For some time, I’ve hidden my nextclould behind CF zero trust. When refreshing certificates via letsencrypt I would manually disable the tunnel, refresh and re-enable the tunnel. Now that letsencrypt will no longer notify me via email I need a more robust (read automated) way of refreshing certs. Do I have any options other than disabling zero trust? (the advantage would be I no longer need vpn to have the mobile app working).
This worked great. For those looking to apply the same solution. And running Nextcloud in snap. You need a cert.pem, key.pem and chain.pem file. The latter can be found here: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#cloudflare-origin-ca-root-certificate The cert and key can be generated from your Cloudflare Dashboard under Domains > SSL/TLS > Edge Certificate.
Place all three files in
/var/snap/nextcloud/12345/certs/live/where 12345 can vary for you.Finally
sudo nextcloud.enable-https custom cert.pem key.pem chain.pemProfit!