Failing in my attempts at reverse proxy

[thebroughfamily]

Okay. It seems like you missed out that you actualy need to use the type "A" for your jellyfin and transmission subdomains and use your static ip adress in the data field.

So do I put www.jellyfin or just jellyfin in the first box?

 

[one-eyed-king]

Just "jellyfin".

Once the dns record is replicated to your isp's dns server (or whichever one you configured), you should be able to access it using https://jellyfin.thebroughfamily.com. As far as I have seen jellyfin.thebroughfamily.com was configured as hostname in your reverse proxy rule. I assume you already created a Letsencrypt certificate and assigned it to that "hostname" (actually it is a full qualified domain name, aka. fqdn)

 

[akahan]

At least part of your problem is that you have given your certificate the same common name (thebroughfamily.com) and alternative name (thebroughfamily.com). Give it the common name thebroughfamily.com and, as alternative names, jellyfin.thebroughfamily.com , transmission.thebroughfamily.com , etc. Eventually you can shoot for a wildcard domain, which will cover anyhostname.thebroughfamily.com , but for now let's try to get it working with alternative names for your various hostnames. Also, your DSM is responding to https on port 5252, not 5001, so you'll need to port forward to 5252.

 

[thebroughfamily]

I don't seem to be able to do that, it says name conflict?

 

[akahan]

I don't seem to be able to do that, it says name conflict?

Please try to make clear which post you're responding to. Not clear what you are unable to do when you say "i'm unable to do THAT." Do what? If you're responding to my post about your certificate, then you've misunderstood it. I am suggesting that you re-create your Letsencrypt certificate using thebroughfamily.com as the "main" domain, and jellyfish.thebroughfamily.com etc. as Alternative names.

 

[one-eyed-king]

I don't seem to be able to do that, it says name conflict?

if an update of the record is not possible, delete the wrong one (the one with type cname) and then create the new one.

 

[thebroughfamily]

At least part of your problem is that you have given your certificate the same common name (thebroughfamily.com) and alternative name (thebroughfamily.com). Give it the common name thebroughfamily.com and, as alternative names, jellyfin.thebroughfamily.com , transmission.thebroughfamily.com , etc. Eventually you can shoot for a wildcard domain, which will cover anyhostname.thebroughfamily.com , but for now let's try to get it working with alternative names for your various hostnames. Also, your DSM is responding to https on port 5252, not 5001, so you'll need to port forward to 5252.

I'm fairly sure on the certificate I put the common name as thebroughfamily.com, and in the alternative I put, jellyfin.thebroughfamily.com;transmission.thebroughfamily.com

I can see them both on my certificate if I click on the arrow next to the certificate.

I moved to 5252 for DSM, as another topic said it was wise to do so for security reasons. It is port forwarded already, and works I think.

 

[one-eyed-king]

@akahan: your post anticapted the next issue in the chain.

 

[akahan]

The screenshot is not depicting what you ought to be doing.
The A record should be thebroughfamily.com .
Jellyfish should then be a CNAME record, which you already have.
So enter thebroughfamily.com (NOT thebroughfamily) where you currently have jellyfish as the A record.

 

[one-eyed-king]

Both is actualy working. Having a single A record and pointing all CNAME records to it, is the prefered way.

 

[akahan]

When I click on your certificate, I don't see the alternate names. So I don't think you've gotten them in.

 

[thebroughfamily]

Please try to make clear which post you're responding to. Not clear what you are unable to do when you say "i'm unable to do THAT." Do what? If you're responding to my post about your certificate, then you've misunderstood it. I am suggesting that you re-create your Letsencrypt certificate using thebroughfamily.com as the "main" domain, and jellyfish.thebroughfamily.com etc. as Alternative names.

Sorry I was replying to the previous message before yours arrived, so I didn't know you had messaged.

-- post merged: 16. May 2021 --

if an update of the record is not possible, delete the wrong one (the one with type cname) and then create the new one.

So is this better now?

 

[one-eyed-king]

Depends on wheter all you subdomains point to the same static ip which is handled by your nas...

At least nslookup to fellyfin. and transmission. resolve the ip now.

 

[thebroughfamily]

When I click on your certificate, I don't see the alternate names. So I don't think you've gotten them in.
View attachment 3648

On my certificate it shows this...

-- post merged: 16. May 2021 --

Depends on wheter all you subdomains point to the same static ip which is handled by your nas...

At least nslookup to fellyfin. and transmission. resolve the ip now.

Yes that IP is my static IP from my isp provider, on which the Nas is connected as a local host 192.168.1.20 static assigned.

 

[one-eyed-king]

Though, Akahan is right. The certificate currently assigned to jellyfin.thebroughfamily.com does not include the subject alternative names and seem to be a different certificate then the one from your screenshot.

Also the screenshot does not mean what you think it means. It just means you assigned to use it with those domains. It does say nothing about for which common name and subject alternative names the certificate was issued.

The common name or one of the subject alternative names must match the URL you used to access the service, in order to be considered valid. In your case, the certificates common name and suject alernative name is thebroughfamily.com, which does not match the url jellyfin.thebroughfamily.com or transmission.thebroughfamily.com.

 

[thebroughfamily]

Ah right.. I will try again then. I'm sure I've done it but must have deleted it again...

... Currently I cant get a new certificate as it says

"Invalid domain - please make sure the domain can be resolved to a public ip address"

 

[akahan]

o-e-k and I are in agreement here, I think - in order for your subdomains to work with https, you'll need to get a certificate issued which includes them all as alternative names. (Or get a wildcard certificate, but that's varsity level... a task for tomorrow.) So you'd do that in the Security/Certificates area of Control Panel on the NAS.

 

[thebroughfamily]

o-e-k and I are in agreement here, I think - in order for your subdomains to work with https, you'll need to get a certificate issued which includes them all as alternative names. (Or get a wildcard certificate, but that's varsity level... a task for tomorrow.) So you'd do that in the Security/Certificates area of Control Panel on the NAS.

It won't let me at the minute, it gives me the error I said in my previous post.

 

[akahan]

I'm guessing it's because you must first set up the CNAMEs for each of those subdomains with google DNS.

 

[Shoop]

For better understanding on how A records and CNAME work.
Quite simple and straightforward explanation : CNAME vs A Record - Domain Name Sanity Blog