Hello All,
I just got the Nextcloud plug-in properly configured with the Let's Encrypt SSL Certs, so I wanted to post my How-to. I based this off the following guides:
http://aairey.github.io/owncloud-letsencrypt
https://certbot.eff.org/#freebsd-apache
First, find the jail and execute from in there:
#jls
Nextcloud for me was 1, so to execute in it I used:
#jexec 1 tcsh
Then, install the certbot:
#pkg install py27-certbot
Stop Apache, start the set-up wizard, and start Apache again. I chose the standalone mode:
#service apache24 stop
#certbot certonly
#service apache24 start
Next you will need to tell Apache which files to use. If you use Owncloud, go to:
#cd /usr/pbi/owncloud-amd64/etc/apache24/extra
For Nextcloud:
#cd /usr/pbi/nextcloud-amd64/etc/apache24/extra
I back up httpd-ssl.conf so if there's an issue, I can go back to it:
#cp httpd-ssl.conf httpd-ssl.conf.backup
Edit httpd-ssl.conf (find the lines that start with those variables and alter as needed). Also, change "your.domain.org" to the domain you own:
Code:
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile "/usr/local/etc/letsencrypt/live/your.domain.org/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/your.domain.org/privkey.pem"
SSLCACertificateFile "/usr/local/etc/letsencrypt/live/your.domain.org/chain.pem"
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off
Restart Apache:
#service apache24 onerestart
I got the following error, I believe you can safely ignore it:
Code:
Error output from None:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Next, do a dry-run of the update:
#certbot renew --pre-hook "service apache24 stop" --post-hook "service apache24 start" --dry-run
I got that same error as above, but it ran happily.
Let's Encrypt recommends running it twice a day (if it doesn't need to renew, it will not shut down Apache), so I added this to my crontab:
#crontab -e
Code:
45 11,23 * * * certbot renew --pre-hook "service apache24 stop" --post-hook "service apache24 start" --quiet
I believe (I'm not an expert on cron, so please forgive me if this is wrong) that the script will run at 11:45 AM and 11:45 PM every day to check for renewing.
Check it is there with:
#crontab -l
As of now, I do not have HSTS working on this configuration. If you know how to, I would appreciate knowing how.
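A pre-restart check for the httpd-ssl.conf edit described in the post, as an added example that is not part of the original post: it confirms the three certificate directives point into the same Let's Encrypt live directory, that the "your.domain.org" placeholder was replaced, and that the protocol and compression settings listed above are in place. The function names and the sample domain cloud.example.org are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity-check httpd-ssl.conf before "service apache24 onerestart".
# Usage (hypothetical script name): sh check_ssl_conf.sh httpd-ssl.conf

# Print the value of the last uncommented occurrence of directive $2 in file $1.
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); gsub(/"/, ""); v = $0 }
                   END { print v }' "$1"
}

# Constructed sample input: the post's directives for domain $1 (cipher list omitted).
sample_conf() {
    d=/usr/local/etc/letsencrypt/live/$1
    cat <<EOF
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile "$d/cert.pem"
SSLCertificateKeyFile "$d/privkey.pem"
SSLCACertificateFile "$d/chain.pem"
SSLHonorCipherOrder on
SSLCompression off
EOF
}

check_ssl_conf() {
    conf=$1; rc=0
    cert=$(directive "$conf" SSLCertificateFile)
    key=$(directive "$conf" SSLCertificateKeyFile)
    chain=$(directive "$conf" SSLCACertificateFile)
    for f in "$cert" "$key" "$chain"; do
        case $f in
            "") echo "FAIL: a certificate directive is missing"; rc=1 ;;
            *your.domain.org*) echo "FAIL: placeholder domain left in $f"; rc=1 ;;
        esac
    done
    # cert.pem, privkey.pem and chain.pem must come from the same live/<domain> directory
    if [ "${cert%/*}" != "${key%/*}" ] || [ "${cert%/*}" != "${chain%/*}" ]; then
        echo "FAIL: cert, key and chain are not in the same directory"; rc=1
    fi
    proto=$(directive "$conf" SSLProtocol)
    for p in -SSLv2 -SSLv3; do
        case " $proto " in
            *" $p "*) ;;
            *) echo "FAIL: SSLProtocol does not contain $p"; rc=1 ;;
        esac
    done
    [ "$(directive "$conf" SSLCompression)" = off ] || { echo "FAIL: SSLCompression is not off"; rc=1; }
    [ "$(directive "$conf" SSLHonorCipherOrder)" = on ] || { echo "FAIL: SSLHonorCipherOrder is not on"; rc=1; }
    return $rc
}

if [ $# -gt 0 ]; then check_ssl_conf "$1"; fi
```

The script only reads the configuration text; it does not open the certificate files, so a path that is consistent but does not exist still passes.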