I use Cloudron exclusively in a local environment, so I've installed my local domain with a "No-op" provider and then fed it with my locally issued certificate. I have access to all my apps from within my internal network, and the HTTPS cert is verified across all my computers thanks to my Windows domain CA.
My only problem is that OpenID auth does not work from OpenID-compatible apps. For example, from the app "2Fauth", if I try OpenID login:

(an error occured: SSO authentication refused)
In the logs of the app:
Apr 07 10:35:13 172.18.0.1 - - [07/Apr/2025:08:35:13 +0000] "GET / HTTP/1.1" 200 1593 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
Apr 07 10:35:13 172.18.0.1 - - [07/Apr/2025:08:35:13 +0000] "GET /api/v1/user HTTP/1.1" 401 41 "https://2fa.mydomain.intra/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
Apr 07 10:35:17 #0 /app/code/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(205): GuzzleHttp\Handler\CurlFactory::createRejection()
Apr 07 10:35:17 #1 /app/code/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(157): GuzzleHttp\Handler\CurlFactory::finishError()
Apr 07 10:35:17 #2 /app/code/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(47): GuzzleHttp\Handler\CurlFactory::finish()
Apr 07 10:35:17 #3 /app/code/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): GuzzleHttp\Handler\CurlHandler->__invoke()
Apr 07 10:35:17 #4 /app/code/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(48): GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler\{closure}()
Apr 07 10:35:17 #5 /app/code/vendor/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php(64): GuzzleHt" while reading response header from upstream, client: 172.18.0.1, server: _, request: "GET /socialite/callback/openid?code=<removed>&state=<removed>&iss=https%3A%2F%2Fmy.mydomain.intra%2Fopenid HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.3-fpm.sock:", host: "2fa.mydomain.intra", referrer: "https://my.mydomain.intra/"
Apr 07 10:35:17 172.18.0.1 - - [07/Apr/2025:08:35:17 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 1594 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
Apr 07 10:35:17 172.18.0.1 - - [07/Apr/2025:08:35:17 +0000] "GET /socialite/callback/openid?code=<removed>&state=<removed>&iss=https%3A%2F%2Fmy.mydomain.intra%2Fopenid HTTP/1.1" 302 426 "https://my.mydomain.intra/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
Apr 07 10:35:17 172.18.0.1 - - [07/Apr/2025:08:35:17 +0000] "GET /socialite/redirect/openid HTTP/1.1" 302 1302 "https://2fa.mydomain.intra/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
Apr 07 10:35:17 2025/04/07 08:35:17 [error] 58#58: *163175 FastCGI sent in stderr: "PHP message: [2025-04-07 08:35:17] production.ERROR: GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://my.mydomain.intra/openid/token in /app/code/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:276
I had the same issue with the app "Cloudron" but I was able to work around it by adding this to its env.sh file:
export NODE_TLS_REJECT_UNAUTHORIZED=0
I could not find any similar way of letting other apps (like 2Fauth) bypass the unknown certificate. Any help would be appreciated.
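
The "unable to get local issuer certificate" text inside cURL error 60 in the log above is OpenSSL's chain-building failure, and it can be reproduced offline. This is an added example, not part of the original post: a client without the issuing CA rejects the leaf certificate, and the same check passes once the CA certificate is in the client's trust bundle, with verification left on. The CA, the host name `issuer.example.intra` and all file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: stand-ins for an internal CA and an OpenID issuer host.
# Every name and file here is hypothetical, not taken from the post.

make_pki() {  # $1 = empty work directory
  # Self-signed root playing the role of the internal CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Internal CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
  # Key and CSR for the made-up issuer host, then a leaf signed by that CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=issuer.example.intra" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Verify leaf $1 against trust bundle $2. An empty $2 models a client (such as
# an app container) whose trust store does not contain the internal CA.
# Prints "trusted" or OpenSSL's first verification error.
check_chain() {
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -no-CApath -CAfile "$2" "$1" 2>&1) && { echo trusted; return 0; }
  else
    out=$(openssl verify -no-CAfile -no-CApath "$1" 2>&1) && { echo trusted; return 0; }
  fi
  # Keep only the reason from "error NN at D depth lookup: <reason>"
  printf '%s\n' "$out" | sed -n 's/^error [0-9]* at .*lookup: *//p' | head -n 1
}

work=$(mktemp -d) && make_pki "$work"
echo "client without the CA: $(check_chain "$work/leaf.pem")"
echo "client with the CA:    $(check_chain "$work/leaf.pem" "$work/ca.pem")"
rm -rf "$work"
```
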