In this post, I’ll show you how to install Nextcloud on TrueNAS CORE and enforce Let’s Encrypt/ZeroSSL certificate with Acme.sh script.
Here is the video version for this tutorial, if you don’t like reading 🙂
➡️ Step 1: Install Nextcloud Plugin
To install Nextcloud plugin on TrueNAS CORE, go to Plugins ‣ Nextcloud ‣ Install
1.1 Plugin Name: yourCoolPluginName or nextcloud (default value)
1.2 Jail Name: yourCoolJailName
1.3 Select DHCP
1.4 Save
Once the installation is finished, you should have the address to access the admin portal like the screenshot below. You can access this portal using the provided Admin Portal IP address or FQDN. In this example, sysadmin102cloud is the host name, so the Fully Qualified Domain Name (FQDN) would be sysadmin102cloud.sysadmin102.org.
You should get the error Access through untrusted domain. Well, don’t panic; we will address this in Step 3.
➡️ Step 2: Enable SSH Service
I have gone over this many times. If you are not familiar with establishing an SSH connection, please watch the video below. Although the video was made for FreeNAS, it’s not much different on TrueNAS Core.
After you have established an SSH session with TrueNAS, you will need to access nextcloud Jail shell using the below command:
┌──(sysadmin102㉿sysadmin102)-[~]
└─$ ssh root@truenas.sysadmin102.org
root@truenas.sysadmin102.org's password:
Last login: Tue Aug 29 18:42:14 2023 from 10.13.2.25
FreeBSD 13.1-RELEASE-p7 n245428-4dfb91682c1 TRUENAS
TrueNAS (c) 2009-2023, iXsystems, Inc.
All rights reserved.
TrueNAS code is released under the modified BSD license with some
files copyrighted by (c) iXsystems, Inc.
For more information, documentation, help or support, go here:
http://truenas.com
Welcome to TrueNAS
Warning: the supported mechanisms for making configuration changes
are the TrueNAS WebUI and API exclusively. ALL OTHERS ARE
NOT SUPPORTED AND WILL RESULT IN UNDEFINED BEHAVIOR AND MAY
RESULT IN SYSTEM FAILURE.
root@truenas[~]# iocage console sysadmin102cloud
root@sysadmin102cloud:~ #
Notice that root@truenas has changed to your jail name.
➡️ Step 3: Adding trusted domain to config.php file
3.1 Before we do anything, let’s make a backup of the config.php file using the command below:
cp /usr/local/www/nextcloud/config/config.php /usr/local/www/nextcloud/config/backup_config.php
root@sysadmin102cloud:~ # cp /usr/local/www/nextcloud/config/config.php /usr/local/www/nextcloud/config/backup_config.php
root@sysadmin102cloud:~ # cd /usr/local/www/nextcloud/config/
root@sysadmin102cloud:/usr/local/www/nextcloud/config # ls
.htaccess config.documented.php config.sample.php
backup_config.php config.php truenas.config.php
root@sysadmin102cloud:/usr/local/www/nextcloud/config #
Use the cd command to change the directory to /usr/local/www/nextcloud/config
Use the ls command to list all the files within the config directory.
If anything goes wrong, use the below command to restore from backup:
cp /usr/local/www/nextcloud/config/backup_config.php /usr/local/www/nextcloud/config/config.php
3.2 Edit trusted domain using the built-in Easy Text Editor to modify the config.php
ee config.php
root@sysadmin102cloud:/usr/local/www/nextcloud/config # ee config.php
Use the Arrow down key to go down to line 30. Modify your local host to FQDN and the correct IP address. Change the overwtire.cli.url to the FQDN. Do not remove the quote marks (‘ ‘)
‘trusted_domains’ =>
array (
0 => ‘localhost‘,
1 => ‘10.13.2.189‘,
),
‘datadirectory’ => ‘/usr/local/www/nextcloud/data’,
‘dbtype’ => ‘mysql’,
‘version’ => ‘27.0.2.1’,
‘overwrite.cli.url’ => ‘http://localhost‘,
It should look like this after modification:
'trusted_domains' =>
array (
0 => 'sysadmin102cloud.sysadmin102.org',
1 => '10.13.2.192',
),
'datadirectory' => '/usr/local/www/nextcloud/data',
'dbtype' => 'mysql',
'version' => '27.0.2.1',
'overwrite.cli.url' => 'https://sysadmin102cloud.sysadmin102.org',
Press ESC to exit the Menu when you are finished. Press Enter twice to Save the file.
You should now be able to access the Nextcloud admin portal using an IP address or FQDN
➡️ Step 4: Download the Acme.sh script from GitHub
Return to the default directory using the cd command:
root@sysadmin102cloud:/usr/local/www/nextcloud/config # cd
root@sysadmin102cloud:~ # ls
.cshrc .login config dbuser ncuser tls
.history .profile dbname migrations PLUGIN_INFO
.k5login .shrc dbpassword ncpassword post_install.sh
root@sysadmin102cloud:~ #
4.1 Download the acme.sh bash script using curl. Replace my@example.com with the email you want to get the certificate renewal or expiration notice.
curl https://get.acme.sh | sh -s email=my@example.com
root@sysadmin102cloud:~ # curl https://get.acme.sh | sh -s email=techsupport@sysadmin102.com
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1032 0 1032 0 0 2155 0 --:--:-- --:--:-- --:--:-- 2158
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 216k 100 216k 0 0 437k 0 --:--:-- --:--:-- --:--:-- 437k
[Tue Aug 29 19:35:17 PDT 2023] Installing from online archive.
[Tue Aug 29 19:35:17 PDT 2023] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Tue Aug 29 19:35:18 PDT 2023] Extracting master.tar.gz
[Tue Aug 29 19:35:18 PDT 2023] It is recommended to install socat first.
[Tue Aug 29 19:35:18 PDT 2023] We use socat for standalone server if you use standalone mode.
[Tue Aug 29 19:35:18 PDT 2023] If you don't use standalone mode, just ignore this warning.
[Tue Aug 29 19:35:18 PDT 2023] Installing to /root/.acme.sh
[Tue Aug 29 19:35:18 PDT 2023] Installed to /root/.acme.sh/acme.sh
[Tue Aug 29 19:35:18 PDT 2023] Installing alias to '/root/.profile'
[Tue Aug 29 19:35:18 PDT 2023] OK, Close and reopen your terminal to start using acme.sh
[Tue Aug 29 19:35:18 PDT 2023] Installing alias to '/root/.cshrc'
[Tue Aug 29 19:35:18 PDT 2023] Installing cron job
[Tue Aug 29 19:35:20 PDT 2023] OK
[Tue Aug 29 19:35:20 PDT 2023] Install success!
root@sysadmin102cloud:~ #
➡️ Step 4: Edit the account.conf file
- DNS-01: This is the most reliable challenge type and thus highly recommended. It requires that you control the DNS for your domain name and that your DNS provider is supported by acme.sh
In order for acme.sh script to access your domain and verify domain ownership using DNS-01 validation. You will need to provide your credentials (ex. user name, password, or API Token) for your particular DNS within the account.conf. The use of user name and password, or Global API, is strongly discouraged due to security concerns. The login credential stored in account.conf is in plain text; anyone accessing and viewing this file can get your domain credential. API Token is preferred and a much safer approach.
Obtain the required parameters for your DNS from acme.sh Wiki:
https://github.com/acmesh-official/acme.sh/wiki/dnsapi
In this example, I will be using Cloudflare. Below are the parameters required for Cloudflare:
CF_Token="<token>"
CF_Account_ID="<id>"
CF_Zone_ID="<zone>"
You can restrict the API Token only for write access to Zone.DNS for a single domain, and then specify the CF_Zone_ID
directly.
