[GH-ISSUE #2202] SSL certificate mismatch error when using Cloudflare's DNS proxy feature on a sub-sub domain #1578

Closed
opened 2026-02-26 07:31:38 +03:00 by kerem · 2 comments

Originally created by @CarrotManMatt on GitHub (Aug 16, 2022).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2202

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
I get this error when trying to connect to a service behind my nginx reverse proxy with a sub-sub domain:

This site can’t provide a secure connection
app.service.example.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Nginx Proxy Manager Version
v2.9.18

Steps to reproduce error:

  1. Start a service on a different device host on the local network (e.g. 192.168.1.50), with an open port (e.g. 8123)
  2. Create a DNS entry in cloudflare with DNS proxying turned off (e.g. app.service.example.xyz)
  3. Verify that the service is accessible from the device host running NPM with curl http + ip address
  4. Add a new proxy host on NPM management interface with these settings:
  • Domain Names = app.service.example.xyz
  • Scheme = http
  • Forward Hostname / IP = 192.168.1.50
  • Forward Port = 8123
  • Cache Assets = True
  • Block Common Exploits = True
  • Generate new SSL certificate (using the Let's Encrypt feature built into NPM)
  • Force SSL = True
  5. Save new proxy host
  6. Verify that the service is accessible from https://app.service.example.com
  7. Turn Cloudflare DNS proxy feature on for app.service.example.com
  8. Get the SSL error

Expected behavior
Service connects successfully with https for domains with 2 sub parts. (E.g. https://app.service.example.com)

Operating System
Ubuntu Server 22.04.1 + Docker 20.10.17

kerem 2026-02-26 07:31:38 +03:00
  • closed this issue
  • added the
    bug
    label

@the1ts commented on GitHub (Aug 20, 2022):

Isn't this covered in this page (https://community.cloudflare.com/t/community-tip-fixing-err-ssl-version-or-cipher-mismatch-in-google-chrome/42162)? the standard SSL cert from cloudflare covers domain.com and *.domain.com so will not cover *.service.domain.com, wildcard certs never cover additional dotted domain names.

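The rule @the1ts describes is the standard one-label wildcard rule for certificate names (RFC 6125 section 6.4.3): a `*` stands in for exactly one DNS label and never spans a dot, so `*.example.com` covers `service.example.com` but not `app.service.example.com`. The following Python script is an added example, not code from this issue or from the Nginx Proxy Manager project; it applies that rule to a SAN list so you can check whether a name would be covered before switching the Cloudflare proxy on. `SAMPLE_SANS` is a constructed stand-in for an apex-plus-wildcard certificate; `fetch_sans` is an optional live helper (an assumption about how you would gather the real list) that connects with SNI and reads the served certificate's DNS SANs.

```python
"""
Check whether a hostname is covered by a certificate's Subject Alternative
Names using the single-label wildcard rule (RFC 6125 section 6.4.3).

Added example for the issue above; not part of the NPM project.
"""
import socket
import ssl
from typing import Iterable, List, Optional

# Constructed sample: the apex-plus-wildcard coverage described in the thread.
SAMPLE_SANS = ["example.com", "*.example.com"]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` matches the single SAN entry `pattern`.

    A wildcard is accepted only as the entire left-most label, it must be
    followed by at least two labels (so "*.com" never matches), and it
    matches exactly one label, so it never covers an extra dotted level.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # Same number of labels is what enforces "one label only".
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covering_san(hostname: str, sans: Iterable[str]) -> Optional[str]:
    """Return the SAN entry that covers `hostname`, or None if none does."""
    for san in sans:
        if hostname_matches(san, hostname):
            return san
    return None


def explain(hostname: str, sans: Iterable[str]) -> str:
    """Human-readable verdict for one hostname against one SAN list."""
    san = covering_san(hostname, sans)
    if san is not None:
        return f"{hostname}: covered by SAN '{san}'"
    return (f"{hostname}: not covered by any SAN; an edge holding only this "
            f"certificate cannot complete the TLS handshake for this name")


def fetch_sans(host: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Network helper (assumption, not used offline): connect with SNI and
    return the DNS SANs of the certificate the server presents. If the edge
    refuses the handshake for this name, this raises ssl.SSLError, which is
    the same symptom the browser reports."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for name in ("example.com", "service.example.com", "app.service.example.com"):
        print(explain(name, SAMPLE_SANS))
    # A certificate carrying the deeper wildcard would cover the failing name.
    print(explain("app.service.example.com", ["*.service.example.com"]))
```

Run it as-is to see the three-level name fall outside the apex-plus-wildcard list while the two-level name is covered; replace `SAMPLE_SANS` with the output of `fetch_sans(...)` for a host you operate to check the certificate actually being served.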

@CarrotManMatt commented on GitHub (Sep 5, 2022):

Thanks! That seems to be the issue. I did not realise that when using the Cloudflare proxy feature it also uses its own SSL certificate, rather than the origin one, which then causes an error as the Cloudflare certificates are only given out to a single sub-domain level, as you described. Cheers!
