SSL on Nextcloud snap

Enabling HTTPS with a valid certificate (port 443)

$ sudo nextcloud.enable-https lets-encrypt
In order for Let's Encrypt to verify that you actually own the
domain(s) for which you're requesting a certificate, there are a
number of requirements of which you need to be aware:

1. In order to register with the Let's Encrypt ACME server, you must
   agree to the currently-in-effect Subscriber Agreement located
   here:

       https://letsencrypt.org/repository/

   By continuing to use this tool you agree to these terms. Please
   cancel now if otherwise.

2. You must have the domain name(s) for which you want certificates
   pointing at the external IP address of this machine.

3. Both ports 80 and 443 on the external IP address of this machine
   must point to this machine (e.g. port forwarding might need to be
   setup on your router).

Have you met these requirements? (y/n) y
Please enter an email address (for urgent notices or key recovery): your@e-mail.address
Please enter your domain name(s) (space-separated): first.your.domain. second.your.domain
Attempting to obtain certificates... done
Restarting apache... done

Thanks to this page:

https://github.com/nextcloud/nextcloud-snap/wiki/Enabling-HTTPS-(SSL,-TLS)

Finally, we can check whether the SSL certificate has been installed:

# curl -v https://your.domain.name
* Rebuilt URL to: https://lab.elitarno.com/
*   Trying 136.243.55.163...
* TCP_NODELAY set
* Connected to your.domain.name (136.243.55.163) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=lab.elitarno.com
*  start date: Mar 19 06:39:42 2020 GMT
*  expire date: Jun 17 06:39:42 2020 GMT
*  subjectAltName: host "lab.elitarno.com" matched cert's "lab.elitarno.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: lab.elitarno.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Thu, 19 Mar 2020 07:59:42 GMT
< Server: Apache
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-TEEvVjRTdVE0d1ZpTzEyUFVKL0Ira2RkUGVTdEFxWG1DUnl0OFFOMVFxMD06ZGtIZzFFVHlyV2N1RERUNkc4NjF0SFlPYTR2R0xaZXJUVWpzdFRNeElkYz0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Set-Cookie: ocog0kqmg2ze=9458e12173cd4c4e031c251f034ff068; path=/; secure; HttpOnly
< Set-Cookie: oc_sessionPassphrase=%2FXDRJ9TAdddTjiL0MQMxtRY6PWj6T58AHKJtP6DkpSNakHqnScajBj0Q9xa9KQ6KQhs9h87L0Ao7Sv2yFUj7eNMav8gajsbDniZ%2BtEvplPb04Wf4aQ7wlgWLoeo%2BN8y6; path=/; secure; HttpOnly
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block
< Location: https://lab.elitarno.com/index.php/login
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host your.domain.name left intact

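In this output we can check the expiry dates. The certificate's own expiry is the "expire date: Jun 17 06:39:42 2020 GMT" line in the "Server certificate" block. The "Expires: Thu, 19 Nov 1981 08:52:00 GMT" line is an HTTP response header that controls caching of the page, not the lifetime of the certificate.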
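
An added example (not part of the original post): a small shell helper that reads saved `curl -v` output, separates the certificate's `expire date` from the HTTP `Expires` header, and checks that HSTS is set. The function names and the 15552000-second HSTS minimum are assumptions of this example, and the sample input is constructed from the output above.

```shell
#!/bin/sh
# Added example: read saved `curl -v` output and pull out the TLS facts to check.

# Constructed sample, reduced from the curl output shown in the post.
sample_output() {
cat <<'EOF'
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
*  subject: CN=lab.elitarno.com
*  expire date: Jun 17 06:39:42 2020 GMT
*  SSL certificate verify ok.
< HTTP/1.1 302 Found
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Strict-Transport-Security: max-age=63072000; includeSubdomains
EOF
}

# Certificate notAfter: the "*  expire date:" line of the TLS handshake section.
cert_expiry() {
    tr -d '\r' | sed -n 's/^\* *expire date: *//p' | head -n 1
}

# HTTP caching header: a "<" response line, unrelated to the certificate.
http_expires() {
    tr -d '\r' | grep -i '^< expires:' | sed 's/^< [^:]*: *//' | head -n 1
}

# HSTS lifetime in seconds; empty when the header is absent.
hsts_max_age() {
    tr -d '\r' | grep -i '^< strict-transport-security:' |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeeds only if curl verified the chain, a certificate expiry was found and
# HSTS max-age is at least MIN_HSTS (assumed threshold: 15552000 s, ~6 months).
# Return codes: 1 = chain not verified, 2 = no expiry line, 3 = HSTS missing/short.
check_report() {
    report=$(cat)
    min=${MIN_HSTS:-15552000}
    printf '%s\n' "$report" | grep -q '^\* *SSL certificate verify ok\.' || return 1
    [ -n "$(printf '%s\n' "$report" | cert_expiry)" ] || return 2
    age=$(printf '%s\n' "$report" | hsts_max_age)
    [ -n "$age" ] && [ "$age" -ge "$min" ] || return 3
    return 0
}

# Usage on a live host (curl writes the verbose trace to stderr):
#   curl -sv -o /dev/null https://your.domain.name 2>&1 | check_report
```
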

Have more questions? Feel free to ask us in the
Dzhumaiev.Slack.com channel 🙂