"Invalid Security Certificate" when accessing self-hosted server from LAN

Started by felippe, May 08, 2022, 10:49:51 AM

Hello all,

I have just migrated from a Meraki MX64 security appliance to OPNsense and I am experiencing an issue I didn't have before this change.

There is a self-hosted Nextcloud server (Ubuntu 20.04 Server) on which only Nextcloud (Snap) is installed. OPNsense is running on a SuperMicro Atom server with two physical interfaces. A managed switch connects everything together. Apart from the firewall, nothing else has changed.

The Nextcloud server sits in the DMZ VLAN. The TLS encryption is provided by a Let's Encrypt certificate.

I have no issues accessing the server from the internet using the "https://nextcloud.mydomain.com" URL. From inside the LAN, I can access the server using the IP address ("172.16.0.20"), but when accessing it using the FQDN I get the error below. If using a VPN, there is NO error.


Warning: Potential Security Risk Ahead
[...]
nextcloud.mydomain.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
View Certificate


I tried deleting all the related cookies, emptying the cache, and deleting the certificate error exceptions. Dry-running the certificate renewal shows no issues, and I have even successfully renewed the certificate. I have also followed the documentation related to intermediary certificates, but this didn't fix my issue either.

Screen captures with the firewall rules for the DMZ VLAN and the NAT port forwarding are attached.

I will be grateful for any feedback.

Regards,

Valentin

I've fixed this issue, and it's no wonder my post didn't get any replies - the problem I described, well, let's say it was misleading.

It has nothing to do with the security certificate - Firefox was returning the error because the security certificate was for the OPNsense web UI, and not for Nextcloud. As soon as I chose a different port for the OPNsense web UI (I changed from 443 to 8443), the error changed to "The page cannot be displayed" (404). This error actually triggered the solution - all I had to do was to enable "Reflection port forwards" in Firewall: Settings: Advanced.

I hope this may help another newbie like me...
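A quick check for the situation described in this thread, added here as an example and not from the original post: it reports which certificate a host:port actually hands back, so a self-signed certificate for some other name (the firewall web UI on 443) is recognised as "you never reached the server" rather than "the server's certificate is broken". It assumes `openssl` is on the PATH; the sample x509 text below is constructed, not taken from the poster's hosts.

```shell
#!/bin/sh
# Report whether the certificate presented by host:port belongs to the name
# you asked for. Verdicts printed by classify_cert:
#   ok             trusted-style cert (subject != issuer) for the expected name
#   name-mismatch  CA-issued cert, but for a different name
#   self-signed    self-signed, but at least for the expected name
#   wrong-service  self-signed AND for a different name: another HTTPS
#                  listener (e.g. the firewall UI) answered instead

# Live probe; verification is skipped on purpose so we can inspect whatever
# the listener presents, even a self-signed certificate.
probe_cert() {
  openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -ext subjectAltName 2>/dev/null
}

# Extract the CN from "C = US, O = X, CN = name" (also handles "/CN=name").
cn_of() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# classify_cert EXPECTED_NAME X509_TEXT   (X509_TEXT as produced by probe_cert)
classify_cert() {
  expected=$1
  subject=$(printf '%s\n' "$2" | sed -n 's/^subject=//p')
  issuer=$(printf '%s\n' "$2" | sed -n 's/^issuer=//p')
  sans=$(printf '%s\n' "$2" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
  name_ok=no
  [ "$(cn_of "$subject")" = "$expected" ] && name_ok=yes
  for n in $sans; do [ "$n" = "$expected" ] && name_ok=yes; done
  if [ "$subject" = "$issuer" ]; then
    [ "$name_ok" = yes ] && echo self-signed || echo wrong-service
  else
    [ "$name_ok" = yes ] && echo ok || echo name-mismatch
  fi
}

# Constructed samples (not real output): a Let's Encrypt cert for the Nextcloud
# host, and a self-signed firewall web UI cert with a placeholder CN.
LE_SAMPLE="subject=CN = nextcloud.mydomain.com
issuer=C = US, O = Let's Encrypt, CN = R3
X509v3 Subject Alternative Name:
    DNS:nextcloud.mydomain.com"
FW_SAMPLE="subject=O = OPNsense, CN = OPNsense.localdomain
issuer=O = OPNsense, CN = OPNsense.localdomain"

classify_cert nextcloud.mydomain.com "$FW_SAMPLE"   # -> wrong-service

# Live use: ./check.sh nextcloud.mydomain.com [port]
if [ $# -ge 1 ]; then classify_cert "$1" "$(probe_cert "$1" "${2:-443}")"; fi
```

Run it once from the LAN and once over the VPN: a `wrong-service` verdict on the LAN side with `ok` elsewhere points at the firewall answering on 443 (or missing NAT reflection), not at the certificate.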