Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
"Invalid Certificate" blocking Internet access
« previous
next »
Print
Pages: [
1
]
Author
Topic: "Invalid Certificate" blocking Internet access (Read 849 times)
malebron
Newbie
Posts: 6
Karma: 0
"Invalid Certificate" blocking Internet access
«
on:
April 18, 2024, 01:30:56 am »
This is my first OPNsense install. I'm moving from a working Asus router and keeping everything on my home network the same (except the router) in order to get things working as a start point. So far ALMOST everything is working, except:
I have a NextCloud instance running in a container on an Unraid Server, which also hosts a SWAG reverse proxy. Nothing changed there. On OPNsense I have set up DDNS (ddclient using Cloudflare) and the port forwarding to match my previous configuration.
However, when I try to access NextCloud from the Internet I get an Invalid Certificate error. It says my site "has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site."
The certificate it sees is the one I added to replace the self-signed certificate (using ACMEClient) so I can access the OPNsense GUI
internally
without the error.
Did I do something wrong? OR
Do I need to add another outward-facing certificate? (If so can you point me to any how-to instructions?)
I didn't need this before, but perhaps OPNsense is just more secure.
Thanks for any help!
Logged
meyergru
Hero Member
Posts: 1684
Karma: 165
IT Aficionado
Re: "Invalid Certificate" blocking Internet access
«
Reply #1 on:
April 18, 2024, 09:48:14 am »
If the OpnSense is presented for the port-forward (which is the reason for the error message), then I can only imagine these cases this goes wrong:
1. You tried to use 443 as the port forward and still have OpnSense listen to the same port (and on all interfaces).
2. You do not use the correct port in your external URL, like you forget to add it in "
https://somewhere.dyndns.org
:
5555
".
3. Nextcloud does not know about its "real" external URL and rewrites some ressource URLs to absolute values lacking the port (e.g. 5555).
4. You have set up a transparent proxy and all traffic gets intercepted.
«
Last Edit: April 18, 2024, 11:25:25 am by meyergru
»
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
Saarbremer
Sr. Member
Posts: 353
Karma: 14
Re: "Invalid Certificate" blocking Internet access
«
Reply #2 on:
April 18, 2024, 10:29:26 am »
Hi,
HSTS complains about the wrong certificate. Most likely option 1 is your problem:
Make sure the OPNSense Webgui is NOT listening on Port 443 on WAN. Give it a different port number. Otherwise, your port forward will fail. You can use ports on an IP address only once.
Logged
malebron
Newbie
Posts: 6
Karma: 0
Re: "Invalid Certificate" blocking Internet access
«
Reply #3 on:
April 18, 2024, 06:37:22 pm »
Thank you. Yes, (1) makes sense and changing the port for OPNsense did stop the certificate error.
Based on this suggestion I did some research and sure enough, Asus uses port 8443 for its router GUI. Hence no issues before.
Logged
malebron
Newbie
Posts: 6
Karma: 0
Re: "Invalid Certificate" blocking Internet access
«
Reply #4 on:
April 18, 2024, 08:01:28 pm »
I should probably make this a different post but it follows on from the above:
I am posting this issue to a separate thread to avoid confusion with the subject line. The certificate issue is resolved.
Changing the Opnsense port allowed me to access to my Nextcloud instance from the WAN, however when I try to access it from the LAN side I get "the server where this page is isn't responding". (blank page)
I assume it's something related to port forwarding or DNS, but I'm not sure where to look.
Thanks
«
Last Edit: April 18, 2024, 10:30:30 pm by malebron
»
Logged
meyergru
Hero Member
Posts: 1684
Karma: 165
IT Aficionado
Re: "Invalid Certificate" blocking Internet access
«
Reply #5 on:
April 18, 2024, 10:50:47 pm »
Look into the official documentation for "NAT reflection"
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
malebron
Newbie
Posts: 6
Karma: 0
Re: "Invalid Certificate" blocking Internet access
«
Reply #6 on:
April 18, 2024, 11:45:17 pm »
"Look into the official documentation for "NAT reflection""
The official docs are a bit steep for this newbie, but that was exactly the clue I needed to start researching and I found the tips I needed. THANK YOU @meyergru! You are indeed a hero.
In particular: FIREWALL > SETTINGS > ADVANCED > Network Address Translation
The key was enabling the following settings:
ENABLED - Reflection for port forwards
ENABLED - Reflection for 1:1
ENABLED - Automatic outbound NAT for Reflection
Hope that helps someone else.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
"Invalid Certificate" blocking Internet access