STFN

Access local Nextcloud with HTTPS anywhere by using Tailscale TLS certificates


This blog post is of course not sponsored by Tailscale, I just really like them

This blog post continues the topic of running Nextcloud in an LXD container, but the matters discussed here are universal and can also be applied to any service running locally in your LAN.

In the previous blog post I mentioned that when using Nextcloud, I get a warning that the connection is not secure. That is because Nextcloud by default uses a self-signed TLS certificate, and modern web browsers find it suspicious. This was not a big problem for me until I wanted to use Gpoddersync to synchronize my podcasts between my phone’s AntennaPod and my Nextcloud’s RePod application (something I will write about in more detail in another blog post). Creating the connection would not work, as the sync tool expects properly working HTTPS on the Nextcloud side.

Turns out there is a rather simple solution to fix this issue: use Tailscale to generate a proper TLS certificate to provide a secure HTTPS connection when accessing Nextcloud via VPN.

Setting the stage

The initial situation is that I am running a NextcloudPi instance in an LXC container on my homelab server. I have Tailscale installed inside that container. I can access NCP via Tailscale using its MagicDNS URL, but the browser complains that the TLS certificate is suspicious.

TLS certificates in Tailscale

Tailscale has excellent docs on how to enable HTTPS and generate certificates, so, briefly: in the Tailscale admin settings, make sure MagicDNS is enabled, and at the bottom select “Enable HTTPS”. Tailscale warns you that the fully qualified domain name (basically the hostname + MagicDNS tailnet name) will become publicly known so that the certificates can be validated, but access to the machines themselves stays private.

Configuring certificates in NextcloudPi

In the NextcloudPi console (I use the LXD Web UI to access the container’s console) run:

tailscale cert <your MagicDNS url for that machine>

This command will generate two files, a *.crt and a *.key one. You can leave them where they were generated, or move them to a location of your choice.

The next step is to edit the Apache config file to point it at the new certificates. Use your editor of choice; I use vi:

vi /etc/apache2/sites-enabled/001-nextcloud.conf

At the top of the file there is a warning that the file should not be edited, as any changes will be overwritten, but to be honest I do not know when that happens: I restarted Apache and the whole instance a few times and the changes I made persisted. Would an Apache expert chime in?*

Anyway, the beginning of the file should look like this:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    DocumentRoot /var/www/nextcloud
    CustomLog /var/log/apache2/nc-access.log combined
    ErrorLog  /var/log/apache2/nc-error.log
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile   /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # For notify_push app in NC21
    ProxyPass /push/ws ws://127.0.0.1:7867/ws
    ProxyPass /push/ http://127.0.0.1:7867/
    ProxyPassReverse /push/ http://127.0.0.1:7867/
  </VirtualHost>

What interests us are the lines beginning with SSLCertificateFile and SSLCertificateKeyFile. Replace their values so that those lines point to the .crt and .key file respectively. For me those would be:

    SSLCertificateFile   /root/nextcloudpi.[redacted].ts.net.crt
    SSLCertificateKeyFile /root/nextcloudpi.[redacted].ts.net.key

Now all that is left is to reload Apache:

apachectl -k graceful

Et voilà! You should now be able to access your Nextcloud via Tailscale without any TLS error messages, with the browser bar showing a nice padlock.
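The whole procedure above (issue the certificate, repoint the two SSLCertificate* directives, reload Apache) fits in one small POSIX shell script. The one below is an added example written for this post, not part of the original text or of NextcloudPi; the certificate directory /etc/ssl/tailscale and the hostname are assumptions you will want to adjust. The text rewrite and the key-permission check are kept in their own functions so they can be tried on a copy of the config without Tailscale or Apache present.

```shell
#!/bin/sh
# Added example (not from the original post or NextcloudPi): swap the
# snakeoil certificate paths in the NextcloudPi Apache vhost for the pair
# issued by `tailscale cert`, check the key is private, reload Apache.
set -eu

# Pure text transformation: rewrite the SSLCertificateFile and
# SSLCertificateKeyFile directives in config $1 to point at cert $2 and
# key $3. Other lines are left untouched. Written via a temp file so it
# works with any sed, not only GNU sed -i.
point_apache_at_cert() {
  conf="$1"; crt="$2"; key="$3"
  tmp="$conf.tmp.$$"
  sed \
    -e "s|^\([[:space:]]*SSLCertificateFile\)[[:space:]].*|\1 $crt|" \
    -e "s|^\([[:space:]]*SSLCertificateKeyFile\)[[:space:]].*|\1 $key|" \
    "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Returns 0 only when file $1 has no group/other permission bits, i.e. the
# private key is readable by its owner alone (chars 5-10 of `ls -l`).
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# The full procedure from the post. $1 is the machine's MagicDNS name
# (e.g. nextcloudpi.<tailnet>.ts.net, assumed), $2 the vhost config and
# $3 the directory for the certificate pair (both assumed defaults).
# Requires tailscale and apache2; re-running it renews the certificate.
refresh_tailscale_cert() {
  host="$1"
  conf="${2:-/etc/apache2/sites-enabled/001-nextcloud.conf}"
  dir="${3:-/etc/ssl/tailscale}"
  crt="$dir/$host.crt"; key="$dir/$host.key"

  # umask 077 so the key is never world-readable, even for an instant.
  mkdir -p "$dir"
  (umask 077 && tailscale cert --cert-file "$crt" --key-file "$key" "$host")
  chmod 600 "$key"
  key_is_private "$key" || { echo "refusing: $key readable by others" >&2; return 1; }

  point_apache_at_cert "$conf" "$crt" "$key"
  # Validate the config before the graceful reload so a typo cannot take
  # the site down.
  apachectl configtest
  apachectl -k graceful
}

# Usage: sh this.sh nextcloudpi.<tailnet>.ts.net
if [ $# -eq 1 ]; then
  refresh_tailscale_cert "$1"
fi
```

Certificates issued through Tailscale come from Let's Encrypt and are valid for 90 days, so the script is meant to be run again before expiry (for example from a root cron job); `tailscale cert` simply renews the pair when it is due, and the graceful reload picks the new files up without dropping connections.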

Nextcloud with a secure connection

That’s it, short and simple. I’m becoming more and more impressed with Nextcloud and the possibilities it provides. Also a friend told me that Hetzner is now providing a managed Nextcloud service. I haven’t tried it personally, but he says it’s working great.

What is more, I have used Nextcloud as the example, but the mechanism I presented is universal and can be used to generate TLS certificates for any internal service that you provide, like Immich or Jellyfin. The only requirement is an HTTP server that can handle TLS. I will be testing it with other services soon.

Thanks for reading!

* I now have Panic At The Disco playing in my head.
