Nextcloud behind Cloudflare zero trust

Submitted ⁨⁨1⁩ ⁨month⁩ ago⁩ by ⁨cctl01@feddit.nl⁩ to ⁨selfhosted@lemmy.world⁩

For some time, I’ve hidden my nextclould behind CF zero trust. When refreshing certificates via letsencrypt I would manually disable the tunnel, refresh and re-enable the tunnel. Now that letsencrypt will no longer notify me via email I need a more robust (read automated) way of refreshing certs. Do I have any options other than disabling zero trust? (the advantage would be I no longer need vpn to have the mobile app working).

source

Comments

Sort:hotnew top

hendrik@palaver.p3x.de ⁨1⁩ ⁨month⁩ ago
Maybe you can use letsencrypt's DNS-01 challenge. That works without an HTTP connection. But ultimately, I don't think you need a certificate on the server anyways, doesn't Cloudflare tunnel the traffic unencrypted?

source
- KairuByte@lemmy.dbzer0.com ⁨1⁩ ⁨month⁩ ago
  It can be unencrypted, but isn’t a requirement.
  
  source
- cctl01@feddit.nl ⁨1⁩ ⁨month⁩ ago
  Thanks for the reply, among all answers I chose this. Just because it works for me.
  
  source
Moonrise2473@feddit.it ⁨1⁩ ⁨month⁩ ago
Behind a cloudflare tunnel you can use a self signed or expired certificate, just check the “no TLS verify” checkbox

source
- cctl01@feddit.nl ⁨1⁩ ⁨month⁩ ago
  Thanks for the reply, among all answers I chose this. Just because it works for me.
  
  source
MangoPenguin@lemmy.blahaj.zone ⁨1⁩ ⁨month⁩ ago
DNS-01 challenge with letsencrypt. Or use cloudflare tunnel and don’t use https internally.

source
- cctl01@feddit.nl ⁨1⁩ ⁨month⁩ ago
  Thanks for the reply, among all answers I chose this. Just because it works for me.
  
  source
chiisana@lemmy.chiisana.net ⁨1⁩ ⁨month⁩ ago
If you can serve content locally without tunnel (ie no CGNAT or port block by ISP), you can configure your server to respond only to cloudflare IP range and your intranet IP range; slap on the Cloudflare origin cert for your domain, and trust it for local traffic; enable orange cloud; and tada. Access from anywhere without VPN; externally encrypted between user <> cloudflare and cloudflare <> your service; internally encrypted between user <> service; and only internally, or someone via cloudflare can access it. You can still put the zero trust SSO on your subdomain so Cloudflare authenticates all users before proxying the actual request.

source
- cctl01@feddit.nl ⁨1⁩ ⁨month⁩ ago
  This worked great. For those looking to apply the same solution. And running Nextcloud in snap. You need a cert.pem, key.pem and chain.pem file. The latter can be found here: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#cloudflare-origin-ca-root-certificate The cert and key can be generated from your Cloudflare Dashboard under Domains > SSL/TLS > Edge Certificate. Place all three files in /var/snap/nextcloud/12345/certs/live/ where 12345 can vary for you. Finally sudo nextcloud.enable-https custom cert.pem key.pem chain.pem Profit!
  
  source
Shimitar@downonthestreet.eu ⁨1⁩ ⁨month⁩ ago
Setup a cron that does it once per day, when you don’t need it, like certbot does. Easy.

source