If you use Cloudflare DNS, the following permission should be set for your API Token:
After you locate the required parameters for your DNS, we will add them to the account.conf using Easy Text Editor:
root@sysadmin102cloud:~ # cd .acme.sh/
root@sysadmin102cloud:~/.acme.sh # ls
account.conf acme.sh.csh deploy http.header
acme.sh acme.sh.env dnsapi notify
root@sysadmin102cloud:~/.acme.sh # ee account.conf
Below is the sample output:
#LOG_FILE="/root/.acme.sh/acme.sh.log"
#LOG_LEVEL=1
#AUTO_UPGRADE="1"
#NO_TIMESTAMP=1
CF_Token="fhtsdfm61mHiHm6E3g6FGNwAt8WhoSh4oRcOp5qwT"
CF_Account_ID="a67fb1df975cb439523f7e9c5749a0d2e"
CF_Zone_ID="dfgh4564cb439523gff757567dgfd2e"
ACCOUNT_EMAIL='techsupport@sysadmin102.com'
UPGRADE_HASH='0da568cce35f4ab014a6d5656fac03c8f4c6979'
Press ESC to exit the Menu when you are finished. Press Enter twice to Save the file.
➡️ Step 5: Issuing ZeroSSL or Let’s Encrypt certificate
Acme.sh script is using the ZeroSSL server by default. However, you have the option to select Let’s Encrypt server instead.
Before we can run the acme.sh script. We will need to give it execute and read permission using chmod command.
chmod 755 acme.sh
root@sysadmin102cloud:~/.acme.sh # ls
account.conf acme.sh.csh deploy http.header
acme.sh acme.sh.env dnsapi notify
root@sysadmin102cloud:~/.acme.sh # chmod 755 acme.sh
root@sysadmin102cloud:~/.acme.sh # ls -l
total 180
-rw-r--r-- 1 root wheel 297 Aug 29 19:53 account.conf
-rwxr-xr-x 1 root wheel 221414 Aug 29 19:35 acme.sh
Ok, let’s issue the certificate with the default server, ZeroSSL
A single host certificate will only be valid for that host. A wild card certificate would be valid for any host belonging to that domain.
Issuing a single host certificate with the following command:
./acme.sh --issue --dns dns_cf -d example.com -d host.example.com
Issuing a wildcard certificate:
./acme.sh --issue --dns dns_cf -d example.com -d "*.example.com"
If you want to use the Let’s Encrypt server instead, add –server letsencrypt to the end of the command
./acme.sh --issue --dns dns_cf -d example.com -d "*.example.com"
--server letsencrypt
If you are following the steps correctly, acme.sh script should download your certs to the corresponding folders.
root@sysadmin102cloud:~/.acme.sh # ./acme.sh --issue --dns dns_cf -d sysadmin102.org -d "*.sysadmin102.org"
[Tue Aug 29 20:25:44 PDT 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Aug 29 20:25:44 PDT 2023] Create account key ok.
[Tue Aug 29 20:25:44 PDT 2023] No EAB credentials found for ZeroSSL, let's get one
[Tue Aug 29 20:27:14 PDT 2023] Cert success.
[Tue Aug 29 20:27:14 PDT 2023] Your cert is in: /root/.acme.sh/sysadmin102.org_ecc/sysadmin102.org.cer
[Tue Aug 29 20:27:14 PDT 2023] Your cert key is in: /root/.acme.sh/sysadmin102.org_ecc/sysadmin102.org.key
[Tue Aug 29 20:27:14 PDT 2023] The intermediate CA cert is in: /root/.acme.sh/sysadmin102.org_ecc/ca.cer
[Tue Aug 29 20:27:14 PDT 2023] And the full chain certs is there: /root/.acme.sh/sysadmin102.org_ecc/fullchain.cer
➡️ Step 6: Create a CronJob for autorenewal
Enter the below command to create a CronJob for autorenewal:
./acme.sh --install-cronjob
➡️ Step 7: Modifying the nginx.conf file
Let’s make a backup of the original folder in case anything goes wrong:
cp /usr/local/etc/nginx/nginx.conf /usr/local/etc/nginx/backup_nginx.conf
To restore from the backup file, use the command below:
cp /usr/local/etc/nginx/backup_nginx.conf /usr/local/etc/nginx/nginx.conf
Copy the location of the certs to a text file; you will need them.
