Nginx Proxied Server running Certbot: Wrong Certificate

My domain in question is houseofavi.com.

My web servers are (include version):
Server1 - nginx/1.10.3
Server2 - nginx/1.14.2

The operating systems my web servers run on are (include version):
Server1 - Raspbain - Stretch (Debian 9)
Server2 - Raspberry Pi OS - Buster (Debian 10)

I can login to a root shell on my machines.

The version of my clients are (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Server1 - certbot 0.28.0
Server2 - certbot 0.31.0

Here is my situation:
I have two servers (Server1 and Server2) behind one IP address. Server1 has been serving several sites for a couple years using Certbot to keep all its certificates updated for all of its sites. Recently, I've started setting up Server2 which is being proxied from Server1 for some new sites. In other words, Server1 is now also a proxy server for Server2. This reverse proxy setup works without SSL.

Here is my minimal working nginx http:// (plain text) reverse proxy setup:

#Proxy server (Server1)
 	server {
     		server_name houseofavi.com;
     		location / {
       			 proxy_pass http://192.168.3.5:80;
   		 }
    }

#Proxied Server (Server2)
server {
		listen 80;
		root /var/www/houseofavi.com;
	location / {
		}
}

I installed Certbot on Server2. (I want to have Server2 manage it's own certificates in hopes of eventually replacing Server1.)

I ran Certbot and got the certificate installed on Server2.
sudo certbot --nginx -d houseofavi.com

Results:
Congratulations! You have successfully enabled https://houseofavi.com

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/houseofavi.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/houseofavi.com/privkey.pem
Your cert will expire on 2020-11-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew all of
your certificates, run "certbot renew"

Problem: I'm having trouble getting this proxy setup to work with SSL. I'm getting the wrong certificate; it's coming from one of the domains on Server1 not Server2 where the correct certificate is located.
It seems my set up has Server1 sending plain text to Server2, but it's replying with the wrong certificate. Some browsers can see the site with the wrong certificate. I'm not getting any 404's with this setup.

Here is my nginx not working SSL reverse proxy setup:

#Proxy server (Server1)
           server {
           listen 443;
           server_name houseofavi.com;
            location / {
                proxy_pass http://192.168.3.5:80;
                }
}

#Proxied Server (Server2)
           server {
           listen 80;
           root /var/www/houseofavi.com;
           location / {
            }
           listen 443 ssl; # managed by Certbot
           ssl_certificate /etc/letsencrypt/live/houseofavi.com/fullchain.pem; # managed by Certbot
           ssl_certificate_key /etc/letsencrypt/live/houseofavi.com/privkey.pem; # managed by Certbot
           include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
           ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
          server {
          if ($host = houseofavi.com) {
                  return 301 https://$host$request_uri;
           } # managed by Certbot
         listen 80;
         server_name houseofavi.com;
         return 404; # managed by Certbot
         root /var/www/houseofavi.com;
}

Here is a clue: When I set Server1 to listen on port 80 I get the wrong site... the on that matches the certificate from another domain on Server1. As I mentioned earlier, Server1 is serving several other sites from a different configuration file.

Any help would be greatly appreciated. Thanks.

Server1 has to handle SSL for both servers. You can’t proxy encrypted traffic¹.

So on Server1, you have to do:

certbot --nginx -d houseofavi.com

as well.

^{1. Not exactly accurate. You can do something called “SNI prereading” with ngx_stream (https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html), but that’s fairly complicated to setup.}

Thanks...

Do you mean both? Is it really as simple as running it again on Server1 to fix my problem?
What happens to the certificate on Server2? Does it have any function or should I delete it?

As I mentioned, I want to have Server2 manage it’s own certificates in hopes of eventually replacing Server1. Can I simply run it again later on Server2 when it replaces Server1. Is switching that easy without moving certificate files?

Wow, thanks for accurate details... maybe that's why I heard somewhere that I could keep certificates on Server2.

It sounds interesting and even tempting... but the simpler route look better for now.

Now it's solved. Thanks!
Well to partially answer my own questions... It seems that all the code added by Certbot on Server2 was needed. I'm not sure why.

The important change I needed to make after running Certbot on Server1 was changing the proxy_pass from http to https and changing :80 to :443.

Here is my edited working server block for Server1 handling the reverse proxy.
Certbot added the certificate locations below.

#Proxy server (Server1)
server {
        listen 443;
        server_name houseofavi.com;
        location / {
                proxy_pass https://192.168.3.5:443;
        }

    ssl_certificate /etc/letsencrypt/live/houseofavi.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/houseofavi.com/privkey.pem; # managed by Certbot
}

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.