Why can't I reach my subdomains on one machine, but can on another?

Associate
Joined
18 Jun 2020
Posts
363
Location
Warminster
Hey folks - this is a bit of a weird one (to me anyway). I'd appreciate some advice!

I have three laptops, the first being my work Windows laptop, the second being a personal Windows laptop, and the third being a new personal MacBook Pro. What I'm finding is that I can access my subdomains on both Windows laptops, but not on my MBP. For example, I have Bitwarden self-hosted at bitwarden.DOMAIN.co.uk. I can access Bitwarden on both Windows laptops, but if I try to access on my MBP it throws up errors. The same applies to other subdomains, such as pihole.DOMAIN.co.uk.

Something which might help diagnose the issue is that when trying to access pihole.DOMAIN.co.uk, the error message I get is "the certificate for this site is invalid", and when I click to accept the risk and visit the site, it takes me to my router's homepage, but with the correct address in the address bar, albeit suffixed with additional info (i.e. the browser tab is called UniFi OS, and the address bar shows https://pihole.domain.co.uk/login?redirect=/admin/login.php)

What I find odd about the above example is that my reverse DNS is handled by Nginx Proxy Manager, in which the Pihole proxy host is configured as http://pihole.DOMAIN.co.uk, rather than https://pihole.DOMAIN.co.uk

However, the same happens when I try to access subdomains which do have SSL certificates, such as https://synology.domain.co.uk

Any ideas what's going on? More than likely something I'm completely overlooking, but it would be good to know what this is!
 
Does the MBP resolve bitwarden.domain.co.uk correctly? When you say access, are you referring only to HTTP/HTTPS access? What about SSH or something else?
Thanks @the-evaluator for your reply...

No it doesn't, this is the issue

Access to me = stick it in the address bar of a browser and expect to reach the site (e.g. my Bitwarden vault or my Pihole dashboard)

In terms of SSH, I can SSH into the hosts (Pi's running on 192.168.1.100 and 192.168.1.200), is that what you mean?
 
Sounds like a DNS issue to me. Is the Macbook using DoH?
I haven't set up anything specific on the MBP, the DNS is my Pihole which runs Unbound

What browser(s) have you tried?
OK, so just testing a bit more...it doesn't work in DuckDuckGo browser, it does work in Safari, it doesn't work in Chrome. The Bitwarden app doesn't work (I get an error 'Failed to fetch')

Can you SSH into something from the MBP using the FQDN or can you only do it by IP address?
The only things I ever SSH into are my Pi's and my router (UDM-Pro), none of which I'd ever use an FQDN to access. What else could I try to SSH into? I'm happy to try anything :)
 
I'm trying to work out what's broken, but I'm fairly sure it's DoH causing it
Seems like it could actually be a cert error...

A networking friend suggested running openssl s_client -connect synology.domain.co.uk:443 on my MBP and the result was:
depth=0 CN = unifi.local
verify error:num=18:self signed certificate
 
Just throwing this out there, but would mDNS be causing the DNS issue? I'm frantically Googling, and came across mDNS as the cause of something vaguely similar

mDNS is enabled on my UDM-Pro. I have a LAN network (VLAN ID 1) and an IoT network (VLAN ID 10). Do I need mDNS to allow devices on LAN to communicate with devices on IoT? Advice on a forum post (albeit 7yrs old) I found says this "If you don't know why you'd need it, then you don't". I don't really understand why I'd need it, though I appreciate that having 2 VLANs isn't what Joe Public does, but pretty common for those frequenting this forum! I'm therefore stuck between a rock and a hard place in knowing whether my set-up requires it
 
Interesting. Please do the same thing on one of the other laptops.

I can see why hitting your WAN IP (it'll be hairpinning) on port 443 will return the SSL certificate of your UDMP so next step is to work out why the traffic is ending up there.
Same result on 2 other laptops - but both can access via browsers
 
Back
Top Bottom