Replace Nextcloud Docker certificate to make it work with iOS

Hello forum,

I’m new with docker and I’m happy that my nextcloud runs on my server.
My server has no connection to the internet, I synchronize my contacts and calendar only in the LAN.

With my iPhone it didn’t work, I get following error message:



I read that I have to change the certificate of my server. So far I haven’t had any luck.
Where do I have to take action to make Nextcloud Docker image accept its own SSL certificate?

I also read that Apple has certain requirements for the certificate and that the public part of the CA certificate must be stored on the Apple devices (because the certificate is self-signed).

Who has experience with syncing between Nextcloud and iPhone and can support me?

Thank you in advance

The best solution for this is to put nextcloud behind a reverse proxy that will handle all the SSL stuff.
Here’s the solution we provide for that:

Hi @j0nnymoe,

thank you for the replay.

The solution with the swag sever sounds good but is not what I am looking for. I do not want to open my nexcloud server to the internet. It should only be accessible from the internal LAN.

So far I have connected all clients to the nextcloud server via “https:\<my_internal_ip>/remote.php/…”.
I need verified certificates that only consider the internal address.

Can the swag server do this?
How do I have to configure it then?

You can set up swag with a domain name (duckdns is free if you don’t have one) and keep it lan only as long as you use dns or duckdns validation. Then you use the domain name and the validated cert and your iphone will be ok with it.

You can’t use validated ssl certs with an ip.

Hi @aptalca,

Thanks for this hint!

I have now run the swag server and I can access it from the internet.

Now I have the next problem. I linked nextcloud to the lsio network and I can access it now from the internet but firefox told me the nextcloud usee’s a certificate from and not the cert from the swag server.

At it is explained how to use certs in other containers. Currently, I do not understand what exactly is meant here:

(More secure) Mount the letsencrypt folder etc/letsencrypt that resides under /config in other containers (ie. -v /path-to-le-config/etc/letsencrypt:/le-ssl) and in the other containers, use the cert location /le-ssl/live/<your.domain.url>/

In my nextcloud docer container I add the folder /swag/etc/letsencrypt to le-ssl with -v /path-to-le-config/etc/letsencrypt:/le-ssl.

I don’t know in which configuration I have to change that nextcloud use the certificat in /le-ssl!
Can everybody help me?

Thanks in advance.

just reverse proxy nextcloud through swag; that docker-swag guide says how to do this step by step… rename nextcloud.subdomain.conf.sample to nextcloud.subdomain.conf and restart swag…

i suggest re-reading the swag guide you linked

I worked through the docker-swag guide and set up the reverse proxi and set up the nextcloud.subdomain.conf accordingly.

But nextcloud still has the wrong certificates and I am now stuck at the point (see previous post) to teach this nextcloud.

Looks like your port forwarding is wrong and port 443 is going directly to nextcloud instead of swag

That could be the reason, here are my settings:

That could be the reason, here are my settings:

on your router, forward outside port 443 to your server’s port 444, which is what swag is listening on


Now, when I do "https://<my_address>:443 I get following output.


Swag did’t forward me to Nextcloud-docker.

You need to re-read the guide. Why would swag forward you to nextcloud at your main domain? With the default proxy confs we include, it serves (reverse proxies) nextcloud at

So far I have carried out the following points:

  • In the file swag/nginx/site-confs/default is following entry include /config/nginx/proxy-confs/*.subdomain.conf;

  • The file swag/nginx/proxy-confs/nextcloud.subdomain.conf.sample is renamed to nextcloud.subdomain.confand stored in the folder swag/nginx/proxy-confs/

  • The setup in nextcloud.subdomain.conf is done, see below

      server {
      listen 443 ssl;
      listen [::]:443 ssl;
      server_name nextcloud.*;
      add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
      include /config/nginx/ssl.conf;
      client_max_body_size 0;
      location / {
          include /config/nginx/proxy.conf;
          resolver valid=30s;
          set $upstream_app nextcloud;
          set $upstream_port 443;
          set $upstream_proto https;
          proxy_pass $upstream_proto://$upstream_app:$upstream_port;
          proxy_max_temp_file_size 2048m;
  • Following is included in the nextclod-docker nextcloud/www/nextcloud/config/config.php file:

    'trusted_proxies' => ['swag'],
    'overwrite.cli.url' => 'https://nextcloud.<my_domain>',
    'overwritehost' => 'nextcloud.<my_domain>',
    'overwriteprotocol' => 'https',
  • the trusted domain array in nextcloud/www/nextcloud/config/config.php is updated:

    array (
        0 => 'xxxxxxx',
        1 => 'xxxxxxxxx',
        2 => 'nextcloud.<my_domain>',
  • swag-docker and nexcloud docker run on the same network

What am I doing wrong or have I forgotten to configure?

aptalca just told you what you did wrong…
https://<my_address>:443 takes to you to the default nginx of nextcloud; you mapped 444 as your https port for swag
you should be going to which should go to your router, hairpin in on 443, port forward to your host on 444 and show you the site…

1 Like

Hello @driz ,
Hello @aptalca ,

now I got it too! :see_no_evil:
I forgot to specify the subdomain all the time when I called the server.

Many thanks for your patience.

I still have a question about the following reply:

If I deactivate DynDNS and port forwarding on the router, how do I call the nextcloud server within my private LAN?
https://nextcloud.<IP-address>:444 does not work

Use port 443 for swag, not nextcloud. In fact, you don’t even have to map a port for nextcloud if swag is accessing it directly via docker network (according to your previous port, it is). Don’t forget to change the port forwarding on your router afterwards so outside 443 goes to 443 on your server.

Then you can set up a hairpin nat or a split dns on your router so your domain name resolves to the lan IP of your server.

1 Like

Thank you very much for your feedback.

I have changed the port pins.

The topic hairpin nat or split dns doesn’t tell me anything at the moment and I have to find out more about it. How I set it up on my Fritzbox, I haven’t found yet.

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.