NextCloud Let's Encrypt (nginx)

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Ideally, edit the renewal config file to use it.
Not sure how to do that. I presume you mean edit the file
Code:
nano /mnt/v1/iocage/jails/nextcloud/root/usr/local/etc/letsencrypt/renewal/mydomain.ddns.net.conf

What do I add to the file? Here is my current version
Code:
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /usr/local/etc/letsencrypt/archive/mydomain.ddns.net
cert = /usr/local/etc/letsencrypt/live/mydomain.ddns.net/cert.pem
privkey = /usr/local/etc/letsencrypt/live/mydomain.ddns.net/privkey.pem
chain = /usr/local/etc/letsencrypt/live/mydomain.ddns.net/chain.pem
fullchain = /usr/local/etc/letsencrypt/live/mydomain.ddns.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = ***********************************************
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
mydomain.ddns.net = /usr/local/www

EDIT: apparently it is not recommended to edit the config file per the certbot user guide.
Could I issue this command from the jail to let certbot edit the config?

Code:
certbot renew --deploy-hook "service nginx reload"

NasKar

I tried another option to run from a script

Code:
iocage exec nextcloud certbot renew --quiet --renew-hook "service nginx reload"

It seems to work, as the output without the quiet option is:
Code:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/mydomain.ddns.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /usr/local/etc/letsencrypt/live/mydomain.ddns.net/fullchain.pem expires on 2019-10-01 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Not sure if I could add this code to a crontab -e and get the same results
Code:
7 5 * * * certbot renew --quiet --renew-hook "service nginx reload"

Will have to wait a few months to see if it renews automatically.

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,975
I just use a renew script with a cron job in the UI set to trigger it daily. The post-hook command will restart/reload nginx if the certificate renews and after it completes the renewal. If it doesn't renew it does nothing.

Code:
#!/bin/sh
/usr/local/bin/certbot renew --post-hook "service nginx restart" --quiet


You can replace the restart command with reload if you choose, it will work either way. Reload just keeps the server running vs a restart.
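Putting the two approaches in this thread together (NasKar's `iocage exec nextcloud certbot renew ...` line driven from cron and Jailer's renew.sh with a post-hook), here is an added example of a host-side wrapper script; it is not code from either poster. It uses `--deploy-hook` rather than `--post-hook`, so nginx is only touched when a certificate actually changed, runs `nginx -t` before the reload so a broken config never takes the running server down, and classifies certbot's summary so the cron job exits non-zero (and cron mails the output) when a renewal fails instead of failing silently. The jail name `nextcloud`, the certbot path, the log path and the summary strings matched in `classify_renew_output` are assumptions; check the strings against the certbot version you run.

```shell
#!/bin/sh
# renew-nextcloud.sh: host-side wrapper for certbot renewal inside the
# nextcloud jail. Added example, not a script from the thread.
# Assumptions (not from the thread): the jail is named "nextcloud",
# certbot lives at /usr/local/bin/certbot inside it, and LOG is writable.
set -u

JAIL="nextcloud"
LOG="/var/log/nextcloud-renew.log"

# Run by certbot ONLY when a certificate was actually renewed
# (--deploy-hook), so the daily no-op runs never touch nginx.
# "nginx -t" validates the config first: a reload with a broken config is
# refused and the old config keeps serving; a restart would not be.
DEPLOY_HOOK='nginx -t && service nginx reload'

# Run certbot inside the jail and return its combined output.
renew_in_jail() {
    iocage exec "$JAIL" /usr/local/bin/certbot renew \
        --deploy-hook "$DEPLOY_HOOK" 2>&1
}

# Classify certbot's human-readable renewal summary.
# Prints one of: renewed, skipped, failed. Exit status 0 for renewed or
# skipped, 1 for failed or for output we do not recognise (assumed summary
# strings; verify against your certbot version).
classify_renew_output() {
    case "$1" in
        *"could not be renewed"*|*"renewal attempts failed"*)
            printf 'failed\n'; return 1 ;;
        *"No renewals were attempted"*)
            printf 'skipped\n'; return 0 ;;
        *"all renewals succeeded"*|*"successfully renewed"*)
            printf 'renewed\n'; return 0 ;;
        *)
            # Unknown summary: treat as a failure so somebody looks at it.
            printf 'failed\n'; return 1 ;;
    esac
}

# Constructed sample outputs (not real captures) for self-checking.
# The skipped case is modelled on the output NasKar posted above.
SAMPLE_SKIPPED='The following certs are not due for renewal yet:
  /usr/local/etc/letsencrypt/live/example.ddns.net/fullchain.pem expires on 2019-10-01 (skipped)
No renewals were attempted.
No hooks were run.'
SAMPLE_RENEWED='Congratulations, all renewals succeeded. The following certs have been renewed:
  /usr/local/etc/letsencrypt/live/example.ddns.net/fullchain.pem (success)'
SAMPLE_FAILED='All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/example.ddns.net/fullchain.pem (failure)'

main() {
    out=$(renew_in_jail)
    rc=$?
    status=$(classify_renew_output "$out")
    printf '%s status=%s certbot_rc=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$status" "$rc" >> "$LOG"
    if [ "$status" = failed ] || [ "$rc" -ne 0 ]; then
        # Print the full output and exit non-zero: cron mails it to root.
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Only renew when explicitly asked, so the file can also be sourced.
# Host crontab entry (assumed schedule): 7 5 * * * /root/renew-nextcloud.sh run
case "${1:-}" in
    run) main ;;
esac
```

Install it on the host (not in the jail), make it executable, and add the `run` invocation to root's crontab or the UI cron task; `iocage exec` then runs certbot inside the jail the same way NasKar's one-liner does, while the exit status and log line give you something to alert on.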

NasKar

How does your script know to run it in your nextcloud jail?
Is there any advantage or disadvantage to running it in the jail crontab vs the UI?

Jailer

How does your script know to run it in your nextcloud jail?
You tell it to. I have a reverse proxy jail set up so that's where mine runs. renew.sh is the name of the script.
Code:
iocage exec proxy csh /renew.sh

Is there any advantage or disadvantage to runing it in the jail crontab vs the UI?
Whatever way you are comfortable running it. This was just the way I set it up when I built the jail.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
I might as well point out that I'm not a fan of clients that are a tangled mess of Python dependencies, favoring simpler and more lightweight clients like acme.sh when possible (which it usually is).

NasKar

I use no-ip as my dynamic dns provider. I don't think I can use acme.sh with that.

NasKar

Are you using DNS validation? Because if not, your DNS provider is irrelevant.
I'm not using DNS validation (DNS_CERT=0) in my config file. Will have to read more about acme.sh and study your script/README.md file. I was under the misconception that because no-ip wasn't on the list of supported providers I couldn't use it.

danb35

The only reason your DNS provider matters at all is if you're using DNS validation, as that's the only time the ACME client has any reason to interact with your DNS provider. Otherwise, you just have your A/AAAA/CNAME records pointing to the right place and you're set.

I used acme.sh with my script when I was using Apache as the web server. I'm now using Caddy as the web server, which handles all the ACME stuff internally (so if you want to see what I was doing, you'll need to look at older versions of the script--before I merged nextcloud-16-caddy). I don't use Certbot if I can help it, as it's just (IMO) way too bloated. However, it has a very good hook script available for acme-dns (it's much more full-featured than acme.sh's support for acme-dns), so I still use certbot on my main web server.

NasKar

I appreciate the clarification on your script changing from Apache to Caddy (that confused me). My fork of your script was made to use nginx which I was more familiar with than Apache. I'll have to consider changing over to your script with a new fork and adding my backup and restore.

KenNashua

Explorer
Joined
Feb 24, 2012
Messages
62
Could anyone provide a copy of their /usr/local/etc/nginx/conf.d/nextcloud.conf ? Certbot seems to have munged mine and not being familiar with what should be there or nginx, I'm a bit lost.

Nevermind. I installed a new server and copied the default from there.