greengaroo wrote:
(update regarding my previous reply)
I upgraded my local Mac OS X to 10.10.5 and my local OS X Server app to 4.1.5. When connecting to my Mac Mini server using OS X Server from my iMac, I still see the message in red: "This certificate was signed by an unknown authority". If I connect on the server with Remote Desktop and use the OS X Server from the server itself, I see the message in green: "This certificate is valid".
I conclude this is either a glitch in the OS X Server or a limitation that cannot be resolved, and when it comes to managing certificates, you'd better do this directly on the server itself to avoid some potential issues.
For your case, you're going to have to look at the certificate chains involved and the intermediate certificates, and you'll want to see if the DNS translations are the same for both paths. The behavior you're describing could be that the certificates do not match the reverse DNS (IP address to name) domain names being used, as the domain names differ based on the access path. If the paths have different names, then you'll need a multiple-domain or wildcard certificate, or you'll need to sort out the DNS to have the same name used via the various paths.
To see the reverse translation, launch Terminal.app from Applications > Utilities and issue the following command, adjusting the IP address for your local IP address and your public IP address as well as your DNS host name — and yes, I'm assuming NAT is in use here. $ is the command prompt, and what follows is the command you'll enter. The next line is the response.
$ dig +short yourservername.example.com
192.0.2.10
$ dig +short -x 192.0.2.10
yourservername.example.com
$
You'll want to issue those commands in the various network contexts where you're testing access from, too — from your private NAT'd network and (presumably) from somewhere on the public internet.
If the reverse does not match the domain or host name on the certificate, that'll cause certificate validation errors of the sort you're reporting.
In general, please consider starting a new thread, and not resurrecting an older thread. Mixing discussions and problems just gets me confused, as we're now discussing what may be different errors or behaviors or causes, different versions, different solutions. It can get other readers confused, too. Your case involves different IP routing paths which AFAICT the base thread does not, for instance. If you're sure that the problem in the new thread is the same as the old one, then certainly reference the older thread for background.
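An added example, not part of the original posts: a Python check of which access paths a given certificate covers, and which host names a multiple-domain certificate would still need to list. The path labels, host names and certificate name lists are constructed, and the wildcard rule used (a `*` covers exactly one left-most label) is an assumption about how the client matches names.

```python
# Added example; every host name and certificate name list here is constructed.

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against the host name a client used.

    A '*' is honoured only as the whole left-most label and covers exactly
    one label: '*.example.com' matches 'mini.example.com' but neither
    'example.com' nor 'mini.lan.example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_paths(cert_names, path_names):
    """Return {path: (host, covered)} for every access path."""
    return {
        path: (host, any(name_matches(n, host) for n in cert_names))
        for path, host in path_names.items()
    }


def uncovered(cert_names, path_names):
    """Host names in use on some path that the certificate does not cover."""
    results = check_paths(cert_names, path_names).values()
    return sorted({host for host, ok in results if not ok})


# Constructed scenario: the name each path ends up using for the server.
PATHS = {
    "on the server itself": "yourservername.example.com",
    "client on the NAT'd LAN": "mini.lan.example.com",
    "public internet": "yourservername.example.com",
}
SINGLE = ["yourservername.example.com"]
WILDCARD = ["*.example.com"]
MULTI = ["yourservername.example.com", "mini.lan.example.com"]

if __name__ == "__main__":
    for label, cert in (("single", SINGLE), ("wildcard", WILDCARD), ("multi", MULTI)):
        print(f"{label:8} uncovered names:", uncovered(cert, PATHS) or "none")
```

In this scenario the wildcard certificate still leaves the LAN path uncovered, because the LAN name sits two labels below `example.com`.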