HTTPS TLS Certificate
🇫🇷 Cette page est également disponible en français : fr-HTTPS-TLS-Certificate
This page explains how to obtain and configure a free TLS certificate using Certbot (Let's Encrypt) so that your Nextcloud instance is accessible over HTTPS with a valid certificate.
- All four services (Nginx, PHP-FPM, MariaDB, Redis) are running — see Post-Deployment-Verification.
- You have a Fully Qualified Domain Name (FQDN) (e.g. cloud.example.com).
- Your VM has a Static public IP address (set during deployment).
- Your domain's DNS A record points to the VM's static public IP address.
- Ports 80 and 443 are open in the VM's Network Security Group.
Why a static IP? If the VM restarts and the IP changes, your domain will no longer resolve correctly. Always use a static IP for production deployments.
- In the Azure portal, go to Virtual machines > [your VM] > Networking.
- Click the public IP address link.
- Under Configuration, set Assignment to Static.
- Click Save.
In your DNS provider's control panel, create an A record:
| Field | Value |
|---|---|
| Name | cloud (or @ for apex domain) |
| Type | A |
| Value | VM static public IP address |
| TTL | 3600 (or your provider's default) |
Wait for DNS propagation (typically 5–30 minutes). Verify with:
```bash
dig cloud.example.com +short
# Should return the VM's public IP address
```
SSH into the VM and run Certbot:
```bash
sudo certbot --nginx -d cloud.example.com
```
Replace cloud.example.com with your actual FQDN.
Certbot will:
- Verify domain ownership via HTTP challenge (port 80 must be open).
- Obtain a certificate from Let's Encrypt.
- Automatically configure Nginx to use HTTPS.
- Set up automatic renewal via a systemd timer.
When prompted, enter your email address for expiry notifications and agree to the Terms of Service.
Nextcloud only accepts requests from trusted domain names. Add your FQDN:
```bash
sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_domains 1 --value=cloud.example.com
```
Verify the trusted domains list:
```bash
sudo -u www-data php /var/www/nextcloud/occ config:system:get trusted_domains
```
Expected output:
```
localhost
cloud.example.com
```
Ensure all HTTP traffic is redirected to HTTPS. Check your Nginx configuration:
```bash
sudo nginx -t && sudo systemctl reload nginx
```
Verify that browsing to http://cloud.example.com redirects to https://cloud.example.com.
- Open https://cloud.example.com in your browser.
- Confirm the browser shows a padlock icon (valid certificate).
- Check certificate details — issuer should be Let's Encrypt.
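The DNS, redirect and issuer checks from the steps above can also be scripted. This is an added example, not part of the original page; the function names, the verify.sh file name and the sample outputs are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): checks for the DNS, redirect and
# certificate steps. Each check parses captured command output, so it runs offline.

# dns_points_to <vm_ip> <output of: dig FQDN A +short>
# Passes only if every A record returned equals vm_ip; a stale extra record fails.
dns_points_to() {
  printf '%s\n' "$2" | tr -d '\r' | awk -v ip="$1" '
    /^$/ || /\.$/ { next }              # skip blanks and CNAME targets
    { n++; if ($0 != ip) bad++ }
    END { exit ((n > 0 && bad == 0) ? 0 : 1) }'
}

# redirects_to_https <fqdn> <output of: curl -sI http://FQDN/>
# Passes on a 3xx whose Location is https:// on the same host (not a lookalike).
redirects_to_https() {
  printf '%s\n' "$2" | tr -d '\r' | awk -v host="$1" '
    NR == 1 { st = ($2 ~ /^30[1278]$/) }
    tolower($1) == "location:" {
      loc = ($2 == "https://" host || index($2, "https://" host "/") == 1) }
    END { exit ((st && loc) ? 0 : 1) }'
}

# issued_by_lets_encrypt <output of: openssl x509 -noout -issuer>
issued_by_lets_encrypt() {
  printf '%s\n' "$1" | grep -q "O *= *Let's Encrypt"
}

# Constructed sample outputs (documentation addresses, not real captures).
SAMPLE_DIG='203.0.113.10'
SAMPLE_HEAD='HTTP/1.1 301 Moved Permanently
Location: https://cloud.example.com/'
SAMPLE_ISSUER="issuer=C = US, O = Let's Encrypt, CN = R3"

# Live run: bash verify.sh cloud.example.com <VM static IP>
verify_host() {
  fqdn=$1 rc=0
  dns_points_to "$2" "$(dig "$fqdn" A +short)" || { echo "FAIL: A record"; rc=1; }
  redirects_to_https "$fqdn" "$(curl -sI "http://$fqdn/")" || { echo "FAIL: redirect"; rc=1; }
  issued_by_lets_encrypt "$(openssl s_client -connect "$fqdn:443" -servername "$fqdn" \
      -verify_return_error </dev/null 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null)" \
    || { echo "FAIL: certificate"; rc=1; }
  return "$rc"
}
if [ "$#" -eq 2 ]; then verify_host "$1" "$2"; fi
```

Run with the FQDN and the VM's static IP as the two arguments; each failed check prints a FAIL line and the script exits non-zero.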
Certbot automatically renews certificates before they expire. Test the renewal process:
```bash
sudo certbot renew --dry-run
```
Certificates are renewed automatically via the certbot.timer systemd unit. No manual action is needed.
Certbot error: "Could not bind to IPv4 or IPv6... port 80 in use"
Nginx is using port 80. Use the --nginx plugin (as shown above), which handles this automatically,
or temporarily stop Nginx (sudo systemctl stop nginx), run Certbot standalone, then restart Nginx.
Certbot error: "DNS problem: NXDOMAIN looking up A for..."
DNS has not propagated yet. Wait and retry, or verify the A record with dig.
Browser shows "Your connection is not private"
Nextcloud may not have the correct FQDN in trusted_domains. Re-run Step 4.
Also verify the certificate matches the domain: sudo certbot certificates.
After certificate renewal, Nginx shows old certificate
Run: sudo systemctl reload nginx
| Next | Page |
|---|---|
| Complete Nextcloud initial setup | Configuring-Nextcloud |