Nextcloud client redirect to a URL with another host leads to SSL failure

Dear all,

I’ve got an issue with the nextcloud client Version 3.5.4 (macOS). I set up an account with a URL like https://www.example.org/nextcloud. I set up a redirect from this URL to https://nextcloud.example.org (that host has another valid Let’s Encrypt SSL certificate), but the client shows me an error that the hostname does not match the certificate name.

Firefox, Chrome, etc. work fine and redirect without certificate errors. Is there any caching of certificates? Or does URL redirection not work at all when using the nextcloud client?

Thanks for any hints. I really want to make redirection work, otherwise I’ll have to change the URL on hundreds of clients.

Markus

I am in the same boat and can verify if the redirect is:
https://example.com → https://nextcloud.example.com

In macOS, iOS and iPadOS the Nextcloud app insists on using the example certificate instead of nextcloud.example.

All browsers work as expected with the redirect.

Interestingly, when setting up a new device with example.com it will correctly configure itself to use nextcloud.example.com and doesn’t have the same certificate issue.

nginx config for reverse proxy:

# nextcloud app
server {
  listen 80;

  server_name example.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name example.com;

  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  return 301 https://nextcloud.$host$request_uri;
}

server {
  listen 80;

  server_name nextcloud.example.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name nextcloud.example.com;

  ssl_certificate /etc/letsencrypt/live/example.com-0001/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com-0001/privkey.pem;

  location /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
  }

  location /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
  }

  location / {
      proxy_pass_header   nextcloud.example.com;
      proxy_set_header    Host $host;
      proxy_set_header    X-Real-IP $remote_addr;
      proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header    X-Forwarded-Proto $scheme;
      proxy_pass          http://nextcloud.local/;
  }
}

I would set up certbot to add the redirect as an alternate name so it’s valid in both cases.
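The suggestion above (one certificate whose alternate names cover both hosts) can be checked offline by listing which hosts in the redirect chain a certificate's SAN list fails to cover. This is an added example, not part of the original thread or of Nextcloud's code; the SAN lists are constructed sample data (one name per certificate is an assumption about the posted setup) and the matcher is a simplified RFC 6125-style dNSName check.

```python
# Added example: dNSName matching in the style of RFC 6125, standard library only.
# All hostnames and SAN lists below are constructed sample data.

def san_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against a hostname.

    '*' is accepted only as the entire left-most label and covers exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject "*.com"-style patterns and empty host labels.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def cert_covers(sans, host):
    """True if any SAN entry is valid for the host."""
    return any(san_matches(s, host) for s in sans)

def uncovered_hops(hops, cert_sans):
    """Return the hosts in a redirect chain that the certificate is NOT valid for."""
    return [h for h in hops if not cert_covers(cert_sans, h)]

# Constructed: the redirect chain from the thread.
CHAIN = ["example.com", "nextcloud.example.com"]
# Constructed (assumption): each existing certificate carries a single name.
CERT_APEX = ["example.com"]
CERT_CLOUD = ["nextcloud.example.com"]
# Constructed: one certificate listing both names as alternate names.
CERT_BOTH = ["example.com", "nextcloud.example.com"]
# Constructed: a wildcard certificate, which does not cover the bare domain.
CERT_WILDCARD = ["*.example.com"]

if __name__ == "__main__":
    for label, sans in [("apex", CERT_APEX), ("cloud", CERT_CLOUD),
                        ("both", CERT_BOTH), ("wildcard", CERT_WILDCARD)]:
        print(f"{label:9s} uncovered hops: {uncovered_hops(CHAIN, sans)}")
```

A client that validates every hop against the same certificate only succeeds with the combined SAN list; a wildcard alone still leaves the bare domain uncovered.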

It is recommended to not use server.tld/cloud but cloud.server.tld (subdomain for Nextcloud). You can read this installation guide (sorry Ubuntu 20.04 LTS). Maybe you can use the nginx part there at Step 6 - Configure Nginx Virtual Host for Nextcloud.