45 Drives Knowledge Base
KB450008 - Setting up HTTPS on Nextcloud 10
If Nextcloud is not installed, navigate to the Plugins page on the FreeNAS dashboard. Find Nextcloud in the Available list and install it. Move to the Installed tab and turn on the new Nextcloud instance.
It is easiest to change the IP address immediately after creating the Nextcloud jail. To change the IP address, move to the Jails page. Change the IP address and restart the Nextcloud jail. You may have to turn the Plugin back on.
Note: This guide uses IP addresses throughout the setup. To use hostnames, see the Apache 2.4 documentation.
After finishing all tasks in the FreeNAS GUI, ssh into the main server and then access the jail with the following commands:
jexec # (where # is listed by jls)
FreeNAS comes with a poor text editor, so install nano:
portsnap fetch extract; pkg install -y nano
Once nano is installed, you can easily edit the Apache modules:
Use ctrl+w to search the file.
Change “example.com” in the ServerName field to your IP address.
Add the following lines within the VirtualHost tags:
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
SSLProtocol -all +TLSv1
Note: This SSLProtocol value should be updated. TLS 1.0 is deprecated, so restrict the server to TLS 1.2 or later.
Save the file and then edit httpd.conf:
Add the following:
Redirect permanent / https://yourip/
As above, find the existing ServerName field, uncomment it, and change its value to your IP address.
Note: If necessary, you can fine-tune the Listen directives to bind only to certain IP addresses.
Save the file and create a new directory for the key and certificate:
Next, use the OpenSSL tool to generate a private key in the new folder:
openssl genrsa -out aname.key 2048
Once the private key is generated, you need to create a Certificate Signing Request (CSR). You can either send the CSR to a Certificate Authority for signing or perform self-signing.
To create a CSR:
openssl req -new -key aname.key -out aname.csr
Fill in the appropriate information. The most important field is the Common Name (CN). In this case, use the jail IP address as the CN.
To check that the CSR is correct:
openssl req -text -in aname.csr -noout
Alternatively, to self-sign:
openssl req -new -x509 -days 365 -key aname.key -out aname.crt
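The self-signing path above as one script, added here as an example and not part of the original 45 Drives guide: it puts the jail IP in both the CN and an IP subjectAltName (current browsers match on the subjectAltName rather than the CN), then lets you confirm that the certificate belongs to the key. The function names, the output directory and the 192.0.2.10 address are assumptions.

```shell
#!/bin/sh
# Added example. Function names, paths and 192.0.2.10 are placeholders.
# Usage: make_selfsigned 192.0.2.10 aname /path/to/certdir

# Create a 2048-bit key and a 365-day self-signed certificate whose CN and
# IP subjectAltName are both the jail IP. A config file is used instead of
# -addext so this also works with older OpenSSL releases.
make_selfsigned() {
    ip="$1"; name="$2"; dir="$3"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
default_md = sha256
prompt = no
[dn]
CN = $ip
[v3]
subjectAltName = IP:$ip
EOF
    # umask keeps the private key readable by its owner only
    ( umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -days 365 -key "$dir/$name.key" \
        -config "$dir/$name.cnf" -out "$dir/$name.crt"
}

# Succeed only if the certificate carries the public key of this private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the certificate lists exactly this IP as a subjectAltName.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -F "IP Address:" |
        tr -d ' ' | tr ',' '\n' | grep -qxF "IPAddress:$2"
}
```

Run key_matches_cert and cert_has_ip_san against the generated files before pointing httpd-ssl.conf at them; a mismatch at this stage is easier to diagnose than a failed Apache start.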
Add the paths of the certificate and key to the following fields in httpd-ssl.conf
Enabling New Configuration
To be safe, use service apache24 stop followed by service apache24 start, rather than service apache24 restart, when changing port names.
You now have to install the certificate on the client (Firefox is the easiest browser to use in this case).