With certbot & NGINX: Two Domains to two website; both routes to one

Dear community,

I have a problem with certbot and nginx.
I have two domains on my server with two portals/websites.

I've installed with certbot both domains and one of the domains is working correct: It routs to the right portal (localhost: 1337), but the other one not. There is an error message and routes to website 1 instead of website 2.
default in sites-available is empty.

I don't know if it is a problem with certbot. But before I changed it to ssl with certbot, I think the routing was correct.

I hope somebody can help me.
Here are the facts:

My domain is:

I ran this command:
certbot --nginx -d example.com -d www.example.com (for both sites)

It produced this output:
www.kindersachenflohmarkt-teningen.de routs to the correct site (port 1337), the other domain routes to port 1337, too.

My web server is (include version):

The operating system my web server runs on is (include version):
ubuntu 20.04 minimal

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

here is the nginx config of one domain (the other is the same strutcure):
upstream backendA89D0468 {
server localhost:1338;

listen 80;
server_name vam-teningen.de www.vam-teningen.de;
rewrite ^ https://www.vam-teningen.de$request_uri? permanent;
rewrite_log on;

listen 443 ssl;
server_name vam-teningen.de www.vam-teningen.de;
keepalive_timeout 70s;

ssl_certificate /etc/letsencrypt/live/vam-teningen.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/vam-teningen.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

add_header Strict-Transport-Security max-age=15768000; # six months
add_header X-Frame-Options SAMEORIGIN;

root /opt/intrexx/org/vam/external/htmlroot;

# serve favicon and robots.txt
location ~ (/favicon.ico|/robots.txt) {
	try_files $uri =404;

# hide hidden files and directories
location ~ /\. {
	return 404;

# hide WEB-INF
location /WEB-INF/ {
	deny all;
	return 404;

# hide IIS web.config
location ~* /web.config {
	deny all;
	return 404;

# hide the bin directory
location /bin/ {
	deny all;
	return 404;

# Static files that should be served by Nginx.
location ~ ^(/css|/fonts|/images|/include|/script|/thirdparty|/temp|/userfiles|/download|/is) {
	sendfile           on;
	sendfile_max_chunk 1m;
	try_files          $uri =404;

# Delegate WebSocket requests to the Intrexx Portal Service.
location /ws/ {
	proxy_pass         http://backendA89D0468;
	proxy_http_version 1.1;
	proxy_set_header   Upgrade $http_upgrade;
	proxy_set_header   Connection "Upgrade";

# Delegate requests to the Intrexx Portal Service.
location / {
	proxy_pass http://backendA89D0468;

	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

	# Clear potentially unsafe headers. These may be enabled if the backend
	# is configured to  handle them correctly and in a safe manner.
	proxy_set_header Forwarded         "";
	proxy_set_header X-Real-IP         $remote_addr;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Host  $host:$server_port;
	proxy_set_header X-Original-URL    "";

	# Security token to authenticate the reverse proxy with the backend. 
	proxy_set_header X-SecToken "";

	# For security reasons we do not pass X-User and X-Domain to the backend by default,
	# since these headers might be interpreted by the External Authentication Filter as
	# authenticated use information
	proxy_set_header X-User   "";
	proxy_set_header X-Domain "";

	# additional security sensitive headers
	proxy_set_header X-KrbTicket   "";
	proxy_set_header X-AccountName "";

	# Set the maximum allowed size of the client request body. The value 0 disables
	# this limit check.
	# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
	client_max_body_size 2048m;


A great thank you for your help. Who can solve this problem is my personal hero of this month :slight_smile:

1 Like

Hi @homers

yes, you have a problem. But you don't report that problem.

See crt.sh | kindersachenflohmarkt-teningen.de

You create certificates daily. Then you hit the limit. Then you create the next.

Please create one certificate, use it 60 - 85 days, then create the next.

It's completely unrelevant, it's a routing problem, nothing else.

Compare it with your port 80 routing.

And your vHost configuration may be buggy, so the wrong port 443 vHost may answer.

Ah, checked your domain - that's not a routing problem, that's a wrong redirect, completeley different problem.


wrong. There is a redirect vam-teningen.de -> kindersachenflohmarkt-teningen.de - see https://check-your-website.server-daten.de/?q=vam-teningen.de#url-checks

Domainname Http-Status redirect Sec. G
http://vam-teningen.de/ 301 https://www.kindersachenflohmarkt-teningen.de/ Html is minified: 108,54 % 0.033 E
http://www.vam-teningen.de/ 301 https://www.kindersachenflohmarkt-teningen.de/ Html is minified: 108,54 % 0.046 E
https://vam-teningen.de/ 302 https://vam-teningen.de/path/portal /?rq_PortalGuid=00000000DEADBEEF69922282E4D9ACE4F00A0ED2 2.530 N-
Certificate error: RemoteCertificateNameMismatch
https://www.vam-teningen.de/ 302 https://www.vam-teningen.de/path/portal/?rq_PortalGuid=00000000DEADBEEF69922282E4D9ACE4F00A0ED2 2.280 N-
Certificate error: RemoteCertificateNameMismatch
https://www.kindersachenflohmarkt-teningen.de/ 302 Kindersachenflohmarkt Teningen 2.313 B-
https://vam-teningen.de/path/portal/?rq_PortalGuid=00000000DEADBEEF69922282E4D9ACE4F00A0ED2 GZip used - 7571 / 26672 - 71,61 % Inline-JavaScript (∑/total): 21/17216 Inline-CSS (∑/total): 0/0 200 Html is minified: 342,65 % 2.310 N-

Remove that redirect if you don't want that.

1 Like

Thank you @JuergenAuer for your reply.
I don't know why the crt.sh is so full and make every day traffic.
With the new server, it seems that is now quiet, the old server is deleted.

The solution was patience, a day after it works. Perhaps there was a wrong DNS entry, I don't know.
Now it works and I'm happy :slight_smile:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.