net::ERR_CERT_AUTHORITY_INVALID from my local network with my.domain.tld

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 31.0.4.1
  • Operating system and version (e.g., Ubuntu 24.04):
    • nextcloudpi 1.55.4
  • Web server and version (e.g, Apache 2.4.25):
    • replace me
  • Reverse proxy and version (e.g. nginx 1.27.2):
    • No
  • PHP version (e.g, 8.3):
    • 8.3.20
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • I don’t know. Hard to say. I ignored it for some weeks.
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • NCP
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

Hello,

I have the problem that I can’t access nextcloud from my local network with the domain I have. I get net::ERR_CERT_AUTHORITY_INVALID. From outside it works fine and the cert is valid (letsencrypt).
I do NOT get the letsencrypt cert locally. And it does not matter which device I use (there are at least 5 different ones). I can reach nc from the local ip and the public ip address with the correct cert (but https is crossed out).
I also don’t have that much network experience so excuse anything that might be wrong or obvious.

Gemini said it is a network issue and I should set dns-rebind on my fritzbox. I did it but it did not help. I also set a different dns server (v4 and v6) which also did not help. Also I did add my domain to dns-rebind after I got this issue. It worked beforehand without it.

If I do nslookup I get the public IP address (which is good, gemini says).

Thank you for your help.

Steps to replicate it (hint: details matter!):

  1. connect to wifi
  2. go to my.domain.tld
  3. see the cert error and get the wrong cert

Log entries

Nextcloud

no logs needed because no connection to nextcloud was possible?

Web Browser

any browser

Web server / Reverse Proxy

No reverse proxy or extra installed. Only Nextcloud Pi

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

  'trusted_domains' => 
  array (
    2 => 'localhost',
    7 => 'nextcloudpi',
    0 => 'my.domain.tld',
    11 => 'ip v6 ip',
    1 => 'nc local ip',
    20 => 'my.domain.tld',
    22 => 'my-public-ip',
  ),

  'logfile' => '/mnt/ncraid/ncdata/data/nextcloud.log',
  'overwrite.cli.url' => 'https://my.domain.tld/',
  'overwriteprotocol' => 'https',
  'trusted_proxies' => 
  array (
    11 => '127.0.0.1',
    12 => '::1',
     0 => 'my-public-ip',
     2 => 'nc local ip',
  ),

likely your proxy serves wrong cert for local access. please review

looking at browser dev tools (f12) → network helps a lot - you see hostname and ip address where it connects to.

I found an entry on reddit which pointed out that fritzbox has some trouble with dyndns, ipv6 and/or dns rebind in that regard. So I disabled everything IPv6 related (dns server, excluding ipv6 on dyndns url and so on) on my fritz and it finally worked.

Here is the article: https://www.reddit.com/r/fritzbox/comments/1at2mfa/dns_rebind_protection_exception_not_working/

As far as I understood it, it has something to do with Strato (German domain provider).
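
A way to check which address serves which certificate, following the advice above to look at the IP the client actually connects to. This is an added example, not part of the original thread: the function names are this example's own, and the sample results (documentation-range addresses) are constructed.

```python
import socket
import ssl
import sys

def addresses(host, port=443):
    """Every (family, ip) pair the local resolver returns, IPv4 and IPv6."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({("IPv6" if fam == socket.AF_INET6 else "IPv4", sa[0])
                   for fam, _, _, _, sa in infos})

def probe(host, family, ip, port=443, timeout=5):
    """Connect to one specific IP with SNI=host and validate the chain."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    result = {"family": family, "ip": ip}
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return {**result, "ok": True,
                        "detail": issuer.get("organizationName", "?")}
    except ssl.SSLCertVerificationError as e:   # untrusted or mismatched cert
        return {**result, "ok": False, "detail": e.verify_message}
    except OSError as e:                        # no route, refused, timeout
        return {**result, "ok": None, "detail": str(e)}

def summarize(results):
    """Verdict plus the address families that served an untrusted cert."""
    bad = sorted({r["family"] for r in results if r["ok"] is False})
    good = sorted({r["family"] for r in results if r["ok"] is True})
    if bad and good:
        return "split", bad        # some addresses validate, others do not
    if bad:
        return "untrusted", bad
    return ("trusted", []) if good else ("unreachable", [])

# Constructed sample: the two address families end at different TLS endpoints.
SAMPLE = [
    {"family": "IPv4", "ip": "203.0.113.10", "ok": True,
     "detail": "Let's Encrypt"},
    {"family": "IPv6", "ip": "2001:db8::1", "ok": False,
     "detail": "self-signed certificate"},
]

if __name__ == "__main__":
    host = sys.argv[1]             # e.g. my.domain.tld
    results = [probe(host, fam, ip) for fam, ip in addresses(host)]
    for r in results:
        print(r)
    print(summarize(results))
```

Run it from a device on the local network and again from outside; a "split" verdict names the address family whose endpoint is not the Nextcloud server's certificate.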
