Is it ok to run nextcloud on https without a certificate?

Status
Not open for further replies.

mvcad

Contributor
Joined
Feb 25, 2018
Messages
116
Warning, newbie question. I managed to run Nextcloud on my FreeNAS box and I port forwarded my router to port 443 on my Nextcloud IP using my dynamic DNS. It works fine, I can access it from outside my network using HTTPS; however, I got a warning that it has an invalid certificate. I am not sure of the consequences of doing this. Is the connection encrypted anyway? I understand the certificate is only a way to prove that the website belongs to the person that claims to be the owner. Since it resides on my server, do I need it? Is my connection more vulnerable to attacks?

Not sure if this is related, but I installed the app on my iPhone and tried several times to upload all my photos. I have more than 4000 pics. It starts to upload them but it hangs up when there are about 2300 pics left. I was looking at the phone while uploading and I saw an SSL error halfway through, but it went away and kept uploading the files. Also, I set up the app to upload the files automatically to an external folder since the jail is installed on a small capacity SSD.

I am not an IT professional just an enthusiast, I appreciate your help.

My specs: FreeNAS-11.1-U4, Intel core i3 7100 @ 3.9 GHz; 2 off Crucial CT8G4DFD824A 8GB (2x8GB) 2400MHz DDR4; boot drives are 2 mirrored SanDisk Ultra Fit 16GB USB 3.0; 3 Off Seagate skywolf HDD 4.0 TB each in RaidZ configuration; 1 off Samsung pro SSD 256 GB for running my jails; ASRock H270M-ITX/ac Motherboard; Cooler Master MasterWatt Series 550W Power Supply; Fractal Design NODE 304 Black Mini ITX Case.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
It is not possible to do HTTPS without a certificate--there must be some kind of certificate, even if you sign it yourself (as is usually the case with initial installation). A self-signed cert is perfectly valid, and will allow your traffic to be encrypted just as a trusted cert will, but any browser/client will warn you that it wasn't issued by a trusted certificate authority.
Is my connection more vulnerable to attacks?
Somewhat. The encryption itself is no less secure, but it's probably easier for an attacker to do a man-in-the-middle attack. That would still result in a different cert (so you'd be warned again), but it wouldn't be hard for the attacker to make the cert look similar to yours.

If you don't already have a lot of data in your existing Nextcloud installation, you might want to look at redoing it in a way that (1) doesn't store any of your data on your SSD, and (2) gets you a trusted certificate out of the gate. This script should do the trick (discussion here).
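
The point above that an attacker's certificate can be made to look similar to yours, as an added example that is not part of the original thread: two self-signed certs with the same name still differ in SHA-256 fingerprint, so a fingerprint recorded once on the trusted LAN tells them apart when a warning appears later. The host name, file names and function names are constructed for illustration; `server_fingerprint` reads the value from a live server and is not called by the demo.

```bash
#!/usr/bin/env bash
# Added example: tell a self-signed cert from a look-alike by fingerprint.
# mydomain.net, the file names and the function names are illustrative.
set -eu

# Create a throwaway self-signed cert for CN=$1; writes $2.key and $2.crt.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM cert file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Print the subject line, i.e. the part a look-alike cert can copy freely.
subject() {
    openssl x509 -in "$1" -noout -subject
}

# Fingerprint of the cert a live server presents (host, port); needs network.
server_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if the cert file $1 has exactly the pinned fingerprint $2.
check_pin() {
    [ "$(fingerprint "$1")" = "$2" ]
}

demo() {
    dir=$(mktemp -d)
    make_cert mydomain.net "$dir/real"        # stands in for the jail's cert
    make_cert mydomain.net "$dir/lookalike"   # same name, different key
    pin=$(fingerprint "$dir/real.crt")        # recorded once, on the LAN
    for c in real lookalike; do
        subject "$dir/$c.crt"
        if check_pin "$dir/$c.crt" "$pin"; then
            echo "  $c: fingerprint matches the pin"
        else
            echo "  $c: fingerprint MISMATCH, do not accept"
        fi
    done
    rm -rf "$dir"
}
demo
```

Both certs print the same subject, and only the first matches the pin.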
 

mvcad

Contributor
Joined
Feb 25, 2018
Messages
116
Thanks mate, I have a better understanding now. I saw your guide and it's awesome! I will give it a go for sure since I don't have much data on Nextcloud. Thanks again.
 

mvcad

Contributor
Joined
Feb 25, 2018
Messages
116
e. This script should do the trick (discussion here).
Hi again. I wanted to use your script but got stuck in the first part where it says I need a #FQDN. At the moment I am accessing Nextcloud by redirecting port 123456 to port 443 in the jail's IP address, so the address I use is https://mydomain.net:123456. Would your script work?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Would your script work?
Probably not. It obtains a cert from Let's Encrypt, and in order to do that, they need to validate that you control the domain. For that to work, one of two things needs to happen: (1) Let's Encrypt can reach your jail, by the FQDN you're using, on port 80; or (2) you can make updates to your DNS records to add a TXT record that validates control.
 