Also posted in the Cloudflare forum and the nginx forum (both posts are hidden).
I’m running nginx in a Docker container with /etc/letsencrypt on the host mounted to /etc/letsencrypt in the container. I have two virtual hosts, 7.tiffany.eu.org and tranzhex.net. I issued an LE certificate on 7.tiffany.eu.org, and it works fine. But I have Cloudflare Origin CA on tranzhex.net, and it just won’t work. Checking with the openssl s_client command, nginx keeps sending 7.tiffany.eu.org’s certificate instead of tranzhex.net’s Cloudflare certificate. The configuration I have, as seen in nginx -T:
# configuration file /etc/nginx/conf.d/critter.conf:
server {
    server_name 7.tiffany.eu.org;
    server_name 2a12-5e40-1-6dff-c13f-fe36-19c3-e562.sslip.io;
    server_name 91-239-208-63.sslip.io;
    server_name 91-239-208-63.nip.io;
    server_name 5befd03f.nip.io;
    server_name 91.239.208.63.16clouds.com;
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    ssl_certificate /etc/letsencrypt/live/7.tiffany.eu.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/7.tiffany.eu.org/privkey.pem;
    root /var/www/html;
    index index.htm;
    add_header X-Robots-Tag noindex;
}
server {
    server_name 7.tiffany.eu.org;
    server_name 2a12-5e40-1-6dff-c13f-fe36-19c3-e562.sslip.io;
    server_name 91-239-208-63.sslip.io;
    server_name 91-239-208-63.nip.io;
    server_name 5befd03f.nip.io;
    server_name 91.239.208.63.16clouds.com;
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
# configuration file /etc/nginx/conf.d/default.conf:
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/letsencrypt/cert.pem;
    ssl_certificate_key /etc/letsencrypt/key.pem;
    return 444;
}
# configuration file /etc/nginx/conf.d/tranz.conf:
server {
    server_name tranzhex.net;
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    ssl_certificate /etc/letsencrypt/tranz.crt;
    ssl_certificate_key /etc/letsencrypt/tranz.key;
    location / {
        proxy_pass http://feixiao;
    }
    location /guinaifen/ {
        proxy_pass https://sushang:9443/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /live {
        proxy_pass http://64.31.10.126:7024;
    }
}
I just hope this forum’s automated spam filter doesn’t trip this one too..
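Which certificate each listen socket and SNI combination gets from the configuration above follows from nginx's documented server-selection rules: the SNI name is matched against server_name among the servers on that address:port, otherwise the default_server for it is used, otherwise the first server defined for it. The Python model below is an added example, not part of the original post; the dictionary layout and the function names pick_server and served_cert are made up for illustration.

```python
# Added illustration (not from the original post): a simplified model of
# nginx's documented virtual-server selection, applied to the config above.
# Only exact server_name matches are modelled; that is all this config uses.
LE = "/etc/letsencrypt/"
CRITTER_NAMES = {
    "7.tiffany.eu.org", "2a12-5e40-1-6dff-c13f-fe36-19c3-e562.sslip.io",
    "91-239-208-63.sslip.io", "91-239-208-63.nip.io", "5befd03f.nip.io",
    "91.239.208.63.16clouds.com",
}
# 443 server blocks in the order nginx -T prints them (conf.d/*.conf order).
# "listen 443" binds IPv4 only; "listen [::]:443" is a separate IPv6 socket.
SERVERS = [
    {"file": "critter.conf", "listen": {"0.0.0.0:443", "[::]:443"},
     "names": CRITTER_NAMES, "default": False,
     "cert": LE + "live/7.tiffany.eu.org/fullchain.pem"},
    {"file": "default.conf", "listen": {"0.0.0.0:443"},
     "names": {"_"}, "default": True, "cert": LE + "cert.pem"},
    {"file": "tranz.conf", "listen": {"0.0.0.0:443", "[::]:443"},
     "names": {"tranzhex.net"}, "default": False, "cert": LE + "tranz.crt"},
]

def pick_server(sock, sni=None):
    """Return the server block whose certificate nginx presents on `sock`."""
    candidates = [s for s in SERVERS if sock in s["listen"]]
    if not candidates:
        return None
    if sni:  # 1) exact SNI match among the servers sharing this socket
        for s in candidates:
            if sni.lower() in s["names"]:
                return s
    for s in candidates:  # 2) explicit default_server for this socket
        if s["default"]:
            return s
    return candidates[0]  # 3) implicit default: first server defined for it

def served_cert(sock, sni=None):
    """Path of the certificate presented for a handshake on `sock`."""
    s = pick_server(sock, sni)
    return s["cert"] if s else None

if __name__ == "__main__":
    for sock in ("0.0.0.0:443", "[::]:443"):
        for sni in ("tranzhex.net", "7.tiffany.eu.org", None):
            print(f"{sock:12} SNI={sni!s:18} -> {served_cert(sock, sni)}")
```

Comparing the model with the live server means running openssl s_client with an explicit -servername, once with -4 and once with -6.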