SSL Error when i try to connect to NC

Pampa_Party · October 26, 2023, 11:15am

Nextcloud version (eg, 20.0.5): 27.1.2
Operating system and version (eg, Ubuntu 20.04): Ubunut 22.04
Apache or nginx version (eg, Apache 2.4.25): not sure, on System is apache 2.4.52 installed but i use also an Nginx Proxy Manager and have no idea how the communication here works
PHP version (eg, 7.4): 8.2.11

Since a few days i have the problem that i can´t connect to my Nextcloud via domain or IP-Adress in my Home Network. If i try to reach Nextcloud from outside of my home network, for example with my mobile Internet connection, everything works as it should, at least as long my server had a connection to the internet. For now i took it off the internet because i don´t know whats going on here. The errors i get are ERR_SSL_PROTOCOL_ERROR, when i try to connect to nextcloud with a vpn and NET::ERR_CERT_AUTHORITY_INVALID without a vpn. These errors still exist after i put the server down. A little research points out that there maybe is a man in the middle attack, thats why i put the server down. The SSL Certificate i get shown with these errors in the web browser are not installed by myself. I can see this cause i use lets encrypt Certificates for Nextcloud and they have a time limit of 90 days, but the shown SSL Certificate is valid till 2038. Also when i try to connect to nextcloud via intern IP-Adress i get ERR_SSL_PROTOCOL_ERROR. I tried all i can find on the internet to solve ssl errors like delete Certificates, timeset etc. But the shown certificate, which comes with the error, i couldn´t find anywhere till now to delete it.
Also my Router gives me “The DNS rebind protection of your Router rejected your request for security reasons.” when i try to reach my domain/subdomain name.

So i need help to get rid of this errors and connection to my nexcloud again.

Is this the first time you’ve seen this error? (Y/N): Y

The output of your Nextcloud log in Admin > Logging:

is empty

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

?php
$CONFIG = array (
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxxx',
  'secret' => 'xxxx',
  'trusted_domains' => 
  array (
    0 => 'intern IP',
    1 => 'domain',
  ),
  'datadirectory' => 'path/to/data,
  'dbtype' => 'mysql',
  'version' => '27.1.2.1',
  'overwrite.cli.url' => 'https://domain',
  'dbname' => 'name',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'name',
  'dbpassword' => 'password',
  'installed' => true,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'overwriteprotocol' => 'https',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' => 
  array (
    0 => 'admin',
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
    0 => 'app1',
    1 => 'app2',
  ),
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'nextcloud',
  'mail_domain' => 'domain',
  'mail_smtpport' => '465',
  'mail_smtphost' => 'xxx,
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'name.domain,
  'mail_smtppassword' => 'xxx'
  'mail_smtpsecure' => 'ssl',
  'default_phone_region' => 'DE',
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
  ),
  'remember_login_cookie_lifetime' => 1296000,
  'session_lifetime' => 1800,
  'session_keepalive' => false,
  'auto_logout' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'htaccess.RewriteBase' => '/',
);

The output of your Apache/nginx/system log in /var/log/____:

Apache is empty

wwe · October 29, 2023, 8:54pm

Until you are “high valued target” like journalist, manager or politician chances are low there is a real man-in-the-middle attack. Often the subject/description of the bad certificate already tells you where it comes from… validity to 2038 sounds like Root CA or maybe self-signed cert - not serious attacker would do this as certificate validity must be less than two years today…

As you say the problem only manifest for local access - all/most troubleshooting must happen on your client - the server is likely fine.

you should check where the client connects to checking internal DNS records and client logs (search for browser developer tools aka F12 tools)
if the target differs from your server address you should troubleshoot why this happens. Good candidates are local DNS config (pihole, adguard, hosts file), anti-malware programs which try inspect traffic.

“DNS rebind protection” prevents from accessing public DNS domains though local IP address - often this happens when you start using local DNS server like Pihole or Adguard. Take a look at IPv6 config as well - here completely different mechanism is used - no more port forwarding just direct access is allowed for the IP address of the device (not the router).

Pampa_Party · October 30, 2023, 3:34pm

Hi, thx for the reply.

The exhibitor of the false certificate is “CN = my domain”. I guess im not a high valued target but i could not say i have no enemys. Maybe there was just a bad Hacker. I also had changings for example in Proxmox, which i haven´t set, or i cloudnt login in other services with my admin pw. I tried to reset them all and hope for the best for now. But i don´t know much about hacking, so i appreciate your help.

The Problem was just in my Network, but for all Clients in it. Today i can reach my NC via my Mobilphone in my Network again, but still not from my tower PC via Browser. I don´t know why. When i try to reach the url from my tower, the connection attemp is also not listed in my pi-hole, but the connection attemps from my mobile phone are listed there. For tower still just get the mentioned errors in Browser. But to make it more curious the nextcloud app client on my tower seems to work again. This is so confusing for me and doesnt feel normal at all.

Also i set two sudomains for my domain to reach services from the internet. Both i can reach from my mobile phone again today. On my tower i get the SSL/ Cert error for NC and for the other Service i get DNS rebind protection.

Do you have some more tips how i can find out whats going on here?

Thx for your help

wwe · October 30, 2023, 4:54pm

I wrote above how I would start the troubleshooting, because every http connection follows the same mechanics: finding IP address through DNS record, connecting there, checking certificate, further interaction with websites… cert checking happens pretty early so not much to check…

Certificate with domain name as CN is more or less right - you should look on the issuer… rebind protection definitely kicks in when public DNS record happens to point to local address (which you are normally want to do - but then you should whitelist domains you host locally). Pihole logs are not real “connection track” - Pihole is only logs DNS queries - which are cached by every client for reasonable time - once the cache exists no more requests are send to Pihole (both Linux and WIndows have commands to list DNS cache)…

Pampa_Party · November 2, 2023, 11:17am

I tried to find out what you mentioned, cause this is new for me and i don´t know if i get this right.
When i do an nslookup for my domain i get a diffrent location for my ipv4 and ipv6 adress. The ipv4 is correct to my location (my router/my internet connection), the place where my server is with NC, but the ipv6 points to another location (not my place of residence). Is this a sign for a Cyber Attack? From my point of view yes. Cause i set my domain to point at my location (my Router).
Thx for your patience and help so far.

Edit: I turned off IPv6 adresses in my router and i can connect to my services again