Iām using a regular server release of NC-19 (mariaDB, nginx) together with SSL certificates for my-own-dyndns-domain.org from Letās Encrypt. Everything works great, including the Thunderbird calendar via CALDAV. On my fritzbox I set up nat loopback (at least I think that the adding the domain name my-own-dyndns-domain.org in the section āDNS-Rebind-Protectionā does that). Once, Iām in my local network, the domain address my-own-dyndns-domain.org is forwarded to the local (http) IP of the server ā great. However, thunderbird complains about the letās encrypt certificate. I do understand this, because the local IP is different from the one to which the dyndns address is bound.
Could anyone point me into the direction of how I can still use the caldav calendar when Iām in the same network as my server is? Do I need a second certificate?
I think you misunderstood how a certificate verification works. By default it has absolutely nothing to do with the resolved ip address, because certificates are referring to the domain name for which it has been created.
So if you get a certificate error message in Thunderbird you first have to tell us the EXACT error which is being displayed. Have you tried to access Nextcloud using a normal web browser like Firefox? If yes, does it also show an error message? Is the correct certificate shown if you click on the padlock symbol in the address line?
So if you get a certificate error message in Thunderbird you first have to tell us the EXACT error which is being displayed.
Sorry - youāre right. Here are the details:
Iām in the same (local) network as the server
in my router (a fritz box) I added my DnyDNS address, say, my-own-dyndns-domain.dot.org as a the DNS-Rebind entry. As far as I understand this should ensure that the browser with my-own-dyndns-domain.org is not forwarded to the router.
Have you tried to access Nextcloud using a normal web browser like Firefox? If yes, does it also show an error message?
When I open āmy-own-dyndnsā¦ā in FF I get āSecure Connection Failed: An error occurred during a connection to https://my-own-dyndns-domainā¦ Certificate key usage inadequate for attempted operation. Error code: SEC_ERROR_INADEQUATE_KEY_USAGE [ā¦]ā
When I open the local server address in FF I see the NC page (after confirming a security exception though)
Is the correct certificate shown if you click on the padlock symbol in the address line?
From outside the serverās network, everything looks good, the padlock symbol also shows the letās encrypt certificate.
When Iām in the local network and Iām browsing to the local IP address, I had to add an exception (āFirefox detected a potential security threat and did not continue to 192.168.xxx.yy ā¦ā) because the certificate belongs to https://my-own-dyndns-ā¦, but at least I then get to the NC start page
hi @ncwarrior
I was fighting the same problem few day ago. I forwarded my NC dns record cloud.mydomain.xyz to myfritz external DNS name. This resulted in DNS names resolved to the public IP of Fritzbox, so āsomehowā Firefox and especially Nextcould apps on Android phones where failing to login as they hit Fritzbox login pageā¦(=cert issue) I added Rebind protection for my cloud DNS and Myfritz address to the FB config without success.
The problem was not easy to solve - there are 3 parts of the solution:
setup/use local DNS server like Pihole to create āsplit-brainā DNS for your Nextcloud installation
define a local IP address for your Nextcloud instance DNS record
BLOCK your myfritz DNS record (this is because clients, especially Android request both A=IPv4 and AAAA=IPv6 DNS records) - which results in public DNS request, so you get both you local IPv4 AND public IPv6 address, which heads to Firtbo login page
best regards, feel free to reach out if you have any questions
thank you so much ā Iāll try to follow these steps during the next days.
By the way, do you (or someone else) know if this is a problem that is related to the FritzBox, or is it always necessary to set up a separate DNS server? Iām just wondering because in all online step-by-step instructions for setting up NC Iāve never seen that this was mentioned.
in my case the problem is related to the myfritz service. Most guides are using some public dyndns providers. The difference is most likely that public dyndns providers donāt resolve ipv6 (AAAA) DNS records. In my situation I have to use AVM service as in Switzerland even residential DSL lines get semi-static IP (in opposite to Germany the provider is no obliged to assign new IP every 24h) - which violates DynDNS requirements.
From my experience there was no problem for Desktop Firefox (and Edge) but always hit two Android phones - both clients and browser. It looks like Android prefers IPv6 if available and āmay beā fritzbox handles IPv6 different in terms of port forwarding.
In my case the ONLY stable solution was to block the public DNS record of myfritz to avoid IPv6 DNS resolution and provide internal IP. My try to setup internal resolution using pihole failed as I didnāt manage to setup the container with IPv6 internally. But clients keep asking for both A and AAAA records - this is why it resolves partly to the LAN IPv4 of the container and public IPv6. Maybe you donāt need this extra step if you Nextcloud domain has IPv4-only DNS.
After trying to learn about how to set up a DNS server (and beeing a bit hesitant about thatā¦) I tried something else: I disabled the entry for the IPv6 address for the DynDNS address. This has done the trick for me and I can now access NC and all services with my FritzBox without having to do anything else. Thanks for helping me to get on the right track!