Certificates generated for wrong domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Info Fields

My domain is:

smallpepperz.com

I ran this command:

certbot certonly --webroot --webroot-path=/var/www/certbot --email me@example.com --agree-tos --no-eff-email -d smallpepperz.com

It produced this output:

I ran it a second time because I didn't save the log originally, so it asks about renewal

Command output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/smallpepperz.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for smallpepperz.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/smallpepperz.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/smallpepperz.com/privkey.pem
This certificate expires on 2021-11-01.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):

nginx/1.19.4

The operating system my web server runs on is (include version):

macOS Big Sur

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Both certbot and nginx are in docker containers, if that's relevant. It uses a docker compose file with the latest versions of certbot/certbot and nginx. Docker version 20.10.7

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1.17.0

I generated a certificate for my domain, and the setup process seems to have been successful. The issue I'm having is that my browser warns me the certificate is invalid, and WhyNoPadlock along with similar sites say my certificates are for *.mproxy.io. I have not heard of mproxy, and a google search turns up nothing. Nginx shows no errors when starting.

1 Like

Let's have a look at the entire nginx config with:
nginx -T

I suspect that although the vhost config for HTTP (TCP port 80) was sufficiently matched to obtain the cert, the vhost config for HTTPS (TCP port 443) isn't correctly configured to serve that name (and is serving the first/default configuration).

OR (even worse)

This is your first attempt at connecting to your system via HTTPS (TCP port 443) and the NAT device is either accepting the connections itself or passing them to another device (not to your Mac).

1 Like

This is a first for me:

openssl s_client -connect smallpepperz.com:443
CONNECTED(00000194)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=*.mproxy.io
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 3 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 4 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 5 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 6 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 7 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 8 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 9 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
10 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
11 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
12 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
13 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
14 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
15 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
16 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
17 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
18 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
19 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
20 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
21 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
22 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
23 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
24 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
25 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
26 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
27 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted from the quoted output]
-----END CERTIFICATE-----
subject=/CN=*.mproxy.io
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 37709 bytes and written 302 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 20E2084E8A469804612DF4024D2F59E737152BE1F999226A8437288B6D309F2F
    Session-ID-ctx:
    Master-Key: 4D13ED64CA8C8F8732B0CD4D836636CB41C86A4C927D4D35B903C5B1D5D3B28A06C5AA7870C854F4207182F976F75CC8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 04 8c c6 9f 21 c2 a9 bb-a4 b6 10 f0 85 07 1e 9b   ....!...........
    0010 - 0e f3 dc c1 af 2d 7e 13-a3 aa 8f c2 f7 e6 be e3   .....-~.........
    0020 - 67 ca f7 2f 6a cc 2c b9-9e c5 57 e6 b1 9c 1a 8f   g../j.,...W.....
    0030 - 47 7e 1a 17 a3 fe 6c 8e-3f ed ae e2 fa 7c 2d 90   G~....l.?....|-.
    0040 - 90 96 83 c4 00 0f bd d9-a8 c8 1c 50 8a 7d dd 0a   ...........P.}..
    0050 - 6d ef d0 ed 4f ee f2 bd-7d b2 be 27 94 63 d8 7a   m...O...}..'.c.z
    0060 - d8 a1 60 ba 2e 6c cc fb-33 be 82 b2 d3 14 c0 92   ..`..l..3.......
    0070 - 57 32 a8 e5 92 75 d3 a9-6b 95 ad fb a9 d2 20 87   W2...u..k..... .
    0080 - 0f 59 62 46 d0 d0 4b 8b-9b 8f 40 22 47 75 24 33   .YbF..K...@"Gu$3
    0090 - c2 9f fa 87 75 ea e7 cf-e0 fc fc 2b 89 60 9f aa   ....u......+.`..
    00a0 - 7c 6d 85 67 15 74 d4 38-de e4 f0 a8 8d d6 b5 ed   |m.g.t.8........
    00b0 - 11 1c b6 a3 41 e3 00 15-e2 fe 36 61 1a e4 45 fe   ....A.....6a..E.

    Start Time: 1628035350
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---
^C
1 Like
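The `openssl s_client` output above is the decisive evidence: the leaf certificate presented on port 443 has subject `*.mproxy.io`, which cannot match `smallpepperz.com` under any hostname-matching rule. The script below is an added example (not part of the thread and not Certbot or OpenSSL code) that parses an `s_client` transcript, pulls the leaf subject and issuer out of the chain listing, and applies RFC 6125 style matching, including the rule that a wildcard covers exactly one label, so `*.smallpepperz.com` would not cover the bare `smallpepperz.com`. The sample transcript is a constructed excerpt modelled on the one quoted above. Note that `s_client` prints only the subject DN; browsers check the subjectAltName extension, so for a definitive answer run `openssl s_client -showcerts` and inspect the SAN with `openssl x509 -noout -ext subjectAltName`.

```python
"""Triage an `openssl s_client` transcript: which leaf certificate was presented,
who issued it, and does its name cover the host that was dialed?"""
import re

# Constructed excerpt modelled on the thread's output (leaf *.mproxy.io served
# for smallpepperz.com). Only the parts the parser needs are reproduced.
SAMPLE_S_CLIENT = """CONNECTED(00000194)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=*.mproxy.io
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=*.mproxy.io
issuer=/C=US/O=Let's Encrypt/CN=R3
---
"""


def parse_chain(output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' listing.

    s_client prints each chain element as an 'N s:<subject>' line followed by
    an '   i:<issuer>' line; element 0 is the leaf the server presented."""
    chain = []
    subject = None
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s+i:(.*)$", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def common_name(dn):
    """Extract the CN from an OpenSSL-style DN ('/C=US/O=.../CN=R3' or 'CN = R3')."""
    m = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else None


def hostname_matches(pattern, hostname):
    """RFC 6125 style reference-identifier match.

    Exact match is case-insensitive; a wildcard is only honoured as a whole
    leading label ('*.example.com') and matches exactly one label, so it does
    not cover 'example.com' itself nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def diagnose(output, dialed_host):
    """Summarise the transcript for the host that was dialed."""
    chain = parse_chain(output)
    if not chain:
        return {"leaf": None, "issuer": None, "covers_host": False, "chain_depth": 0}
    leaf_subject, leaf_issuer = chain[0]
    cn = common_name(leaf_subject)
    return {
        "leaf": cn,
        "issuer": common_name(leaf_issuer),
        "covers_host": hostname_matches(cn, dialed_host) if cn else False,
        "chain_depth": len(chain),
    }


if __name__ == "__main__":
    # Expected: leaf '*.mproxy.io', issuer 'R3', covers_host False
    print(diagnose(SAMPLE_S_CLIENT, "smallpepperz.com"))
```

Feed it the real transcript with `diagnose(open("s_client.txt").read(), "smallpepperz.com")`; a `covers_host` of `False` with an unexpected leaf subject, as here, points at something other than the intended server terminating TLS, whereas a `False` with a leaf from your own domain points at an nginx `server_name` or `ssl_certificate` mismatch.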
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;


    include /etc/nginx/conf.d/smallpepperz.com.conf;

	server {
		listen      80 default_server;
		listen      [::]:80 default_server;
		server_name _;
		return      444;
	}
}
# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/smallpepperz.com.conf:
server {
    listen 80;
    listen [::]:80; 
    
    listen 443 ssl;
    
    root /var/www/smallpepperz.com/html;  
    index index.html; 
    
    server_name smallpepperz.com
                www.smallpepperz.com
                *.smallpepperz.com;

    location /.well-known/acme-challenge/ {
        allow all;
        root /var/www/certbot;
    }   

    ssl_certificate /etc/letsencrypt/live/smallpepperz.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smallpepperz.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

TLS is difficult enough...
Combining HTTP and HTTPS in one server block is NOT for the beginner.
I consider myself much more than that and even I don't bother doing that.
[the gain, if any, isn't worth the added complexity]

server {
    listen 80;
    listen [::]:80; 
    
    listen 443 ssl;
    
    root /var/www/smallpepperz.com/html;  
    index index.html; 
    
    server_name smallpepperz.com
                www.smallpepperz.com
                *.smallpepperz.com;

    location /.well-known/acme-challenge/ {
        allow all;
        root /var/www/certbot;
    }   

    ssl_certificate /etc/letsencrypt/live/smallpepperz.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smallpepperz.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
}

I would split that in two.
[divide and conquer!]

1 Like
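One way to do the split recommended above, as an added example rather than a config from the thread or from Certbot: the port 80 block keeps only the ACME challenge location and redirects everything else, and the port 443 block carries the TLS settings. The redirect is an assumption about the desired behaviour. Two details are taken from the thread itself: the quoted config has no `listen [::]:443 ssl` for IPv6, and the certificate was requested with `-d smallpepperz.com` alone, so `www.smallpepperz.com` or any `*.smallpepperz.com` name in `server_name` would be served with a certificate that does not name it; either add those names with `-d` when issuing or leave them out of the HTTPS block.

```nginx
# Port 80: answer ACME http-01 challenges, send everything else to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name smallpepperz.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS only, names limited to what the certificate actually covers
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name smallpepperz.com;

    root  /var/www/smallpepperz.com/html;
    index index.html;

    ssl_certificate     /etc/letsencrypt/live/smallpepperz.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smallpepperz.com/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
}
```

Check the result with `nginx -t` and then `nginx -T`, which prints the merged configuration so that a stray `listen 443` in another included file is easy to spot.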

And as there is no mention of any other cert, I can only suspect the path has been deviated.
Whereas HTTP (TCP port 80) does reach your system.
HTTPS (TCP port 443) does not.
HTTPS is being intercepted by something/somehow along the way.
A device that can somehow synchronize its active wildcard certificate (*.mproxy.io) with the Internet.

1 Like

I've split the server into two vhosts, which doesn't seem to have changed anything. According to the google wifi app (I have a google mesh network), both 443 TCP and 80 TCP are being forwarded to the correct local IP. Is there a way to check how far the https request is getting/where it's being stopped?

1 Like

I don't know of anything that can explicitly follow one particular TCP port to the detail necessary to answer your implied request.
traceroute can show route hops along the way using ICMP packets or UDP packets typically in the port range 334xx-336xx. I've never tried using TCP port 443 for that. I guess that is worth trying.
I get:

traceroute -Tp 443 smallpepperz.com
traceroute to smallpepperz.com (97.115.71.97), 30 hops max, 60 byte packets
 1  [redacted]  1.751 ms  2.037 ms  2.397 ms
 2  [redacted]  2.591 ms  3.143 ms  2.601 ms
 3  * * *
 4  99.167.38.110 (99.167.38.110)  12.985 ms  6.719 ms  13.329 ms
 5  12.242.116.11 (12.242.116.11)  12.878 ms  20.684 ms  14.723 ms
 6  * * *
 7  ae-1-37.bar3.Portland1.Level3.net (4.69.218.234)  87.812 ms  108.035 ms  108.389 ms
 8  4.68.38.154 (4.68.38.154)  90.331 ms  87.980 ms  82.873 ms
 9  207.225.86.162 (207.225.86.162)  86.021 ms  86.053 ms  84.985 ms
10  97-115-71-97.ptld.qwest.net (97.115.71.97)  81.925 ms  81.642 ms  81.660 ms
11  97-115-71-97.ptld.qwest.net (97.115.71.97)  83.125 ms  82.338 ms  84.727 ms
12  97-115-71-97.ptld.qwest.net (97.115.71.97)  86.020 ms  85.266 ms  82.912 ms

Does that device respond to port 443?
If so, can that port be changed to another?
[I suspect the WiFi mesh device is the one that is using port 443 (with `*.mproxy.io` cert)]

Another clue:

curl -Iki smallpepperz.com
HTTP/1.1 200 OK
Server: nginx/1.19.4
Date: Wed, 04 Aug 2021 03:14:26 GMT
Content-Type: text/html
Content-Length: 5080
Last-Modified: Wed, 04 Aug 2021 02:38:30 GMT
Connection: keep-alive
ETag: "6109fda6-13d8"
Accept-Ranges: bytes

curl -Iki https://smallpepperz.com
HTTP/1.1 400 BAD REQUEST
Date: 2021-08-04T03:14:36.427Z
Server: Monocle-Gateway
Content-Length: 0
Content-Type: text/html
Connection: Closed

What is Monocle-Gateway?

2 Likes
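The two `curl -I` responses above are a cheap, port-level version of the same diagnosis: `Server: nginx/1.19.4` on port 80 and `Server: Monocle-Gateway` on port 443 means two different pieces of software answered, so the port 443 forward does not land where the port 80 forward does. The script below is an added example (not from the thread) that makes that comparison repeatable: `compare_raw` works offline on captured response heads (the constructed samples copy the two responses quoted above), and `probe` does the live HEAD requests, keeping certificate verification on and recording the OpenSSL verify message (such as a hostname mismatch) before reading the `Server` header over an unverified connection purely for diagnostics.

```python
"""Compare which software answers on port 80 and port 443 for one hostname."""
import http.client
import ssl

# Constructed copies of the two curl -I response heads quoted in the thread.
RAW_HTTP = """HTTP/1.1 200 OK
Server: nginx/1.19.4
Date: Wed, 04 Aug 2021 03:14:26 GMT
Content-Type: text/html
Content-Length: 5080
Connection: keep-alive
"""

RAW_HTTPS = """HTTP/1.1 400 BAD REQUEST
Date: 2021-08-04T03:14:36.427Z
Server: Monocle-Gateway
Content-Length: 0
Content-Type: text/html
Connection: Closed
"""


def parse_head(raw):
    """Parse a raw response head into (status_code, {lower-case name: value})."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def software(server_header):
    """Product token without version: 'nginx/1.19.4' -> 'nginx'."""
    if not server_header:
        return None
    return server_header.split("/")[0].split()[0].lower()


def classify(http_server, https_server):
    """'unreachable', 'same-origin' or 'different-responder'."""
    if http_server is None or https_server is None:
        return "unreachable"
    if software(http_server) == software(https_server):
        return "same-origin"
    return "different-responder"


def compare_raw(raw_http, raw_https):
    """Offline check over two captured response heads."""
    _, h80 = parse_head(raw_http)
    _, h443 = parse_head(raw_https)
    return {
        "http_server": h80.get("server"),
        "https_server": h443.get("server"),
        "verdict": classify(h80.get("server"), h443.get("server")),
    }


def probe(host, timeout=5):
    """Live check: HEAD / on 80 and 443, then compare the Server headers.

    The first HTTPS attempt verifies the certificate; on a verification
    failure the OpenSSL message is kept (e.g. hostname mismatch) and one
    unverified retry is made only to read the Server header."""
    result = {"http_server": None, "https_server": None, "verify": None}
    try:
        c = http.client.HTTPConnection(host, 80, timeout=timeout)
        c.request("HEAD", "/", headers={"Host": host})
        result["http_server"] = c.getresponse().getheader("Server")
    except OSError:
        pass
    ctx = ssl.create_default_context()
    for _attempt in ("verified", "unverified"):
        try:
            c = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
            c.request("HEAD", "/", headers={"Host": host})
            result["https_server"] = c.getresponse().getheader("Server")
            result["verify"] = result["verify"] or "ok"
            break
        except ssl.SSLCertVerificationError as exc:
            result["verify"] = exc.verify_message
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        except OSError:
            break
    result["verdict"] = classify(result["http_server"], result["https_server"])
    return result


if __name__ == "__main__":
    # Expected verdict for the thread's captures: 'different-responder'
    print(compare_raw(RAW_HTTP, RAW_HTTPS))
```

Run `probe("smallpepperz.com")` from outside the LAN; a `different-responder` verdict together with a `verify` message naming the wrong host is exactly the signature seen in this thread, and the same probe after the port change should report `same-origin` with `verify` equal to `ok`.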

Remember that your external internet traffic will come in via your router, then go to google wifi via ethernet, so it's still possible your router is not forwarding port 443 to the correct place. I've got google mesh as well and so have to forward ports from the router to the mesh network, then on the mesh network forward to a service specific host. [Edit: so your router is probably forwarding port 443 to your monocle home automation stuff]

2 Likes

Or the router isn't forwarding port 443 at all and is the one responding (with "Monocle-Gateway").
[If only we knew what a Gateway wearing a Monocle is/does!]

2 Likes

Looks like Monocle (a smart home thing) is using port 433 for its own internal SSL stuff. I just had my Docker container expose it as port 444 locally and forwarded that to 443 externally, and it seems to be working (I think)

2 Likes

So the port 443 requests made it as far as the Docker system.
You're almost there!

Correction:

curl -Iki https://smallpepperz.com/
HTTP/1.1 403 Forbidden
Server: nginx/1.19.4
Date: Wed, 04 Aug 2021 03:31:38 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

You are there!
[now nginx responds]

2 Likes
