I can’t figure this out for the life of me after searching multiple forums and watching different YouTube videos as well as reading the TrueNAS documentation on NextCloud. I am forwarding port 9001 of my router to :9001 which allows me to connect to NextCloud through https://xxx.duckdns.org:9001, but because the certs are self-signed it gives me the browser warning every time. I have a Docker letsencrypt container for a duckdns.org domain running on a different server and re-generate my pem files every 3 months. With my HomeAssistant container on that same computer I can just map the letsencrypt folder with the pem files to the right location in that HomeAssistant container and everything works with no browser warning. I would think i could do the same with NextCloud, but I can’t figure out how to manually add these keys to the TrueNAS Nextcloud app container. In my letsencrypt folder there is a cert.pem, chain.pem, fullchain.pem, priv-fullchain-bundle.pem, privkey.pem, and privkey.pfk file. Does anyone know the steps to manually add these to the TrueNAS NextCloud implementation? I only have these two services running with external https access. I thought about looking into a reverse proxy but my TrueNAS server is in my office with a Gigabit connection so I don’t want to route all my traffic through the server which would then have to route the data back through that connection to my HomeAssistant server. I just want to copy the updated keys to my NextCloud folder or even inside the container itself every 3 months.
Ideally I can copy them to somewhere in the NextCloud config folder which consists of a config, customer_apps, data, html, root, themes, tmp, and upload folder and restart the container and have it work, but I can’t figure out where or how to do this. I would even copy them directly into one of the 4 NextCloud containers that are run if I had to but can’t figure out how to do this.
Thanks for the suggestion. I will look into a reverse proxy. It has been on my todo list but hasn’t really been needed for awhile. I need it to run on a server that is always on and properly reboots. My TrueNAS server is in my office whereas my external internet comes into my bedroom. I think this means that if I ran the reverse proxy there that all the traffic to my HomeAssistant would have to come from outside → Bedroom → Office → Back to Bedroom where HA is. It isn’t a lot of traffic so not a huge deal. The bigger issue is that my TrueNAS drives have an extra layer of encryption. Every time it is rebooted I have to manually enter a password to decrypt the filesystem. Then I have to manually start the apps. That isn’t a big deal, but it would prevent HA from working externally if my reverse proxy was on that system. My HA system has unencrypted drives and can boot right up into Ubuntu and start the HA container. If someone stole that system from my house I wouldn’t worry about any data they got. Of course someone could always hack my network in which case I am only protected by the username/password of each system.
That HA installation is on a relatively low powered NUC with a single Gigabit connection. The Internet traffic would go Outside → Bedroom Router → HA NUC (its in my bedroom) → Bedroom Router → Office (TrueNAS) At least that is how I think the traffic would flow unless I can just tell the reverse proxy to redirect traffic from Outside → Bedroom → Office (TrueNAS). I am a noob when it comes to reverse proxies. I am not using NextCloud that much, but I see its value and would like to use it more. Even with lots of downloading to TrueNAS I rarely run into network congestion issues on my Nvidia shields. That is without any kind of network control. I am probably worrying about something unlikely to happen or happen very often.
It seems to me that the obvious solution is to run the reverse proxy on the same system that runs HA. You have lots of options there depending on the specifics of your environment, but my go-to choice for a reverse proxy is Caddy. It doesn’t have a GUI like Nginx Proxy Manager, but it’s very simple to configure using its Caddyfile, and it handles all the TLS stuff for you.
I currently use certbot and a bash script to move the certs around. My external reverse proxy is nginx and I create certs internally and scp them to my RP in DMZ.
I started to look at caddy, but not took a deep dive yet, but it looks like a good solution as a proxy, that might simplify things. However, I’m not sure it resolves certs on the backend.
One tip would be to purchase your own domain, use cloudflare or equivilant service that you can create letsencrypt certs using DNS-01 challenge.
Edit: For HA (Home Assistant) I just use the LetsEncrypt addon for the backend. Frontend is RPed as mentioned above.