Firefox on archlinux does not trust my certificate

If I want to visit my Nextcloud server on my Arch Linux laptop with Firefox, it gives me an error because it doesn't trust the certificate, because it is self-signed. This only happens on my laptop and not on my phone, tablet or computer (Windows).

Do you use the same URL on your laptop as on your other devices? Are they all operating on the same network (a private one or the public internet)?

We'll need more info to give advice. Please answer as much as you can from the form you should have been shown

=========================================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


I use the same URL on all devices and they are all on the same network, as well as the server.
My server runs Raspberry Pi OS.
I use version 2.1.0 of certbot.
I have nginx 1.22.1.
I can log in as root via SSH.
I use Nextcloud AIO version 10.1.1.
Sorry, I thought I made a mistake, deleted the message, corrected it and then noticed I didn't make a mistake.

Are these all working on a private network?

Can your domain be reached on the public internet? What is your domain name?


They are all on my private network and my domain can be reached on the public internet. My domain is [mydomain].mooo.com

mooo.com has two IP addresses in the public DNS. They point to afraid.org, which says that domain is not yet set up.

# HTTP (port 80) says this
curl -i http://mooo.com
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 06 Jan 2025 15:14:53 GMT
X-Abuse: URL redirection provided by freedns.afraid.org - please report any misuse of this service

# HTTPS (port 443) says
curl -i https://mooo.com
curl: (7) Failed to connect to mooo.com port 443 after 48 ms: Connection refused

Can you run something like openssl on the failing machine? Or, show the exact cert or more detail from Firefox on why it fails?

Given your system works from all but 1 device it is some kind of config problem on that device or your network routing that affects just that one. Helping with a local network routing / config problem isn't our normal scope. Someone may help anyway but you'll have to be far more forthcoming with details.


I didn't want to insert my full domain because everyone who is reading this post could find out where I live. I can send you the domain via Discord or Signal.

Like most other helpers here I am a volunteer offering my time and expertise for free. I don't offer help outside of this forum.

Perhaps some other volunteer will help. Or, if you provide the info I requested maybe I'll offer suggestions.


OK, my domain is loehn.mooo.com; with the config I will try around.

Hi @Shadowbee,

Here (Permanent link to this check report) you can see that the domain name has 2 IP addresses, one IPv4 and one IPv6; yet Let's Debug reports this: https://letsdebug.net/loehn.mooo.com/2328123

ReservedAddress
Fatal
A private, inaccessible, IANA/IETF-reserved IP address was found for loehn.mooo.com. Let's Encrypt will always fail HTTP validation for any domain that is pointing to an address that is not routable on the internet. You should either remove this address and replace it with a public one or use the DNS validation method instead.
2002:1f12:b79e:8000:464e:6dff:fe94:569b

Meaning that the IPv6 address is not available to the public Internet.
I suggest changing to a more appropriate IPv6 address that connects to the server,
or removing the DNS AAAA record for the IPv6 address.

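The ReservedAddress finding above comes from the address prefix alone: 2002::/16 is the 6to4 transition range, and the 32 bits after that prefix are an IPv4 address. The following script, an added example and not part of this thread or of Let's Debug, reproduces that classification offline with only the Python standard library: it decodes the IPv4 address embedded in the AAAA record quoted above and flags any record an ACME HTTP-01 validator cannot reach. The RFC 1918 address in the demo run is constructed; the thread does not quote the real A record.

```python
"""Classify resolved addresses the way Let's Debug's ReservedAddress check
does, and decode the IPv4 address wrapped inside a 6to4 (2002::/16) address.

Added example; not from the thread or from Let's Debug. Standard library only.
"""
import ipaddress

# 6to4 carries the tunnel endpoint's IPv4 address in bits 16-47 of the
# IPv6 address. The public relays it depends on were withdrawn (RFC 7526),
# so a validator on the public internet normally cannot reach such a host.
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")

# IPv6 ranges that are never routable from a Let's Encrypt validation server.
UNREACHABLE_V6 = [
    ipaddress.IPv6Network("::1/128"),       # loopback
    ipaddress.IPv6Network("fc00::/7"),      # unique local
    ipaddress.IPv6Network("fe80::/10"),     # link local
    ipaddress.IPv6Network("2001:db8::/32"), # documentation
    SIXTOFOUR,
]


def sixtofour_embedded_ipv4(addr):
    """Return the IPv4 address embedded in a 6to4 address, or None if the
    address is not in 2002::/16."""
    ip = ipaddress.IPv6Address(str(addr))
    if ip not in SIXTOFOUR:
        return None
    # packed is 16 bytes: 0x20 0x02 <4 bytes of IPv4> <10 bytes host part>
    return ipaddress.IPv4Address(ip.packed[2:6])


def classify(addr):
    """Return ("ok" | "reserved", detail) for one A or AAAA record value."""
    ip = ipaddress.ip_address(str(addr))
    if ip.version == 4:
        # is_global rejects RFC 1918, loopback, CGNAT, link local, TEST-NETs
        if ip.is_global:
            return "ok", "public IPv4"
        return "reserved", "non-routable IPv4"
    for net in UNREACHABLE_V6:
        if ip in net:
            if net == SIXTOFOUR:
                v4 = sixtofour_embedded_ipv4(ip)
                return "reserved", f"6to4 address wrapping IPv4 {v4}; not reachable from the public internet"
            return "reserved", f"IPv6 address inside {net}"
    return "ok", "public IPv6"


def check_records(records):
    """records: list of A/AAAA record values for a name. Returns the fatal
    findings a Let's Debug-style check would print (empty list when clean)."""
    findings = []
    for rec in records:
        status, detail = classify(rec)
        if status == "reserved":
            findings.append(f"ReservedAddress Fatal {rec}: {detail}")
    return findings


if __name__ == "__main__":
    # Constructed input: the AAAA record quoted in the thread plus an RFC 1918
    # address standing in for a misconfigured A record (the real A record is
    # not quoted in the thread).
    sample = ["2002:1f12:b79e:8000:464e:6dff:fe94:569b", "192.168.178.20"]
    for finding in check_records(sample) or ["no reserved addresses found"]:
        print(finding)
```

The decoded IPv4 address is the tunnel endpoint the AAAA record implies, not necessarily the address in the A record; comparing the two is the quickest way to tell whether the router published a 6to4 address for a host it also reaches natively over IPv4.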

I am not sure if it is possible, because loehn.mooo.com links to my MyFritz DNS address, which is given by my router.

You only need to deal with the DNS of the domain name loehn.mooo.com, not with the MyFritz DNS.

https://unboundtest.com/m/AAAA/loehn.mooo.com/WCH3WQYQ

Query results for AAAA loehn.mooo.com

Response:
;; opcode: QUERY, status: NOERROR, id: 17788
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;loehn.mooo.com.	IN	 AAAA

;; ANSWER SECTION:
loehn.mooo.com.	0	IN	CNAME	iq3sa1qpf7uvqn88.myfritz.net.
iq3sa1qpf7uvqn88.myfritz.net.	0	IN	AAAA	2002:1f12:b79e:8000:464e:6dff:fe94:569b

----- Unbound logs -----

Can you add a new subdomain to .myfritz.net. that has only a DNS A record and then point loehn.mooo.com to that new subdomain?


And here SSL Server Test: loehn.mooo.com (Powered by Qualys SSL Labs) shows for IPv6 "Unable to connect to the server".

I can't add another MyFritz address, and I installed Chromium and it says that the server couldn't prove that it is loehn.mooo.com and Arch Linux doesn't trust my certificate.

Is it reasonable then to remove the DNS AAAA (IPv6 Address) Record?


If the record is bound to the MyFritz address I can't remove it; if it is bound to loehn.mooo.com then I will have to look if I can do that, as I got my domain from https://freedns.afraid.org/

Would it then be possible to not use a CNAME?

I wouldn't get too caught up on the tangent, while a 6to4 2002:: IPv6 address might prevent users from connecting (and Let's Encrypt validation), in this case it seems that Let's Encrypt can successfully validate and issue a certificate (though it's likely due to them retrying on IPv4) and the main problem is either with the server not being configured right, or with the client not being configured right (or connecting to some other system than intended).


Freedns.afraid.org says that it is a CNAME.

And the Fritz I can't change.

I think it would be a client issue, as Chromium said that my operating system doesn't trust the certificate, and on the server side the only thing that I find weird is that the certificate doesn't auto-renew, and if I have to renew my certificate I have to stop nginx.

Issuance wasn't the problem indeed, because there's a good LE certificate configured currently, including a good chain:

Certificate chain
 0 s:CN=loehn.mooo.com
   i:C=US, O=Let's Encrypt, CN=E5
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Dec 29 16:01:03 2024 GMT; NotAfter: Mar 29 16:01:02 2025 GMT
 1 s:C=US, O=Let's Encrypt, CN=E5
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT

@Shadowbee Please show the exact error Firefox is giving you. Usually, Firefox ships with its own root certificate store, so as long as your Firefox isn't like, ancient, it should recognise the ISRG Root X1 certificate (Firefox version 50 and onwards).

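Two checks were asked for in this thread: running something like openssl on the failing laptop, and confirming that the served chain ends at ISRG Root X1, which Firefox's own store and the system store both carry. The script below is an added example, not the thread's or Let's Encrypt's code. Offline, it parses the exact "Certificate chain" block quoted above and verifies that each issuer matches the next subject, that the top issuer is a current Let's Encrypt root, and how many days the leaf has left against the thread's date (6 Jan 2025, from the curl output earlier in the thread); the 30-day renewal window is certbot's default. Given a hostname on the command line it additionally performs a TLS handshake with SNI against every address the name resolves to, validating with the trust store OpenSSL uses (on Arch, the bundle from the ca-certificates package), so a client that resolves to an unreachable IPv6 address or lands on a different device than the other clients shows up as a per-address error. The `probe` function's use of the default context is an assumption about how one would reproduce the check; it needs network access and is not exercised offline.

```python
"""Check an openssl s_client 'Certificate chain' listing, and optionally
repeat the handshake from this machine against each address a name
resolves to.

Added example, not from the thread. The chain text is the one quoted in the
thread; the live probe is an assumption about how to reproduce the check.
"""
import re
import socket
import ssl
import sys
from datetime import datetime, timezone

# Current Let's Encrypt roots; Firefox (NSS) and the system store both ship them.
TRUSTED_ROOT_CNS = {"ISRG Root X1", "ISRG Root X2"}

# Date of the thread, taken from the curl output: Mon, 06 Jan 2025.
REFERENCE_NOW = datetime(2025, 1, 6, tzinfo=timezone.utc)

# Verbatim from the thread (openssl s_client output pasted by the helper).
CHAIN_TEXT = """\
Certificate chain
 0 s:CN=loehn.mooo.com
   i:C=US, O=Let's Encrypt, CN=E5
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Dec 29 16:01:03 2024 GMT; NotAfter: Mar 29 16:01:02 2025 GMT
 1 s:C=US, O=Let's Encrypt, CN=E5
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
"""


def _cn(dn):
    """Pull the CN out of an OpenSSL one-line DN such as 'C=US, O=X, CN=E5'."""
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(text):
    """Return [{subject, issuer, not_after}, ...] in the order the server sent them."""
    certs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\d+ s:(.*)$", line)
        if m:
            cur = {"subject": _cn(m.group(1))}
            certs.append(cur)
        elif line.startswith("i:") and cur is not None:
            cur["issuer"] = _cn(line[2:])
        elif line.startswith("v:") and cur is not None:
            _nb, na = re.findall(r"Not(?:Before|After): (.*?) GMT", line)
            cur["not_after"] = datetime.strptime(na, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return certs


def check_chain(certs, now, renew_window_days=30):
    """Chain continuity, trusted top issuer, and leaf lifetime relative to `now`.
    renew_window_days=30 mirrors certbot's default renewal threshold."""
    problems = []
    for lower, upper in zip(certs, certs[1:]):
        if lower["issuer"] != upper["subject"]:
            problems.append(f"{lower['subject']} is issued by {lower['issuer']} "
                            f"but the next certificate sent is {upper['subject']}")
    top = certs[-1]["issuer"]
    if top not in TRUSTED_ROOT_CNS:
        problems.append(f"chain ends at {top!r}, not a current Let's Encrypt root")
    days_left = (certs[0]["not_after"] - now).days
    if days_left < 0:
        problems.append("leaf certificate has expired")
    elif days_left < renew_window_days:
        problems.append(f"leaf expires in {days_left} days; certbot should already be renewing")
    return {"ok": not problems, "days_left": days_left, "top_issuer": top, "problems": problems}


def probe(host, port=443):
    """Handshake with SNI against every address `host` resolves to here, verified
    against the default system trust store. Returns {address: result}. Needs network."""
    ctx = ssl.create_default_context()
    results = {}
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        if addr in results:
            continue
        try:
            with socket.create_connection((addr, port), timeout=5) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                results[addr] = "ok: CN=" + subject.get("commonName", "?")
        except OSError as e:  # includes ssl.SSLCertVerificationError and timeouts
            results[addr] = f"{type(e).__name__}: {e}"
    return results


if __name__ == "__main__":
    print(check_chain(parse_chain(CHAIN_TEXT), REFERENCE_NOW))
    if len(sys.argv) > 1:  # e.g. python3 chaincheck.py loehn.mooo.com
        for addr, result in probe(sys.argv[1]).items():
            print(addr, result)
```

If the live probe reports a verification error only for one address family, the laptop is preferring an address the other devices never use; if it reports a different CN than the one in the chain above, the laptop is reaching a different listener (a router or another host) than the Nextcloud server.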