CALDAV calendar: certificate issue in local network

Hi

I'm using a regular server release of NC-19 (mariaDB, nginx) together with SSL certificates for my-own-dyndns-domain.org from Let's Encrypt. Everything works great, including the Thunderbird calendar via CALDAV. On my fritzbox I set up nat loopback (at least I think that adding the domain name my-own-dyndns-domain.org in the section "DNS-Rebind-Protection" does that). Once I'm in my local network, the domain address my-own-dyndns-domain.org is forwarded to the local (http) IP of the server – great. However, Thunderbird complains about the Let's Encrypt certificate. I do understand this, because the local IP is different from the one to which the dyndns address is bound.

Could anyone point me in the direction of how I can still use the caldav calendar when I'm in the same network as my server? Do I need a second certificate?

Thanks!!

I think you misunderstood how certificate verification works. By default it has absolutely nothing to do with the resolved ip address, because certificates refer to the domain name for which they have been created.

So if you get a certificate error message in Thunderbird you first have to tell us the EXACT error which is being displayed. Have you tried to access Nextcloud using a normal web browser like Firefox? If yes, does it also show an error message? Is the correct certificate shown if you click on the padlock symbol in the address line?

So if you get a certificate error message in Thunderbird you first have to tell us the EXACT error which is being displayed.

Sorry - you're right. Here are the details:

  • I'm in the same (local) network as the server
  • in my router (a fritz box) I added my DynDNS address, say, my-own-dyndns-domain.dot.org as the DNS-Rebind entry. As far as I understand this should ensure that the browser with my-own-dyndns-domain.org is not forwarded to the router.

Have you tried to access Nextcloud using a normal web browser like Firefox? If yes, does it also show an error message?

  • When I open 'my-own-dyndns…' in FF I get "Secure Connection Failed: An error occurred during a connection to https://my-own-dyndns-domain… Certificate key usage inadequate for attempted operation. Error code: SEC_ERROR_INADEQUATE_KEY_USAGE […]"
  • When I open the local server address in FF I see the NC page (after confirming a security exception though)

Is the correct certificate shown if you click on the padlock symbol in the address line?

  • From outside the server's network, everything looks good, the padlock symbol also shows the Let's Encrypt certificate.
  • When I'm in the local network and I'm browsing to the local IP address, I had to add an exception ("Firefox detected a potential security threat and did not continue to 192.168.xxx.yy …") because the certificate belongs to https://my-own-dyndns-…, but at least I then get to the NC start page
  • When I'm in the local network and browse to https://my-own-dyndns-domain.org I'm forwarded to the router's login page

I read that I might need a "loopback NAT" but I don't know how to solve this (I thought that the DNS-Rebind entry is sufficient?)

Please let me know if more information is needed. Thanks for your help!!

hi @ncwarrior
I was fighting the same problem a few days ago. I forwarded my NC dns record cloud.mydomain.xyz to myfritz external DNS name. This resulted in DNS names resolved to the public IP of Fritzbox, so "somehow" Firefox and especially Nextcloud apps on Android phones were failing to login as they hit Fritzbox login page… (=cert issue) I added Rebind protection for my cloud DNS and Myfritz address to the FB config without success.

The problem was not easy to solve - there are 3 parts of the solution:

  • setup/use local DNS server like Pihole to create "split-brain" DNS for your Nextcloud installation
  • define a local IP address for your Nextcloud instance DNS record
  • BLOCK your myfritz DNS record (this is because clients, especially Android, request both A=IPv4 and AAAA=IPv6 DNS records) - which results in a public DNS request, so you get both your local IPv4 AND public IPv6 address, which heads to the Fritzbox login page

best regards, feel free to reach out if you have any questions

1 Like
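As an added illustration of the three steps in the post above (this is not wwe's own configuration), the same split-horizon setup expressed in dnsmasq syntax, which is what Pi-hole runs underneath. The Nextcloud name cloud.mydomain.xyz is taken from the post; the MyFRITZ! hostname example-1234.myfritz.net, the LAN address 192.168.1.10 and the file name are assumed placeholders.

```conf
# /etc/dnsmasq.d/99-nextcloud-split-horizon.conf  (assumed file name; Pi-hole loads this directory)

# Steps 1 and 2: inside the LAN, answer the Nextcloud name with the server's private IPv4.
# dnsmasq never forwards a name listed in "address=" upstream, so the public A/AAAA
# records for it are not seen by LAN clients; an AAAA query gets an empty answer.
address=/cloud.mydomain.xyz/192.168.1.10

# Step 3: block the MyFRITZ! name. A domain given without an address returns NXDOMAIN,
# so a client asking for both A and AAAA has no public IPv6 left to fall back to.
address=/example-1234.myfritz.net/
```

With this in place a LAN client still connects to the hostname cloud.mydomain.xyz, so the Let's Encrypt certificate validates exactly as it does from outside; only the address behind the name changes. To confirm the split, query the Pi-hole directly from a LAN client, e.g. `dig @<pihole-ip> cloud.mydomain.xyz A` and `dig @<pihole-ip> cloud.mydomain.xyz AAAA` (the AAAA answer should be empty), and check that the public resolver still returns the WAN address.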

Hi @wwe

thank you so much – I'll try to follow these steps during the next days.

By the way, do you (or someone else) know if this is a problem that is related to the FritzBox, or is it always necessary to set up a separate DNS server? I'm just wondering because in all online step-by-step instructions for setting up NC I've never seen that this was mentioned.

hi @ncwarrior

in my case the problem is related to the myfritz service. Most guides are using some public dyndns providers. The difference is most likely that public dyndns providers don't resolve ipv6 (AAAA) DNS records. In my situation I have to use AVM service as in Switzerland even residential DSL lines get semi-static IP (in opposite to Germany the provider is not obliged to assign new IP every 24h) - which violates DynDNS requirements.

From my experience there was no problem for Desktop Firefox (and Edge) but always hit two Android phones - both clients and browser. It looks like Android prefers IPv6 if available and "may be" Fritzbox handles IPv6 different in terms of port forwarding

In my case the ONLY stable solution was to block the public DNS record of myfritz to avoid IPv6 DNS resolution and provide internal IP. My try to setup internal resolution using pihole failed as I didn't manage to setup the container with IPv6 internally. But clients keep asking for both A and AAAA records - this is why it resolves partly to the LAN IPv4 of the container and public IPv6. Maybe you don't need this extra step if your Nextcloud domain has IPv4-only DNS.

Update 2023: now I learned this is right and there is no "IPv6 port forwarding" - you rather open the router firewall and send requests to the IPv6 of the Nextcloud server. and yes it IS possible to setup docker containers with IPv6 and make them available from outside! see NC not reachable over Domain - #2 by wwe for details.

After trying to learn about how to set up a DNS server (and being a bit hesitant about that…) I tried something else: I disabled the entry for the IPv6 address for the DynDNS address. This has done the trick for me and I can now access NC and all services with my FritzBox without having to do anything else. Thanks for helping me to get on the right track!

2 Likes