Why can't I reach my subdomains on one machine, but can on another?

kosymodo

kosymodo

kosymodo

Associate
Joined
18 Jun 2020
Posts
363
Location
Warminster
Hey folks - this is a bit of a weird one (to me anyway). I'd appreciate some advice!

I have three laptops, the first being my work Windows laptop, the second being a personal Windows laptop, and the third being a new personal MacBook Pro. What I'm finding is that I can access my subdomains on both Windows laptops, but not on my MBP. For example, I have Bitwarden self-hosted at bitwarden.DOMAIN.co.uk. I can access Bitwarden on both Windows laptops, but if I try to access on my MBP it throws up errors. The same applies to other subdomains, such as pihole.DOMAIN.co.uk.

Something which might help diagnose the issue is that when trying to access pihole.DOMAIN.co.uk, the error message I get is "the certificate for this site is invalid", and when I click to accept the risk and visit the site, it takes me to my router's homepage, but with the correct address in the address bar, albeit suffixed with additional info (i.e. the browser tab is called UniFi OS, and the address bar shows https://pihole.domain.co.uk/login?redirect=/admin/login.php)

What I find odd about the above example is that my reverse DNS is handled by Nginx Proxy Manager, in which the Pihole proxy host is configured as http://pihole.DOMAIN.co.uk, rather than https://pihole.DOMAIN.co.uk

However, the same happens when I try to access subdomains which do have SSL certificates, such as https://synology.domain.co.uk

Any ideas what's going on? More than likely something I'm completely overlooking, but it would be good to know what this is!
 
the-evaluator said:
Does the MBP resolve bitwarden.domain.co.uk correctly? When you say access, are you referring only to HTTP/HTTPS access? What about SSH or something else?
Click to expand...
Thanks @the-evaluator for your reply...

No it doesn't, this is the issue

Access to me = stick it in the address bar of a browser and expect to reach the site (e.g. my Bitwarden vault or my Pihole dashboard)

In terms of SSH, I can SSH into the hosts (Pi's running on 192.168.1.100 and 192.168.1.200), is that what you mean?
 
Sounds like a DNS issue to me. Is the Macbook using DoH? What browser(s) have you tried?

I was asking about something other than HTTP/HTTPS to see if it's a browser problem. Can you SSH into something from the MBP using the FQDN or can you only do it by IP address?
 
Last edited:
the-evaluator said:
Sounds like a DNS issue to me. Is the Macbook using DoH?
Click to expand...
I haven't set up anything specific on the MBP, the DNS is my Pihole which runs Unbound

the-evaluator said:
What browser(s) have you tried?
Click to expand...
OK, so just testing a bit more...it doesn't work in DuckDuckGo browser, it does work in Safari, it doesn't work in Chrome. The Bitwarden app doesn't work (I get an error 'Failed to fetch')

the-evaluator said:
Can you SSH into something from the MBP using the FQDN or can you only do it by IP address?
Click to expand...
The only things I ever SSH into are my Pi's and my router (UDM-Pro), none of which I'd ever use an FQDN to access. What else could I try to SSH into? I'm happy to try anything :)
 
kosymodo said:
OK, so just testing a bit more...it doesn't work in DuckDuckGo browser, it does work in Safari, it doesn't work in Chrome. The Bitwarden app doesn't work (I get an error 'Failed to fetch')
Click to expand...

Sounds like DuckDuckGo & Chrome are using DNS over HTTPS (DoH) so the DNS queries are being resolved externally. Go to https://one.one.one.one/help/ in each browser and see what it says there.

kosymodo said:
The only things I ever SSH into are my Pi's and my router (UDM-Pro), none of which I'd ever use an FQDN to access. What else could I try to SSH into? I'm happy to try anything :)
Click to expand...

Setup an A record to something else internally (a Pi maybe?) and see if you can SSH by FQDN. I'm trying to work out what's broken, but I'm fairly sure it's DoH causing it
 
the-evaluator said:
I'm trying to work out what's broken, but I'm fairly sure it's DoH causing it
Click to expand...
Seems like it could actually be a cert error...

A networking friend suggested running openssl s_client -connect synology.domain.co.uk:443 on my MBP and the result was:
depth=0 CN = unifi.local
verify error:num=18:self signed certificate
 
Just throwing this out there, but would mDNS be causing the DNS issue? I'm frantically Googling, and came across mDNS as the cause of something vaguely similar

mDNS is enabled on my UDM-Pro. I have a LAN network (VLAN ID 1) and an IoT network (VLAN ID 10). Do I need mDNS to allow devices on LAN to communicate with devices on IoT? Advice on a forum post (albeit 7yrs old) I found says this "If you don't know why you'd need it, then you don't". I don't really understand why I'd need it, though I appreciate that having 2 VLANs isn't what Joe Public does, but pretty common for those frequenting this forum! I'm therefore stuck between a rock and a hard place in knowing whether my set-up requires it
 
kosymodo said:
Seems like it could actually be a cert error...

A networking friend suggested running openssl s_client -connect synology.domain.co.uk:443 on my MBP and the result was:
depth=0 CN = unifi.local
verify error:num=18:self signed certificate
Click to expand...

What's the IP address of synology.domain.co.uk? If you open a Terminal on the MBP and 'ping synology.domain.co.uk' what IP address is returned?
 
the-evaluator said:
Interesting. Please do the same thing on one of the other laptops.

I can see why hitting your WAN IP (it'll be hairpinning) on port 443 will return the SSL certificate of your UDMP so next step is to work out why the traffic is ending up there.
Click to expand...
Same result on 2 other laptops - but both can access via browsers
 
You must log in or register to reply here.
Back
Top Bottom