I’m running into issues with my network setup and could use some guidance.
I have a remote site with no internet that runs several Docker containers including Nginx Proxy Manager, a web application, database, and Pi-hole for DNS. The Pi-hole directs traffic for myapp.domain.com and api.domain.com to the local server where NPM routes everything properly.
To update SSL certificates, I bring this server online periodically and connect it to my main network using Tailscale. My domain’s CNAME records point to my home network where I run another NPM instance.
The idea is to chain the proxy managers so my home NPM forwards requests through Tailscale to the remote NPM. This should allow Let’s Encrypt renewal and temporary web access through both proxy layers.
The traffic forwarding works, but I can’t generate new SSL certificates. HTTPS connections give me SSL_ERROR_UNRECOGNIZED_NAME_ALERT in browsers, and HTTP requests return 502 errors. I tried creating certificates on the home server and copying them as custom certs to the remote server, but got the same SSL name error.
I feel like I’m missing something fundamental about how the certificate chain should work between these two NPM instances. Has anyone successfully set up this type of configuration before?
Yeah, this SSL chain issue happens all the time with multiple proxy layers. Your certificates are tied to specific domains, but the proxy chain breaks the SNI flow.
Here’s what’s happening: requests hit your home NPM, SSL terminates there, then it forwards plain HTTP to the remote NPM. Your remote NPM tries serving HTTPS again with certificates that don’t match the connection path.
Don’t wrestle with certificate chains and manual copying - automate the whole SSL management process. I’ve seen setups like yours turn into a mess when you’re manually handling certificates across multiple instances.
You need a system that automatically detects when your remote server comes online, triggers certificate renewals, handles forwarding logic, and manages certificate distribution between NPM instances.
Latenode can monitor your Tailscale connections, auto-trigger Let’s Encrypt renewals when your remote server connects, copy certificates between instances, and restart your NPM containers with the right configs. Set up webhooks to detect network changes and chain multiple actions together.
This kills the manual certificate copying and ensures your SSL chain works properly every time your remote server comes online.
That SSL name error means your certificate’s Subject Alternative Names don’t match what’s actually happening in the request flow. When you chain NPM instances like this, the remote one gets requests with the original hostname but the SSL handshake gets confused.
I’ve run similar setups before - wildcard certs work way better than individual domain certs here. Generate a wildcard cert for *.domain.com on your home NPM, then copy that single cert to handle both myapp.domain.com and api.domain.com on the remote side when it connects through Tailscale.
Also check your Tailscale DNS. Your remote NPM might be trying to validate certs against localhost or the Tailscale IP instead of the actual domain names. Make sure your remote Pi-hole resolves those domains to the local server IP, not back through the tunnel.
For those 502 HTTP errors, double-check that your upstream configs in both NPM instances point to the right internal container addresses and ports.
You’re hitting a certificate validation issue across proxy boundaries. When your home NPM forwards to the remote one, the SSL context gets lost - each proxy layer wants to handle its own cert validation. I dealt with this exact nightmare on a multi-site setup last year.
Here’s what worked: Configure your home NPM as a transparent proxy without SSL termination for those domains. Set up stream blocks in your home NPM’s nginx config to pass TCP traffic directly through the Tailscale tunnel instead of HTTP forwarding.
For Let’s Encrypt renewals, switch to DNS challenge instead of HTTP challenge. This skips the whole mess of the CA trying to reach your server through the proxy chain. Most DNS providers have APIs that work with certbot plugins.
Once your remote server’s connected via Tailscale, run the DNS challenge directly on the remote NPM instance. Certificates get validated against your DNS records instead of trying to reach through your proxy setup. Should eliminate those SSL name mismatches you’re seeing.
you’re overcomplicating this. just turn off ssl on the remote npm and let your home instance handle the certificates. forward plain http through tailscale - much simpler than managing certs on both sides. your remote npm just becomes a basic reverse proxy without ssl headaches.