Letsencrypt certificate on internal network

Hi,

I have my Nextcloud Ubuntu Appliance all working on my RPi3 Nextcloud Box, which I use to access my data both within my local network and outside.

I have a LetsEncrypt certificate (sudo nextcloud.enable-https lets-encrypt) which works fine when accessing from outside my home network

However, when trying to access from within my home network on nextcloud.local (or internal IP), my browser flags up that the certificate is for the wrong domain

This is presumably because I made the certificate for ‘MyDomain’ and not nextcloud.local (or internal IP)?

This is fine when the browser gives me the option to carry on anyway (e.g. Firefox on Linux), but not in other cases (e.g. Linux on Win 10 with Bitdefender, where I tried whitelisting nextcloud.local with no success, or in some Android apps I use)

So, what can I do about this please?
Can I, or should I install another cert/extend the existing one to include nextcloud.local ?
Or is there some other trick?

Thanks

Leigh

Hi Leigh,

I haven’t used the appliance yet but I’d rather get a new certificate with the proper domain names, for example using acme.sh.

Thanks @codekraft

Before I invested time in finding out more about acme.sh, I simply tried via sudo nextcloud.enable-https lets-encrypt to include nextcloud.local but got the following error:

An unexpected error occurred:
Error creating new order :: Cannot issue for “nextcloud.local”: Domain name does not end with a valid public suffix (TLD)

In order to ensure that the browser no longer issues warnings and that you can easily access the Nextcloud with all the apps, you must also use your external domain name in the internal network. There are several ways you can do this, some of which depend on the capabilities of your router.

The easiest way is if your router supports Hairpin NAT / NAT loopback. If this function is active, it works automatically from all devices that are connected to the router. Certain router models also support so-called host overrides, i.e. you can define new DNS records that local clients receive instead of the responses from upstream / external DNS servers, which of course refer to your external IP address instead of the internal IP, as would be needed here.

Further possibilities would be a separate local DNS server, or manually added entries in the hosts file of the computer that wants to access the Nextcloud.

An unexpected error occurred:
Error creating new order :: Cannot issue for “nextcloud.local”: Domain name does not end with a valid public suffix (TLD)

Let’s Encrypt only works with official public TLDs like .com, .net etc.

.local is not a valid public suffix as the error message correctly states and cannot be used with Let’s Encrypt or any other Certificate Authority.

Thanks @bb77

I already have modified my /etc/hosts file to include a line:
Internal-IP external-domain
which I thought enabled my exterior Nextcloud bookmarks to work whilst on the internal wifi network

Could you explain in layman’s terms what these two terms in this line of the file do? Does it translate any entry of external-domain to ‘internal IP’, for example?

Also, what would I have to put in here to get rid of the browser warning?

Also, how do I do this in windows?

Also, how do I do this in Android? Do I have to be rooted?

Thanks for your patience

Leigh

maybe this will help:

But I must say doing it like this would be the least preferable way to achieve your goal, because obviously you have to do it for each device individually, and with Android devices this can indeed be a problem. Not only do you have to be root, at least as far as I know; you also would have to change it each time you are outside your home with the device.

Have you checked whether your router supports Hairpin NAT / NAT loopback? In some models this has to be activated separately. If your router does not support this and host overrides are not possible directly in the router configuration, something like Pi-hole https://pi-hole.net/ might be an option for you. This has the pleasant side effect that you would also have a central ad blocker in your network. Pi-hole is not exclusive to the Raspberry Pi and can be installed on any device or VM that runs Debian. It offers a nice web GUI in which you can configure the host overrides for your Nextcloud in addition to the functions for ad blocking, which can also be disabled for individual devices or completely.
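To make the two mechanisms discussed in this thread concrete, here is an added example (not code from the thread or from the Nextcloud appliance): it parses a hosts-file entry of the "Internal-IP external-domain" kind and applies the hostname check a browser performs against a certificate's names, which shows why the public name works and nextcloud.local or a bare IP does not. The hosts content and names are constructed placeholders.

```python
import ipaddress

# Constructed sample /etc/hosts content (placeholder names and addresses).
# The third line is the kind of entry Leigh describes: "Internal-IP external-domain".
SAMPLE_HOSTS = """
127.0.0.1   localhost
# Nextcloud Box: make the public name resolve to the LAN address while at home
192.168.1.50   cloud.example.org
"""

def hosts_lookup(hosts_text, name):
    """Return the IP that a hosts file maps `name` to, or None if absent.

    Each line is "<ip> <name> [<alias> ...]"; '#' starts a comment.
    The OS resolver consults this file before asking any DNS server, so the
    entry above makes cloud.example.org resolve to 192.168.1.50 on that one
    machine only (the public DNS record is untouched)."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if name.lower() in (n.lower() for n in names):
            return str(ipaddress.ip_address(ip))  # also validates the address
    return None

def cert_matches_host(san_names, hostname):
    """Does a certificate issued for `san_names` cover `hostname`?

    Mirrors the browser's check (RFC 6125 style): an exact DNS name match,
    or a single-label wildcard such as *.example.org. A bare IP address is
    only covered by an IP-address entry, never by a DNS name. This is the
    check that fails for nextcloud.local or the internal IP when the
    certificate was issued for the public domain."""
    host = hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return any(s.strip() == host for s in san_names)
    except ValueError:
        pass  # not an IP, continue with DNS-name matching
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        # wildcard covers exactly one leftmost label, nothing more
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False
```

With the hosts entry in place the browser still connects to the LAN address, but because the URL bar says cloud.example.org the certificate check passes; it is the name, not the address, that the browser compares.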

Thanks again!
Yes that helps for my Windows dual boot that I use for work
I am in Portugal, so am doubly confounded by my lack of technical and linguistic talents, but I think that my Router has HairpinNAT / NAT loopback (they call it ‘reflection’ not ‘loopback’?)

Specifically the following comment, makes me think that the Dynamic DNS settings on my Router use this?
(Port Forwarding on the MEO Fiber Gateway Router)

If they do use this HairpinNAT / NAT loopback, then I already have Dynamic DNS activated using my Zapto address since my provider changes my external IP address every now and again

There is only the option to use one Dynamic DNS address pair

I am completely mystified by DNS, but bumble through taking advice from more intelligent people :smile:

(they call it ‘reflection’ not ‘loopback’?)

Yep. NAT Reflection is just another term for the same thing.

If you can reach your Nextcloud from outside your network with your DynDNS name, port forwarding is already working as it should. NAT reflection would then ensure that the external DynDNS name also works within your local network.

Specifically the following comment, makes me think that the Dynamic DNS settings on my Router use this?

Yes and no. The user says that NAT reflection is working for him. At least this is what Google Translate is telling me :wink: Does your router have the latest software updates installed?

I also think you must configure it to use the external name from the internal and external network (then the Let’s Encrypt certificate is fine). You cannot get a correct Let’s Encrypt certificate for an internal name or domain.
Search Nat Loopback and Hairpinning.

Yes I can reach from outside with my domain name (Safe SSL) and my zapto address (not safe SSL)

I re-read it carefully (my Portuguese is OK, it’s just confusing on technical stuff) and it seems they are saying that with that software update (from a few years back) the port forwarding worked inside the home network as well?

Anyway, I have the up to date software - what do I have to do now? Please :slight_smile:

Your router must support NAT loopback and/or hairpinning.
Then the router recognizes that the world-wide Let’s Encrypt URL is not on the internet but in the same intranet. You must only use the world-wide Let’s Encrypt URL.

Two questions:

  1. What happens if you use the same domain name inside your home network?

  2. Are you using a subdomain like “cloud.domain.tld” or just the domain name like “domain.tld”?

EDIT:
Reply was for @leigh

@bb77
  1. On Manjaro if I use my.domain on my home network then it all works perfectly (no SSL exception needed). I think this is because of the Nextcloud.Box.IP my.domain entry I put in /etc/hosts. I think without this entry I couldn’t connect via this route.

  2. subdomain

I also made a CNAME DNS entry on my domain provider’s management site to link my zapto.domain and my.domain

I think without this entry I couldn’t connect via this route.

most likely

I also made a CNAME DNS entry on my domain provider’s management site to link my zapto.domain and my.domain

Sounds ok to me. For some reason your router is not doing NAT loopback/reflection properly. Hard to say where the problem is. Either your specific model doesn’t do it at all or maybe there is some checkbox to activate it.

Is zapto the DynDNS service?

Yup, it is

It is possible the router isn’t working properly. I am pretty sure there is no checkbox; that forum says you don’t have to do anything except update the software, and my router has been factory reset not long ago.
I am thinking that maybe I am just being picky and should just use the external addresses even when on internal network
I am way out of my depth already :smile:

I am thinking that maybe I am just being picky and should just use the external addresses even when on internal network

that wouldn’t work

If there is no possibility to either activate NAT reflection or do host overrides in the router configuration, there is no other way than to set up a separate DNS server inside your local network, or to do the host overrides on each device separately, which leads to the problems already discussed. Of course you can always use the internal IP addresses/domain names, but then you can only use self-signed certificates or plain HTTP.

Is this it?

Nope. DMZ in this case means that your device is fully exposed to the internet. This means that no port-forwarding is needed but it doesn’t solve the problem with NAT.

Wait. What do you mean by external addresses? Do you mean the actual IP address like 222.222.222.222 or do you mean the external domain name? If the second is the case and you can reach your Nextcloud with this domain name from inside and outside your network, then you should definitely use it like that, because everything is working as intended then.