Error code : SSL_ERROR_BAD_CERT_DOMAIN

Hello,

I recently had the “document could not be saved” issue on OnlyOffice, so I got advice to swap http to https here at “server address for internal requests from the Document Editing Service”:

It solved that, but now, since I started up the server again, I can't access Nextcloud with the internal IP or the external one…

I get this error from internal:
192.168.1.19 (that is the local address of my Nextcloud) uses an invalid security certificate.

This certificate is only valid for mydomain.com

Error code : SSL_ERROR_BAD_CERT_DOMAIN
https://192.168.1.19

External: HTTP ERROR 500

I can't even swap back the changes since I can't log in to Nextcloud.

The guide I followed to install Nextcloud is this one:

Thank you very much :slight_smile:

Hi,

If you are using HTTPS you need to access your server via your domain name. That is because your SSL certificate (for HTTPS) is created for your domain name, consequently contains that domain name and is only accepted when the address you’re accessing contains that name.

Can you check the outcome when you use your domain name for accessing the server?

If you want to avoid a connection to your server through the internet, you can add your server’s domain to your hosts file. On Windows it is:
C:\Windows\System32\drivers\etc\hosts

You could enter the following (please replace your.domain.tld with your actual fully qualified domain name):
192.168.1.19 your.domain.tld

Your computer will then resolve the domain name to the local IP and directly connect to your server.

If that doesn’t help so far, please post your nginx config.

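The check the reply describes is the browser's hostname verification: a certificate issued to mydomain.com carries only that dNSName, so an IP literal in the URL never matches it, while a hosts-file entry makes the browser request mydomain.com and the name matches. The following is an added example, not code from the original post; the certificate names and hosts-file lines are constructed, and it also covers the wildcard and iPAddress cases the thread does not mention.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Names a server certificate is valid for (constructed, not parsed from a real cert)."""
    dns_names: List[str] = field(default_factory=list)
    ip_addresses: List[str] = field(default_factory=list)


def _dns_name_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact name, or a single wildcard as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the entire first label, must not cover a bare TLD,
    # and matches exactly one label (no sub-sub-domains).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: CertNames, requested_host: str) -> bool:
    """True when a browser accepts `cert` for the host part of the URL.

    An IP literal is compared only against iPAddress SANs, never against
    dNSName entries; that is why https://192.168.1.19 fails with
    SSL_ERROR_BAD_CERT_DOMAIN for a certificate issued to mydomain.com.
    """
    try:
        ip = ipaddress.ip_address(requested_host)
    except ValueError:
        return any(_dns_name_match(n, requested_host) for n in cert.dns_names)
    return any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)


def hosts_file_resolution(hosts_lines: List[str], name: str) -> Optional[str]:
    """Minimal hosts-file lookup: address of the first entry listing `name`."""
    for raw in hosts_lines:
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (n.lower() for n in fields[1:]):
            return fields[0]
    return None


# Constructed scenario mirroring the thread: Let's Encrypt cert for mydomain.com only.
LE_CERT = CertNames(dns_names=["mydomain.com"])
HOSTS = ["# constructed hosts file", "192.168.1.19 mydomain.com"]
```

With `cert_covers(LE_CERT, "192.168.1.19")` the check fails, `cert_covers(LE_CERT, "mydomain.com")` passes, and `hosts_file_resolution(HOSTS, "mydomain.com")` returns the LAN address the browser will then connect to.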

Thank you for your help!

Are you sure that I can access my Nextcloud by my domain on the local network? I thought it would just loop.

I tried and i get “This webpage is not available”

Here is my nginx.conf; I just removed my domain from it.


user www-data;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {

upstream backend {
  server app-server:9000;
}


include       /etc/nginx/mime.types;
default_type  application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

map $http_host $this_host {
    "" $host;
    default $http_host;
}

map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    "" $scheme;
}

map $http_x_forwarded_host $the_host {
   default $http_x_forwarded_host;
   "" $this_host;
}

server {
listen 80;
server_name mydomain.com;

    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    root /var/www/html;
    client_max_body_size 10G; # 0=unlimited - set max upload size
    fastcgi_buffers 64 4K;

    gzip off;

    index index.php;
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
    rewrite ^/.well-known/caldav /remote.php/dav/ permanent;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    listen 443 ssl http2;

    # Straight quotes: the typographic quotes in the pasted version would not parse in nginx
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

    location ~ /.well-known/acme-challenge {
        root /var/www/html/;
        allow all;
    }

    location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location / {
        rewrite ^/remote/(.*) /remote.php last;
        rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
        try_files $uri $uri/ =404;
    }

    # Reverse proxy to the OnlyOffice document server (WebSocket upgrade enabled)
    location ~* ^/ds-vpath/ {
        rewrite /ds-vpath/(.*) /$1 break;
        proxy_pass http://onlyoffice-document-server;
        proxy_redirect off;

        client_max_body_size 100m;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
        proxy_set_header X-Forwarded-Proto $the_scheme;
    }

    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS off;
        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
        fastcgi_pass backend;
        fastcgi_intercept_errors on;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the location ~ \.php(?:$|/) { block
    location ~* \.(?:css|js)$ {
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    # Optional: Don't log access to other assets
    location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
        access_log off;
    }

}

}

Yes, I’m sure :slight_smile: You avoid the “loop” (actually rather an unnecessary detour through the internet) by editing your hosts file as suggested above.

Your server is not reachable from the Internet?
Does Nextcloud work on its own with HTTPS enabled? Does Onlyoffice work with HTTPS on its own?

This is from the HTTPS part of your config and it forwards the traffic to OnlyOffice. I believe it should read:
proxy_pass https://onlyoffice-document-server;


Well, since I changed http://nginx-server/ to https://nginx-server/ it worked perfectly. I had HTTPS working on both Nextcloud and OnlyOffice locally and from the public IP; then I decided to reboot.

And now Nextcloud is not reachable from the local network or the public IP address :confused:

Is it possible to force http://192.168.1.19 instead of https://192.168.1.19?

Thank you again for your help :smiley:

Were the docker images started with the parameter --restart always?
Or, asking the other way round, are the docker images running after the reboot?
Could you please check with:
docker ps

It is very strange that everything works fine and that a reboot alone breaks something. It's more likely that the reason for this can be found in system updates.

If you use your server in the LAN only, you could undo all changes that enabled HTTPS. Apart from that, it is not suggested to run with HTTP only. Once set up correctly, HTTPS is pretty simple.


Yes, all docker images are running after the reboot, even if I'm pretty sure I had 4 images… maybe certbot?