25
submitted 3 months ago* (last edited 3 months ago) by Darkassassin07@lemmy.ca to c/selfhosted@lemmy.world

In the last couple of weeks, I've started getting this error ~1/5 times when I try to open one of my own locally hosted services.

I've never used ECH, and have always explicitly restricted nginx to TLS1.2 which doesn't support it. Why am I suddenly getting this, why is it randomly erroring, then working just fine again 2min later, and how can I prevent it altogether? Is anyone else experiencing this?

I'm primarily noticing it with Ombi. I'm also mainly using Chrome Android for this. But, checking just now; DuckDuckGo loads the page just fine everytime, and Firefox is flat out refusing to load it at all.

Firefox refuses to show the cert it claims is invalid, and 'accept and continue' just re-loads this error page. Chrome will show the cert; and it's the correct, valid cert from LE.

There's 20+ services going through the same nginx proxy, all using the same wildcard cert and identical ssl configurations; but Ombi is the only one suddenly giving me this issue regularly.

The vast majority of my services are accessed via lan/vpn; I don't need or want ECH, though I'd like to keep a basic https setup at least.

Solution: replace local A/AAAA records with a CNAME record pointing to a local only domain with its own local A/AAAA records. See below comments for clarification.

you are viewing a single comment's thread
view the rest of the comments
[-] bobslaede@feddit.dk 8 points 3 months ago

Any chance you are both accessing your services locally with a local DNS, and publicly with something like Cloudflare?

[-] Darkassassin07@lemmy.ca 4 points 3 months ago* (last edited 3 months ago)

I do have external acces to Ombi via cloudflare; but the device I'm seeing this problem on is permanently connected to a VPN hosted from the same server machine as ombi/nginx with 'block all connections without VPN' enabled. And this testing has been done from within the same LAN.

It should never see/reach cloudflare for this service.

/edit; I've also disabled 'use secure DNS' in chrome. I host a local DNS within that lan/vpn network.

[-] bobslaede@feddit.dk 5 points 3 months ago* (last edited 3 months ago)

Try with nslookup and see if you're resolving the domain to both your local ipv4 address, and the Cloudflare ipv6 at the same time. I am using pihole for my local DNS, and it would give me both my local address, and also the Cloudflare ipv6 address.

Edit
My pihole will ask upstream even if the domain was listed locally. It doesn't ask Upstream for cname.

[-] Darkassassin07@lemmy.ca 5 points 3 months ago

Crap, looks like that's exactly what it is.

Now how to fix that...

load more comments (3 replies)
load more comments (5 replies)
load more comments (5 replies)
this post was submitted on 28 Sep 2024
25 points (100.0% liked)

Selfhosted

40716 readers
585 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS