I have a domain and use dyndns to point to my home ip
I have a small server with nginx-reverse proxy and lets encrypt certificate and nextcloud docker
So far everything works fine.
Probably bad habit:
I have configured my server to turn off after a specific time and I can wake it up remotely using wake-on-lan.
SSL untrusted certificate error occurrence:
I get this error on my laptop & pc (ubuntu 18.04 client 2.5.x) typically in the morning when the server is still offline but the ip has changed overnight. However, my ddns has been updated to the correct new one by my router, but since the server is offline the https handshake is not possible.
This is probably the reason why the nextcloud client does not accept the new ip and instead tries to access my old ip which however now points to other customers of my isp.
So my questions are:
Why is nextcloud trying to access the old ip with the resulting cert warning and not the new one with an unreachable warning?
Is there a setting so that I can by default deny connections which are not with my certificate?
Until now I have only seen self-signed certificates from other ISP clients, but is it possible that the Nextcloud client connects to other servers and starts syncing everything to an unknown server (which has been maliciously modified to accept every connection) if they can provide a signed cert?
So, is everything safe (I will not accept the cert) and I just sometimes will get this warning?
Basically from the story above it is not related to Nextcloud, but to your DNS resolver instead.
Issue is that your IP was changed and somebody who got your old IP also has some SSL server on it. It seems that your DynDNS provider or whatever you are using is either not quick enough to update DNS with a new IP, or maybe you are not sending updates of your changed IP address quick enough. That’s why you see this warning.
My question is: how did you implement update of your IP to your DNS provider?
Basically nothing is bad in this message; the client will not be able to connect and sync files to whatever server.
What you can do to increase security is additionally enable Certificate pinning as described here:
But, to be honest, if your client does not accept those exceptions, nothing bad will happen.
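As an added illustration of the two failure modes discussed in this thread (a DynDNS name that still resolves to the old IP, versus a host that answers with a certificate that is not yours), here is a small check script. It is example code written for this reply, not part of the Nextcloud client or of anyone's posted setup. It assumes you know your current public IP (for instance from the router's status page) and have recorded the SHA-256 fingerprint of your own Let's Encrypt certificate as a pin; the `classify()` function makes the decision and can be exercised offline with constructed inputs.

```python
"""Check that a DynDNS hostname still points at our own server and that the
certificate it presents matches a pinned SHA-256 fingerprint.

Example code for this thread; hostnames, IPs and fingerprints are assumptions.
"""
import hashlib
import socket
import ssl
import sys
from typing import Optional


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex
    (the same format most browsers and `openssl x509 -fingerprint` print)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_peer_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> Optional[bytes]:
    """Fetch the leaf certificate a server presents, without trusting it.

    Chain verification is disabled on purpose: we only want the raw bytes to
    compare against the pin. Nothing is sent after the handshake, so no data
    reaches a foreign server. Returns None if the host does not answer.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None


def classify(expected_ip: str, resolved_ip: str, pinned_fp: str,
             presented_der: Optional[bytes]) -> str:
    """Decide what the situation is, in the order a defender cares about:
    - stale-dns:      the name still resolves to an address that is not ours,
                      so whatever answers there belongs to somebody else;
    - server-offline: DNS is correct but nothing answered (e.g. before WoL);
    - pin-mismatch:   our address answered with a certificate that is not ours;
    - ok:             address and certificate both match.
    """
    if resolved_ip != expected_ip:
        return "stale-dns"
    if presented_der is None:
        return "server-offline"
    if cert_fingerprint(presented_der) != pinned_fp:
        return "pin-mismatch"
    return "ok"


def check_host(hostname: str, expected_ip: str, pinned_fp: str) -> str:
    """Live check: resolve the DynDNS name, fetch the certificate, classify."""
    try:
        resolved_ip = socket.gethostbyname(hostname)
    except socket.gaierror:
        return "dns-failure"
    der = fetch_peer_cert_der(hostname) if resolved_ip == expected_ip else None
    return classify(expected_ip, resolved_ip, pinned_fp, der)


if __name__ == "__main__":
    # Usage: python check_ddns_pin.py cloud.example.org 203.0.113.10 AB:CD:...
    # (hostname, IP and fingerprint here are placeholders, not real values)
    if len(sys.argv) != 4:
        sys.exit("usage: check_ddns_pin.py HOSTNAME EXPECTED_IP PINNED_SHA256")
    print(check_host(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Running it from a cron job on the client before the sync starts turns the vague "untrusted certificate" pop-up into a concrete verdict: "stale-dns" means the DDNS update (or the client's resolver cache) is the problem, "pin-mismatch" means something at your own address is presenting a foreign certificate and is worth investigating.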