After last certificate renewal, we need to ignore the certificate

Hi! First of all, thanks for this amazing community!

I am having an issue: last week our domain certificate expired. We renewed it and everything is alright when it comes to accessing the website using a browser. But when making a POST request from our second server, or even through a cron curl request originating from the application server itself, I need the request to ignore the certificate.

On Axios I need to pass rejectUnauthorized: true, and on the curl CLI request I need to pass the -k or --insecure param so it ignores the certificate.

Ignoring the certificate, everything works fine, but I don't feel like this is the correct solution. Before the certificate renewal this was not an issue, that's why I'm concerned.

I'm using certbot 2.3.0, and Ubuntu 22.04.1 LTS
Nginx version: nginx/1.18.0 (Ubuntu)
I can login to a root shell on my machine: yes

Any help will be welcome! :smiley:

Thanks!


Hi @Thyoity, and welcome to the LE community forum :slight_smile:

What is the URL used that has this problem?


The link is example.com

You are not sending the intermediate certs, only the "leaf" cert.

With nginx you should use the fullchain.pem from Certbot. Are you using cert.pem instead?

Browsers can sometimes compensate for this failure but other clients (like curl) will not.

Try a site like this SSL Checker to see for yourself.


Is that HTTPS on port 443 only?
[or also on some other port(s) too?]


The cert that expired last week had two names on it:


The cert being served today has only one name on it.
What happened to the "www"?

Name:    [redacted]
Address: 192.x.y.z
Aliases: www.[redacted]

You also failed to mention that we can't reach your server directly:

Whatever you are seeing is NOT what we are seeing.
Because you are likely hitting your server directly - we are not.


Good eye, and it might just be that the Sucuri firewall cert is wrong. But it's possible Sucuri is just a pass-thru for "normal" http(s) requests and the nginx is also involved.

curl -Ik https://[redacted]

HTTP/2 200
server: nginx
x-sucuri-cache: MISS

Whereas a "faulty" http(s) request gets this

HTTP/1.1 400 Bad Request
Server: Sucuri/Cloudproxy

You guys are freaking amazing! Thanks a lot.

The issue was exactly what you guys found. My domain is behind an anti-DDoS and firewall service named Sucuri. Everything was well set on my nginx, but when I renewed the certificate, I uploaded the cert.pem file in the Sucuri settings. I thought it would be sufficient, but now, reading your answers, I see that I should have uploaded the fullchain.pem, as Sucuri is in the middle. I just uploaded the correct pem file on Sucuri and everything is working without needing to ignore the certificate now!

You guys guided me and I could fix the issue.

Thanks everyone!!


Yeah, I will add the subdomain "www" too, forgot about this one :sweat_smile:

