I have a Host A with Mastodon. The Mastodon image from linuxserver.io is running and works fine with the self-signed certificate from its nginx. The container listens on the LXC host outside on 80+443 and can be reached from the reverse proxy. It can also be used with its self-signed certificate. It is working.
I also have an nginx (SWAG) on host B, which actually handles the Let’s Encrypt DNS-challenge stuff. I used the supplied mastodon.conf as the configuration basis. I am using SWAG for many other services with Let’s Encrypt, so I can confirm that it is working just fine.
The relevant part for Mastodon I’ve changed is:
    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    set $upstream_app XX.XX.XX.XX;
    set $upstream_port 80;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;
There is nothing more I’ve done besides setting the IP of the target host A (Mastodon), and it is reachable. I can use Mastodon behind SWAG and am also offered the Let’s Encrypt certificate. However, it also has a “Don’t Trust” issue. My guess is that this conflicts with the self-signed certificate from Mastodon.
But I don’t know how to fix this. Possibly via proxy_ssl_verify off; at some point? It is the classic “SEC_ERROR_UNKNOWN_ISSUER” cert error, but if I press “view cert”, it shows me the Let’s Encrypt cert.