Cannot login due to issue with certificate

Woody · December 12, 2021, 6:58pm

Hi,

Yesterday I moved my box from one line (vdsl) to another (Fiber). At first I ran into a lot of problems because I managed to miss that, when you change IP address, you FIRST change the glue records and THEN move the box, and not the other way around

Well, I corrected that and everything was working fine today. Until, suddenly, out of the blue my phone (DAVx) started to complain about ’ http server errors’ when trying to syncronize. Retrieving mail with K9 hung, and I can no longer login with the web interface due to this error:

Firefox detected a potential security threat and did not continue to box.postkamer.eu because this website requires a secure connection.
box.postkamer.eu has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

I still am able to log in using ssh.

How do I correct this?

alento · December 12, 2021, 7:05pm

You need to enable (or is it disable?) this in your browser. Google is your friend.

Check that your SSL certificate is valid and that the hostname of the box wasn’t changed when you did the move.

alento · December 12, 2021, 7:07pm

Wait! Your admin page loads just fine for me … clear your browser cache. @Woody

Woody · December 12, 2021, 7:18pm

This was noticed a moment ago by a mate of mine, so I tried a completely new browser, (Chrome) with the same effect.Then I switched off WiFi on my phone and retried mail and DAVx. Both worked fine. Obviously this has something to do with me being on de inside of my router.

Will investigate and report back.

Thanks for thinking along!

Woody · December 14, 2021, 9:43am

Turns out that this problem was caused by a rather complex perfect storm of router / switch configuration.

What I think happened:

The reason my connections died suddenly was that, due to a switch misconfiguration. In getting my network to handle IPTV muticasting I inadvertently disabled unknown multicasts, which are apparently used by IPv6 to get IP addressed to a device. When my PC tried to renew its IPv6 address it got nothing.

Normally that would not be a problem as my PC then could use its IPv4 address to reach MIAB. Alas, I was in the middle of reconfiguring my pfSense router I still had a problem where a device on the LAN, when connecting by name to the MIAB box on the DMZ, was routed with its internal LAN IP address and not with the external address as the ‘from’ address. This somehow did not sit well with the certificate on MIAB.

Configuring the router to make this hairpin happen solved the problem. The pfSense router has a special option for this, NAT+proxy. Setting this also solved the errors I kept getting on the MIAB Status Check, where it reported all my mail ports not being reachable from the outside, while MIAB functioned perfectly when tested with real mail from the outside.

As said, I am not completely clear on the how and why of the certificate problem. But although it cost me the better part of a weekend, I managed to solve this problem

Paul