Nextcloud NET::ERR_CERT_COMMON_NAME_INVALID

Hey all,

So when I'm trying to access my Nextcloud server at nextcloud.maartenbraaksma.nl, I'm receiving this error: "NET::ERR_CERT_COMMON_NAME_INVALID".

Does anyone know what's going on? Here are the details from the generated text.

My domain is: nextcloud.maartenbraaksma.nl

I ran this command: Browse to nextcloud.maartenbraaksma.nl

It produced this output: NET::ERR_CERT_COMMON_NAME_INVALID

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is: OVH, however I have a VPS.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Thanks in advance!

1 Like

If I visit https://nextcloud.maartenbraaksma.nl I don't get any error; it seems to be serving a valid certificate.

3 Likes

Ditto! Yet SSL Server Test: nextcloud.maartenbraaksma.nl (Powered by Qualys SSL Labs) seems to be having possible problems when using IPv6; IPv4 looks good.

3 Likes

Good catch @Bruce5051. I think the nextcloud server is not listening or configured for IPv6 and instead that gets sent to your webserver. The cert returned when using IPv6 has these names in it:

SANs:
ball.maartenbraaksma.nl
maartenbraaksma.nl
www.maartenbraaksma.nl

4 Likes

Very interesting. Thanks for the fast comments everyone.

I'm not 100% sure how to set up an IPv6 certificate specifically, but I'll check the internet for how to. (Unless you can tell me how I can do that, haha.)

3 Likes

As a side note: it also seems that with TLS v1.2 you support (as tested with GitHub - drwetter/testssl.sh: Testing TLS/SSL encryption anywhere on any port):
xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

SHA1 and CBC are not recommended; also see Email feedback: TLS 1.0/1.1 deprecation and SHA-1 deprecation for more on SHA1-related issues.

2 Likes

You don't create a special cert just for IPv6.

Your DNS has an AAAA (IPv6) record for the nextcloud domain name, and when it is used it gets the wrong cert. If you can't set up nextcloud for IPv6, maybe remove the AAAA record.

See the SSL Labs link Bruce showed.

5 Likes
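
The check described in the replies above, as an added example that is not part of the original thread: it fetches the certificate served over IPv4 and over IPv6 for the same name and reports which address family returns a cert that does not cover it. The IPv6 SAN list in the sample is the one quoted in the thread; the IPv4 list is an assumption, since the thread only says that cert is valid.

```python
import socket
import ssl
import sys

def san_matches(hostname, sans):
    """Exact match, or a wildcard SAN covering exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def fetch_sans(hostname, family, port=443, timeout=5):
    """DNS SANs of the cert served at the first A (AF_INET) or AAAA (AF_INET6) address."""
    addr = socket.getaddrinfo(hostname, port, family, socket.SOCK_STREAM)[0][4]
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared below
    with socket.socket(family, socket.SOCK_STREAM) as raw:
        raw.settimeout(timeout)
        raw.connect(addr)
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:  # SNI is sent
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def diagnose(hostname, sans_by_family):
    """Map each address family to 'ok' or a description of the mismatch."""
    return {fam: "ok" if san_matches(hostname, sans)
            else "mismatch: cert covers " + ", ".join(sorted(sans))
            for fam, sans in sans_by_family.items()}

# Constructed sample: IPv6 SANs as quoted in the thread, IPv4 SAN assumed.
SAMPLE = {
    "IPv4": ["nextcloud.maartenbraaksma.nl"],
    "IPv6": ["ball.maartenbraaksma.nl", "maartenbraaksma.nl", "www.maartenbraaksma.nl"],
}

if __name__ == "__main__":
    host, data = "nextcloud.maartenbraaksma.nl", SAMPLE
    if len(sys.argv) > 1:  # live check against a host you operate
        host, data = sys.argv[1], {}
        for label, fam in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
            try:
                data[label] = fetch_sans(host, fam)
            except OSError as exc:  # no record, unreachable, or TLS failure
                print(label, "check failed:", exc)
    for fam, verdict in diagnose(host, data).items():
        print(fam, verdict)
```

A mismatch on only one family points at the DNS record or listener for that family, not at the certificate itself.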

Disabling IPv6 was the solution for people who could not access the Nextcloud page.
Thank you, @MikeMcQ !

3 Likes
