Nextcloud WebDAV sync not working in iOS, works in Windows

To give some background, why this even comes up: I have a Nextcloud instance running at home on an old laptop (on Ubuntu 18.04 LTS, installed through snap), accessible just from the local network. As such, I didn’t even want to use https and started with http. Some applications however, like Calendar in iOS 13, won’t sync with a server on http. So you need https, and for that you need to use SSL certificates. If your server is open to the internet, you can use a service like Let’s Encrypt; there are plenty of tutorials on how to do that. On a closed network, Nextcloud offers self-signed certificates, which you can easily activate with a one-liner, but most applications will flag them as untrusted. Sometimes this can be ignored, especially in browsers or Joplin desktop, but on mobile devices this option doesn’t exist. To work around that, you need to:

  1. Make your own Certification Authority (CA)
  2. Generate a certificate and a key
  3. Make your Nextcloud server use the given CA and certificate
  4. Make the CA trusted on your devices and use the certificate.

As a disclaimer, I only vaguely know what I’m doing, so if someone sees here an unnecessary or a wrong step, please let me know. I’m trying to write it also for people who are maybe not so experienced with the Linux terminal.

Detailed steps

  • ssh/putty into your Ubuntu server with your Nextcloud instance

  • Install mkcert (link)

  • Generate a certificate for your host

    • e.g. mkcert 192.168.0.2 or whatever domain you are using
    • this will generate two files
      • 192.168.0.2.pem and 192.168.0.2-key.pem
  • Find your root certificate

    • mkcert -CAROOT
  • Remember the location of these 3 files or copy them somewhere convenient

    • For simplicity let’s say you copied them to your home directory
  • Find where your Nextcloud instance is storing certificates

    • you can try
      ls /var/snap/nextcloud/
      there should be folders like common, current and another one let’s call it numbers - it will be a string of numbers or something else
      • you have to be a superuser to access this folder, so use sudo or sudo su
    • then check
      ls /var/snap/nextcloud/numbers/certs/live
      there should be 3 files: cert.pem, privkey.pem and chain.pem
    • delete these 3 files (rm cert.pem etc.)
    • copy your certificate, key and rootCA into the folder
      cp 192.168.0.2.pem /var/snap/nextcloud/numbers/certs/live etc.
    • rename these files to the previous names, with rootCA.pem acting as chain.pem
      mv 192.168.0.2.pem cert.pem
      mv 192.168.0.2-key.pem privkey.pem
      mv rootCA.pem chain.pem
    
    • double check that it worked with ls
  • Enable and use the custom certificates (source)
    sudo nextcloud.enable-https custom -s cert.pem privkey.pem chain.pem
    or if in su mode
    /snap/bin/nextcloud.enable-https custom -s cert.pem privkey.pem chain.pem

  • The apache server should now restart and it should be using your certificates

  • Now somehow get a copy of the certificate and rootCA onto your device of choice

    • Before you try it, copying the files directly into the directories of nextcloud on the server (/var/snap/nextcloud/common/files/user/whatever/) doesn’t work, or at least for me they didn’t show up afterward in the web app.
    • mounting a USB stick on the Ubuntu server link
    • From the USB stick you can copy the files on a desktop PC and sync it via nextcloud to your iPhone
    • Install the certificates in iOS 13 by downloading them and clicking on them
    • Then go to Settings - General - Profiles and install them
      • there should be one profile with the ubuntu server name and one starting with mkcert
    • Make the mkcert CA trusted by going to Settings - General - About - Certificate Trust Settings and enabling full trust

For me this worked, even though the order was much more chaotic and there was a lot of lurking on the web. Hopefully it will save someone some time.

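A check that can be run on the renamed cert.pem, privkey.pem and chain.pem before enabling them, to catch swapped or mismatched files and a CA signing key copied along by accident. This is an added example, not part of the original post: the function names are hypothetical, it assumes the openssl command-line tool is installed, and the demo set is a constructed throwaway CA standing in for mkcert output.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.

# check_cert_set DIR HOST: returns 0 only if every check below passes.
check_cert_set() {
    local dir=$1 host=$2 rc=0 cert_pub key_pub
    # 1. cert.pem must chain to the root CA that the devices will trust.
    openssl verify -CAfile "$dir/chain.pem" "$dir/cert.pem" >/dev/null 2>&1 \
        || { echo "FAIL: cert.pem is not signed by chain.pem"; rc=1; }
    # 2. privkey.pem must belong to cert.pem (compare the public keys).
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || true
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: privkey.pem does not match cert.pem"; rc=1; }
    # 3. The address clients connect to must be listed in the certificate.
    openssl x509 -in "$dir/cert.pem" -noout -checkip "$host" \
        -checkhost "$host" 2>/dev/null | grep -q "does match" \
        || { echo "FAIL: $host is not covered by cert.pem"; rc=1; }
    # 4. mkcert keeps the CA signing key (rootCA-key.pem) beside rootCA.pem;
    #    it must stay in the CAROOT and never be copied along.
    [ ! -e "$dir/rootCA-key.pem" ] \
        || { echo "FAIL: rootCA-key.pem found in $dir"; rc=1; }
    return "$rc"
}

# make_demo_set DIR: constructed throwaway CA and leaf for 192.168.0.2,
# standing in for mkcert output so the check can be tried offline.
make_demo_set() {
    local d=$1
    mkdir -p "$d/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo CA" \
        -keyout "$d/ca/key.pem" -out "$d/chain.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=192.168.0.2" \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    printf 'subjectAltName=IP:192.168.0.2\n' > "$d/san.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" \
        -CAkey "$d/ca/key.pem" -CAcreateserial -days 2 \
        -extfile "$d/san.ext" -out "$d/cert.pem" 2>/dev/null
}

# Usage on the server, as root, from the certs/live folder:
#   check_cert_set . 192.168.0.2
```

Only rootCA.pem needs to reach the phone or any other device; anyone holding rootCA-key.pem can issue certificates that every device trusting this CA will accept.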