Server certificate errors

Hi - New user of nextcloudpi here, and apologize if this is the wrong place to post this issue. I’ve had a working raspi 3 nextcloud for about a week, synchronizing calendar through DAVdroid and Thunderbird successfully. Yesterday started receiving DAVdroid sync errors, and Thunderbird asks for security exceptions.

I suspect a cert issue, since Thunderbird says:

"Wrong Site
The certificate belongs to a different site, which means that someone is trying to impersonate this site.
Unknown Identity
The certificate is not trusted… "

I ran nc-report and there are several of these warnings:
[Sun Jan 07 06:25:02.687654 2018] [ssl:warn] [pid 720:tid 1992560640] AH01909: localhost:4443:0 server certificate does NOT include an ID which matches the server name

I ran letsencrypt from nextcloudpi-config but it took no action: “certificates not yet due for renewal”

Can I remove and start over with a new certificate?

you can run letsencrypt from ncp-web or nextcloudpi-config as many times as you want, and you can run it with a different domain if you want.

is the certificate reported in ncp-report/nc-info correct? is it the same as your DDNS domain?

nc-info reports:

=====================================
Gathering information…
NextCloudPi version v0.44.11
NextCloudPi image NextCloudPi_12-04-17
distribution Raspbian GNU/Linux 9 \n \l
automount yes
USB devices sda
datadir /media/myCloudDrive/ncdata
data in SD no
data filesystem btrfs
data disk usage 276M/7.5G
rootfs usage 1.9G/7.3G
Nextcloud check ok
Nextcloud version 12.0.4.3
HTTPD service up
PHP service up
MariaDB service up
Redis service up
Postfix service up
internet check ok
port check 80 open
port check 443 open
IP 192.168.1.189
gateway 192.168.1.1
interface eth0
certificates
certs due 80 days
NAT loopback no
uptime 2days

You should enable dnsmasq to use your domain inside home

The domain name next to “certificates” above is my domain name. Is there a mis-match possible though - i.e. how can I check the certificate value/key/whatever (sorry for certificate ignorance) that NC expects against what my domain is offering/showing/whatever? I am wondering if my domain certificate has been changed (maliciously?) since I first set up NC.

your domain doesn’t offer you a certificate, the only certificate here is the one you have on your pi.

you can open NC in your browser, and check the certificate clicking on the padlock icon next to the address bar

Well… I now see that I can’t even securely browse to the pi when on
my local LAN. I’ve been getting in via HTTP, not HTTPS.

Firefox reports that “This website does not supply ownership information.”

How can I check the web settings on the pi? Something is wrong in the
Apache setup?

And looking at other posts regarding the config.php file, here’s mine:

I thought the ‘overwrite.cli.url’ parameter might be wrong - but it looks right.

Thinking of rebuilding the whole NC, but still hope this is a simple config error.

Ideas?

you are using the IP instead of a URL that matches your certificate. Try to always access through your domain name, after setting up dnsmasq if needed (look in the wiki/ownyourbits for details).

also, please edit and delete your config.php because it contains sensitive information. The way to extract that info securely is through

sudo ncp-report

Using the URL I get an invalid cert:

NET::ERR_CERT_AUTHORITY_INVALID

Not the cert I set up with letsencrypt.
Was I hijacked?
If I can’t rebuild/correct the web server on my pi I’ll scrap the
entire implementation and rebuild a new one.

Any last advice?

GreenWave systems? it should be issued by LetsEncrypt.

Are you sure you didn’t install other software or make changes?

If that’s not the case… that smells bad. You can manage the certificates with the letsencrypt-auto command in the /etc/letsencrypt folder, or start afresh

OK thanks np. I started over and am up again with no (obvious) problems. This time carefully using all security suggested measures.

Just a follow-up - I discovered the real problem. My local IP address lease (yes it was not static) was up, and my FiOS router dished out the same IP, but cancelled the port forwarding. The lack of access and the strange cert I was receiving was from the router. Static now and running fine. A common newbie problem most likely.

great, good job :wink: