Https connection problem on local network

I am quite new to networking and have recently established an Ubuntu 18.04 home server running on apache2. I got a domain from no-IP and obtained an SSL certificate for this domain with Let’s Encrypt. Everything works fine when accessing the server from outside of my local network, but when I try to open the website from the local network it shows a privacy error (that the SSL certificate is invalid). It also works fine if I add my domain and the local IP address of the server to the headers file in Windows (but obviously then it does not connect outside of the network). Is there any way to get my connection on the local network on SSL?

1 Like

Hi @kwojcikowski

You have to use the external domain name to connect.

If your certificate has the domain name example.com, you must use that domain name:

https://example.com/

Nothing else. Not your ip address, not an internal name.

I don't understand that. What's your domain name, what is a "headers file in Windows"?

2 Likes

Connecting with a domain name does not work either: [image]. I meant the Windows hosts file (the file where you can set up DNS manually). I read some about NAT loopback, which might be this case, but I don't know how to do that and am not sure if my router is capable.

1 Like

You have to connect via the name (not the IP).
If the name resolves to the external IP, you can override that resolution locally in your hosts file or within your local DNS server.

1 Like

You will need to show the URL or the cert provided by that error message.

1 Like

So I connect with my server using the public domain, which is bound to my IP address. If I am on the same local network as my server, I get information about an invalid certificate. How to avoid this?

What is the certificate provided?
What is the IP resolved by the public name?

1 Like

The certificate itself works well outside of the local network (you can check anton.bounceme.net), but within the local network I get the following:

[image]
The public name is bound to my local network’s public IP.

You need to override the IP resolved to that name within your hosts file
c:\windows\system32\drivers\etc\hosts
So that you go directly to the internal IP address not the external IP.

1 Like

But then I will not be able to access my server outside my local network, right? If the address is 192.168.1.X and I add this address followed by the domain I will not connect from the outside of LAN.

What?
The server isn't moving anywhere.
It has an internal IP.
The router NATs external connections to it.
You are NOT external, you should NOT try to reach it via an external IP.
The change you need to make is in your local PC.
If your local PC is portable/laptop, then it may have problems when outside your LAN.
And you will have to undo the hosts file changes while outside.
Or use an internal DNS system to provide the correct IP to you while you are on the internal network.
[which all goes back to my first post]

1 Like

Your certificate is a man in the middle, that hacks your SSL connection.

Your domain looks ok - there is a nextcloud.

It’s your “anti virus software” or something else that replaces your valid certificate with its own, invalid certificate.

Maybe a “deep inspection” option or something else.

Now the check is ready - https://check-your-website.server-daten.de/?q=anton.bounceme.net

There is a valid Letsencrypt certificate:

CN=anton.bounceme.net
	08.12.2019
	07.03.2020
expires in 88 days	anton.bounceme.net - 1 entry

It’s only a local problem.

1 Like

That only works when you are on the public side of the router.

1 Like

That is what I'm talking about: whenever I move outside of my network I need to redo the changes. Is there any better solution?

See my first post.
Use an internal DNS server.

When you are on your LAN, what DNS server(s) does your DHCP server give you?

DHCP gives me the name of the host, so in this case ‘anton’. On DNS I am not able to enter the public domain as it is a ‘wrong domain’.

We must be having a language problem.
I asked “what DNS server(s) does your DHCP server give you?”
And you repeat the fact that you can’t reach the server by the public domain name.
This we already know.
And it is what we are trying to address by using another DNS server - one that you might control.
Do you have access to an internal DNS server?

The only DHCP and DNS I use is from my ISP provider router.

It’s not a DNS problem. It’s your AVG software that creates its own certificate.

Remove that or deactivate that option.

Or accept that “man in the middle”.

1 Like
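An added example, not part of any post in this thread: a small Python check that tells apart the two causes discussed above, a certificate that does not cover the name being used versus a certificate substituted by local inspection software. The sample certificates, the address 192.168.1.10 and the issuer name "Example AV Web Shield" are constructed placeholders; `fetch_cert` and `classify` are names chosen here.

```python
import socket
import ssl

def fetch_cert(ip, hostname, port=443, timeout=5.0):
    """Connect to `ip` but send `hostname` as SNI, so no hosts-file edit is needed.
    Raises ssl.SSLCertVerificationError if the chain or name does not verify."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """organizationName of the issuer in a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def classify(cert, hostname, expected_org="Let's Encrypt"):
    """Return 'unexpected-issuer', 'name-mismatch' or 'ok' for the name the client used."""
    if issuer_org(cert) != expected_org:
        return "unexpected-issuer"   # something on the path re-signed the site
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if hostname.lower() not in names:  # exact match only; wildcards not handled
        return "name-mismatch"         # e.g. browsing by IP or an internal name
    return "ok"

# Constructed sample data in the shape ssl.SSLSocket.getpeercert() returns.
LE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "example.com"),),
}
PROXY_CERT = {
    "issuer": ((("organizationName", "Example AV Web Shield"),),),
    "subjectAltName": (("DNS", "example.com"),),
}

if __name__ == "__main__":
    for label, cert, name in (("by name", LE_CERT, "example.com"),
                              ("by IP", LE_CERT, "192.168.1.10"),
                              ("inspected", PROXY_CERT, "example.com")):
        print(label, "->", classify(cert, name))
```

On a real machine, pass the result of `fetch_cert(internal_ip, domain)` to `classify`; a verification error from `fetch_cert` itself already means the presented chain is not trusted by the system store.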

Don’t most sensible home routers support hairpin NAT, so that you don’t need to configure the internal IP for the domain separately?

Oh, ISP provided router, those aren’t sane.

1 Like