Browser gets served incorrect certificate

All non-expired certs

3 Likes

not really much clearer...

The Internet connects directly to "exzibyte.com".
[OR, at least, to a system with a valid cert for that name]

    openssl s_client -connect 108.175.253.57:443
    CONNECTED(00000005)
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = exzibyte.com
    verify return:1
    ---
    Certificate chain
     0 s:CN = exzibyte.com
       i:C = US, O = Let's Encrypt, CN = R3
     1 s:C = US, O = Let's Encrypt, CN = R3
       i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
     2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
       i:O = Digital Signature Trust Co., CN = DST Root CA X3
    ---
3 Likes
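An added check, not from the thread or from the openssl or nginx projects: it parses `openssl s_client` output for the leaf (depth=0) subject CN and compares it with the name the client asked for, which is the mismatch a browser reports. The embedded sample output is constructed from the transcript above; the `fetch_leaf_cn` helper is for a live run and passes `-servername`, so nginx picks the server block for that name the way a browser's SNI would, rather than its default block.

```shell
#!/bin/sh
# Added example: compare the certificate a host serves for a name against that name.

# Constructed sample, modelled on the s_client transcript in the thread and trimmed
# to the lines the parser reads.
SAMPLE_OUTPUT=$(cat <<'EOF'
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = exzibyte.com
verify return:1
---
Certificate chain
 0 s:CN = exzibyte.com
   i:C = US, O = Let's Encrypt, CN = R3
---
EOF
)

# leaf_cn: read s_client output on stdin and print the CN of the depth=0 (leaf) subject.
# Prints nothing when no leaf line is present (handshake failed or no cert sent).
leaf_cn() {
    sed -n 's/^depth=0 .*CN = \([^,]*\).*/\1/p' | head -n 1
}

# served_name_matches EXPECTED: exit 0 when the leaf CN on stdin equals EXPECTED.
served_name_matches() {
    expected="$1"
    actual="$(leaf_cn)"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_leaf_cn HOST NAME: live variant (not used by the sample). -servername sends SNI
# for NAME, so a virtual-hosting server answers with that name's certificate; </dev/null
# closes the session right after the handshake.
fetch_leaf_cn() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null | leaf_cn
}

# Stand-alone run: report what the sample transcript would mean for media.exzibyte.com.
if [ "${1:-}" = "--demo" ]; then
    if printf '%s\n' "$SAMPLE_OUTPUT" | served_name_matches media.exzibyte.com; then
        echo "served cert matches media.exzibyte.com"
    else
        echo "served cert is for '$(printf '%s\n' "$SAMPLE_OUTPUT" | leaf_cn)', not media.exzibyte.com"
    fi
fi
```

Run it with `--demo` to see the sample reported as a mismatch; for a live host, `fetch_leaf_cn 108.175.253.57 media.exzibyte.com` shows which block nginx actually selects for that name.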

In the past 10 days, each of those names has been issued [at least] five certs!!!!!
Please stop issuing certs - that isn't fixing your problem.

Let us help you stay sane:
[image]
Let's try something different!

2 Likes

[systemctl status command output]

[ps grep output]

That output looked normal.

Good point. The default cert from that nginx config should be for media, yet the default is exzibyte.com.

There is something wrong with the routing for that IP, and it is not reaching that nginx system.

3 Likes

The full breakdown of what happened: I was trying to upgrade the pterodactyl instance version and it broke, so I wiped the VM. Then I attempted to issue a certificate for each domain; at this point I had forgotten to change the internal IP the port is forwarded to in my router, so I fixed this and reattempted to issue a certificate. It worked to issue the certificate, but then something else broke because I was going off what I had in my head, so I wiped the VM again, started following documentation, fixed everything and reissued a cert (hence the 5+ certs for each domain).

We can agree that you don't need a cert - you have all the ones you need [good for 89 more days].
Let's move on to your problem.
Please detail the HTTP(S) flow: as it comes from the Internet and where it hits each system/proxy.

3 Likes

This is how it should work afaik:

External Public Internet
...|-> NGINX (running panel.exzibyte.com) - VM 1
......... |-> exzibyte.com running Heimdall on port 8280 - VM2
......... |-> media.exzibyte.com running Jellyfin on port 8096 - VM2

Oh good grief. I just realized what is wrong. You have

    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    server_name media.exzibyte.com;

Your listen lines for port 443 are commented out!

=============================

The way nginx works as a reverse proxy is that external public internet requests to any of your 3 domain names goes to nginx. Well, it seems like that is what you intend anyway.

nginx proxies requests that come in for the media name to port 8096 (jellyfin) if and only if it also has certain URI values (/web/ or /socket/). Any other URI values get (wrongly) directed to HTTP://media.exzibyte.com/web/ (and right now time out w/ 502 Bad Gateway).

nginx proxies requests for exzibyte.com to port 8280 for all URI values

These proxies are controlled by the location sections in each server block

Requests for panel go to the php handler (if *.php URI) or served directly (try_files)

That's technically how the nginx config you show us works (ignoring the listen 443 being commented out)

But, HTTPS requests for media don't reach this nginx because it is not listening on port 443 for this domain name.

4 Likes
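An added check for exactly this class of misconfiguration, not from the thread or from the nginx project: it walks an nginx config on stdin, ignores everything after `#`, and prints the `server_name` of every server block that has no active `listen` on port 443. The embedded config is constructed (the 10.0.0.2 backend address is a placeholder; the ports are the ones in the thread) and reproduces the commented-out listen lines quoted above. `nginx -t` will not catch this, since a block with only `listen 80;` is perfectly valid syntax.

```shell
#!/bin/sh
# Added example: find nginx server blocks that never listen on 443.

# Constructed sample config: the first block has its 443 listeners commented out
# (as in the thread), the second is correct. 10.0.0.2 is a placeholder address.
SAMPLE_CONF=$(cat <<'EOF'
server {
    listen 80;
    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    server_name media.exzibyte.com;

    location / {
        proxy_pass http://10.0.0.2:8096;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name exzibyte.com;

    location / {
        proxy_pass http://10.0.0.2:8280;
    }
}
EOF
)

# servers_without_tls: read an nginx config on stdin; print the server_name of each
# server block with no uncommented "listen ... 443" directive. Brace depth is tracked
# so nested location blocks do not end the server block early.
servers_without_tls() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                      # drop comments: "# listen 443" must not count
        if (!in_server && line ~ /(^|[[:space:]])server[[:space:]]*[{]/) {
            in_server = 1; server_depth = depth
            name = "(no server_name)"; has443 = 0
        }
        if (in_server && line ~ /^[[:space:]]*server_name[[:space:]]/) {
            n = line
            sub(/^[[:space:]]*server_name[[:space:]]+/, "", n)
            sub(/[[:space:]]*;.*/, "", n)
            name = n
        }
        # match 443 as a whole port number so 8443 is not mistaken for it
        if (in_server && line ~ /^[[:space:]]*listen[[:space:]]/ && line ~ /(^|[^0-9])443([^0-9]|$)/)
            has443 = 1
        opens = gsub(/[{]/, "{", line)
        closes = gsub(/[}]/, "}", line)
        depth += opens - closes
        if (in_server && depth <= server_depth) {   # server block closed
            if (!has443) print name
            in_server = 0
        }
    }'
}

# Stand-alone run: report offending blocks from the sample or from a file given as $1.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CONF" | servers_without_tls
elif [ -n "${1:-}" ]; then
    servers_without_tls < "$1"
fi
```

Run against the sample with `--demo` it prints only `media.exzibyte.com`; pointing it at a real site file (for example one under `/etc/nginx/sites-enabled/`) lists every name that HTTPS requests cannot reach through that config, which is the case described above.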

OH MY GOD. It even says to uncomment all that, but my monkey brain said we don't need that.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.