Understanding letsencrypt on nextcloud

dieterpi · July 6, 2023, 4:10pm

Hey,
is there a possibility to set nextcloud on https just in internal network?
Or is it just possible if you have a domain in www?

I found this tutorial (for I have lighttpd), but as I understand, it’s not possible to activate https within internal subnet as 192.168.178.1/nextcloud, isn’t it?

Cheers
dieterpi

Joulinar · July 6, 2023, 5:29pm

What is the advantage of an SSL certificate that is only valid for your local network?

You can manually create such certificates for local hostnames, but any modern web browser will complain about this, as such certificates are not issued by a corresponding authority. This means that they are not valid

dieterpi · July 6, 2023, 8:54pm

Since I don’t want to open nextcloud to the outside world, I only wanted to secure the intranet (in case it should be compromised). It’s just a bad feeling to send access data openly through the intranet. But it’s probably an overload of security.

How can I create such certificates and integrate them into the lighttpd?

Joulinar · July 7, 2023, 7:31am

there are quite some guide out describing how to create self singed certificates.

A configuration file to activate HTTPS could looks like following

github.com

MichaIng/DietPi/blob/a7fbf18bbe0fef2c3a276c7b8c6c260d88ae65ee/dietpi/dietpi-letsencrypt#L118-L163


      
          			cat << _EOF_ > /etc/lighttpd/conf-available/50-dietpi-https.conf
          # Based on: https://ssl-config.mozilla.org/#server=lighttpd
          server.modules += ( "mod_openssl" )
          # IPv4
          \$SERVER["socket"] == ":443" {
          	protocol = "https://"
          	ssl.engine = "enable"
          	ssl.pemfile = "$fp_cert_dir/fullchain.pem"
          	ssl.privkey = "$fp_cert_dir/privkey.pem"
          
          
	# For DH/DHE ciphers, dhparam should be >= 2048-bit
          	#ssl.dh-file = "/path/to/dhparam.pem"
          	# ECDH/ECDHE ciphers curve strength, see "openssl ecparam -list_curves"
          	ssl.ec-curve = "secp384r1"
          
          
	# Environment flag for HTTPS enabled
          	setenv.add-environment = ( "HTTPS" => "on" )
          
          
	# Intermediate configuration, tweak to your needs
          	ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2", "Options" => "-SessionTicket")

This file has been truncated. show original

Just as an idea how we do it.

As well, you might need to install lighttpd-mod-openssl module

dieterpi · July 7, 2023, 1:03pm

thanks!