Hi! First of all, thanks for this amazing community!
I am having an issue: last week our domain certificate expired. We renewed it and everything is all right when it comes to accessing the website using a browser. But when sending a POST request from our second server, or even through a cron curl request originating from the application server itself, I need to make the request ignoring the certificate.
In Axios I need to pass rejectUnauthorized: true, and in the curl CLI request I need to pass the -k or --insecure param so it ignores the certificate.
Ignoring the certificate, everything works fine, but I don't feel like this is the correct solution. Before the certificate renewal this was not an issue, that's why I'm concerned.
I'm using certbot 2.3.0, and Ubuntu 22.04.1 LTS
Nginx version: nginx/1.18.0 (Ubuntu)
I can login to a root shell on my machine: yes
Any help will be welcome!
Hi @Thyoity, and welcome to the LE community forum
What is the URL used that has this problem?
You are not sending the intermediate certs, only the "leaf" cert.
With nginx you should use the fullchain.pem from Certbot. Are you using cert.pem instead?
Browsers can sometimes compensate for this failure but other clients (like curl) will not.
Try a site like this SSL Checker to see for yourself
Is that HTTPS on port 443 only?
[or also on some other port(s) too?]
The cert that expired last week had two names on it:
The cert being served today has only one name on it.
What happened to the "
You also failed to mention that we can't reach your server directly:
Whatever you are seeing is NOT what we are seeing.
Because you are likely hitting your server directly - we are not.
Good eye, and it might just be that the Sucuri firewall cert is wrong. But it's possible Sucuri is just a pass-thru for "normal" http(s) requests and the nginx is also involved.
curl -Ik https://[redacted]
Whereas a "faulty" http(s) request gets this
HTTP/1.1 400 Bad Request
You guys are freaking amazing! Thanks a lot.
The issue was exactly what you guys found. My domain is behind an Anti-DDoS and firewall service named Sucuri. Everything was well set on my nginx, but when I renewed the certificate, I uploaded the cert.pem file in the Sucuri settings. I thought it would be sufficient, but now reading your answers I could find that I should have uploaded the fullchain.pem, as Sucuri is in the middle. I just uploaded the correct pem file to Sucuri and everything is working without the need of ignoring the certificate now!
You guys guided me and I could fix the issue.
Yeah, I will add the subdomain "www" too, forgot about this one
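The cert.pem versus fullchain.pem difference this thread turned on can be checked before a file is uploaded to a TLS-terminating proxy. The following is an added example, not part of any post and not Certbot or Sucuri code; the function names are hypothetical and the sample certificates are constructed, unsigned DER skeletons. It compares issuer and subject names only and does not verify signatures.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER (issuer, subject) Names of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)        # Certificate SEQUENCE
    _, pos, end = tlv(der, pos)    # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, stop = tlv(der, pos)
        if tag != 0xA0:            # skip the optional [0] version field
            fields.append(der[pos:stop])
        pos = stop
    return fields[2], fields[4]    # order: serial, sigAlg, issuer, validity, subject

def check_bundle(pem_text):
    """Classify a PEM file by chain structure only; signatures are not verified."""
    ders = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]
    if not ders:
        return "no certificates"
    names = [issuer_subject(d) for d in ders]
    if len(ders) == 1:
        return "self-signed" if names[0][0] == names[0][1] else "leaf only: intermediates missing"
    for (issuer, _), (_, parent_subject) in zip(names, names[1:]):
        if issuer != parent_subject:   # each cert must be followed by its issuer
            return "chain out of order or broken"
    return "chain ok (%d certificates)" % len(ders)

# Constructed, unsigned DER skeletons (not real certificates) so the example runs offline.
def build_der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length is enough for these samples
def sample_cert(subject, issuer):
    name = lambda cn: build_der(0x30, build_der(0x0C, cn.encode()))
    tbs = build_der(0x02, b"\x01") + build_der(0x30, b"") + name(issuer) + build_der(0x30, b"") + name(subject)
    b64 = base64.encodebytes(build_der(0x30, build_der(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

CERT_PEM = sample_cert("example.test", "Constructed Intermediate CA")  # shaped like cert.pem
INTERMEDIATE_PEM = sample_cert("Constructed Intermediate CA", "Constructed Root CA")
FULLCHAIN_PEM = CERT_PEM + INTERMEDIATE_PEM                            # shaped like fullchain.pem
```

On a real file, pass its text to `check_bundle`; a "leaf only" result is the condition that browsers sometimes paper over but curl and Axios reject.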