This article expects:

  • you already installed Cozy and created your instance manually (without cozy-coclyco) on a subdomain
  • you are able to edit your DNS zone

Generate your wildcard certificate

YunoHost uses acme-tiny (a python script) to generate its certificates, but it's quite difficult to use manually, so we'll use certbot-auto.

Download certbot

Version 0.22 or later is required to obtain a wildcard certificate, which means you cannot (currently) install it through apt install certbot. We'll download it from the EFF's website instead.

cd /usr/local/bin
wget https://dl.eff.org/certbot-auto
chmod +x ./certbot-auto

If you want to check the integrity of the file in addition to HTTPS, there are instructions on this page: https://certbot.eff.org/docs/install.html.

Create the certificates & the challenge

certbot-auto certonly \
--manual \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual-public-ip-logging-ok \
--preferred-challenges dns \
-d '*.cozy.domain.tld,cozy.domain.tld'

The --manual flag selects the interactive authenticator that asks you to publish the DNS records yourself, and the quotes keep the shell from treating the * in the domain list as a file glob.

It will ask you to deploy two DNS TXT records under the name _acme-challenge.cozy.domain.tld (one for the wildcard name, one for the apex). Please do so (check with your DNS hoster how to add TXT records) and wait for them to propagate before continuing.

The DNS method is the only way allowed to obtain a wildcard certificate.

Note the paths of the certificate and key files it reports; you'll need them for the nginx configuration below.
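A wildcard name covers exactly one label, which is why the command above requests both *.cozy.domain.tld and cozy.domain.tld. The following check, added here as an example and not part of the original guide, tells you which hostnames a certificate's DNS SANs actually cover; the hostnames and /path/to/cert are placeholders.

```shell
# Added example (not from the original guide): which hostnames do the DNS SANs
# of a certificate cover? A wildcard matches exactly one label (RFC 6125), so
# "*.cozy.domain.tld" covers drive.cozy.domain.tld but not cozy.domain.tld nor
# a.b.cozy.domain.tld; hence certbot is asked for both the wildcard and the apex.

# san_matches NAME PATTERN -> exit 0 if the SAN entry PATTERN covers NAME
san_matches() {
    name=$1 pattern=$2
    case $pattern in
        '*.'*)
            suffix=${pattern#\*.}        # "cozy.domain.tld"
            prefix=${name%".$suffix"}    # labels before ".cozy.domain.tld"
            # unchanged: suffix absent; empty: apex name; contains ".": too deep
            [ "$prefix" != "$name" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]
            ;;
        *)  [ "$name" = "$pattern" ] ;;
    esac
}

# cert_covers HOST SAN_LIST -> exit 0 if any entry of the space-separated list covers HOST
cert_covers() {
    host=$1
    set -f                      # keep "*" in SAN entries from globbing files
    for san in $2; do
        if san_matches "$host" "$san"; then set +f; return 0; fi
    done
    set +f; return 1
}

# cert_sans PEMFILE -> print the DNS SANs of a certificate, space-separated
# (needs openssl 1.1.1+ for -ext; certbot already depends on openssl)
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '\n' ' '
}

# check_hosts SAN_LIST HOST... -> report each host; exit 1 if any is uncovered
check_hosts() {
    sans=$1; shift; rc=0
    for h in "$@"; do
        if cert_covers "$h" "$sans"; then echo "covered:   $h"
        else echo "UNCOVERED: $h"; rc=1; fi
    done
    return $rc
}
# Constructed sample: the SANs the certbot command above requests. For a real file:
#   check_hosts "$(cert_sans /path/to/cert)" cozy.domain.tld drive.cozy.domain.tld
SAMPLE_SANS='*.cozy.domain.tld cozy.domain.tld'
check_hosts "$SAMPLE_SANS" cozy.domain.tld drive.cozy.domain.tld a.b.cozy.domain.tld || true
```

The last sample host is deliberately two labels deep, so the report flags it as UNCOVERED: a Cozy app served from a nested subdomain would need its own name in the certificate.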

Add a cron to automatically renew your certs

Since YunoHost uses acme-tiny and not certbot, we can use certbot-auto renew for our own certificates without interfering with YunoHost's renewals. It only renews certificates that are close to expiry, so it is safe to call it as often as we want. Let's create a cron job calling it twice a day (at 00:00 and 12:00); the deploy hook reloads nginx only when a certificate has actually been renewed, so the new certificate is served:

echo "0 0,12 * * * root /usr/local/bin/certbot-auto renew --deploy-hook 'service nginx reload'" > /etc/cron.d/renew-le-cert

A file in /etc/cron.d needs the five time fields followed by the user to run as, hence the root field.

Create the VirtualHost

Manually create a virtual host in /etc/nginx/sites-available named cozy.domain.tld with the content below, and enable it with a symlink of the same name in /etc/nginx/sites-enabled (nginx only loads that directory). Replace /path/to/cert and /path/to/key with the paths returned by certbot earlier.

# $connection_upgrade is not a built-in variable: without this map nginx refuses
# to load the configuration. map must sit at http level, which is where a
# sites-available file is included. If another file on the host already defines
# it, this block can be omitted.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    # ".cozy.domain.tld" matches both cozy.domain.tld and *.cozy.domain.tld
    server_name .cozy.domain.tld;

    # Redirect all plain HTTP traffic to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .cozy.domain.tld;

    # Wildcard certificate and key reported by certbot
    ssl_certificate /path/to/cert;
    ssl_certificate_key /path/to/key;

    location / {
        # cozy-stack listens on localhost only; nginx terminates TLS in front of it
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_redirect http:// https://;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # WebSocket support (realtime notifications)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    access_log /var/log/nginx/cozy.domain.tld.log;
    error_log /var/log/nginx/cozy.domain.tld.error.log;
}

Check the configuration with nginx -t, then reload nginx: service nginx reload.