With certbot & NGINX: Two domains for two websites; both route to one

Dear community,

I have a problem with certbot and nginx.
I have two domains on my server with two portals/websites.

I've set up both domains with certbot, and one of the domains is working correctly: it routes to the right portal (localhost:1337), but the other one does not. There is an error message and it routes to website 1 instead of website 2.
default in sites-available is empty.

I don't know if it is a problem with certbot. But before I changed it to ssl with certbot, I think the routing was correct.

I hope somebody can help me.
Here are the facts:

My domain is:

I ran this command:
certbot --nginx -d example.com -d www.example.com (for both sites)

It produced this output:
www.kindersachenflohmarkt-teningen.de routes to the correct site (port 1337), the other domain routes to port 1337, too.

My web server is (include version):

The operating system my web server runs on is (include version):
ubuntu 20.04 minimal

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Here is the nginx config of one domain (the other has the same structure):
upstream backendA89D0468 {
	server localhost:1338;
}

# Port 80: redirect all plain-HTTP requests to HTTPS
server {
	listen 80;
	server_name vam-teningen.de www.vam-teningen.de;
	rewrite ^ https://www.vam-teningen.de$request_uri? permanent;
	rewrite_log on;
}

# Port 443: TLS virtual host for this domain
server {
	listen 443 ssl;
	server_name vam-teningen.de www.vam-teningen.de;
	keepalive_timeout 70s;

	ssl_certificate /etc/letsencrypt/live/vam-teningen.de/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/vam-teningen.de/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

	add_header Strict-Transport-Security max-age=15768000; # six months
	add_header X-Frame-Options SAMEORIGIN;

	root /opt/intrexx/org/vam/external/htmlroot;

	# serve favicon and robots.txt
	location ~ (/favicon.ico|/robots.txt) {
		try_files $uri =404;
	}

	# hide hidden files and directories
	location ~ /\. {
		return 404;
	}

	# hide WEB-INF
	location /WEB-INF/ {
		deny all;
		return 404;
	}

	# hide IIS web.config
	location ~* /web.config {
		deny all;
		return 404;
	}

	# hide the bin directory
	location /bin/ {
		deny all;
		return 404;
	}

	# Static files that should be served by Nginx.
	location ~ ^(/css|/fonts|/images|/include|/script|/thirdparty|/temp|/userfiles|/download|/is) {
		sendfile           on;
		sendfile_max_chunk 1m;
		try_files          $uri =404;
	}

	# Delegate WebSocket requests to the Intrexx Portal Service.
	location /ws/ {
		proxy_pass         http://backendA89D0468;
		proxy_http_version 1.1;
		proxy_set_header   Upgrade $http_upgrade;
		proxy_set_header   Connection "Upgrade";
	}

	# Delegate requests to the Intrexx Portal Service.
	location / {
		proxy_pass http://backendA89D0468;

		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

		# Clear potentially unsafe headers. These may be enabled if the backend
		# is configured to handle them correctly and in a safe manner.
		proxy_set_header Forwarded         "";
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host  $host:$server_port;
		proxy_set_header X-Original-URL    "";

		# Security token to authenticate the reverse proxy with the backend.
		proxy_set_header X-SecToken "";

		# For security reasons we do not pass X-User and X-Domain to the backend by default,
		# since these headers might be interpreted by the External Authentication Filter as
		# authenticated user information.
		proxy_set_header X-User   "";
		proxy_set_header X-Domain "";

		# additional security sensitive headers
		proxy_set_header X-KrbTicket   "";
		proxy_set_header X-AccountName "";

		# Set the maximum allowed size of the client request body. The value 0 disables
		# this limit check.
		# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
		client_max_body_size 2048m;
	}
}


A big thank you for your help. Whoever can solve this problem is my personal hero of this month :slight_smile:


Hi @homers

yes, you have a problem. But you don't report that problem.

See crt.sh | kindersachenflohmarkt-teningen.de

You create certificates daily. Then you hit the limit. Then you create the next.

Please create one certificate, use it 60 - 85 days, then create the next.

It's completely irrelevant, it's a routing problem, nothing else.

Compare it with your port 80 routing.

And your vHost configuration may be buggy, so the wrong port 443 vHost may answer.

Ah, checked your domain - that's not a routing problem, that's a wrong redirect, completely different problem.


wrong. There is a redirect vam-teningen.de -> kindersachenflohmarkt-teningen.de - see https://check-your-website.server-daten.de/?q=vam-teningen.de#url-checks

| Domainname | Http-Status | redirect | Sec. | G | Notes |
|---|---|---|---|---|---|
| http://vam-teningen.de/ | 301 | https://www.kindersachenflohmarkt-teningen.de/ | 0.033 | E | Html is minified: 108,54 % |
| http://www.vam-teningen.de/ | 301 | https://www.kindersachenflohmarkt-teningen.de/ | 0.046 | E | Html is minified: 108,54 % |
| https://vam-teningen.de/ | 302 | https://vam-teningen.de/path/portal/?rq_PortalGuid=00000000DEADBEEF69922282E4D9ACE4F00A0ED2 | 2.530 | N- | Certificate error: RemoteCertificateNameMismatch |
| https://www.vam-teningen.de/ | 302 | https://www.vam-teningen.de/path/portal/?rq_PortalGuid=00000000DEADBEEF69922282E4D9ACE4F00A0ED2 | 2.280 | N- | Certificate error: RemoteCertificateNameMismatch |
| https://www.kindersachenflohmarkt-teningen.de/ | 302 | Kindersachenflohmarkt Teningen | 2.313 | B- | |
| https://vam-teningen.de/path/portal/?rq_PortalGuid=00000000DEADBEEF69922282E4D9ACE4F00A0ED2 | 200 | | 2.310 | N- | GZip used - 7571 / 26672 - 71,61 %; Inline-JavaScript (∑/total): 21/17216; Inline-CSS (∑/total): 0/0; Html is minified: 342,65 % |

Remove that redirect if you don't want that.
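
The reply above mentions that the wrong port 443 vHost may answer and the check shows RemoteCertificateNameMismatch. The following is an added example, not code from either poster: a simplified model of how nginx picks a server block (exact `server_name` match, otherwise the default or first block on that port), run over a constructed config with the placeholder names `a.example` and `b.example`.

```python
import re

# Constructed sample: site A has port 80 and 443 blocks, site B only has port 80.
SAMPLE_CONF = """
server { listen 80;      server_name a.example www.a.example; return 301 https://www.a.example$request_uri; }
server { listen 443 ssl; server_name a.example www.a.example; ssl_certificate /etc/ssl/a.pem; }
server { listen 80;      server_name b.example www.b.example; return 301 https://www.b.example$request_uri; }
"""

def parse_servers(conf):
    """Extract ports, names, default flag and certificate from flat server blocks."""
    servers = []
    for body in re.findall(r"server\s*\{([^{}]*)\}", conf):
        listens = re.findall(r"listen\s+([^;]+);", body)
        names = re.findall(r"server_name\s+([^;]+);", body)
        cert = re.search(r"ssl_certificate\s+([^;]+);", body)
        servers.append({
            "ports": {int(re.search(r"\d+", l).group()) for l in listens},
            "default": any("default_server" in l for l in listens),
            "names": names[0].split() if names else [],
            "cert": cert.group(1) if cert else None,
        })
    return servers

def select_server(servers, port, host):
    """Simplified selection: exact name match, else the default server for the port."""
    on_port = [s for s in servers if port in s["ports"]]
    if not on_port:
        return None, "no listener"
    for s in on_port:
        if host in s["names"]:
            return s, "name match"
    # No name matched: nginx uses default_server, or the first block on that port.
    default = next((s for s in on_port if s["default"]), on_port[0])
    return default, "fallback to default server"

def diagnose(conf, port, host):
    """Report which block answers and whether its names (and certificate) fit the host."""
    server, how = select_server(parse_servers(conf), port, host)
    names = server["names"] if server else []
    return {"answered_by": names, "how": how,
            "cert": server["cert"] if server else None,
            "name_mismatch": server is not None and host not in names}

if __name__ == "__main__":
    for host in ("www.a.example", "www.b.example"):
        print(host, diagnose(SAMPLE_CONF, 443, host))
```

On a real server, `nginx -T` prints the full effective configuration, which is the place to check that every domain has its own `listen 443 ssl` block with its own certificate.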