Your cert is in: /root/.acme.sh/sysadmin102.org_ecc/sysadmin102.org.cer
Your cert key is in: /root/.acme.sh/sysadmin102.org_ecc/sysadmin102.org.key
The intermediate CA cert is in: /root/.acme.sh/sysadmin102.org_ecc/ca.cer
And the full chain certs is there: /root/.acme.sh/sysadmin102.org_ecc/fullchain.cer
Change the directory to where the nginx.conf file is located using the cd command:
cd /usr/local/etc/nginx
Use the Easy Text Editor to modify the path to the above location:
ee nginx.conf
root@sysadmin102cloud:/usr/local/etc/nginx # ls
backup_nginx.conf fastcgi_params-dist mime.types nginx.conf-dist uwsgi_params
conf.d koi-utf mime.types-dist scgi_params uwsgi_params-dist
fastcgi_params koi-win nginx.conf scgi_params-dist win-utf
root@sysadmin102cloud:/usr/local/etc/nginx # ee nginx.conf
Original lines 95-98
If you forgot to record the file paths, you can retrieve it using find command:
find / -name domain.key
find / -name domain.cer
find / -name ca.cer
root@sysadmin102cloud:/usr/local/etc/nginx # find / -name sysadmin102.org.key
/root/.acme.sh/sysadmin102.org_ecc/sysadmin102.org.key
root@sysadmin102cloud:/usr/local/etc/nginx # find / -name sysadmin102.org.cer
/root/.acme.sh/sysadmin102.org_ecc/sysadmin102.org.cer
root@sysadmin102cloud:/usr/local/etc/nginx # find / -name ca.cer
/root/.acme.sh/sysadmin102.org_ecc/ca.cer
Modified lines 95-98
ssl_certificate: path ending with .cer
ssl_certificate_key: path ending with key
ssl_trusted_certificate: path ending with ca.cer
ssl_certificate /root/.acme.sh/sysadmin102.org_ecc/sysadmin102.org.cer;
ssl_certificate_key /root/.acme.sh/sysadmin102.org_ecc/sysadmin102.org.key;
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /root/.acme.sh/sysadmin102.org_ecc/ca.cer;
Press ESC to exit the Menu when you are finished. Press Enter twice to Save the file.
➡️ Step 8: Restart the Nginx service
Nginx will execute a sanity check, it will output error messages if there is a misconfiguration detected:
service nginx restart
Sample error output:
root@sysadmin102cloud:/usr/local/etc/nginx # service nginx restart
Performing sanity check on nginx configuration:
nginx: [emerg] cannot load certificate key “/usr/local/etc/nginx/root/.acme.sh/sysadmin102.org_ecc/sysadmin102.org.key”: BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(‘/usr/local/etc/nginx/root/.acme.sh/sysadmin102.org_ecc/sysadmin102.org.key’,’r’) error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
Sample successful output:
root@sysadmin102cloud:/usr/local/etc/nginx # service nginx restart
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Stopping nginx.
Waiting for PIDS: 17044.
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
Refresh your Nextcloud Admin Portal, and you should no longer see the red padlock or not secure (varies by browser) signifying a self-signed certificate.
For some browsers, you will need to close the tab and reopen it to retrieve the new certificate from ZeroSSL (or Let’s Encrypt if you chose the Let’s Encrypt Server in Step 5).
➡️ If you think this tutorial is helpful, please support my channel by subscribing to my YouTube channel or by using the Amazon/eBay/ClouDNS Affiliated links below (Full Disclaimer). I will get a small commission from your purchase to grow my channel:
🚀 ClouDNS Affiliated: https://www.cloudns.net/aff/id/255803/
🚀 Things I used for my server: https://amzn.to/3hudohP
🚀 Tools I used: https://amzn.to/3uXaSUr
🚀 Devices I used: https://amzn.to/3FYlfxk
🚀 Networking/Cybersecurity/Programming Books: https://amzn.to/3HEYwb0
🚀 TrueNAS HBA SAS controller IT Mode from the Art of Server: https://ebay.us/cBWEvJ