server that is on the Internet (and so benefits from VirtualHost options).
Step two: Ensure that the FQDN (nextcloud.mydom.ain) for the NextCloud is pointing to the IP that is on the public internet
Step three: Run certbot to generate the SSL certs and needed auto redirection from port 80 to 443 done properly.
Step four: Run the following script on the Internet facing system which will gather all the needed LE SSL files and copy it over to the Internal VM. In the example below, “files.tar” is created by the tar command and that would be the file to be copied into the VM and expanded into the VM’s /etc/letsencrypt.
#!/bin/sh cd /etc/letsencrypt tar cvf files.tar renewal/nextcloud.mydom.ain.conf csr/ keys/ live/nextcloud.mydom.ain/ archive/nextcloud.mydom.ain/
Step five: Update the DNS entry for nextcloud.mydom.ain entry in the DNS files of mydom.ain to the IP associated with the home IP#. And with the magic of natting and port forwarding, the instance running at home will be presenting a proper LE SSL certificate.
Step six: Rinse and repeat the process every three months.
If you are doing this for the first time, you wil have to copy the relevant entries form /etc/httpd/conf.d/virtualhosts.conf and /etc/httpd/virtualhosts-le-ssl.conf as well to the internal host for it to work right.