
How to add *specific* self-signed SSL certificate to snap Nextcloud?


Context

After creating code that:

  • Automatically generates self-signed SSL certificates for onion domains
  • Attempts to add that SSL certificate to various self-hosted services, e.g. GitLab and Nextcloud

I've encountered some difficulties adding those self-signed certificates to Nextcloud. It is not a problem to add self-signed SSL certificates for an onion domain to Nextcloud; that can be done with (simplified):


sudo cp "cert-key.pem" /var/snap/nextcloud/current/cert-key.pem
sudo cp "cert.pem" /var/snap/nextcloud/current/cert.pem
sudo cp "fullchain.pem" /var/snap/nextcloud/current/fullchain.pem

sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/cert.pem" "/var/snap/nextcloud/current/cert-key.pem" "/var/snap/nextcloud/current/fullchain.pem"

sudo /snap/bin/nextcloud.enable-https self-signed
sudo ufw allow 80,443/tcp

Issue

The issue is adding those externally (and automatically) generated SSL certificates, for an onion domain, to Nextcloud.

Why

I use a single (self-signed/created) root ca certificate to create all the onion SSL certificates, because that requires me to distribute only 1 certificate to all the clients/devices. If I were to use the self-signed SSL certificates that Nextcloud generates (automatically), I would have to add another root ca to every client. This is undesirable.

Assumption

I assume Nextcloud uses its own (generated) root ca to sign the self-signed SSL certificates (instead of the certificates I provide). I base this assumption on the following observations:

  1. The output of running: sudo /snap/bin/nextcloud.enable-https self-signed is: Generating key and self-signed certificate... done followed by: Restarting apache... done, even after explicitly passing it the custom/externally created SSL certificate, certificate key and fullchain.pem (as described in the above bash snippet).

  2. This assumption is tested by first visiting the onion domain, which yields "self-signed certificate not trusted" (screenshot of the browser warning omitted).

  3. And then adding the original root ca (that generated those externally created SSL certificates) to Brave. Then verifying that the root ca is added to Brave. This verification is done by inspecting the Brave Certificate Manager at: brave://settings/certificates?search=certi and seeing the custom self-signed root-ca in there. Next, the same error is still observed upon closing and re-opening Firefox and going to the onion domain. (Meaning the externally created root ca was not the one that spawned the SSL certificate that is handed out by Nextcloud.)

Question

How to add a self-signed certificate for an onion domain, that was generated externally, to snap Nextcloud (such that Nextcloud uses it)?

Note

  1. The onion domain is taken down, and its private key deleted.
  2. This is not about: "where to put the certificates (with regard to strict confinement of snap)". The certificates are stored in /var/snap/nextcloud/current/ which is a permitted location.

Solution

  • The answer was to omit the sudo /snap/bin/nextcloud.enable-https self-signed command.

    So the (simplified) solution was:

    sudo cp "cert-key.pem" /var/snap/nextcloud/current/cert-key.pem
    sudo cp "cert.pem" /var/snap/nextcloud/current/cert.pem
    sudo cp "fullchain.pem" /var/snap/nextcloud/current/fullchain.pem
    
    sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/cert.pem" "/var/snap/nextcloud/current/cert-key.pem" "/var/snap/nextcloud/current/fullchain.pem"
    
    sudo ufw allow 80,443/tcp
    

    This solution was verified by adding the original root ca that created those custom certificates, to Brave, visiting the accompanying onion url and verifying that it was trusted.

    In essence, the self-signed command overwrote the certificates added by the custom command.
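A scripted version of the check the solution performs by hand in the browser, added here as an example and not part of the original post: it confirms that the deployed cert.pem is signed by the operator's root CA and that the certificate the server actually hands out is that same file, so a later overwrite (for instance by running the self-signed command again) is caught. It assumes openssl is installed; the file paths and host in the commented invocation are placeholders.

```shell
#!/bin/sh
# Added example (not the poster's code): verify that the certificate Nextcloud
# serves chains to our own root CA and matches the file we installed.

# Return 0 if the PEM in $1 (cert.pem or fullchain.pem) verifies against root CA $2.
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of the first certificate in PEM file $1 (lower-case hex, no colons).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate currently served on $1:$2.
# For an onion host run this through torsocks, or point it at the local Apache (127.0.0.1).
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# $1=cert.pem $2=root-ca.pem $3=host $4=port
# A fingerprint mismatch means the served certificate is not the custom one,
# which is exactly what happened when `enable-https self-signed` ran afterwards.
check_deployment() {
    cert_signed_by_ca "$1" "$2" || { echo "FAIL: $1 is not signed by $2"; return 1; }
    local_fp=$(cert_fingerprint "$1")
    remote_fp=$(served_fingerprint "$3" "$4")
    [ -n "$remote_fp" ] || { echo "FAIL: no certificate received from $3:$4"; return 1; }
    if [ "$local_fp" = "$remote_fp" ]; then
        echo "OK: $3 serves $1 (sha256 $local_fp)"
    else
        echo "FAIL: $3 serves $remote_fp, expected $local_fp"; return 1
    fi
}

# Example invocation (placeholder paths/host):
# check_deployment /var/snap/nextcloud/current/cert.pem /path/to/root-ca.pem 127.0.0.1 443
```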