SSL Untrusted Certificate errors, setup advice needed

Hi,
I sometimes get SSL Untrusted Certificate errors (like these Nextcloud 14 SSL Untrusted Certificate) and would need advice on whether my setup/installation/habit is kind of dangerous.

My setup:

  • I have a domain and use dyndns to point to my home ip
  • I have a small server with nginx-reverse proxy and lets encrypt certificate and nextcloud docker
    So far everything works fine.

Probably bad habit:
I have configured my server to turn off after a specific time and I can wake it up remotely using wake-on-lan.

SSL untrusted certificate error occurrence:
I get this error on my laptop & pc (ubuntu 18.04 client 2.5.x) typically in the morning when the server is still offline but the ip has changed overnight. However, my ddns has been updated to the correct new one by my router, but since the server is offline the https handshake is not possible.

This is probably the reason why the nextcloud client does not accept the new ip and instead tries to access my old ip which however now points to other customers of my isp.

So my questions are:

  • Why is nextcloud trying to access the old ip with the resulting cert warning and not the new one with an unreachable warning?
  • Is there a setting so that I can by default deny connections which are not with my certificate?
  • Until now I have only seen self-signed certificates from other isp clients, but is it possible that the nextcloud client connects to other servers and starts syncing everything to an unknown server (which has been maliciously modified to accept every connection) if they can provide a signed cert?
    So, is everything safe (I will not accept the cert :slight_smile:) and I just sometimes will get this warning?

Thanks!


Hi @user_thorsten,

Have you found a solution of this issue? I also get these messages quite often/weekly :confused:

Basically from the story above it is not related to Nextcloud, but to your DNS resolver instead.
The issue is that your IP was changed and somebody who got your old IP also has some SSL server on it. It seems that your DynDNS provider or whatever you are using is either not quick enough to update DNS with a new IP, or maybe you are not sending updates of your changed IP address quickly enough. That’s why you see this warning.

My question is: how did you implement update of your IP to your DNS provider?

Basically nothing is bad in this message; the client will not be able to connect and sync files to whatever server.

What you can do to increase security is additionally enable Certificate pinning as described here:

But, to be honest, if your client does not accept those exceptions, nothing bad will happen.


I have this issue also and have more or less the same setup, except I have a fixed ip. So there might be another cause.

May be this troubleshooting can help you: Trouble making nextcloud available on the Internet - #4 by gas85

OK, found the issue. In the nginx config file I needed to change the link to cert.pem to fullchain.pem.
Now the intermediate X3 certificate is also in the chain.
Found the reason here:

The transition from the [Let’s Encrypt Authority X3 intermediate certificate] to the [R3 intermediate certificate] is probably the cause.
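A small audit for the misconfiguration found in that last post, added here as an example and not taken from the thread or from Nextcloud: it reads the `ssl_certificate` directives from an nginx config and flags any that point at a file holding only the leaf certificate (cert.pem) instead of the leaf plus intermediate (fullchain.pem). The nginx snippet, the paths and the PEM contents below are constructed stand-ins, not real certificates.

```python
"""Flag nginx ssl_certificate directives that reference a leaf-only PEM file."""
import re

# Constructed nginx fragment: the server block is using cert.pem (leaf only).
NGINX_CONF = """
server {
    listen 443 ssl;
    server_name cloud.example.org;
    ssl_certificate     /etc/letsencrypt/live/cloud.example.org/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.org/privkey.pem;
}
"""
# Constructed PEM stand-in (not a real certificate); only the markers matter here.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
FILES = {
    "/etc/letsencrypt/live/cloud.example.org/cert.pem": FAKE_CERT,        # leaf only
    "/etc/letsencrypt/live/cloud.example.org/fullchain.pem": FAKE_CERT * 2,  # leaf + intermediate
}

# Requires whitespace after "ssl_certificate", so ssl_certificate_key is not matched.
DIRECTIVE = re.compile(r'^\s*ssl_certificate\s+"?([^;"\s]+)"?\s*;', re.M)
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def certificate_paths(conf: str) -> list[str]:
    """Every path named by an ssl_certificate directive, in file order."""
    return DIRECTIVE.findall(conf)


def count_certs(pem: str) -> int:
    """Number of PEM certificate blocks in a file's contents."""
    return len(PEM_BLOCK.findall(pem))


def audit(conf: str, read=lambda path: open(path).read()) -> list[str]:
    """One finding per directive whose file carries fewer than two certificates.

    `read` defaults to the filesystem; a dict lookup is passed in for offline use.
    """
    findings = []
    for path in certificate_paths(conf):
        n = count_certs(read(path))
        if n < 2:
            findings.append(f"{path}: {n} certificate(s), intermediate missing; use fullchain.pem")
    return findings


if __name__ == "__main__":
    for finding in audit(NGINX_CONF, FILES.__getitem__):
        print(finding)
```

On a real host, call `audit(open("/etc/nginx/sites-enabled/nextcloud").read())` (path assumed) so it reads the actual PEM files; an empty list means every directive already serves a chain.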