Internal website exposed to internet not using wildcard cert

I have installed a pfSense firewall/router (2.6.0-RELEASE) and configured my Nextcloud instance to get its SSL cert through the HAProxy and the like. Internally this works just fine.

I want to expose my Nextcloud to the internet so my kids can use it and I can get to my data/files while away from home. I configured a NAT and this works also, but the SSL cert that is exposed to the internet is the self-signed cert that Nextcloud uses.

What I want is this: I have a wildcard cert that I would like to utilize, the same one I use internally for all of my other tools, and I want to configure the Nextcloud instance to present the wildcard cert and not the self-signed one.

I am sure this is an easy fix but I am not sure of what I need to configure on apache2 to accomplish this.

Can I get a little assistance and a pointer in the right direction?


Did you install ACME?
Follow here…


If I were in your shoes, I wouldn’t expose it to the internet; the one time you haven’t patched, you will be exposed.

Why don’t you instead set up an OpenVPN connection to your data? Much safer.


Yeah, I have installed ACME and that’s where I am getting my wildcard cert that’s used in my HAProxy. The problem I am seeing is that when you access Nextcloud externally, pfSense just passes the traffic to Nextcloud, which in turn presents the self-signed cert. That does not match the wildcard cert Cloudflare is looking for, so I get an insecure message in the browser. I want Nextcloud to present the wildcard cert and everyone will be happy.

Tom discusses the correct way of setting up HAProxy in the video mentioned above.

Ok, I think I just fixed it. All I had to do was export the CRT and KEY from my pfSense wildcard cert, then create a PEM file. I googled how to do it and followed these steps: How to create a .pem file for SSL Certificate Installations

With the new PEM and key file, I just replaced the self-signed cert in Apache and restarted the service. Voila!!! All was right with the world now. It was much easier than I expected.

Now my HAProxy handles the internal SSL encryption and the like, and Nextcloud is protected with the same SSL cert. That works for me all day.

If you fellows see that I did something incorrect, please correct me. I am learning here…
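As an added check to go with the fix above (example code written for this thread, not from the original posts or from pfSense/Nextcloud): after swapping the cert in Apache, connect to the public name with normal trust verification and confirm that the chain validates (a leftover self-signed cert shows up as "untrusted") and that a wildcard SAN actually covers the hostname under the browser rules, where `*` must be the entire leftmost label and never spans a dot or matches the bare domain. The hostname and port are placeholders you supply.

```python
"""Report what certificate a public endpoint presents and whether its
subjectAltName (including a wildcard entry) covers the hostname."""
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if one dNSName SAN entry matches hostname (case-insensitive).
    Stricter than some libraries: '*' must be the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard only as the complete leftmost label, with at least one label
    # after it, and the same label count on both sides (no cross-dot match,
    # no match against the bare domain).
    if p_labels[0] != "*" or len(p_labels) < 2 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_covers(san_names, hostname: str) -> bool:
    """True if any dNSName in the SAN list covers hostname."""
    return any(wildcard_matches(name, hostname) for name in san_names)


def check_exposed_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with chain verification on (system trust store) and do the
    hostname check ourselves so the SAN list can be reported either way."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # chain is still CERT_REQUIRED
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # A self-signed or wrong-chain cert lands here, e.g. "self-signed certificate".
        return {"status": "untrusted", "detail": exc.verify_message}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "status": "ok" if san_covers(sans, hostname) else "name-mismatch",
        "sans": sans,
        "not_after": cert.get("notAfter"),
    }


if __name__ == "__main__":
    import sys
    # Placeholder target; pass your own public Nextcloud name on the command line.
    print(check_exposed_cert(sys.argv[1] if len(sys.argv) > 1 else "cloud.example.com"))
```

Run it from outside your LAN so the answer reflects the NAT path rather than HAProxy; "untrusted" with a self-signed detail means Apache is still serving the old cert.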