All non-expired certs
not really much clearer...
The Internet connects directly to "
[OR, at least, to a system with a valid cert for that name]
```
openssl s_client -connect 184.108.40.206:443
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = exzibyte.com
verify return:1
---
Certificate chain
 0 s:CN = exzibyte.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
```
In the past 10 days, each of those names has been issued [at least] five certs!!!!!
Please stop issuing certs - that isn't fixing your problem.
Let us help you stay sane:
Let's try something different!
That output looked normal.
Good point. The default cert from that nginx config should be for media yet the default is
There is something wrong with the routing for that IP and it is not reaching that nginx system.
The full breakdown of what happened: I was trying to upgrade the pterodactyl instance version and it broke, so I wiped the VM. Then I attempted to issue a certificate for each domain. At this point I had forgotten to change the internal IP the port is forwarded to in my router, so I fixed this and reattempted to issue a certificate. It worked to issue the certificate, but then something else broke because I was going off what I had in my head, so I wiped the VM again, started following documentation, fixed everything and reissued a cert (hence the 5+ certs for each domain).
We can agree that you don't need a cert - you have all the ones you need [good for 89 more days].
Let's move on to your problem.
Please detail the HTTP(S) flow, as it comes from the Internet and where it hits each system/proxy.
This is how it should work afaik:
External Public Internet
...|-> NGINX (running panel.exzibyte.com) - VM 1
......... |-> exzibyte.com running Heimdall on port 8280 - VM2
......... |-> media.exzibyte.com running Jellyfin on port 8096 - VM2
Oh good grief. I just realized what is wrong. You have
```
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
server_name media.exzibyte.com;
```
listen lines for port 443 are commented out!
The way nginx works as a reverse proxy is that external public internet requests to any of your 3 domain names go to nginx. Well, it seems like that is what you intend anyway.
nginx proxies requests that come in for the media name to port 8096 (jellyfin) if and only if it also has certain URI values (/web/ or /socket/). Any other URI values get (wrongly) directed to HTTP://media.exzibyte.com/web/ (and right now timeout w/502 Bad Gateway).
nginx proxies requests for exzibyte.com to port 8280 for all URI values.
These proxies are controlled by the location sections in each server block
panel go to the php handler (if *.php URI) or served directly (try_files)
That's technically how the nginx config you show us works (ignoring the listen 443 being commented out)
But, HTTPS requests for media don't reach this nginx because it is not listening on port 443 for this domain name.
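A config check for the failure diagnosed above, as an added example that is not part of the original thread: it reports each `server` block in an nginx config as having an active port-443 `listen`, only a commented-out one, or none. The sample config and the `vm2.example` upstream host are constructed, and the parser assumes `#` always begins a comment.

```shell
# Added example, not from the thread. Reports per nginx server block whether a
# port-443 listen is active, only commented out, or absent.
check_listen_443() {   # reads nginx config text on stdin
  awk '
    BEGIN { L = "listen[ \t]+([^;]*:)?443([ \t;]|$)" }  # 443, not 8443
    function count(s, ch,   n, i) {                      # occurrences of ch in s
      n = 0
      for (i = 1; i <= length(s); i++) if (substr(s, i, 1) == ch) n++
      return n
    }
    {
      raw = $0; code = raw; sub(/#.*/, "", code)         # code = active text only
      if (!in_srv && code ~ /(^|[ \t;{}])server[ \t]*[{]/) {
        in_srv = 1; start = depth; name = "(unnamed)"; active = 0; commented = 0
      }
      if (in_srv) {
        if (code ~ L) { active = 1 }
        else if (raw ~ ("^[ \t]*#+[ \t]*" L)) { commented = 1 }
        if (code ~ /server_name[ \t]/) {
          name = code
          sub(/.*server_name[ \t]+/, "", name); sub(/[ \t]*;.*/, "", name)
        }
      }
      depth += count(code, "{") - count(code, "}")
      if (in_srv && depth <= start) {                    # server block closed
        print name, (active ? "OK" : (commented ? "COMMENTED_443" : "NO_443"))
        in_srv = 0
      }
    }'
}

sample_config() {   # constructed sample modelled on the thread, not the real file
  cat <<'EOF'
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name exzibyte.com;
    location / { proxy_pass http://vm2.example:8280; }
}
server {
    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    server_name media.exzibyte.com;
    location /web/ { proxy_pass http://vm2.example:8096; }
}
EOF
}
sample_config | check_listen_443
```

Piping the output of `nginx -T` into `check_listen_443` checks the configuration nginx actually loaded rather than a single file.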
OH MY GOD It even says to uncomment all that but my monkey brain said we don't need that