Hello NxFilter team and community,
I'm trying to configure a valid SSL certificate (Let's Encrypt) for my NxCloud instance (version v4.7.3.8, running via the deepwoods/nxcloud:latest Docker image on Ubuntu Server 24.04), but I'm encountering persistent difficulties. My goal is to replace the default self-signed certificate for the domain nxcloud.mydomain.com.
I followed these steps:
- Certificate Acquisition: Used certbot certonly --standalone and successfully obtained the fullchain.pem and privkey.pem files in /etc/letsencrypt/live/nxcloud.mydomain.com/.
- PKCS12 Creation: Combined the files using openssl pkcs12 -export -out nxcloud_cert.p12 -inkey privkey.pem -in fullchain.pem -name nxcloud (without setting an export password).
- JKS Creation: Converted the P12 to JKS using keytool -importkeystore -srckeystore nxcloud_cert.p12 -srcstoretype PKCS12 -destkeystore nxcloud.jks -deststoretype JKS -srcstorepass '' -deststorepass [PASSWORD] -alias nxcloud. I tried several passwords here (e.g., password, testing123), ensuring they were at least 6 characters long.
- Copying and Permissions: Copied the resulting nxcloud.jks to the Docker configuration volume (/var/lib/docker/volumes/nxcloud-docker_nxc_conf/_data/) and adjusted permissions with sudo chmod 644.
- cfg.properties Configuration: Edited the /var/lib/docker/volumes/nxcloud-docker_nxc_conf/_data/cfg.properties file to include:
```properties
https_port = 443
keystore_file = conf/nxcloud.jks # Path relative to the conf folder
keystore_pass = [PASSWORD] # The same password used in step 3
key_pass = [PASSWORD] # The same password used in step 3
use_cloud_gui_auth = 1
```
The Problem:
After restarting the NxCloud container, accessing via HTTPS (https://nxcloud.mydomain.com/admin) results in ERR_CONNECTION_REFUSED.
The Docker logs (docker logs nxcloud) consistently show the following error:
```
SEVERE: Failed to initialize component [Connector["https-jsse-nio-443"]]
...
Caused by: java.security.UnrecoverableKeyException: Password verification failed
(or Keystore was tampered with, or password was incorrect)
```
Checks Performed:
- Confirmed that the nxcloud.jks file exists at the correct path within the volume (/var/lib/.../_data/nxcloud.jks).
- Confirmed that the path conf/nxcloud.jks in cfg.properties is correct for NxCloud to find the file (as the FileNotFoundException error disappeared).
- Recreated the JKS file multiple times, using different, simple passwords (like password) and ensuring the password in cfg.properties matched exactly.
- Checked the nxcloud.jks file permissions (chmod 644).
- Confirmed that the HTTP connector (port 80) starts normally.
- Confirmed via docker exec nxcloud ss -tulnp | grep 443 that nothing is listening on port 443 inside the container when this error occurs.
If I comment out the keystore_file, keystore_pass, key_pass lines in cfg.properties, NxCloud starts, and HTTPS access works (using the default self-signed certificate, with the browser security warning).
It seems there's a persistent issue with reading the JKS file or verifying the password, despite following standard procedures and forum tips.
Has anyone encountered a similar issue with custom JKS certificates in NxCloud via Docker? Is there any Java Keystore particularity or another configuration I might be missing?
Thanks in advance for any help or suggestions!
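One thing worth ruling out for the cfg.properties excerpt above, as an added example (not part of the original post and not NxCloud code): if the file is read with java.util.Properties semantics, which is an assumption since the post does not say how NxCloud parses it, a `#` after a value is not a comment and becomes part of the path or password, as does trailing whitespace. The sample file and `example-pass` are constructed; backslash escapes and line continuations are not handled.

```python
import re

# Keys from the post's cfg.properties excerpt whose values must match byte for byte.
SENSITIVE_KEYS = ("keystore_file", "keystore_pass", "key_pass")

def load_properties(text):
    """Parse simple single-line entries as java.util.Properties.load() would:
    only lines that START with # or ! are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip(" \t\f")
        if not line or line[0] in "#!":
            continue
        # Key ends at '=', ':' or whitespace; everything after the separator,
        # including any '# ...' text and trailing blanks, is the value.
        m = re.match(r"([^=:\s]+)[ \t\f]*[=:]?[ \t\f]*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return {key: [findings]} for keystore settings with unintended extra text."""
    findings = {}
    for key, value in load_properties(text).items():
        if key not in SENSITIVE_KEYS:
            continue
        issues = []
        if re.search(r"\s[#!]", value):
            issues.append("inline comment is part of the value")
        if value != value.rstrip():
            issues.append("trailing whitespace is part of the value")
        if issues:
            findings[key] = issues
    return findings

# Constructed sample modelled on the excerpt in the post; example-pass is a placeholder.
SAMPLE = (
    "https_port = 443\n"
    "keystore_file = conf/nxcloud.jks # Path relative to the conf folder\n"
    "keystore_pass = example-pass # The same password used in step 3\n"
    "key_pass = example-pass \n"
    "use_cloud_gui_auth = 1\n"
)

if __name__ == "__main__":
    for key, issues in audit(SAMPLE).items():
        print(f"{key}: {'; '.join(issues)} -> {load_properties(SAMPLE)[key]!r}")
```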