Nextcloud problems / questions

Run it only once, the certificate gets replaced every time. Also if you run it too often you get rate limited by let’s encrypt and then you have to wait a certain time before you can renew your certs.

Can this be added in the NextCloud DietPi config by Default?

Ok, clear to me
thx…

Hello Jappe,

How to add the maindomain and a subdomain to the Let’s Encrypt Certbot?

Is this config correct?

Yesterday I ran the YourDomain Certbot
Today I ran the nextcloud.YourDomain Certbot

See the config at:

At my local IP-Address https:///nextcloud/apps/dashboard/
I get the red http sign that the url is not secure

“certificate is not valid”

Is this the correct way to do it?

Certificates are issued for the specific domain. On an IP address, you will get a cert warning by design. You need to use your DDNS even if at home to avoid the cert warning.

where is the relation between imagick and db:add-missing-indices ??

I just add every domain I wanna use comma-separated in dietpi-letsencrypt, like
nextcloud.myddns.net,vpn.myddns.net,another.domain.net.

I think if you ran yesterday the script with domain1 and today with domain2, domain1 will not get renewed since it’s missing in the list now.

Ah, ok, thx for clarifying
didn’t know this

another learning moment this week :facepunch:

have no clue as I’m not an expert

I read it here: How to Install and Configure Nextcloud Hub 21 - Tech Guides

Hello Jappe, thank you!
Tried it, now I'm getting

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate for YourDomain.com and nextcloud.YourDomain.com
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Enhancement Strict-Transport-Security was already set.
Enhancement Strict-Transport-Security was already set.
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/default
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/default
Failed staple-ocsp for nextcloud.YourDomain.com
Unable to set enhancement staple-ocsp for nextcloud.hemertje.com
An error occurred while enabling OCSP stapling for {'nextcloud.YourDomain.com'}.

IMPORTANT NOTES:
 - We were unable to set up enhancement staple-ocsp for your server,
   however, we successfully installed your certificate.
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/YourDomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/YourDomain.com/privkey.pem
   Your certificate will expire on 2023-03-30. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
[FAILED] DietPi-LetsEncrypt | Certbot failed, please check its above terminal output. Aborting...

Press any key to return to the DietPi-LetsEncrypt menu ...

Have a look at your configuration file /etc/nginx/sites-enabled/default. Looks like it already contains both domain + sub.domain

Have a look if the following is already set within the default config

ssl_stapling on;
ssl_stapling_verify on;

Yes, I see the domains multiple times
For the subdomain the "includeSubDomains" is also missing

# /etc/nginx/sites-available/default
server {

        root /var/www;
        index index.php index.html index.htm index.nginx-debian.html;

        server_name YourDomain.com;

        include /etc/nginx/sites-dietpi/*.conf;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php(?:$|/) {
                include snippets/fastcgi-php.conf;
                fastcgi_pass php;
        }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/YourDomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/YourDomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_trusted_certificate /etc/letsencrypt/live/YourDomain.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # managed by Certbot

}

server {
    if ($host = YourDomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        listen 80 default_server;
        listen [::]:80 default_server;

        server_name YourDomain.com;
    return 404; # managed by Certbot

}

server {
    if ($host = YourDomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name nextcloud.YourDomain.com; # managed by Certbot
    return 404; # managed by Certbot

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/YourDomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/YourDomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

    ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.YourDomain.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

}

server {
    if ($host = nextcloud.YourDomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = YourDomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        listen 80 ;
        listen [::]:80 ;
    server_name nextcloud.YourDomain.com; # managed by Certbot
    return 404; # managed by Certbot

}

what to remove or edit?

When I visit https://nextcloud.YourDomain.com I get a 404 Not Found - nginx error

I suppose this is related?

Is it preferred to use a wildcard SSL certificate or an individual one for each subdomain?
I read somewhere they mentioned a wildcard SSL certificate is better, as with individual ones we can expose our history of domains, like with this tool https://crt.sh

Depends how this vhost has been set up, what web root has been defined and so on. Usually NC should be reachable on yourdomain.com/nextcloud

A wildcard cert is something that you can't create that easily. It requires some more work and is not supported by our tools currently. Just search the web on how to create such a cert.

Can you have a look with me regarding the config lines in:

With https:///nextcloud/ I get the error:

Your connection is not private
Cybercriminals may be trying to steal your information from <ip address> (for example, passwords, messages, or credit card information). More information
NET::ERR_CERT_COMMON_NAME_INVALID

and with https://nextcloud.hemertje.com/ I get the error:

404 Not Found
nginx


Only with https://YourDomain.com/nextcloud/login I see the correct Nextcloud Login page


Regarding vhost
If I read here: Nextcloud server installation with NGINX - Mageia wiki

Sub-domain address

In this section, the server will be reachable thanks to a subdomain of your domain name, forwarded by your router to your machine hosting Nextcloud. Your Nextcloud server will then be reachable at http://nextcloud.my_domain, for instance.

Note that the /nextcloud has disappeared.

They refer to /etc/nginx/conf.d/nextcloud.conf
But in DietPi there is no /etc/nginx/conf.d/nextcloud.conf

You should stop trying to set up this subdomain feature. It could be way simpler.

  1. Better to go back to the beginning and start with an empty, clean Nginx configuration file.
  2. Once done, run dietpi-letsencrypt and create the 2 certs you like. Doesn't matter if these are domain and subdomain. Just enter them both comma separated.
  3. You should have HTTPS access to the Nginx default web site on both, domain and subdomain.
  4. The default config file contains two nearly same looking sections, one for each domain.
  5. Go to the section for your subdomain and adjust the root directory. Should look like this now:
server {

	root /var/www/nextcloud;
	index index.php index.html index.htm index.nginx-debian.html;
    server_name sub.domain.com; # managed by Certbot
  6. Go to the NC config file /var/www/nextcloud/config/config.php and adjust the value overwrite.cli.url
  7. Remove the sub path /nextcloud. Should look like this now:
  'overwrite.cli.url' => 'https://sub.domain.com',
  8. Restart Nginx
  9. Done, NC is reachable on https://sub.domain.com now

This is working fine within my test lab
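As an added example (not code from the thread, DietPi or Certbot), a small Python lint over the kind of config posted above. It flags the two problems the thread surfaced: a server-level `return 404` inside an HTTPS vhost, which is why https://nextcloud.YourDomain.com answered 404 for every request, and an HSTS header without includeSubDomains. The sample config is constructed, condensed from the subdomain's HTTPS and port-80 blocks; the port-80 block keeps its `return 404` on purpose, since that is Certbot's normal redirect-or-404 pattern and must not be flagged.

```python
import re
# Constructed sample, condensed from the HTTPS and port-80 blocks posted for the subdomain.
SAMPLE = """
server {
    if ($host = YourDomain.com) { return 301 https://$host$request_uri; }  # managed by Certbot
    server_name nextcloud.YourDomain.com;
    return 404;
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
server {
    if ($host = nextcloud.YourDomain.com) { return 301 https://$host$request_uri; }
    listen 80;
    server_name nextcloud.YourDomain.com;
    return 404;
}
"""

def parse(text):
    """Tiny nginx parser: list of (directive, args, children-or-None); comments stripped."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"#[^\n]*", "", text))
    pos = 0
    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            stmt = []
            while tokens[pos] not in (";", "{"):
                stmt.append(tokens[pos]); pos += 1
            opener = tokens[pos]; pos += 1
            children = block() if opener == "{" else None
            if opener == "{": pos += 1  # consume the closing brace of the nested block
            items.append((stmt[0], stmt[1:], children))
        return items
    return block()

def lint(text):
    """Flag a server-level 'return 404' in an HTTPS vhost (the 404 seen on the subdomain) and HSTS without includeSubDomains."""
    findings = []
    for name, args, body in parse(text):
        if name != "server": continue
        names = ", ".join(next((a for d, a, _ in body if d == "server_name"), ["<unnamed>"]))
        # listen may be "443", "[::]:443" or "0.0.0.0:443": take the port after the last colon
        https = any(a[0].rsplit(":", 1)[-1] == "443" for d, a, _ in body if d == "listen")
        if https and any(a[0] == "404" for d, a, _ in body if d == "return"):
            findings.append(f"{names}: server-level 'return 404' in an HTTPS vhost")
        hsts = [a for d, a, _ in body if d == "add_header" and a[0] == "Strict-Transport-Security"]
        if any("includeSubDomains" not in a[1] for a in hsts):
            findings.append(f"{names}: HSTS header lacks includeSubDomains")
    return findings
```

Run it as `lint(open("/etc/nginx/sites-enabled/default").read())` to check a real file; a `return` inside an `if` block is deliberately ignored, only the unconditional one at server level is reported.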