Installing Nextcloud Plugin on TrueNAS CORE With Letsencrypt Support in 2024

Nowadays it feels that the TrueNAS CORE community is shrinking every month. I have been a user of this solution for more than 8 years now, but some aspects of the system like plugins have never matured to a degree where they are really usable. I have been using the Nextcloud plugin for years now (after having upgraded from ownCloud), but updating the plugin from either the designated plugin architecture of from the Nextcloud management screens is quite often painful and tends to break the jail if there are major upgrades on key components like PHP.

At this moment, even the TrueNAS CORE developers themselves are admitting that plugins are deprecated and should not be used:

TrueNAS SCALE, which is the successor to CORE is aparrantly able to solve much of the underlying problems, but is currently not running on my hardware and I am also not planning to go through the ordeal of upgrading to it yet.

Recently my Nextcloud plugin was stuck on an older version and the upgrade process broke the solution, so I figured to just install the latest version from the Plugins-screen. However, to get this fully operational with full support for certificates signed by Letsencrypt you will need to go through some manual actions. As none of the guides I was able to find online covered absolutely all steps to make this work, I have documented the steps I took here.

  1. I am assuming you have already set up a hostname at a dynamic DNS provider. If not, I recommend for this purpose. TrueNAS Core offers a Dynamic DNS client at the Services-screen. Create a hostname at your favorite provider and set up the client service accordingly.
  2. Navigate to the Plugins screen in the TrueNAS CORE GUI and just install Nextcloud there. I am assuming jail name nextcloud in this post.
  3. After installation has finished (may take a few minutes), navigate to the newly installed Nextcloud plugin in the Plugins-screen and click on Post install notes. This will display the username and password of the Nextcloud admin user. Make sure to write this down.
  4. The Plugins screen will show the assigned IP address of the jail, make a note of this
  5. SSH into your TrueNAS CORE instance or use the Shell menu option in the GUI. Get a console into your new jail by using iocage console nextcloud
  6. When upgrading from a previous version of Nextcloud, you may want to mount your file storage into the new jail. First rename the existing data folder: mv /usr/local/www/nextcloud/data /usr/local/www/nextcloud/data.bk
  7. Now create a new mount point: mkdir /usr/local/www/nextcloud/data
  8. Stop the Nextcloud jail from the Jails-screen in the TrueNAS GUI
  9. Expand options on your Nextcloud jail and select Mount Points
  10. Mount your file share into your Nextcloud jail (I am assuming a dataset called nextcloud_files stored at pool volume1): use source /mnt/volume1/nextcloud_files and target /mnt/volume1/iocage/jails/nextcloud/root/usr/local/www/nextcloud/data
  11. Start the Nextcloud jail from the TrueNAS GUI
  12. Get back into the jail’s console using iocage console nextcloud
  13. Edit file /usr/local/www/nextcloud/config/config.php and navigate to the trusted_domains section. This will list localhost and your TrueNAS CORE IP by default. If your Nextcloud jail has received another IP, make sure to add this as well (increase the numbering). Also add an entry with the FQDN of your Dynamic DNS entry (e.g.
  14. Now enter the IP address of the Nextcloud jail into your web browser, you should now see the login screen where you login as ncadmin with the recorded password.
  15. Change the password of the ncadmin user by clicking on the user icon at the top right and navigating to Personal settings -> Security.
  16. Create personalized users for anyone accessing Nextcloud by using the top-right menu and clicking Users. Make sure to write down passwords for those users.
  17. Go into your internet router settings and configure two port forwarding rules for both port 80 and port 443. Make sure to forward these ports to the IP address of your new Nextcloud jail instance.
  18. Access your Nextcloud instance using your FQDN dynamic DNS entry (e.g. This should now give a warning about the self-signed certificate which is provided with the Nextcloud plugin by default. Some browsers will not allow you to get past this point.
  19. We will now install a correct version of certbot with nginx support for installing a custom certificate. Go back to your Nextcloud SSH console session and type portsnap fetch
  20. After a few minutes type portsnap extract
  21. Navigate to the py-certbot directory: cd /usr/ports/security/py-certbot
  22. Install the latest version: make deinstall install clean
  23. If the installer asks about any settings, just accept the defaults
  24. Navigate to the nginx certbot plugin: cd /usr/ports/security/py-certbot-nginx
  25. Install: make install clean
  26. Set up certbot: certbot –nginx -d
  27. Enter your email address and accept the terms of service
  28. Now we need to change the nginx config to use the newly created letsencrypt certificates, as this is set to the plugin default. Navigate to the section with header # SSL which should contain the following:
    Change truenas into your FQDN on the three uncommented lines.
  29. As a last change (and this is missing from many of the manuals) you need to fix the redirect errors you may be getting when accessing your Nextcloud instance. Edit file /usr/local/etc/nginx/conf.d/nextcloud.conf and look for a server-section here (in my case it was the second section) which is configured as follows:
server {
    listen 443 ssl http2;
    server_name _;
  1. In the above section change the _ into the FQDN of your Dynamic DNS provider (e.g.
  2. Exit the Nextcloud SSH console by pressing CTRL-D. Now you are in the shell of your TrueNAS server itself, restart the Nextcloud jail by using iocage restart nextcloud
  3. After restarting is complete, you should be able to access your Nextcloud instance using the FQDN without certificate errors and without redirect problems as well.

Hopefully this helps (at least it does for me with documenting the process the next time my plugin fails again). If there are any steps missing or if there are still unclarities, please search out to me at