SOLVED General Advice Welcome.

Status
Not open for further replies.

felthamn

Dabbler
Joined
Jan 25, 2018
Messages
40
I'm reasonably new to FreeNAS and thus far managed to get quite a bit set up myself, but I was wondering if it is possible to use a self-signed certificate with a manual (non-plugin) Nextcloud setup. I have found various tutorials implementing Let's Encrypt etc.; however, I'm only running Nextcloud as a "family" cloud storage setup, hence the reason why I am looking to implement a self-signed certificate... I've set up the certificate, just not sure how I would implement it in a jail. Any advice or guidance would be gratefully received.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
I would assume it's exactly the same as lets-encrypt. A cert is a cert and there should not be any difference.
 

felthamn

Dabbler
Joined
Jan 25, 2018
Messages
40
Just wondering where on earth do I place the certs within the jail, would it be within the apache24 folders or the Nextcloud folders? Sorry, I did warn you that I was a newbie.

I had another alternative which I think will suffice. I have a Raspberry PI set up in a role to act as a VPN server which can only be accessed if a certificate is installed on the client device. So the connection is encrypted... and therefore any communications between client machine and jails should be encrypted as well. All external traffic attempting to connect to the network is port forwarded to the VPN server, therefore to connect they have to have the certificate authority to do so... Any thoughts on that setup?

I'm still going to try and get the independent setup sussed out if anything just for a learning experience and my own personal development.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> I've set up the certificate, just not sure how I would implement it in a jail.
You'd implement it in the web server configuration; Nextcloud itself doesn't care whether the connection is encrypted or not. But using a VPN connection would be more secure.
 

felthamn

Dabbler
Joined
Jan 25, 2018
Messages
40
@danb35 Thanks for the response, will stick to the existing VPN solution then.
 

toadman

Guru
Joined
Jun 4, 2013
Messages
619
I would think you can put the cert and key where you want. In the vhost you would just give the path to both. letsencrypt normally puts them in /etc/letsencrypt/live (or a link anyway). But you can put them in a /home or wherever.
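
What the suggestion above looks like in an Apache 2.4 vhost, as an added example that is not part of the original thread: the hostname, the certificate and key paths, and the Nextcloud document root are assumptions for a FreeBSD jail running apache24.

```apache
# Added example. Hostname and all file paths below are assumptions;
# adjust them to wherever the cert and key were copied inside the jail.

# mod_ssl must be loaded and Apache must listen on 443
# (both normally go in /usr/local/etc/apache24/httpd.conf).
LoadModule ssl_module libexec/apache24/mod_ssl.so
Listen 443

<VirtualHost *:443>
    ServerName cloud.example.lan
    DocumentRoot "/usr/local/www/nextcloud"

    SSLEngine on
    # Any readable location works; the vhost only needs the two paths.
    # Keep the private key owned by root and not world-readable (mode 600).
    SSLCertificateFile    "/usr/local/etc/apache24/ssl/nextcloud.crt"
    SSLCertificateKeyFile "/usr/local/etc/apache24/ssl/nextcloud.key"
    # Refuse legacy protocol versions.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    <Directory "/usr/local/www/nextcloud">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# Send plain-HTTP requests to the TLS vhost instead of serving them.
<VirtualHost *:80>
    ServerName cloud.example.lan
    Redirect permanent / https://cloud.example.lan/
</VirtualHost>
```

A self-signed certificate still has to be trusted on each client device, otherwise browsers and the Nextcloud sync clients will warn about it.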
 

felthamn

Dabbler
Joined
Jan 25, 2018
Messages
40
Thanks for the advice, folks. Finally managed to get Let's Encrypt working. Took a bit of time but got there in the end.
 

wblock

Documentation Engineer
Joined
Nov 14, 2014
Messages
1,506
@felthamn, please describe what you did to get it working so others can also.
 

felthamn

Dabbler
Joined
Jan 25, 2018
Messages
40
In the end I opted to set up a VPN server using a Raspberry PI. This would be used to access the likes of my Nextcloud and OnlyOffice document server instances (OnlyOffice runs on an Ubuntu VM). Only devices with a current security certificate will be able to connect. It's not the fastest of connections but it's only meant for family to access (with the occasional coffee shop laptop edits). There is a really good tutorial via https://marcstan.net/blog/2017/06/25/PiVPN-and-Pi-hole/ which I made use of (including the ad-blocker) which made this possible.

I did end up using Let's Encrypt for one jail and that is going to be used for my projects blog, which is publicly accessible, hence the reason for the separation from the VPN. I figured that this would be the best way to deal with this, which was confirmed by @danb35. Creating a publicly accessible jail without a VPN was achieved through using the noip update client updater with the most obscure host name! The SSL bit was achieved in part through a tutorial on Tecmint https://www.tecmint.com/install-lets-encrypt-ssl-certificate-for-apache-on-freebsd/ and some suggestions from @Jailer (Thanks, those links will come in handy if I want to swap things around). Time will tell if I got the cron job set up correctly but so far so good.

I did run into a couple of issues but I resisted the temptation to run to the forums. I decided to read the error logs and managed to drill the problem down to a directory not being created. It was just a matter of creating the directory and everything sprung to life. If there was anything more important to learn there, it's read the logs... The answer to the issue will either be there or at least give you some vital information which may be of use if you require forum assistance.

Depending on how the projects blog public site runs, I may make use of one of the tutorials referenced to me from @Jailer where there is a good one on reverse proxy. I may use this if I decide to move my two other sites out of commercial hosting and bring them "in-house".

So thank you to all concerned.
 