Browser gets served incorrect certificate

Browser gets served the certificate for exzibyte.com when navigating to media.exzibyte.com, causing the browser to refuse to serve the website. I have separate certificates for each one because media.exzibyte.com is running Jellyfin on a VM separate from the NGINX server that is acting as a reverse proxy. exzibyte.com is on the same VM, but it's a different web server instance running Heimdall, the dashboard.

My domain is:
exzibyte.com
My domain with the issue is
media.exzibyte.com

I ran this command:
certbot certonly --standalone -d media.exzibyte.com
certbot certonly --standalone -d exzibyte.com

(separate commands)

It produced this output:
the typical success output

My web server is (include version):
NGINX

The operating system my web server runs on is (include version):
Debian 11

My hosting provider, if applicable, is:
Self

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot - 1.12.0

There is likely a misconfiguration in your web server.
Let's review:
nginx -T

Also show:
certbot certificates

4 Likes

letsencrypt.txt (234.9 KB)

nginx -T output: "output of NGINX -T" (Pastebin.com)

Have you restarted nginx recently? Your nginx coding mixes the HTTP and HTTPS server blocks. While that can work people often get it wrong and there are much easier and better ways to do that.

And, why are you using --standalone when you have a perfectly good nginx webserver. --standalone requires nginx to be stopped but using --nginx or --webroot uses the running nginx system so needs no downtime.

This is the 3rd very odd Jellyfin config we've seen in the last couple of days. Is there some new blog around or something for this? What reference did you use?

That all said, can you show result of this

certbot certificates

Please just copy/paste the results here - thanks.

4 Likes

The Jellyfin official documentation says to create the jellyfin.conf in the conf.d folder. I found this odd too: Nginx | Jellyfin

Used standalone because of how the documentation on Pterodactyl creates the web server: it won't allow you to restart nginx without the SSL certificate already available, and we can't create the SSL certificate without the virtual host being available, because certbot can't find the virtual host with the domain name (Pterodactyl provides a virtual host file).

I have restarted nginx (in fact just restarted the VM entirely that is hosting nginx about 15 minutes ago)

And, this ...

4 Likes

That is not a fully accurate description of nginx. To start an HTTPS (port 443) server block yes you must have a valid cert but you can "bootstrap" such a system with a self-signed cert. If Pterodactyl won't let you that is a failing in it.

That sounds wrong too. Using Certbot with --nginx or --webroot needs nginx running but it only needs an HTTP (port 80) server block active. No certs or port 443 server block are needed for these methods.

You had a dedicated HTTP server block but then commented out lines, which merged the port 80 and 443 server blocks into one.

This all just seems like poor instructions written by someone. Perhaps pterodactyl. Do you have a link for it?

4 Likes

I see. Pterodactyl instructions are poor. They say "get a cert" but give no clue how to setup nginx or apache to allow getting a cert with the --nginx or --apache plug-in examples they show. It then has a detailed nginx conf relying on a cert and says "use this".

It also gives a --standalone example but doesn't describe how to stop/start nginx to do that or the implications of renewing with this method.

Instructions for installing certbot are also poor. Better ones are at https://certbot.eff.org

Pretty awful really.

If you want help sorting your issue out please show result of this command. This is the last time I will ask. What I saw in your nginx should work so some piece must not be as expected. This is best place to start.

certbot certificates
4 Likes

I had supplied the certbot certificates command; the output is in the letsencrypt.txt file that I uploaded.

I can't just paste it here in raw text because each post is limited to 64000 characters and the output is 260000.

Here it is as a pastebin https://pastebin.com/GLFEu12x

The node1.exzibyte.com is for the wings daemon to be behind a certificate also, so the Pterodactyl panel can safely access it.

Sorry, my bad. I am not used to seeing that included in the certbot log.

I will try to look at this later tonight. Something odd is amiss.

4 Likes

For ease of access, here is that part:

2023-05-20 15:47:47,353:DEBUG:certbot.display.util:Notifying user: Found the following certs:
  Certificate Name: exzibyte.com
    Serial Number: 36a7179501e48513b83d51daf615e67db8f
    Key Type: RSA
    Domains: exzibyte.com
    Expiry Date: 2023-08-18 04:55:44+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/exzibyte.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/exzibyte.com/privkey.pem
  Certificate Name: media.exzibyte.com
    Serial Number: 34f3ea911086ed4a6071852960af96b1dd9
    Key Type: RSA
    Domains: media.exzibyte.com
    Expiry Date: 2023-08-18 05:01:26+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/media.exzibyte.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/media.exzibyte.com/privkey.pem
  Certificate Name: node1.exzibyte.com
    Serial Number: 370b6f99a8a62bc37a38dc5989b52389ab1
    Key Type: RSA
    Domains: node1.exzibyte.com
    Expiry Date: 2023-08-18 04:41:01+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/node1.exzibyte.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/node1.exzibyte.com/privkey.pem
  Certificate Name: panel.exzibyte.com
    Serial Number: 477ab0ec395b14ef711d55b6269e9e64049
    Key Type: RSA
    Domains: panel.exzibyte.com
    Expiry Date: 2023-08-18 04:36:40+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/panel.exzibyte.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/panel.exzibyte.com/privkey.pem
2 Likes
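The listing above is plain text, so it can be parsed and checked mechanically. The following is an added example written for this thread, not code from certbot or from any poster: it reads the "Found the following certs:" format, then answers the two questions a defender asks when a browser is shown the wrong certificate, namely whether any lineage actually covers the requested name and which fullchain.pem the server block for that name has to reference. The sample input reuses two of the four entries posted above; the hostname list and the 30-day warning threshold are assumptions.

```python
"""Parse the `certbot certificates` listing and check name coverage and expiry.

Added example for this thread (not certbot's own code). It understands the
text format of `certbot certificates` as shown in the thread and reports,
per hostname a server block is meant to serve, the certificate file that
block must use, or the problem if none covers that name.
"""
import re
from datetime import datetime, timezone

# Sample input: two of the four entries posted in the thread, with the log
# prefix line that certbot writes before the listing.
SAMPLE = """\
2023-05-20 15:47:47,353:DEBUG:certbot.display.util:Notifying user: Found the following certs:
  Certificate Name: exzibyte.com
    Serial Number: 36a7179501e48513b83d51daf615e67db8f
    Key Type: RSA
    Domains: exzibyte.com
    Expiry Date: 2023-08-18 04:55:44+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/exzibyte.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/exzibyte.com/privkey.pem
  Certificate Name: media.exzibyte.com
    Serial Number: 34f3ea911086ed4a6071852960af96b1dd9
    Key Type: RSA
    Domains: media.exzibyte.com
    Expiry Date: 2023-08-18 05:01:26+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/media.exzibyte.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/media.exzibyte.com/privkey.pem
"""

# Timestamp of the log line above; used as "now" so the day counts match the listing.
THREAD_TIME = datetime(2023, 5, 20, 15, 47, 47, tzinfo=timezone.utc)

FIELD = re.compile(
    r"^\s*(Certificate Name|Domains|Expiry Date|Certificate Path|Private Key Path):\s*(.*?)\s*$"
)


def parse_certbot_certificates(text):
    """Return {lineage name: {name, domains, expiry, fullchain, privkey}}."""
    certs = {}
    current = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # serial number, key type, log prefix and blank lines are skipped
        key, value = m.groups()
        if key == "Certificate Name":
            current = certs.setdefault(value, {"name": value})
        elif current is None:
            continue
        elif key == "Domains":
            current["domains"] = value.split()
        elif key == "Expiry Date":
            # "2023-08-18 04:55:44+00:00 (VALID: 89 days)" -> keep only the timestamp
            current["expiry"] = datetime.fromisoformat(value.split(" (")[0])
        elif key == "Certificate Path":
            current["fullchain"] = value
        elif key == "Private Key Path":
            current["privkey"] = value
    return certs


def covers(domain, hostname):
    """True if a Domains entry (exact name or *.example wildcard) covers hostname.

    A wildcard is taken to cover exactly one extra label (RFC 6125, section 6.4.3).
    """
    domain, hostname = domain.lower(), hostname.lower()
    if domain.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == domain[2:]
    return domain == hostname


def find_cert_for(certs, hostname):
    """Return the lineage whose Domains line covers hostname, or None."""
    for cert in certs.values():
        if any(covers(d, hostname) for d in cert.get("domains", [])):
            return cert
    return None


def check_coverage(certs, hostnames, now, warn_days=30):
    """Map each hostname to the fullchain.pem its server block must use, or to the problem."""
    report = {}
    for host in hostnames:
        cert = find_cert_for(certs, host)
        if cert is None:
            report[host] = "NO CERTIFICATE covers this name"
            continue
        days_left = (cert["expiry"] - now).days
        if days_left < 0:
            report[host] = f"EXPIRED: {cert['fullchain']}"
        elif days_left < warn_days:
            report[host] = f"RENEW SOON ({days_left} days): {cert['fullchain']}"
        else:
            report[host] = f"OK ({days_left} days): {cert['fullchain']}"
    return report


if __name__ == "__main__":
    certs = parse_certbot_certificates(SAMPLE)
    # Assumed list of names the reverse proxy should serve; www is deliberately uncovered.
    hosts = ["exzibyte.com", "media.exzibyte.com", "www.exzibyte.com"]
    for host, status in check_coverage(certs, hosts, THREAD_TIME).items():
        print(f"{host}: {status}")
```

Feed it the real listing (`certbot certificates > certs.txt`) and the names from `server_name` lines of `nginx -T`; any server block whose `ssl_certificate` path differs from the fullchain.pem reported for its name is the misconfiguration to look at first.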

Thank you for narrowing it down

1 Like

The pastebin link content is gone ☹

2 Likes

I don't see why you get the wrong cert.

To recap, requests to https://media.exzibyte.com return a cert with the name for exzibyte.com

The media server block is the first so is the default. So, it is difficult to have the cert for the second server block returned. None of the explanations is likely

  1. that is not the nginx system that is getting the inbound requests. This can happen if your NAT or port forwarding is going to the wrong server. And, one that is nearly the same as this one
  2. You somehow modify the "host" value on inbound requests and change it from media.exzibyte.com to exzibyte.com
  3. You have modified the files or symlinks for media cert files to point to the wrong set

Does any of this ring a bell?

As an aside, your redirects for HTTP to HTTPS don't work well. This is a result of you mixing your port 80 and 443 configs in the same server block and not doing it properly.

3 Likes
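The reasoning in the reply above rests on one rule: a TLS connection is matched to a server block by the SNI name the client sends (nginx chooses the certificate before it ever sees an HTTP Host header), and when no `server_name` on that listen port matches, nginx falls back to the default server for that port, which is the first block listed unless one carries `default_server`. The following is an added example written for this thread, not nginx's code and not the poster's configuration: a small model of that selection order (exact name, then longest `*.`-wildcard, then default) that lets you test each hypothesis against a set of server blocks. The blocks and certificate paths are constructed to resemble the setup described; the only real values are the two lineage paths from the certbot listing.

```python
"""Model of nginx server-block (and therefore certificate) selection for TLS.

Added example for this thread; a simplified model of the order documented in
nginx's "How nginx processes a request" (exact name, longest leading wildcard,
default server). Regex server names and trailing wildcards are left out.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerBlock:
    server_names: List[str]
    listen_ports: List[int]
    ssl_certificate: Optional[str] = None   # fullchain.pem path; None for plain-HTTP blocks
    default_server: bool = False            # set when a listen line carries default_server


def _wildcard_matches(pattern, host):
    """nginx '*.example.com' matches any name ending in '.example.com'."""
    suffix = pattern[1:]  # ".example.com"
    return host.endswith(suffix) and host != suffix


def select_server(blocks, port, sni_name):
    """Return the block nginx would use for a connection to `port` with SNI `sni_name`."""
    candidates = [b for b in blocks if port in b.listen_ports]
    if not candidates:
        return None
    if sni_name:
        name = sni_name.lower()
        # 1. exact server_name
        for b in candidates:
            if any(n.lower() == name for n in b.server_names):
                return b
        # 2. longest server_name starting with "*."
        best, best_len = None, -1
        for b in candidates:
            for n in b.server_names:
                if n.startswith("*.") and _wildcard_matches(n.lower(), name) and len(n) > best_len:
                    best, best_len = b, len(n)
        if best is not None:
            return best
    # 3. default server for this port: explicit default_server, else the first one listed
    for b in candidates:
        if b.default_server:
            return b
    return candidates[0]


def served_certificate(blocks, sni_name, port=443):
    """Certificate path the client would be shown, or None if nothing listens on the port."""
    b = select_server(blocks, port, sni_name)
    return None if b is None else b.ssl_certificate


# Real lineage paths from the certbot listing in the thread.
MEDIA_CERT = "/etc/letsencrypt/live/media.exzibyte.com/fullchain.pem"
ROOT_CERT = "/etc/letsencrypt/live/exzibyte.com/fullchain.pem"
# Constructed placeholder for a hypothetical wildcard lineage (not in the thread).
WILDCARD_CERT = "/etc/letsencrypt/live/wildcard-placeholder/fullchain.pem"

# Constructed to resemble the thread: media block first, root block second, both on 443.
AS_DESCRIBED = [
    ServerBlock(["media.exzibyte.com"], [80, 443], MEDIA_CERT),
    ServerBlock(["exzibyte.com"], [80, 443], ROOT_CERT),
]
# Same, but the media block no longer listens on 443 (e.g. its listen 443 line got commented out).
MEDIA_NOT_ON_443 = [
    ServerBlock(["media.exzibyte.com"], [80], MEDIA_CERT),
    ServerBlock(["exzibyte.com"], [80, 443], ROOT_CERT),
]
# Exact name beats a wildcard even when the wildcard block is listed first.
WILDCARD_FIRST = [
    ServerBlock(["*.exzibyte.com"], [443], WILDCARD_CERT),
    ServerBlock(["media.exzibyte.com"], [443], MEDIA_CERT),
]

if __name__ == "__main__":
    for label, blocks in [("as described", AS_DESCRIBED), ("media not on 443", MEDIA_NOT_ON_443)]:
        for sni in ["media.exzibyte.com", "exzibyte.com", "unknown.exzibyte.com", None]:
            print(f"{label:18} SNI={sni!s:22} -> {served_certificate(blocks, sni)}")
```

Run against the blocks in the thread's description, the model confirms the reply: with the media block first and listening on 443, only a request whose SNI name is exactly exzibyte.com gets the root certificate, so the symptom points at the request not arriving with that name, or at this nginx not being the one that answers. To check the live server rather than the model, `openssl s_client -connect <ip>:443 -servername media.exzibyte.com` shows which certificate is actually returned for a given SNI name.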

How is this being made possible?
[when you only have one external IP address]

3 Likes

Heimdall and Jellyfin each run their own web server instance (I believe using ExpressJS running on NodeJS) as applications; I'm just using NGINX as a reverse proxy for both of them.

NGINX is on the same VM as panel.exzibyte.com, but exzibyte.com and media.exzibyte.com are on a different VM.

Can you show output of these? Checking to see if there is just one nginx running

sudo systemctl status --no-pager --full  nginx

sudo ps -eF | grep nginx
3 Likes

Also, crt.sh is showing 502 Bad Gateway error [again]

Can someone check [elsewhere] for how many recent certs have been issued for this domain?

2 Likes