Browser gets served incorrect certificate

All non-expired certs


not really much clearer...

The Internet connects directly to "".
[OR, at least, to a system with a valid cert for that name]

openssl s_client -connect
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN =
verify return:1
Certificate chain
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

In the past 10 days, each of those names has been issued [at least] five certs!!!!!
Please stop issuing certs - that isn't fixing your problem.

Let us help you stay sane:
Let's try something different!
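The openssl s_client output above is the fastest way to see which certificate a server really hands back for a name. The helper below, added here and not part of the thread, parses that transcript format and flags the case where the leaf certificate's CN is not the name you asked for. The sample transcripts are constructed and the host names (media.example.net, panel.example.net) are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): parse an `openssl s_client` transcript like
# the one above and report which leaf certificate the server actually served.
# Sample transcripts below are constructed; host names are placeholders.

# Subject of chain entry 0 (the leaf) from s_client output on stdin.
leaf_subject() {
  awk '/^Certificate chain/ { c = 1; next }
       c && /^ *0 s:/      { sub(/^ *0 s:/, ""); print; exit }'
}

# Issuer of the leaf: the "i:" line that follows chain entry 0.
leaf_issuer() {
  awk '/^ *0 s:/     { f = 1; next }
       f && /^ *i:/  { sub(/^ *i:/, ""); print; exit }'
}

# Compare the leaf CN with the name you asked for; prints MATCH or "MISMATCH <cn>".
# A mismatch with an otherwise valid chain is the symptom in this thread: the request
# reached a server that is not listening for that name on 443, so the default
# server's certificate was returned instead.
check_leaf_cn() {
  expected="$1"
  cn=$(leaf_subject | sed -n 's/.*CN *= *\([^,]*\).*/\1/p')
  if [ "$cn" = "$expected" ]; then
    echo "MATCH"
  else
    echo "MISMATCH ${cn}"
  fi
}

# Live probe (needs network; not exercised offline). -servername sends SNI the way a
# browser does; leave it out and you may be shown the default certificate rather
# than the one you are debugging.
probe() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "${host}:${port}" -servername "${host}" </dev/null 2>/dev/null \
    | check_leaf_cn "${host}"
}

# Constructed transcript: media.example.net was requested, panel.example.net's cert came back.
sample_wrong() {
  cat <<'EOF'
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = panel.example.net
verify return:1
---
Certificate chain
 0 s:CN = panel.example.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

# Constructed transcript: the certificate the browser should have seen.
sample_ok() {
  sample_wrong | sed 's/panel\.example\.net/media.example.net/g'
}

sample_wrong | check_leaf_cn media.example.net   # MISMATCH panel.example.net
sample_ok    | check_leaf_cn media.example.net   # MATCH
```

Run `probe media.example.net` (with your real name) from outside your network; "verify return:1" on every depth only tells you the chain is valid, not that it is the right chain for the name, which is why the CN comparison is the useful part.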


systemctl status command output

ps grep output

That output looked normal.

Good point. The default cert from that nginx config should be for media yet the default is

There is something wrong with the routing for that IP, and it is not reaching that nginx system.


The full breakdown of what happened: I was trying to upgrade the Pterodactyl instance version and it broke, so I wiped the VM. Then I attempted to issue a certificate for each domain. At this point I had forgotten to change the internal IP the port is forwarded to in my router, so I fixed this and reattempted to issue a certificate. It worked to issue the certificate, but then something else broke because I was going off what I had in my head, so I wiped the VM again and started following documentation and fixed everything and reissued a cert (hence the 5+ certs for each domain).

We can agree that you don't need a cert - you have all the ones you need [good for 89 more days].
Let's move on to your problem.
Please detail the HTTP(S) flow as it comes from the Internet and where it hits each system/proxy.


This is how it should work afaik:

External Public Internet
...|-> NGINX (running on VM 1)
......... |-> running Heimdall on port 8280 - VM2
......... |-> running Jellyfin on port 8096 - VM2

Oh good grief. I just realized what is wrong. You have

    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;

Your listen lines for port 443 are commented out!


The way nginx works as a reverse proxy is that external public Internet requests to any of your 3 domain names go to nginx. Well, it seems like that is what you intend anyway.

nginx proxies requests that come in for the media name to port 8096 (Jellyfin) if and only if they also have certain URI values (/web/ or /socket/). Any other URI values get (wrongly) directed to HTTP:// (and right now time out with a 502 Bad Gateway).

nginx proxies requests for to port 8280 for all URI values

These proxies are controlled by the location sections in each server block

Requests for panel go to the php handler (if *.php URI) or served directly (try_files)

That's technically how the nginx config you show us works (ignoring the listen 443 being commented out)

But, HTTPS requests for media don't reach this nginx because it is not listening on port 443 for this domain name.
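The diagnosis above comes down to one fact about nginx: if no server block listens on 443 for the name in the SNI, nginx answers with the default server for :443 (the first one, or whichever carries `default_server`) and that server's certificate. The script below, added here and not the poster's own config, audits a config for server blocks that name a host but have no active `listen ... 443` line, stripping comments first so the commented-out `# listen 443 ssl http2;` counts as missing. The embedded configs are constructed; host names, the backend address 10.0.0.2 and the certificate paths are placeholders.

```shell
#!/bin/sh
# Added example (not the poster's config): find nginx server blocks that have a
# server_name but no active `listen ... 443`. Comments are stripped before matching,
# so `# listen 443 ssl http2;` is correctly reported as "NO TLS LISTENER".
# Host names, backend addresses and certificate paths below are placeholders.

# Read an nginx config on stdin; print "<server_name> -> tls|NO TLS LISTENER" per block.
audit_tls_listeners() {
  awk '
    {
      line = $0; sub(/#.*/, "", line)                         # drop comments
      if (line ~ /^[ \t]*server[ \t]*[{]/) { inblk = 1; depth = 0; names = ""; tls = 0 }
      if (inblk) {
        if (line ~ /^[ \t]*server_name[ \t]/) {
          sub(/^[ \t]*server_name[ \t]+/, "", line); sub(/;.*/, "", line); names = line
        }
        if (line ~ /^[ \t]*listen[ \t]/ && line ~ /[ \t:]443([ \t;]|$)/) tls = 1
        depth += gsub(/[{]/, "{", line)                      # track nesting so that a
        depth -= gsub(/[}]/, "}", line)                      # location {} does not end the block
        if (depth == 0) {
          printf "%s -> %s\n", names, (tls ? "tls" : "NO TLS LISTENER"); inblk = 0
        }
      }
    }'
}

# Constructed config in the state described in the thread: the media block only
# listens on 80, so HTTPS for that name lands on another block and its certificate.
broken_config() {
  cat <<'EOF'
server {
    listen 80;
    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    server_name media.example.net;
    ssl_certificate     /etc/letsencrypt/live/media.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/media.example.net/privkey.pem;
    location /web/    { proxy_pass http://10.0.0.2:8096; }
    location /socket/ {
        proxy_pass http://10.0.0.2:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location / { proxy_pass http://10.0.0.2:8096; }   # assumed catch-all to Jellyfin
}
server {
    listen 443 ssl http2;
    server_name apps.example.net;
    ssl_certificate     /etc/letsencrypt/live/apps.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apps.example.net/privkey.pem;
    location / { proxy_pass http://10.0.0.2:8280; }   # Heimdall
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name panel.example.net;
    ssl_certificate     /etc/letsencrypt/live/panel.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/panel.example.net/privkey.pem;
    root  /var/www/panel/public;
    index index.php;
    location / { try_files $uri $uri/ /index.php?$query_string; }
    location ~ \.php$ { fastcgi_pass unix:/run/php/php-fpm.sock; include fastcgi_params; }
}
EOF
}

# The fix from the thread: uncomment the two 443 listen lines in the media block.
fixed_config() {
  broken_config | sed 's/^\( *\)# \(listen .*443\)/\1\2/'
}

broken_config | audit_tls_listeners
# media.example.net -> NO TLS LISTENER
# apps.example.net -> tls
# panel.example.net -> tls
fixed_config | audit_tls_listeners | grep -c '> tls$'   # 3
```

Against a live box, `nginx -T | audit_tls_listeners` runs the check over the full, include-expanded configuration; confirm with `ss -ltnp | grep ':443'` that nginx actually binds 443 at all, and after editing run `nginx -t && systemctl reload nginx`. The ssl_certificate in the newly enabled block must be the certificate for that name, otherwise the browser will still report a mismatch even though the listener is now present.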


OH MY GOD. It even says to uncomment all that, but my monkey brain said we don't need that.

