Getting "self signed certificate" error when I am not using a self-signed cert

titan_flight · April 7, 2019, 6:01pm

I have two subdomain which I use for different webUIs. I created separate Let’s Encrypt certificates for both. I can access the first subdomain/webUI without issues. However, when I access the second subdomain/webUI I get an error about self-signed certificates (MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT).

I used the following certbot command to create the certificates for the second subdomain:
sudo certbot certonly --nginx --agree-tos --no-eff-email -m admin@example.com -d sync.mukherjee.io

My domain is:
https://sync.mukherjee.io:8384/

But if I use https://sync.mukherjee.io/ I get a “Welcome to Nginx!” message.

I ran this command:
Open website

It produced this output:
I get a security warning about a self signed certificate (both Chrome and Firefox)

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
Google Cloud

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.1

Below is my Nginx conf file for the sync subdomain:

# Redirect HTTP to HTTPS
server {
    listen      80;
    server_name subdomain.domain.com;
    return      301 https://$server_name$request_uri;
}

server {

    # Setup HTTPS certificates
    listen       443 ssl;
    server_name  subdomain.domain.com;
    ssl_certificate      /etc/letsencrypt/live/subdomain.domain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/subdomain.domain.com/privkey.pem;

    # Ensure adequate TLS cipher suites are used - taken from Mozilla recommended configurations, see here: [Redacted]

    # Proxy to the Airsonic server
    location /syncthing/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass              http://[IP ADDRESS]:[PORT];
        proxy_read_timeout      600s;
        proxy_send_timeout      600s;
    }
}

I have zero experience with nginx or let’s encrypt. It is likely I setup something incorrectly. For what its worth the first subdomain works exactly as it’s supposed to. The issue is with the sync subdomain.

Osiris · April 7, 2019, 6:46pm

That "site" with that port number is not in your nginx configuration. According to the return headers it actually is nginx, but you haven't posted the configuration for it.

For some reason, https://sync.mukherjee.io/syncthing/ is sending a redirect to exactly the same URL. Therefore, it will never work.

JuergenAuer · April 7, 2019, 6:48pm

Hi @titan_flight

I see, there is a check result (~ 19:30) - https://check-your-website.server-daten.de/?q=sync.mukherjee.io

Your standard port works and has the correct certificate.

So you have to configure your non-standard port manual.

Use the same folder- and filenames you can find in your port 443 - vHost.

titan_flight · April 7, 2019, 8:41pm

Thanks for the input!

With the exception of substituting subdomain.domain.com and [IP ADDRESS]:[PORT], I believe it is that config. Because the other config references the service that is working.

Could you elaborate? How do I resolve this?

How would I do this? How do I modify the syncthing config to support non-standard port?

JuergenAuer · April 7, 2019, 8:47pm

Checked your port ( https://check-your-website.server-daten.de/?q=sync.mukherjee.io%3A8384 ):

There is no Server header:

Content-Type: text/plain; charset=utf-8
Www-Authenticate: Basic realm="Authorization Required"
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sun, 07 Apr 2019 20:44:18 GMT
Content-Length: 15
Connection: close

Which instance / server software handles that request?

titan_flight · April 7, 2019, 9:10pm

Everything is running from the same Google Cloud instance. As far as I know, there are no other applications involoved other than Syncthing for Linux and Nginx.

I got the syncthing nginx config from here:
https://docs.syncthing.net/users/reverseproxy.html

Their documentation does not mention anything about server headers, although it's possible that it's just assumed this issue is addressed... I honestly don't know.

JuergenAuer · April 7, 2019, 9:12pm

I have no idea what that is.

So check the documentation of this software to see, how to configure it with https.

system · May 7, 2019, 9:12pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.