kdwarn


It's usually nginx

May 19, 2026

nginx, deployment

Never mind "it's always DNS". When I have a problem with getting a website to work and I'm sure that it absolutely should despite my own eyes, it's usually nginx. Yesterday I finally resolved an issue that was persisting for weeks.

The problem was this: when I accessed a domain when connected to my VPN, everything was fine. The site came up and there was no issue with the TLS certificate. When I turned off my VPN, a TLS certificate issue (ERR_CERT_COMMON_NAME_INVALID specifically) occurred and I had to do the "yes, I know what I'm doing" thing to get past my browser warning and access the site. However, rather than the root domain, I was getting redirected (silently - it wasn't in the URL) to a subdomain of the site, which was a problem because the certificate there was for the subdomain, not the root domain. I tried this from my phone, from other locations on the VPN, from Firefox, from Chromium, from Safari, from Lynx, from private browsing sessions, after clearing caches, and from one day to the next.

I asked others to try to access it, and they could, and so my best guess (though I repeatedly tried to adjust/stare at my nginx configuration) was that it had to do with 301 redirects (I had previously tried to serve the subdomain at the root) or that I was somehow getting a cached TLS cert. It was perplexing, and no matter what combination of words I tried to search for online, I could not find someone experiencing a similar issue.

Finally, without much hope, I turned to the nginx access logs to see if there was some sort of difference between hitting the site on my VPN and off it. At first, nothing jumped out at me. A 200 status code line would result in both cases. Looking closer, I saw that an IPv4 address was being logged when on the VPN, and an IPv6 address was being logged when off the VPN. I toggled back and forth and did it from multiple browsers. That seemed to be the only difference. So, back to a fresh look at the nginx configuration for the site. The listen directives only had the TCP port (80 and 443) and nothing particular to IPv4 and IPv6. Here was the port 443 version:

server {
    listen 443 ssl;
    server_name [redacted];
    [more config]
}

Was that all this was? Me not getting the nginx configuration quite right, again? Yes indeed. Here is what fixed everything, again the 443 version (but it needed to be added everywhere):

server {
    listen 443 ssl; # ipv4
    listen [::]:443 ssl; # ipv6
    server_name [redacted];
    [more config]
}
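
A check for the misconfiguration described above, as an added example (not code from the original post): it scans nginx configuration text for server blocks whose listen directives cover a port on only one address family. The sample config and its server names are constructed, and the parser is a simplification that ignores quoted strings and does not follow include files.

```python
import re

# Constructed sample mirroring the post; server names are placeholders.
SAMPLE_CONF = """
server {
    listen 443 ssl;            # IPv4 only, like the block in the post
    server_name example.test;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sub.example.test;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, comments stripped."""
    conf = re.sub(r"#.*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def listen_families(body):
    """Map port -> set of address families the block listens on."""
    ports = {}
    # The lookahead skips unix-domain sockets, which have no address family.
    for args in re.findall(r"\blisten\s+(?!unix:)([^;]+);", body):
        addr, *params = args.split()
        tail = addr.rsplit(":", 1)[-1]
        port = int(tail) if tail.isdigit() else 80  # nginx default port
        fams = {"ipv6"} if addr.startswith("[") else {"ipv4"}
        if "ipv6only=off" in params:  # one socket accepts both families
            fams = {"ipv4", "ipv6"}
        ports.setdefault(port, set()).update(fams)
    return ports

def single_family_listeners(conf):
    """Return (server_name, port, missing_family) for one-family listeners."""
    findings = []
    for body in server_blocks(conf):
        m = re.search(r"\bserver_name\s+(\S+?)[\s;]", body)
        name = m.group(1) if m else "(unnamed)"
        for port, fams in sorted(listen_families(body).items()):
            findings += [(name, port, f) for f in sorted({"ipv4", "ipv6"} - fams)]
    return findings

if __name__ == "__main__":
    print(single_family_listeners(SAMPLE_CONF))
```

Running it over the output of `nginx -T` covers every included file in one pass.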