Home server behind SSL and Dyn not functioning

I have installed Nextcloud, via the Ubuntu install process, on a server in my office. To reach this server externally I utilize Dyndns as a dynamic dns. In the config file I added the domain I am using so it reaches it correctly. All is well on port 80.

However, when I try to enable SSL it fails to connect any longer on 443. I enable thus:

sudo nextcloud.enable-https lets-encrypt

When it asks the name of the domain, I put in that which is set in my dyndns, e.g. ‘mydomain.this.org’.

Here are responses/log items:

Doing a wget gives me:

ERROR: certificate common name 'domain.name.org' doesn't match requested host name '127.0.0.1'.

Apache logs give me:

[Wed Nov 20 22:56:22.352350 2019] [ssl:warn] [pid 19948:tid 139796757780352] AH01909: data_server.lan:443:0 server certificate does NOT include an ID which matches the server name

Using Openssl s_client connection it returns:

OpenSSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number Unable to establish SSL connection.

I have tried different firewall configs (allowing, etc). I also have port 80 and 443 forwarded through my router (Openwrt/LEDE).

Perhaps I am missing a setting somewhere?

If you have port 80 open, what happens if you go to your url as http://

Is your router directly connected to ISP or is there another router from the provider first? All routers in the chain will need the port forwarding set.

If I go to port 80, after enabling HTTPS as shown, it automatically tries to switch to port 443 and I get the SSL failures noted.

My provider modem/router is in passthrough mode, so my router is the only one on the system connected to the incoming from ISP.

Do you have SSL enabled in Apache?
Try this:
a2enmod ssl
a2ensite default-ssl

You should be able to just test apache is working by going to https://

Does this work?

apache/apache2 is not controlled in this manner. As I installed Nextcloud during the Ubuntu install process, it installed it all via snap. So, when you issue the command:

nextcloud.enable-https

With lets-encrypt after, then it sets up all the certs and other config, then restarts apache.

Nice. I’ve not used snap, so not sure if I can really help.

Yeah, it's been interesting for me with the snap setup. Almost to the point of starting over and installing via the install guide instead of the Ubuntu tool.

I’d be interested if you start over how it goes. I’ve never had any issues installing Nextcloud via the Debian server install guide. I have it running at seven different sites. The SSL part has always been simple to set up.

Do you utilize a dynamic dns and domain?

I do at a few sites, never been an issue. I’ve also used Let's Encrypt; so long as port 80 is open at the start of running it, it works great.

rickroll wrote:

> Doing a wget gives me:
>
> ERROR: certificate common name 'domain.name.org' doesn't match requested host name '127.0.0.1'.

Do you do wget 127.0.0.1 or wget domain.name.org?
btw: try curl -v domain.name.org .

Ok, so I completely rebuilt the server, using nginx and manually loaded all the nextcloud, etc.

(guide followed: https://www.linuxbabe.com/ubuntu/install-nextcloud-ubuntu-18-04-nginx-lemp)

To your question Reiner, if I do a wget 127.0.0.1 I get the proper index.html saying welcome to nginx.

When I try wget my.domain.org I get

--2019-11-22 19:07:18--  http://my.domain.org/
Resolving my.domain.org (my.domain.org)... xxx.xxx.xx.x
Connecting to my.domain.org (my.domain.org)|xxx.xxx.xx.x|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://my.domain.org/ [following]
--2019-11-22 19:07:18--  https://my.domain.org/
Connecting to my.domain.org (my.domain.org)|xxx.xxx.xx.x|:443... connected.
OpenSSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Unable to establish SSL connection.

When I do curl -v domain.name.org:

* Rebuilt URL to: my.domain.org/
*   Trying xxx.xxx.xx.x...
* TCP_NODELAY set
* Connected to my.domain.org (xxx.xxx.xx.x) port 80 (#0)
> GET / HTTP/1.1
> Host: my.domain.org
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 22 Nov 2019 19:09:41 GMT
< Content-Type: text/html
< Content-Length: 194
< Connection: keep-alive
< Location: https://my.domain.org/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host my.domain.org left intact

One thing to note, in case it would make a difference, my certbot command is to create a cert for a subdomain. As I use dyndns, I am only allowed a subdomain. Certbot creates it fine with the command:

sudo certbot --nginx --agree-tos --redirect --staple-ocsp --email my.email@email.email -d subdomain.maindomain.org

SOLVED!

One of those bone-head settings issues. (At least I learned a lot by manually building everything.)

In my router settings (I use LEDE), I disabled NAT loopback on port 80 and kept it enabled on port 443.

Works like a charm.

Thanks to all for the help!
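On the `wrong version number` error quoted in this thread: OpenSSL raises it when the first bytes that come back on port 443 are not a TLS record, typically because whatever answered the port speaks plaintext HTTP. The following is an added example, not something posted by anyone in the thread: it sends a genuine ClientHello and classifies the reply, so the same check can be run from inside and outside the LAN; the function names and the command-line usage are assumptions made for the illustration.

```python
import socket
import ssl
import sys

# TLS record types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def classify_reply(first: bytes) -> str:
    """Classify the first bytes a server sends in answer to a TLS ClientHello."""
    if not first:
        return "no-reply"
    if len(first) >= 3 and first[0] in TLS_CONTENT_TYPES and first[1] == 0x03:
        return "tls"             # a real TLS record header
    if first.startswith(b"HTTP/"):
        return "plaintext-http"  # what OpenSSL reports as "wrong version number"
    return "unknown"


def client_hello(server_name: str) -> bytes:
    """Have the ssl module build a genuine ClientHello in memory (no network I/O)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's reply
    return outgoing.read()


def probe(host: str, port: int, server_name: str, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and report what kind of service answered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(server_name))
        first = b""
        try:
            while len(first) < 5:  # a TLS record header is 5 bytes
                chunk = sock.recv(5 - len(first))
                if not chunk:
                    break
                first += chunk
        except (socket.timeout, ConnectionResetError):
            pass  # treated as "no-reply" unless some bytes already arrived
        return classify_reply(first)


if __name__ == "__main__" and len(sys.argv) == 4:
    # usage (hypothetical script name): probe.py <ip-or-host> <port> <server-name>
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

A `plaintext-http` result on port 443 means the connection never reached a TLS listener, so the forwarding or loopback path is the place to look rather than the certificate.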