Browsers not picking up my certificate

My domain is: BobbyCycles.in
My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)
My hosting provider, if applicable, is: Hetzner
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO.
The version of my client is : certbot 1.21.0


I've successfully produced certificates for BobbyCycles.in (I've checked with certbot certificates also).

Found the following certs:
  Certificate Name: bathindahelper.com
    Serial Number: 48219cf566c96a863888ad817b992487ae8
    Key Type: RSA
    Domains: bathindahelper.com www.bathindahelper.com
    Expiry Date: 2023-10-22 08:43:22+00:00 (VALID: 66 days)
    Certificate Path: /etc/letsencrypt/live/bathindahelper.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bathindahelper.com/privkey.pem
  Certificate Name: bobbycycles.in-1
    Serial Number: 46be57a8b6df048f0732008dad2bfe17809
    Key Type: RSA
    Domains: bobbycycles.in *.bobbycycles.in
    Expiry Date: 2023-11-14 12:15:41+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/bobbycycles.in/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bobbycycles.in/privkey.pem
  Certificate Name: bobbycycles.in
    Serial Number: 46be57a8b6df048f0732008dad2bfe17809
    Key Type: RSA
    Domains: bobbycycles.in *.bobbycycles.in
    Expiry Date: 2023-11-14 12:15:41+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/bobbycycles.in/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bobbycycles.in/privkey.pem
  Certificate Name: bobbycycleshop.com-0001
    Serial Number: 372c5a3577937bad05c29ba1720988ea779
    Key Type: RSA
    Domains: bobbycycleshop.com *.bobbycycleshop.com
    Expiry Date: 2023-11-14 11:25:04+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/bobbycycleshop.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bobbycycleshop.com-0001/privkey.pem
  Certificate Name: www.zopfan.com
    Serial Number: 471fad90ab20b306b95791dfa3acbeff2fe
    Key Type: RSA
    Domains: www.zopfan.com zopfan.com
    Expiry Date: 2023-10-22 12:59:14+00:00 (VALID: 66 days)
    Certificate Path: /etc/letsencrypt/live/www.zopfan.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.zopfan.com/privkey.pem

Please note that I've set this domain name to forward to another domain name.
Also, it (certificates for this domain and domain forwarding) was working OK 2-3 days ago.

Problem:
Yet, when I type BobbyCycles.in in any browser, it either gives a 'Problem Loading Page' error (The connection has timed out) or forwards to some wrong domain (BobbyCycles.com). Earlier this forwarding was set, but no longer. At this moment, my conf file is set to forward https://BobbyCycles.in to BathindaHelper.com.

I would check your firewalls. It looks like port 80 is listening but 443 isn't.

5 Likes

These two certs are duplicates of each other. Please only use one of both in your services such as nginx and remove the other, un-used certificate.

(Not a fix to your issue, but something that stands out.)

2 Likes

Thank you.

Please tell me what to do to remove the undesired one. Because both certificates show the same path/file. If I delete

/etc/letsencrypt/live/bobbycycles.in/fullchain.pem

then both certs would get deleted.

1 Like

Well, that's weird.

Did someone manually make a copy of /etc/letsencrypt/renew/bobbycycles.in.conf perhaps? And if so, why? Very strange.

1 Like

Yes, I did some things manually yesterday. I really got confused. I shouldn't have done that.

But please tell me any way to fix this. I can access my instance through SSH and through WinSCP both.

With regard to your seemingly duplicate certificate: if both the renewal configuration files are equal in contents, you should be fine with deleting just one of the two configuration files, e.g. bobbycycles.in-1.conf

With regard to your initial question: works for me now, the only thing I noticed currently is that there's no HTTP to HTTPS redirect for the .com site. Couldn't check the rest from where I am now.

3 Likes

Either I didn't understand something, or you didn't notice that both certificates are in the same file.

Same path, same file. I.e.:

/etc/letsencrypt/live/bobbycycles.in/fullchain.pem

If I'd delete one, both would go. And even though I could delete this one and create a new one, I'm afraid there would be remnants of the old certs. Particularly because I did tinker with cert/renewal files manually. So if there is some command which could delete all related cert files without leaving any remnants, that would be great. And then I could go for creating a new one.

One thing would still bother me: what if it said that I've already generated 5 times (though I remember having generated only 3, or at the most 4, times)? So, is there another way with which I could back up these (corrupt or non-standard) certs first?

Thanks.

1 Like

Certbot "knows" about its certs due to the renewal configuration files in /etc/letsencrypt/renewal/ and those renewal configuration files contain links to the files in /etc/letsencrypt/live/.

With my post above I only referred to the configuration files in /renewal/, NOT the files in /live/ or /archive/.

If the problem is with the webserver, there is absolutely NO NEED to keep forcibly renewing perfectly fine certificates. If you don't force certificate renewals, there's no problem with the rate limit you're mentioning.

5 Likes
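One way to spot the situation described above, two renewal .conf files describing a single certificate lineage, from a root shell. This is an added example, not code from the thread or from certbot; the sample .conf files it writes under a temporary directory are constructed to mirror the bobbycycles.in case, and nothing under /etc/letsencrypt is read or modified unless you point the function at that directory yourself.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): report renewal
# configuration files that point at the same certificate lineage.
# Certbot tracks lineages through /etc/letsencrypt/renewal/<name>.conf; two
# .conf files whose "cert =" lines name the same live/ path describe one
# lineage twice, which is what "certbot certificates" showed above.
# Only the .conf files are read; nothing under live/ or archive/ is touched.

# find_duplicate_renewal_confs DIR
#   Prints "<cert path>: <conf> <conf>..." for each cert path referenced by
#   more than one .conf file in DIR. Returns 1 if duplicates exist, else 0.
find_duplicate_renewal_confs() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        # Value of the first "cert = ..." line in the file.
        certpath=$(sed -n 's/^cert[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        if [ -n "$certpath" ]; then
            printf '%s %s\n' "$certpath" "$conf"
        fi
    done | LC_ALL=C sort | awk '
        # Input is sorted, so equal cert paths arrive adjacent to each other.
        $1 != prev { flush(); prev = $1; confs = ""; n = 0 }
        { confs = confs " " $2; n++ }
        END { flush(); exit (dup ? 1 : 0) }
        function flush() { if (n > 1) { print prev ":" confs; dup = 1 } }'
}

# make_sample_renewal_dir
#   Creates a temporary directory holding CONSTRUCTED renewal files: two confs
#   for the bobbycycles.in lineage (the duplicate) and one unrelated lineage.
#   Prints the directory path; the caller removes it when done.
make_sample_renewal_dir() {
    d=$(mktemp -d)
    for name in bobbycycles.in bobbycycles.in-1; do
        cat > "$d/$name.conf" <<EOF
# constructed sample, not a real certbot file
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/bobbycycles.in
cert = /etc/letsencrypt/live/bobbycycles.in/cert.pem
privkey = /etc/letsencrypt/live/bobbycycles.in/privkey.pem
chain = /etc/letsencrypt/live/bobbycycles.in/chain.pem
fullchain = /etc/letsencrypt/live/bobbycycles.in/fullchain.pem
EOF
    done
    cat > "$d/bathindahelper.com.conf" <<EOF
# constructed sample, not a real certbot file
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/bathindahelper.com
cert = /etc/letsencrypt/live/bathindahelper.com/cert.pem
EOF
    printf '%s\n' "$d"
}

# Demo against the constructed sample; point the function at
# /etc/letsencrypt/renewal instead to check a real machine.
SAMPLE_DIR=$(make_sample_renewal_dir)
echo "Checking constructed sample in $SAMPLE_DIR"
find_duplicate_renewal_confs "$SAMPLE_DIR" \
    || echo "-> duplicate lineage found; keep one .conf and move the other aside"
rm -rf "$SAMPLE_DIR"
```

On a real host, run `find_duplicate_renewal_confs /etc/letsencrypt/renewal`; a clean install prints nothing and returns 0. Because only the .conf files are compared, moving one of a duplicated pair out of the directory (as was done later in this thread) leaves the shared files under live/ and archive/ untouched.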

Ohk.
I got it.

I did exactly as you told me. I moved the duplicate file /etc/letsencrypt/renewal/discardable/bobbycycles.in-1.conf into a subfolder named discardable:

Now the certbot certificates command shows this output:

But even after reloading nginx service, browser still gives same 'timeout' error.

You need to change your DNS A record to point directly to your nginx server.

Right now it is using a URL Forwarding (or URL Redirect) service. These do not work with HTTPS.

We often see this with new GoDaddy hosting setups, but other vendors have such a thing too.

Is your bathindahelper.com on the same server as the bobbycycles? If so, that one is working fine so just copy that method

4 Likes
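The two diagnoses given in this thread, nothing listening on port 443 (the firewall remark earlier) and an A record that still points at a URL-forwarding service instead of the nginx host, can both be checked from the shell. The script below is an added example and not code from any poster; it assumes iproute2's ss, dig and curl are installed on the server, and the sample ss and dig outputs, the 203.0.113.10 server address and the 192.0.2.x forwarder addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check the two failure modes discussed
# above. The check functions take command output as text so they can be
# exercised on constructed samples; diagnose_domain runs the live commands.

# tls_listener_present SS_OUTPUT
#   SS_OUTPUT is the text of `ss -Hltn` (listening TCP sockets, no header).
#   Column 4 is "Local Address:Port"; returns 0 if any socket is on port 443.
tls_listener_present() {
    printf '%s\n' "$1" | awk '$4 ~ /:443$/ { found = 1 } END { exit !found }'
}

# a_record_points_at_server RESOLVED_IPS SERVER_IP
#   RESOLVED_IPS is the output of `dig +short A <domain>` (one IP per line).
#   A URL-forwarding service answers with its own addresses, so the server's
#   IP is absent from the list; returns 0 only if it is present.
a_record_points_at_server() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

# diagnose_domain DOMAIN SERVER_IP
#   Live check on the nginx host itself (needs ss, dig, curl and network).
diagnose_domain() {
    domain=$1
    server_ip=$2
    if a_record_points_at_server "$(dig +short A "$domain")" "$server_ip"; then
        echo "OK: $domain resolves to $server_ip"
    else
        echo "PROBLEM: $domain does not resolve to $server_ip (forwarding service still in place?)"
    fi
    if tls_listener_present "$(ss -Hltn)"; then
        echo "OK: a socket is listening on TCP 443"
    else
        echo "PROBLEM: nothing listens on 443 (check the nginx 'listen 443 ssl' block and the firewall)"
    fi
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://$domain/" 2>/dev/null || echo 000)
    echo "HTTPS GET https://$domain/ -> HTTP $code (000 means no TLS connection)"
}

# Constructed samples (placeholder addresses from the TEST-NET ranges).
SERVER_IP='203.0.113.10'
SAMPLE_SS_NO_TLS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1234,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))'
SAMPLE_SS_WITH_TLS="$SAMPLE_SS_NO_TLS
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:((\"nginx\",pid=1234,fd=8))
LISTEN 0 511 [::]:443 [::]:* users:((\"nginx\",pid=1234,fd=9))"
SAMPLE_DIG_FORWARDER='192.0.2.1
192.0.2.2'
SAMPLE_DIG_DIRECT='203.0.113.10'

# Demo on the samples; with two arguments, run the live diagnosis instead:
#   sh check.sh bobbycycles.in 203.0.113.10
if [ "$#" -ge 2 ]; then
    diagnose_domain "$1" "$2"
else
    tls_listener_present "$SAMPLE_SS_NO_TLS" || echo "sample 1: port 80 only, no 443 listener (timeout symptom)"
    tls_listener_present "$SAMPLE_SS_WITH_TLS" && echo "sample 2: 443 listener present"
    a_record_points_at_server "$SAMPLE_DIG_FORWARDER" "$SERVER_IP" || echo "sample 3: A record points at a forwarder, not the server"
    a_record_points_at_server "$SAMPLE_DIG_DIRECT" "$SERVER_IP" && echo "sample 4: A record points at the server"
fi
```

Run it on the nginx host with the domain and the host's public address. Until the forwarding service is removed and the A record changed, the first check fails regardless of how the certificate or nginx is configured, which is why reloading nginx did not help here.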

I got it. But I found that while GoDaddy is allowing me to create/edit 'A' records for my domain BathindaHelper.com (and others), it is not allowing me (the option is grayed out) to edit 'A' records of BobbyCycles.in.

I'll contact GoDaddy regarding this.
Thanks again.

2 Likes

You need to disable the URL forwarding service first, and then you can update the A record.

6 Likes

They were literally the same cert - LOL

That was a bad idea!

3 Likes

I think I've already deleted any duplicates. And have pasted the current output of certbot certificates command above.

If you mean something else / another way, please tell me in a bit more detail.

In the meantime, I'm doing as told by @MikeMcQ (thanks to him again).
To @MikeMcQ: I've edited the 'A' records successfully.

And now I am waiting for the propagation of the same.
Let's meet tomorrow, IST.

Thanks all. Shutting down the pc for the day. Hoping that all hurdles have been removed now and https will work on BobbyCycles.in

1 Like

Yes, I did notice that.
I was commenting on it [late] nonetheless.

You only need to wait for the authoritative servers to show the update.
[which should be done very quickly]

3 Likes

Thanks.

Seems that the problem has been resolved (by deleting the duplicate conf file in /etc/letsencrypt/renew and correcting the domain's 'A' records in the GoDaddy panel, after removing the domain forwarding that was set inadvertently).

@Osiris
@MikeMcQ
@rg305
@9peppe

You rock. In this world.

6 Likes
