SSL work / unwork [Solved]

Hi,

I have installed Nextcloud 10 on a DigitalOcean server using Ubuntu 16.04 and LAMP (Apache).

SSL works, and sometimes it does not work at all in Mozilla but works in Chrome, sometimes the opposite, and sometimes it is both; but after 30 min, sometimes 1 h, it works. Why??!

I use an OVH domain.

My error in Mozilla is:
SSL_ERROR_BAD_CERT_DOMAIN

In Chrome:
NET::ERR_CERT_COMMON_NAME_INVALID

I have another problem with my SSL… it does not work with mydomain.com but only with www.mydomain.com.

Any idea?

NB: sorry for my bad English.

Hello @Ilann_J,

Looks like the error is related to the URL not matching the domain name registered inside the certificate provided.
A certificate is valid only for a list of names (aka domains).
https://mydomain.com and https://www.mydomain.com are treated by DNS and SSL as 2 distinct domains (www is a subdomain of mydomain.com; see http://www.yes-www.org/why-use-www/ ).
Also, each domain must be resolvable through DNS.
So it seems that your certificate is only valid for www.mydomain.com.
Assuming you manage your own SSL certificate: if your problem solved itself "definitively", your issue could have been a DNS cache problem and/or DNS replication time (worldwide).
If the problem is still there, well, it could be a lot of things, like a reverse proxy/load balancer changing the SSL cert.

Hope I helped a little :confused:

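A concrete form of the name-matching rule described above, as an added example that is not part of any post in this thread: it applies the rule browsers use against a certificate's subjectAltName list and can also pull that list from a live server. mydomain.com and the SAN lists are constructed placeholders, not the poster's real certificate.

```python
"""Hostname-vs-certificate name check (added example, not from the thread).

name_matches() applies the rule browsers use for a certificate's
subjectAltName dNSName entries; fetch_san_names() pulls that list from a
live server. mydomain.com and every SAN list used here are constructed
placeholders, not the poster's real certificate.
"""
import socket
import ssl


def name_matches(pattern, hostname):
    """Exact match, or a single '*' as the leftmost label (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*.mydomain.com' covers 'www.mydomain.com' but neither the apex
    # 'mydomain.com' nor deeper names such as 'a.b.mydomain.com'.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_covered(hostname, san_names):
    """True when at least one dNSName in the certificate matches the host."""
    return any(name_matches(p, hostname) for p in san_names)


def fetch_san_names(host, port=443):
    """Connect with SNI and return the dNSName entries of the served cert.
    The chain is still verified (CERT_REQUIRED); only the hostname check is
    off, so the names can be inspected precisely when they do NOT match."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        names = fetch_san_names(host)
        print(host, "covered" if hostname_covered(host, names) else "NOT covered", names)
```

Run it as `python3 check_san.py mydomain.com www.mydomain.com` to see which of the two names the served certificate actually lists.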

Nice, and nicely written explanations there; they should be read by every host :slight_smile:.

I’ve even seen a few pathological cases where, given a URL, they will type www.google.com or another search engine into the address bar, and then type the URL they actually want to go to into Google’s search field!

:joy:

Thanks aalaesar!

I corrected my problem with mydomain.com and www.mydomain.com :slight_smile:

I hope to have no more problems with SSL; currently it is working… I'll wait 1 h or more for confirmation.

My SSL is not working again…

My error in Mozilla is:
Unable to communicate in secure mode with peer: the requested domain name does not match the server certificate.

I followed this example for my SSL: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

Any suggestion? … :weary:

You can test your SSL configuration with https://ssllabs.com, where you should directly see what's wrong and which domain name doesn't match.

In SSL Labs I have A+:

My nextcloud.conf:

Alias / "/var/www/nextcloud/"

<Directory /var/www/nextcloud/>
  Options +FollowSymlinks
  AllowOverride All

  Dav off

  SetEnv HOME /var/www/nextcloud
  SetEnv HTTP_HOME /var/www/nextcloud
</Directory>

<VirtualHost *:80>
  ServerAdmin mail@mydomain.com
  DocumentRoot /var/www/nextcloud
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  ServerName mydomain.com
  ServerAlias www.mydomain.com
  Redirect permanent / https://mydomain.com
</VirtualHost>

<VirtualHost *:443>
  ServerName mydomain.com
  ServerAlias www.mydomain.com
  ServerAdmin mail@mydomain.com
  DocumentRoot /var/www/nextcloud
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  SSLEngine on

  SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; preload"
  </IfModule>
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

My .htaccess in the Nextcloud doc root:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
      SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  # Add security and privacy related headers
  Header set Strict-Transport-Security "max-age=15552000" env=HTTPS
  Header set X-Content-Type-Options "nosniff"
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Robots-Tag "none"
  Header set X-Frame-Options "SAMEORIGIN"
  Header set X-Download-Options "noopen"
  Header set X-Permitted-Cross-Domain-Policies "none"
  SetEnv modHeadersAvailable true

  # Add cache control for CSS and JS files
  <FilesMatch "\.(css|js)$">
    Header set Cache-Control "max-age=7200, public"
  </FilesMatch>
</IfModule>

<IfModule mod_php5.c>
  php_value upload_max_filesize 513M
  php_value post_max_size 513M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value always_populate_raw_post_data -1
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

<IfModule mod_php7.c>
  php_value upload_max_filesize 513M
  php_value post_max_size 513M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_HOST} ^mydomain.com [NC]
  RewriteRule ^(.*)$ https://www.mydomain.com/$1 [L,R=301,NC]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>

<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>

AddDefaultCharset utf-8
Options -Indexes

<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

My Nextcloud config/config.php:

<?php
$CONFIG = array (
  'instanceid' => 'myinstanceid',
  'passwordsalt' => 'mypasswordsalt',
  'secret' => 'mysecret',
  'trusted_domains' =>
  array (
    0 => 'www.mydomain.com',
    1 => 'mydomain.com',
    3 => 'ip_server',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'overwrite.cli.url' => 'https://www.mydomain.com/nextcloud',
  'dbtype' => 'mysql',
  'version' => '9.1.1.5',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'my_db_password',
  'logtimezone' => 'UTC',
  'installed' => true,
  'theme' => 'example',
  'loglevel' => 0,
);

Here you redirect everything unconditionally to https://mydomain.com, regardless of whether it already uses the right domain name or not. It would only make sense if it were in your virtual host for HTTP (port 80).

And here you rewrite back to the hostname with www.

In a terminal you can use curl to study all the redirects; perhaps you are caught in some kind of loop.

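Following the curl suggestion above, an added example (not from any post in this thread) that traces a redirect chain hop by hop and stops at the first repeated URL. The two `*_fetch` models it ships with are constructed stand-ins for the posted config (the vhost-level `Redirect permanent / https://mydomain.com` and the .htaccess rule sending mydomain.com to www.mydomain.com); they are assumptions about that config, not the real server's behaviour, and mydomain.com is a placeholder.

```python
"""Redirect tracer with loop detection (added example, not from the thread).
follow_redirects() takes a fetch(url) -> (status, location) callable, so it
runs against a live server via live_fetch() or against the constructed
models below that mimic the posted config. mydomain.com is a placeholder."""
import http.client
from urllib.parse import urljoin, urlsplit


def live_fetch(url, timeout=10):
    """One request, redirects not followed; returns (status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Location")


def follow_redirects(start_url, fetch, max_hops=10):
    """Return (chain, outcome); outcome is 'ok', 'loop' or 'too_many'."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, "ok"
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if chain.count(url) > 1:  # URL seen before: we are looping
            return chain, "loop"
    return chain, "too_many"


def posted_config_fetch(url):
    """Constructed model: 'Redirect permanent / https://mydomain.com' in the
    :80 vhost only, plus the .htaccess rule sending mydomain.com to www."""
    u = urlsplit(url)
    if u.scheme == "http":
        return 301, "https://mydomain.com/"
    if u.hostname == "mydomain.com":
        return 301, "https://www.mydomain.com" + (u.path or "/")
    return 200, None


def https_vhost_redirect_fetch(url):
    """Constructed model: the same Redirect placed in the HTTPS vhost. mod_alias
    runs before per-directory mod_rewrite, so it fires on every HTTPS request,
    including the one it just redirected to; the .htaccess rule never runs."""
    return 301, "https://mydomain.com/"
```

Against the real server, call `follow_redirects("http://mydomain.com/", live_fetch)` and read the returned chain; a `loop` outcome names the URL that repeats.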

Hi

Compared to my Let's Encrypt config, maybe there is one config line missing:

SSLCertificateFile /etc/letsencrypt/live/cloud.nextcloud.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.nextcloud.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/cloud.nextcloud.com/fullchain.pem

Maybe that can solve your problem.


Thanks tflidd and ham for your help :slight_smile: