Common Name Mismatch, running two servers

I have a Synology NAS and recently setup an Ubuntu server. If I leave the Synology NAS port 443 open, I cannot access the site hosted on the ubuntu server. I get the following browser error message:

Here is what I get when I click "View Certificate":

The Synology NAS is using Synology's DDNS service (hence the synology.me address).

If I disable port forwarding to the Synology NAS I am able to visit the site hosted on the ubuntu server without a problem.

I ran an ssl checker with the nas port enabled and disabled:

Enabled:

Disabled:

My domains are:
txtechnician.synology.me & mixpost.internal.txtechnician.com

I ran this command:

It produced this output:

My web server is (include version):
nginx version: nginx/1.23.1 (Synology)
and
nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Synology DSM 7.2
&
Ubuntu 22.04

My hosting provider, if applicable, is:
Self-Hosted.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes to both.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
On the Synology NAS I am. The only thing I have open is the login portal to the nas itself.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Synology doesn't seem to use certbot as the commands were not found.
Ubuntu: certbot 2.9.0

Why is this happening and what can I do to resolve it?

Whatever system terminates TLS (HTTPS) needs to have a cert with a name matching the domain in the URL. HTTPS by default works on port 443.

Looks like port 80 (HTTP) is handled by your nginx 1.18 but port 443 by Synology.

General system config isn't really our focus here. You might find others at Synology forum with similar situation.

But, one option would be to have your Ubuntu nginx get all port 443 (HTTPS) requests and have a cert for each of your domain names (synology.me and .com). Then make a server block for port 443 for synology.me requests and proxy those to your Synology on your local network using HTTP (no cert required for http).

Another option is to use a non-standard port for HTTPS for one of those names. Like:
https://txtechnician.synology.me:8443
This would free port 443 to be used for the other name. Not sure if your Synology could listen on this alternate port though.

4 Likes

I figured it out. I was trying to run two servers behind the same public IP on the same port.

The NAS had the first in line firewall rule. Which is why it was not working.

I disabled the Ubuntu Server and then used the Synology NAS to get a cert for the appropriate domain. And then used NGINX in the NAS to direct traffic to the Ubuntu server...

IT is a never ending learning experience.

1 Like

That's what I recommended except the other way around.

But, it doesn't look to be working to me.

HTTP requests to either domain now timeout.

And, HTTPS to your .com domain still uses the same wrong cert.

2 Likes

I ditched that cert. Synology.me uses DNS-01 and suppport wildcard. So I just used that instead. This is an internal tool anyway.

1 Like