HSTS error on webserver local connection

Hello, I have run into an issue when attempting to access my website from the same network on which it is hosted – my home network.
Originally, I had no such issue. Certbot certificate issuance was smooth. I forced TLS 1.2+ and enabled HSTS to improve my SSLlabs grade. The problem arose after upgrading my internet to fiber optic and switching my router. Previously I used a Motorola modem/router combo, and now use an Edgerouter X.
The website works fine over www, but attempting a connection with any device on my local network fails with “MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT” on Firefox, and “NET::ERR_CERT_AUTHORITY_INVALID” on Chrome. I am unable to add an exception due to the use of HSTS on my site. Attempting to connect with the server’s local IP redirects my browser to the URL. The certificate causing these errors is not my site’s cert from Certbot; rather, it is my router’s self-signed certificate.
It seems that by disabling HSTS, I could add an exception in my browsers and proceed to use the site from my home network; however, I would prefer to keep HSTS, and even in this case the error/warning would persist.
Thank you for reading, any help is appreciated!

Edit: To put this into question form: how can I connect to my site locally when my router’s certificate causes errors?

My domain is: georgegersh.win
My web server is: Apache 2.4.25
The operating system my web server runs on is: Debian 9.13
I can login to a root shell on my machine: y
I’m using a control panel to manage my site: n
The version of my client is: Certbot 0.28.0

Hi @BangoBungo

Checking your domain, there is a problem visible - https://check-your-website.server-daten.de/?q=georgegersh.win#certificates

Your certificate has only the non-www version, so when connecting to the www version the certificate is invalid:

CN=georgegersh.win | valid from 14.08.2020 to 12.11.2020 | expires in 78 days | georgegersh.win - 1 entry

Create one certificate with both domain names, use that, then recheck your domain.

Your error: maybe you have some wrong definitions

<vHost ipaddress:80>

so another IP address is used and the wrong vHost answers. Use

<vHost *:80>

and check

apachectl -S

to see which vHosts are really used.

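As an added illustration (not configuration from the thread's author or the reply), the vHost shape the reply warns about beside a corrected one that matches on all addresses, names both hostnames, and keeps TLS 1.2 and HSTS as the original poster wants. The IP address 192.0.2.10 is a placeholder, and the certificate paths assume Certbot's default layout for a certificate issued with both names.

```apache
# Problematic shape: bound to one specific address, so a request arriving on
# any other interface falls through to whichever vHost Apache picks first.
# 192.0.2.10 is a placeholder, not the poster's real address.
<VirtualHost 192.0.2.10:80>
    ServerName georgegersh.win
</VirtualHost>

# Corrected: match on every address and name both hostnames so the single
# certificate covering both (as the reply recommends) is the one served.
<VirtualHost *:80>
    ServerName georgegersh.win
    ServerAlias www.georgegersh.win
    # Send plain-HTTP traffic to TLS; HSTS is only honoured over HTTPS anyway.
    Redirect permanent / https://georgegersh.win/
</VirtualHost>

<VirtualHost *:443>
    ServerName georgegersh.win
    ServerAlias www.georgegersh.win
    SSLEngine on
    # TLS 1.2 only; Apache 2.4.25 on Debian 9 predates TLS 1.3 support.
    SSLProtocol -all +TLSv1.2
    # Assumed Certbot default paths for a cert that lists both names.
    SSLCertificateFile    /etc/letsencrypt/live/georgegersh.win/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/georgegersh.win/privkey.pem
    # HSTS belongs on the TLS vHost only (needs mod_headers enabled).
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

After reloading, `apachectl -S` should list both vHosts under `*:80` and `*:443` with the names above, which is the check the reply asks for.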