How can I secure connection to nextcloud?

[przemko]

I close now port forwarding for port 80 on my router becouse security. Do I have to open it? Can You tell me also during that tutorial on Emby forum I have to change my certificates to another format. Does this not affect my nextcloud? I have to go to my folder /etc/letsencrypt/live/myserver.ddns.net/ and change my certificates with command:

Code: Select all

openssl pkcs12 -export -out mydomain.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:

Sorry for my questions but I don't know nothing about SSL and I don't want to mess something.
Regards Przemek

[Joulinar]

The port 80 we already discussed some days ago. I guess it would be needed to recreate your certificates once they are going to expire.

Regarding the transformation for emby. I guess it will just create the *.pfx file and do anything with your other files. However you could create a copy of the original files if needed.

[przemko]

On that tutorial they also wants to kill processess listen to port 80. Can I kill those processess:

Code: Select all

cp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1191/kodi.bin_v8    

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1032/lighttpd       
tcp6       0      0 :::8096                 :::*                    LISTEN      26999/EmbyServer    
tcp6       0      0 :::8080                 :::*                    LISTEN      1191/kodi.bin_v8    
tcp6       0      0 :::80                   :::*                    LISTEN      1032/lighttpd 

?

[Joulinar]

no need to do this because you already created the letsencrypt certificate. So you can skip these steps. Only thing to do is to create the *.pfx file and configure emby.

[przemko]

Thank You very much one more time. It works now. Can You tell me something about renew that certificate. Do I get some info or my nextcloud and emby stops working on https?

[Joulinar]

if the certificate expire, you will get a message on the web browser that the certificate is not valid anymore. basically you could check the lifetime yourselves by opening your https website an display the certificate. there you should see the expatriation date. Usually the validation is 90 days, so renewing the certificates once a month should be sufficient.

[MichaIng]

Btw when using dietpi-letsencryt or certbot, a systemd timer is added which renews the certificate automatically 30 days before or it expires.

And port 80 can or better should stay opened. It is required for certificate renewal in most cases and as long as you have automated redirection to HTTPS active and/or force it though the other web applications, it is no security risk.

[Joulinar]

@MichaIng
thx for pointing to the auto renew feature. Was not aware on it.

[MichaIng]

Can be checked via:

Code: Select all

systemctl status certbot.timer
journalctl -u certbot

It should show a renewal attempt two times a day, skipping it as long as expiry is more then 30 days in the future. Probably we should point that our within dietpi-letsencrypt UI.

[Joulinar]

at least for visualisation it would be a cool thing