Generating certs for Pterodactyl panel

My domain is: rvm-mc.com

I ran this command: certbot certonly --nginx -d panel.rvm-mc.com -d node.rvm-mc.com

It produced this output: successfully generated certificate

My web server is (include version): nginx v1.22.1

The operating system my web server runs on is (include version): Ubuntu server 22.04

My hosting provider, if applicable, is: Cloudflare for DNS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot v1.21.0

Problem:

I have installed Pterodactyl and Wings according to the documentation on Pterodactyl.io.

I also have generated two certs using certbot.

One for the panel and one for the node. The panel cert is for panel.rvm-mc.com and node is for node.rvm-mc.com, which both point via A records in Cloudflare (not behind proxy) towards my public IP. My router then forwards the proper traffic to the server.

The panel works and is encrypted with a cert, but with Wings I get this: Pterobin. The command I used to generate the certs is `certbot certonly --nginx -d panel.rvm-mc.com -d node.rvm-mc.com`, but it keeps generating a cert for "mediarouter.home", or at least Wings keeps saying that.

Does anyone have any experience with this or has encountered this in the past?

Thanks in advance

1 Like

Welcome to the community @Rob816

I don't see a cert with mediarouter.home involved with your other two. So, not sure what that's about.

But, the cert you currently use for node.rvm-mc.com only has the domain name for panel in it. You got certs yesterday with both names but you must have gotten diff cert since.

What does this show?

certbot certificates

For current cert being used, try this SSL Checker site

4 Likes

Hi Mike,

Thanks for your response.

Just as FYI, I got rid of my old node.rvm-mc.com cert and generated a new one. It gives me the same error.

The output of the command is as follows:

```
Found the following certs:

Certificate Name: node.rvm-mc.com
Serial Number: 33cd70aeed0ea6b43a3d9729886202dea38
Key Type: RSA
Domains: node.rvm-mc.com
Expiry Date: 2023-07-08 14:03:04+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/node.rvm-mc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/node.rvm-mc.com/privkey.pem

Certificate Name: panel.rvm-mc.com
Serial Number: 31ed7323f7022fc5d063cde8aae8fdfa5e5
Key Type: RSA
Domains: panel.rvm-mc.com
Expiry Date: 2023-07-07 16:17:27+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/panel.rvm-mc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/panel.rvm-mc.com/privkey.pem
```

As for the mediarouter.home name, I came to that conclusion by this error that Wings (Pterodactyl process) gave me when trying to start up:

```
Get "https://panel.rvm-mc.com/api/application/nodes/1/configuration": x509: certificate is valid for mediarouter.home, mediarouter1.home, mediarouter2.home, mediarouter3.home, not panel.rvm-mc.com
```

The site you sent tells me that the common name does not match on the cert for node.rvm-mc.com. I don't know why that would be.

1 Like

Because the server block in nginx that handles that domain name is using a cert which only has the panel domain name in it. At one time you issued a cert with both names in it but not anymore. You are just getting certs with individual names. That's fine but then each name needs its own nginx server block for its own cert.

At one time you even got an ECDSA / E1 wildcard cert for *.rvm-mc.com,rvm-mc.com. Probably by trying to proxy your DNS in Cloudflare.

See your cert history here:
https://tools.letsdebug.net/cert-search?m=domain&q=node.rvm-mc.com&d=168

If you want help with nginx, please upload the long config.txt file created by this command

nginx -T >config.txt

(capital T is crucial)

4 Likes

Side note: here is a list of issued certificates https://crt.sh/?q=rvm-mc.com
Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher.

crt.sh identity search (Match: ILIKE, Search: 'rvm-mc.com'):

| crt.sh ID | Logged At | Not Before | Not After | Common Name | Matching Identities | Issuer Name |
|---|---|---|---|---|---|---|
| 9102293561 | 2023-04-09 | 2023-04-09 | 2023-07-08 | node.rvm-mc.com | node.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9102273025 | 2023-04-09 | 2023-04-09 | 2023-07-08 | node.rvm-mc.com | node.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9095200129 | 2023-04-08 | 2023-04-08 | 2023-07-07 | node.rvm-mc.com | node.rvm-mc.com, panel.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9095441886 | 2023-04-08 | 2023-04-08 | 2023-07-07 | node.rvm-mc.com | node.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9095440097 | 2023-04-08 | 2023-04-08 | 2023-07-07 | panel.rvm-mc.com | panel.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9094598219 | 2023-04-08 | 2023-04-08 | 2023-07-07 | node.rvm-mc.com | node.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9094550692 | 2023-04-08 | 2023-04-08 | 2023-07-07 | panel.rvm-mc.com | panel.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9093267132 | 2023-04-08 | 2023-04-08 | 2023-07-07 | ptero.rvm-mc.com | ptero.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9093230857 | 2023-04-08 | 2023-04-08 | 2023-07-07 | ptero.rvm-mc.com | ptero.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9093625116 | 2023-04-08 | 2023-04-08 | 2023-07-07 | ptero.rvm-mc.com | ptero.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9093147611 | 2023-04-08 | 2023-04-08 | 2023-07-07 | ptero.rvm-mc.com | ptero.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9093617896 | 2023-04-08 | 2023-04-08 | 2023-07-07 | ptero.rvm-mc.com | ptero.rvm-mc.com | C=US, O=Let's Encrypt, CN=R3 |
| 9087589814 | 2023-04-07 | 2023-04-07 | 2023-07-06 | *.rvm-mc.com | *.rvm-mc.com, rvm-mc.com | C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 |
| 9087167242 | 2023-04-07 | 2023-04-07 | 2023-07-06 | *.rvm-mc.com | *.rvm-mc.com, rvm-mc.com | C=US, O=Let's Encrypt, CN=E1 |

2 Likes

I will do that in the future should I ever need to test it again, thank you.

2 Likes

The nginx config can be found here.

I have generated a single new cert for panel.rvm-mc.com and node.rvm-mc.com. The SSL checker site does not report any errors anymore and my webserver is up and running again. I still seem to get the same error as mentioned in my original post (the mediarouter.home error).

Output of `certbot certificates` is now this:

```
Found the following certs:
Certificate Name: node.rvm-mc.com
Serial Number: 3fabe110e5c9d065e526f873abb756fa9bd
Key Type: RSA
Domains: node.rvm-mc.com panel.rvm-mc.com
Expiry Date: 2023-07-08 17:16:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/node.rvm-mc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/node.rvm-mc.com/privkey.pem
```

The configuration of Wings is as follows:

```yaml
debug: false
uuid: 0ab02dec-134c-4222-8b40-d6e421fda609
token_id:
token:
api:
  host: 0.0.0.0
  port: 8080
  ssl:
    enabled: true
    cert: /etc/letsencrypt/live/node.rvm-mc.com/fullchain.pem
    key: /etc/letsencrypt/live/node.rvm-mc.com/privkey.pem
  upload_limit: 100
system:
  data: /var/lib/pterodactyl/volumes
  sftp:
    bind_port: 2022
allowed_mounts:
remote: 'https://panel.rvm-mc.com'
```

1 Like

I don't see a server block for your node domain, only `panel`.

From pastebin:

```nginx
server {
    listen 443 ssl http2;
    server_name panel.rvm-mc.com;
```

Requests to node arrive in nginx but don't find a server block with its name so use the default server block (which right now is the panel one).

If you are going to share a cert you should also list the node domain as a server_name in your two server blocks for panel. See nginx docs for format of this.

I can't reach your "Wings" with the URL shown on either port. Should that be accessible on the public internet? Or is that private lan only?

I don't know where a cert for the domain mediarouter.home comes from. That domain is not a valid public name so it can only be a self-signed cert. You should check your router or a Wings forum.

4 Likes
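As an added illustration (not from this thread or from Pterodactyl's documentation) of the layout Mike describes: both names listed on each server block, the single shared certificate from the `certbot certificates` output above, and a `default_server` that refuses unknown names instead of handing out the panel's certificate. The web root and the PHP-FPM socket path are assumptions.

```nginx
# Catch-all for any name that is not ours: reject the TLS handshake rather than
# serving the panel certificate to a request for some other host name.
# ssl_reject_handshake requires nginx >= 1.19.4 (the thread has 1.22.1).
server {
    listen 443 ssl http2 default_server;
    server_name _;
    ssl_reject_handshake on;
}

# Plain HTTP for both names: redirect to HTTPS, preserving the requested host.
server {
    listen 80;
    server_name panel.rvm-mc.com node.rvm-mc.com;
    return 301 https://$host$request_uri;
}

# HTTPS for both names, sharing the certificate whose SANs cover both.
server {
    listen 443 ssl http2;
    server_name panel.rvm-mc.com node.rvm-mc.com;

    # Lineage "node.rvm-mc.com" holds Domains: node.rvm-mc.com panel.rvm-mc.com
    ssl_certificate     /etc/letsencrypt/live/node.rvm-mc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/node.rvm-mc.com/privkey.pem;

    # Assumed panel install location and PHP-FPM socket (adjust to your system).
    root  /var/www/pterodactyl/public;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Check the result with `nginx -t` before reloading; `nginx -T` (capital T, as above) then shows every active server block and which certificate each one loads.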

Wings is a service written in Go that interfaces with Docker and the Panel to provide secure access for controlling servers via the Panel. This image taken from their website provides a nice layout of the different systems.


The panel works fine and is secured, but it seems that the communication from Wings to the panel does not go well due to that cert error I'm getting.

The FQDN for the panel is panel.rvm-mc.com and for the node is node.rvm-mc.com, but if input in a browser should both lead to the panel.

I don't know if it's of any relevance, but looking a bit deeper into Google, it seems that this mediarouter.home behaviour is indeed something to do with my router, more specifically with Huawei routers and the way it apparently "eavesdrops" on HTTPS traffic. The given fix is... replacing the router with a different brand.

Or, see if you can disable HTTPS inspection or HTTPS Security Inspection. I don't know what Huawei calls it but other routers have similar features.

4 Likes

It seems that I can switch the firewall level between "Low" and "High". It was already on now. The tooltip that shows implies that there also should be an "Off" option, but that is nowhere to be found. I'm guessing my ISP removed that.

I also have three other options, which are all turned on. These are ICMP flood protection, SYN flood protection and ARP attack protection. None of these have any effect it seems.

2 Likes

A little off topic, but I have never been able to get manuals for Huawei routers (even after setting up an account for https://uniportal.huawei.com ) :frowning:

2 Likes

So, I have replaced my Huawei router with a Unifi USG router from Ubiquiti and I no longer get that weird error. It seems it was indeed the router influencing the cert generation process in some way.

In any case, thank you for your help up until now!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.