PSA: calling remotes with self-signed certs may invoke SSL warnings

I’ve been dabbling with ONLYOFFICE (as I’m not dealing with Docker for Collabora, sorry) and noticed an issue with invoking the editor when the remote doesn’t have valid certs.

Presumably the same will happen with Collabora and other services in future though I haven’t checked.

This won’t happen if you set up a dedicated hostname and SSL it properly, however if everything runs behind proxies like my home network, creating a hostname for every service isn’t normally required.

It’s a minor thing, but if anyone else notices their perfectly valid Cloud suddenly flagging as insecure, this may be why.


I do not understand… what’s your point? What do you mean with different hostname? Another subdomain? Do your NC and OO run on same domain but different paths?

What isn’t clear?

Anything that isn’t the URL of your NC server, doesn’t matter if it’s a subdomain or another domain entirely in this case.

No. Different servers all together

The screenshot you’ve provided shows 2 FQDNs which look like they have valid SSL certs. If you swap the OO SSLs for self-signed, let me know if it still shows as secure.

Ah you have NC on a valid domain and cert and OO on another domain but with a self-signed cert right? Then the warnings make sense. Mixed content. But I still do understand why this is an issue. I am using valid certs for the outside world in my reverse proxy and private ones for the internal hosts. As you know was a bumpy road yesterday :wink:

That’s right! So Nextcloud is accessible via the proxy where LetsEncrypt SSL terminates.

But, because OO is in the same vLAN as NC, there’s no need for NC to go out to the proxy and back into the network to access it; it connects directly, but as NC is accessed over HTTPS, OO needs to be HTTPS too, though as it’s not public the certs don’t need to be trusted.

I figured this would be enough, but I didn’t take into consideration the use of iFrames and Chrome inspecting the validity of the iFrame cert, so has led to this problem.

I imagine I’m not the first, nor last to run into this scenario, hence the PSA :slight_smile: