NethServer Self Service User Portal has its own certificate?

I hate to open a new topic so quickly, but I’m not finding a good match in the forum when searching.

On my server, NethServer, Mail, and RoundCube all have valid certificates from Let’s Encrypt.

However, the Self Service User Portal that users can use to reset their passwords on their own does not and it is not working.

Whenever I click the link to the portal in my identity provider page it takes me here:

https://mail.[my domain].com/users-admin/[my domain].com/#/

and I get a 404 error. If I truncate the URL to this:

https://mail.[my domain].com/users-admin/

I get a 403 error (I think that part is as designed).

When I visit this site:

https://mail.[my server’s LAN IP address].com/users-admin/[my domain].com/#/

I’m taken to the Self Service User Portal, and am able to log in.

I examined the certificate on that site, and the URL is something similar to

host-123456.ns8.test

I looked in

/home/traefik1/.local/share/containers/storage/volumes/traefik-acme/_data/acme.json

as suggested in the forum, but the only certificate listed there is the correct one with the FQDN of the server.

So I’m curious where host-123456.ns8.test is coming from, and how to eradicate certs for host-123456.ns8.test because I’m afraid leaving it in there will cause more problems.

The self service portal isn’t a big deal, but, if/when users are not on site, it will become an issue.

For the moment, there’s currently just me and the admin user, although I plan on repeating the setup on my private server so my kids can also access groupware (isn’t that what all kids want? Collaboration and Productivity tools? hahahah). Speaking of, this problem is replicated on that server as well, so it’s two NethServer 8 installs with the same issue.

Any guidance is greatly appreciated!

No, the user portal uses the certificate of the NS8 host. Is the DNS configuration correct?

You could try to request a certificate for the wanted name in the NS8 settings/TLS settings, see also TLS certificates — NS8 documentation

It takes you to the NS8 node FQDN.

Did you set mail.domain.tld as node hostname? Maybe it overlaps with the mailserver FQDN?

To check the node hostname:

hostname -f

The mail server hostname is shown in the mail app status page.

I’m a little confused. Let me try to answer your questions and also I will try and do a better job of explaining. I feel like I did a poor job in my original post.

But before I do that, does there need to be a separate FQDN for NethServer’s core component? Something like node1.domain.tld, in addition to one for mail (i.e. mail.domain.tld) and NextCloud (i.e. cloud.domain.tld)??

I believe that I did. I believe I did that so that it matches the name of the server it’s on. When I log in to the server and do

hostname -f

the result is mail.domain.tld. I also went in to the traefik container and ran

hostname -f

and got the same result of mail.domain.tld.

The mail server hostname is displayed in the mail app status page as mail.domain.tld.

There are two certificates in the certificates section

  • cloud.domain.tld
  • mail.domain.tld

The only node I can request a certificate for is Traefik1

I don’t know how to see what the contents of these certificates are other than the server name.

DNS is working for this server. I’m able to reach it off-site using the FQDN mail.domain.tld and also cloud.domain.tld. This gives me access to the NethServer interface as well as Roundcube, and NextCloud, and it’s also the MX record so that’s how I’m receiving emails.

mail.domain.tld has a valid certificate and cloud.domain.tld has a valid certificate. Whenever I’m in the NethServer interface managing things like updates or users, I’m at the mail.domain.tld address and the certificate in use is the one for mail.domain.tld which works without any certificate errors.

I don’t get security certificate errors on NethServer, Roundcube, or NextCloud.

The only place I’m getting an error is when I go to mail.LANip/users/users-admin/domain.tld/#/ and I only tried that because of the aforementioned 404 error.

To recap:

  • https://mail.domain.tld/cluster-admin/#/domains/domain.tld/configuration#providers works perfectly with no certificate errors, and the certificate matches the FQDN of this server.

  • https://mail.domain.tld/users-admin/networksentinelsolutions.com/ results in a 404 and also has no certificate errors, and the certificate matches the FQDN of this server.

  • https://LANip/users-admin/domain.tld/#/user/account works, but, it has a certificate error (server name mismatch) and is only reachable via LAN IP address.

Yes. Basically the host needs its own name like node1.domain.tld and the apps are using names like app.domain.tld.

You could try to change the mail server hostname in the NS8 mail settings and check if the user portal is accessible then and if the certificate is working.

Ah! That makes sense that each app wants its own FQDN.

Is there a danger in changing the FQDN for Node1 (my only node) instead of the FQDN of one of the apps?

I would make sure that internal and external DNS is set first.

No, there’s no danger, the node FQDN can easily be changed via the UI, see also Cluster management — NS8 documentation

That worked! Thanks!

That was the problem all along, the node did not have its own unique FQDN.

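An added example, not part of the thread and not NS8's own code: a check for the two things this thread turned on, whether an app hostname collides with the node FQDN and which names the Traefik acme.json actually lists. The acme.json layout (resolver, then `Certificates`, then `domain.main`/`sans`), the resolver name `acmeServer`, the sample data and the LAN address are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout Traefik v2 writes to acme.json
# (resolver -> "Certificates" -> "domain": {"main", "sans"}); key/cert blobs omitted.
SAMPLE_ACME = json.loads("""
{"acmeServer": {"Account": {"Email": "admin@domain.tld"},
  "Certificates": [
    {"domain": {"main": "mail.domain.tld"}, "Store": "default"},
    {"domain": {"main": "cloud.domain.tld", "sans": ["*.cloud.domain.tld"]},
     "Store": "default"}]}}
""")

def acme_names(acme):
    """Collect every DNS name listed under any resolver's certificates."""
    names = set()
    for resolver in acme.values():
        for cert in (resolver or {}).get("Certificates") or []:
            dom = cert.get("domain") or {}
            names.update(n.lower() for n in [dom.get("main"), *(dom.get("sans") or [])] if n)
    return names

def covers(pattern, host):
    """Certificate name match: '*' stands for exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(node_fqdn, app_fqdns, acme):
    """Return {label: finding} for the node and each app hostname."""
    names, report = acme_names(acme), {}
    for label, host in [("node", node_fqdn), *app_fqdns.items()]:
        if is_ip(host):
            report[label] = "ip literal: DNS-name certificates cannot match"
        elif label != "node" and host.lower() == node_fqdn.lower():
            report[label] = "overlaps node FQDN"
        elif any(covers(n, host) for n in names):
            report[label] = "covered"
        else:
            report[label] = "no ACME certificate"
    return report

if __name__ == "__main__":
    apps = {"mail": "mail.domain.tld", "nextcloud": "cloud.domain.tld", "lan": "192.168.1.10"}
    for label, finding in audit("mail.domain.tld", apps, SAMPLE_ACME).items():
        print(f"{label:10} {finding}")
```

To run it against a real file, pass `json.load(open(path))` for the acme.json path quoted in the first post in place of `SAMPLE_ACME`.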