[GH-ISSUE #4424] SSL Certificate Mismatch and Resolution Issues in Local Network (Nginx Proxy Manager) with Cloudflare Tunneling #2830

Open
opened 2026-02-26 07:36:55 +03:00 by kerem · 2 comments

Originally created by @mrxehmad on GitHub (Mar 8, 2025).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4424

I have a local network where I run various services, including Pi-hole, which is accessible via the subdomain pihole.domain.site. My domain, domain.site, is hosted externally and uses Cloudflare for tunneling. When accessing pihole.domain.site from within my local network, I encounter the SSL error "ERR_SSL_UNRECOGNIZED_NAME_ALERT" in most browsers except Firefox. Additionally, some applications, like Bitwarden, fail to connect properly. However, other locally hosted services that do not rely on Cloudflare work without issues. Running an openssl s_client command shows that the wildcard SSL certificate for *.domain.site is valid and correctly issued by Let's Encrypt. This suggests that the problem may be related to how SSL certificates are being resolved or verified locally. I don't know what I should do. Any suggestions?

```text
nslookup pihole.domain.site
Server: 10.1.15.103
Address: 10.1.15.103#53

Name: pihole.domain.site
Address: 10.1.15.103

openssl s_client -connect 10.1.15.103:443 -servername pihole.domain.site
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = *.domain.site
verify return:1
---
Certificate chain
 0 s:CN = *.domain.site
   i:C = US, O = Let's Encrypt, CN = E6
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Feb  7 04:45:45 2025 GMT; NotAfter: May  8 04:45:44 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = E6
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = *.domain.site
issuer=C = US, O = Let's Encrypt, CN = E6
---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2461 bytes and written 403 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: E8C3A7DFCFAEFFF5345A0F87D9BDB957E14636CB642D1FD38E2F7A1B53F6C1DB
    Session-ID-ctx:
    Resumption PSK: BAEAE62386F72740AF0316A7370F1AF1177D22B3BF557DBCC9BB2D2356AA82BE98067889DBE37A0F4D46F41358C1AA51
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1741433403
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F2F6214776466893C4414A915F59595118DD9508F34F90A85EFA30A4453F0B3E
    Session-ID-ctx:
    Resumption PSK: EA79D8FF9CCDF5A24ABF8D512816ABECC3F6F588A278E874EAB300C75752F622381537B29177823C2F39046B11FAD6FA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1741433403
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
```
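The openssl run above only proves that the chain validates for the SNI that was typed in by hand; a browser additionally checks that a presented name covers the hostname and surfaces a server-side unrecognized_name alert as ERR_SSL_UNRECOGNIZED_NAME_ALERT. The following probe, an added example that is not part of the issue or of Nginx Proxy Manager, repeats the check in Python: it connects to a chosen IP with a chosen SNI (so the 10.1.15.103 / pihole.domain.site pair from the post can be compared against whatever another resolver returns), verifies chain and hostname as a browser would, and names the failure class. The `wildcard_matches` helper and the `TLSV1_UNRECOGNIZED_NAME` reason string are assumptions about OpenSSL's error naming, not values taken from the issue.

```python
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Single-label wildcard match as browsers apply it: '*.domain.site'
    covers 'pihole.domain.site' but not 'domain.site' or 'a.b.domain.site'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".domain.site"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def classify_failure(err: ssl.SSLError) -> str:
    """Map an OpenSSL handshake failure onto the symptom the issue reports."""
    reason = getattr(err, "reason", None) or ""
    if reason == "TLSV1_UNRECOGNIZED_NAME":  # assumed OpenSSL reason name
        # The server answered the SNI with an unrecognized_name alert; Chromium
        # shows exactly this as ERR_SSL_UNRECOGNIZED_NAME_ALERT.
        return "unrecognized_name alert: server has no vhost or certificate for this SNI"
    if isinstance(err, ssl.SSLCertVerificationError):
        return f"certificate rejected: {getattr(err, 'verify_message', err)}"
    return f"other TLS failure: {reason or err}"


def probe(ip: str, sni: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with ip:port using `sni`, verifying chain and hostname like a browser."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                covered = any(wildcard_matches(n, sni) for n in sans)
                return f"{tls.version()} OK; SAN={sans}; covers {sni}: {covered}"
    except ssl.SSLError as err:
        return classify_failure(err)
    except OSError as err:
        return f"connection failed: {err}"


if __name__ == "__main__":
    import sys
    # usage mirrors the issue: probe.py 10.1.15.103 pihole.domain.site
    print(probe(sys.argv[1], sys.argv[2]))
```

Running it once against the address the local resolver returns and once against the address an external resolver returns shows whether the alert comes from the local proxy or from the path the browser actually takes.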


@github-actions[bot] commented on GitHub (Sep 23, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍


@bt1v1 commented on GitHub (Oct 10, 2025):

> I have a local network where I run various services, including Pi-hole, which is accessible via the subdomain pihole.domain.site. My domain, domain.site, is hosted externally and uses Cloudflare for tunneling. When accessing pihole.domain.site from within my local network, I encounter the SSL error "ERR_SSL_UNRECOGNIZED_NAME_ALERT" in most browsers except Firefox. Additionally, some applications, like Bitwarden, fail to connect properly. However, other locally hosted services that do not rely on Cloudflare work without issues. Running an openssl s_client command shows that the wildcard SSL certificate for *.domain.site is valid and correctly issued by Let's Encrypt. This suggests that the problem may be related to how SSL certificates are being resolved or verified locally. I don't know what I should do. Any suggestions?
>
> ```text
> nslookup pihole.domain.site
> Server: 10.1.15.103
> Address: 10.1.15.103#53
>
> Name: pihole.domain.site
> Address: 10.1.15.103
>
> openssl s_client -connect 10.1.15.103:443 -servername pihole.domain.site
> CONNECTED(00000003)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = E6
> verify return:1
> depth=0 CN = *.domain.site
> verify return:1
> ---
> Certificate chain
>  0 s:CN = *.domain.site
>    i:C = US, O = Let's Encrypt, CN = E6
>    a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
>    v:NotBefore: Feb  7 04:45:45 2025 GMT; NotAfter: May  8 04:45:44 2025 GMT
>  1 s:C = US, O = Let's Encrypt, CN = E6
>    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>    a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> subject=CN = *.domain.site
> issuer=C = US, O = Let's Encrypt, CN = E6
> ---
> No client certificate CA names sent
> Peer signing digest: SHA384
> Peer signature type: ECDSA
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2461 bytes and written 403 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 384 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_AES_256_GCM_SHA384
>     Session-ID: E8C3A7DFCFAEFFF5345A0F87D9BDB957E14636CB642D1FD38E2F7A1B53F6C1DB
>     Session-ID-ctx:
>     Resumption PSK: BAEAE62386F72740AF0316A7370F1AF1177D22B3BF557DBCC9BB2D2356AA82BE98067889DBE37A0F4D46F41358C1AA51
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>     Start Time: 1741433403
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
>     Max Early Data: 0
> ---
> read R BLOCK
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_AES_256_GCM_SHA384
>     Session-ID: F2F6214776466893C4414A915F59595118DD9508F34F90A85EFA30A4453F0B3E
>     Session-ID-ctx:
>     Resumption PSK: EA79D8FF9CCDF5A24ABF8D512816ABECC3F6F588A278E874EAB300C75752F622381537B29177823C2F39046B11FAD6FA
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>     Start Time: 1741433403
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
>     Max Early Data: 0
> ---
> ```

I have the same problem. Did you find a fix for this?
