General Discussion / "Invalid Security Certificate" when accessing self-hosted server from LAN
« on: May 08, 2022, 10:49:51 am »
Hello all,
I have just migrated from a Meraki MX64 security appliance to OPNsense and I am experiencing an issue I didn't have before this change.
There is a self-hosted Nextcloud server (Ubuntu 20.04 Server on which only Nextcloud (Snap) is installed). OPNsense is running on a SuperMicro Atom server with two physical interfaces. A managed switch connects everything together. Apart from the firewall, nothing else has changed.
The Nextcloud server sits in the DMZ VLAN. The TLS encryption is provided by a Let's Encrypt certificate.
I have no issues accessing the server from the internet using the "https://nextcloud.mydomain.com" URL. From inside the LAN, I can access the server using the IP address ("172.16.0.20"), but when accessing it using the FQDN I get the error below. If using a VPN, there is NO error.
Code:
Warning: Potential Security Risk Ahead
[...]
nextcloud.mydomain.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
View Certificate
I tried deleting all the related cookies, emptied the cache and deleted the certificate error exceptions. Dry-running the certificate renewal shows no issues, and I have even successfully renewed the certificate. I have also followed the documentation related to intermediary certificates, but this didn't fix my issue either.
Screen captures with the firewall rules for the DMZ VLAN and the NAT port forwarding are attached.
I will be grateful for any feedback.
Regards,
Valentin