Mastodon (Host A) behind Swag (Host B) and Let's Encrypt - untrusted certificate


I have a Host A with Mastodon. The Mastodon-Image from is running and works fine with the self-signed certificate from its nginx. The container listens on the LXC host outside on 80+443 and can be reached from the reverse proxy. It can also be used with its self-signed certificate. It is working.

I also have an nginx (SWAG) on host B, which actually handles the Let's Encrypt DNS-challenge stuff. I used the supplied mastodon.conf as the configuration basis. I am using SWAG for many other services with Let's Encrypt, so I can confirm that it is working just fine.

The relevant part for Mastodon I’ve changed is:

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app XX.XX.XX.XX;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

There is nothing more I’ve done, besides the IP from the target host A (Mastodon) and it is reachable. I can use Mastodon behind Swag and am also offered the Let’s Encrypt certificate. However, it also has a “Dont-Trust” issue. My guess is that this conflicts with the self-signed certificate from Mastodon.

But I don’t know how to fix this. Possibly via proxy_ssl_verify off; at some point? It is the classic “SEC_ERROR_UNKNOWN_ISSUER” cert error, but if I press “view cert”, it shows me the Let’s Encrypt cert.

Any ideas?

Kind regards,

Oh boy. I saw the issue the next day with a clear mind. I completely forgot that I had Let's Encrypt certs against staging activated. Against prod it is working fine.

So my summary is that the nginx distro swag + the mastodon container from lsio are working out of the box together and there are no issues with them. Just PEBKAC :)
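
The symptom in this thread (SEC_ERROR_UNKNOWN_ISSUER while the certificate viewer still shows a Let's Encrypt name) can be checked from the issuer line of the served certificate. The script below is an added example, not part of the original posts; the function names are hypothetical, the sample issuer lines are constructed, and it assumes staging issuers carry the "(STAGING)" prefix or the older "Fake LE" names.

```shell
#!/bin/sh
# Classify the issuer line printed by `openssl x509 -noout -issuer`.
# The staging patterns are tested first: a staging issuer also contains
# "Let's Encrypt", which is why the certificate viewer looks correct
# even though no browser trusts the chain.
classify_issuer() {
    case "$1" in
        *"(STAGING)"*|*"Fake LE "*) echo staging ;;
        *"Let's Encrypt"*)          echo production ;;
        *)                          echo other ;;
    esac
}

# Fetch the issuer of the leaf certificate a host presents (needs network).
# $1 = hostname; assumption: TLS on port 443 with SNI, as behind the proxy.
served_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer
}

# Live check against the reverse proxy, e.g.: check_host mastodon.example.invalid
#   staging    -> certificates were requested from the staging environment
#   other      -> a different certificate (such as a backend self-signed one) is served
#   production -> the issuer is not the cause of the trust error
check_host() {
    classify_issuer "$(served_issuer "$1")"
}

# Constructed sample issuer lines (not captured from a real server).
STAGING_SAMPLE="issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3"
OLD_STAGING_SAMPLE="issuer=CN = Fake LE Intermediate X1"
PROD_SAMPLE="issuer=C = US, O = Let's Encrypt, CN = R3"
SELFSIGNED_SAMPLE="issuer=CN = mastodon.example.invalid"

# Offline demonstration over the constructed samples.
for line in "$STAGING_SAMPLE" "$OLD_STAGING_SAMPLE" "$PROD_SAMPLE" "$SELFSIGNED_SAMPLE"; do
    printf '%-12s %s\n' "$(classify_issuer "$line")" "$line"
done
```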

