Can't access my website via https


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: prefer not to post

I ran this command: certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /usr/local/etc/letsencrypt/renewal/<my.domain.net>.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for <my.domain.net>
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/usr/local/etc/letsencrypt/live/<my.domain.net>/fullchain.pem


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/usr/local/etc/letsencrypt/live/<my.domain.net>/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version):
freenas 11.1U2
My hosting provider, if applicable, is:

I can log in to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

I messed up my SSL certificates and I’m not sure how to fix the problem. After running the certbot command while trying to create an automated script, I created multiple versions of my certificate (<mydomain.net>.0001, …0002 etc.). I tried to fix it by deleting some of the directories in /usr/local/etc/letsencrypt/ (live, accounts, archive, <mydomain.net>, renewal, renewal-hooks). Prior to deleting I made copies of those directories (“oldlive” etc.). Because I ran the certbot command too many times I had to wait a week, as my maximum was exceeded.

One week later I tried to get it working by running certbot certonly --webroot -w /usr/local/www -d <mydomain.net> -d <mydomain.net> --staging, certbot renew and certbot renew --dry-run.
It seems like it was successful, but /usr/local/etc/letsencrypt/live/<mydomain.net>/ has links to archive/<mydomain.net>/cert1.pem etc.

When I try to go to the HTTPS web site I get the error NET::ERR_CERT_AUTHORITY_INVALID
/var/log/letsencrypt/letsencrypt.log says on the last line certbot.renewal:no renewal failures

I’m not sure if my ssl certificate on my server is messed up or my browser is remembering the old ssl certificate. Unfortunately I’m way over my head and any assistance would be appreciated.


#3

Without a domain to look at it’s hard to tell. Your nginx configuration might be pointing to cert.pem instead of fullchain.pem as it should, or it might be pointing to some default self-signed certificate instead of the Let’s Encrypt one you have obtained.


#4

It is pointing to fullchain.pem in my nginx.conf file. What would I have to do to remove all the current letsencrypt stuff from my current server and start over from scratch by issuing the command
certbot certonly --webroot -w /usr/local/www -d <domain_name> -d www.<domain_name>?

Would I run into the limit on the number of times I can run that command? How can I find out how many attempts I have left for the week?


#5

Hi,

The reason it’s showing “certificate authority not valid” is because you are using the staging server to successfully get the certificate.
(The staging environment is not going to give you a valid (browser-trusted) certificate.)

As you said (you created several yourdomain-000x certificates), you are probably going to hit the production server rate limit soon.

Count how many certs you issued in the same week (exact set) (or use crt.sh, however it’s not updated instantly).

It depends on how many times you successfully get a certificate for the domain set. (Even if you are rate limited, you can still run the command; you will only get an error telling you “rate limited”.)


#6

Also, can you paste your server conf to a pastebin
file (or a gist, whatever text editor) and share the link with us? (If you can share the domain, that is best, or I could check your Nginx conf and try to figure out what’s happened.)

Thank you


#7

Show:
sudo certbot --version
sudo certbot certificates

Then try:
sudo certbot renew


#8

certbot 0.22.2
Found the following certs:
Certificate Name: <my.domain.net>
Domains: <my.domain.net>
Expiry Date: 2018-07-14 23:11:37+00:00 (INVALID: TEST_CERT)
Certificate Path: /usr/local/etc/letsencrypt/live/<my.domain.net>/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/<my.domain.net>/privkey.pem

root@nextcloud2:~ # certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /usr/local/etc/letsencrypt/renewal/<my.domain.net>.conf

Cert not yet due for renewal


The following certs are not due for renewal yet:
/usr/local/etc/letsencrypt/live/<my.domain.net>/fullchain.pem expires on 2018-07-14 (skipped)
No renewals were attempted.

Now when I go to the service web address I have the lock symbol. Maybe it takes time for Chrome to use the new certificate? certbot certificates says my certificate is invalid: test_cert, not sure why. Probably from the staging option. How do I fix that?


#9

That is good. No, you may need to restart the web service to use the newer cert after a renewal or any cert change.

Yes, that does look like staging.
Find and show the cli.ini file to advise further.
normally at:
/etc/letsencrypt/cli.ini


#10

/usr/local/lib/python2.7/site-packages/certbot/tests/testdata/cli.ini

agree-dev-preview = True


#11

from https://certbot.eff.org/docs/using.html
When a certificate is issued, by default Certbot creates a renewal configuration file that tracks the options that were selected when Certbot was run. This allows Certbot to use those same options again when it comes time for renewal. These renewal configuration files are located at /etc/letsencrypt/renewal/CERTNAME.

So, show:
/etc/letsencrypt/renewal/<my.domain.net>

Or, at least ensure you don’t have anything conflicting with these:

staging = False
dry_run = False
server = https://acme-v01.api.letsencrypt.org/directory

#12

here is my /etc/letsencrypt/renewal/<my.domain.net>.conf

renew_before_expiry = 30 days

version = 0.22.2
archive_dir = /usr/local/etc/letsencrypt/archive/<my.domain.net>
cert = /usr/local/etc/letsencrypt/live/<my.domain.net>/cert.pem
privkey = /usr/local/etc/letsencrypt/live/<my.domain.net>/privkey.pem
chain = /usr/local/etc/letsencrypt/live/<my.domain.net>/chain.pem
fullchain = /usr/local/etc/letsencrypt/live/<my.domain.net>/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxx
server = https://acme-staging-v02.api.letsencrypt.org/directory
authenticator = webroot
installer = None
webroot_path = /usr/local/www,
[[webroot_map]]
<my.domain.net> = /usr/local/www


#13

change that line to:

and then:
sudo certbot renew


#14

Why not use ACME v2? (Certbot 0.22 already supports it.)

@NasKar
You can also change that to https://acme-v02.api.letsencrypt.org/directory

Thank you
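The renewal-config check described in #11 and the v2 endpoint fix from #14, as an added Python example that is not certbot’s own code: it parses the [renewalparams] section of a renewal conf (the sample is constructed after the one in #12, with a placeholder account id and domain), reports the settings that keep certbot renew talking to the staging CA, and rewrites the server line to the production ACME v2 directory.

```python
PRODUCTION_V2 = "https://acme-v02.api.letsencrypt.org/directory"
# Constructed sample modelled on post #12; account id and domain are placeholders.
SAMPLE_CONF = """\
cert = /usr/local/etc/letsencrypt/live/my.domain.net/cert.pem
fullchain = /usr/local/etc/letsencrypt/live/my.domain.net/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
server = https://acme-staging-v02.api.letsencrypt.org/directory
webroot_path = /usr/local/www,
[[webroot_map]]
my.domain.net = /usr/local/www
"""

def parse_renewalparams(text):
    """Key/value pairs under [renewalparams]; [[webroot_map]] and comments skipped."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # "[[x]]" is a nested sub-section, "[x]" a top-level one
            section = "nested" if line.startswith("[[") else line.strip("[]")
            continue
        if section == "renewalparams" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def find_problems(params):
    """Settings that make 'certbot renew' keep issuing untrusted (staging) certs."""
    problems = []
    server = params.get("server", "")
    if "acme-staging" in server:
        problems.append("server points at the staging CA: " + server)
    for key in ("staging", "dry_run"):
        if params.get(key, "").lower() == "true":
            problems.append(key + " = True")
    return problems

def fix_conf(text, server=PRODUCTION_V2):
    """Return the conf with 'server' pointed at production and staging/dry_run dropped."""
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key == "server":
            out.append("server = " + server)
        elif key not in ("staging", "dry_run"):
            out.append(line)
    return "\n".join(out) + "\n"
```

After rewriting the conf, certbot renew as in #13 only reissues a cert that is due; as #8 shows, a cert that is not yet due is skipped, and every successful issuance counts toward the rate limit mentioned in #5.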


#15

it now says valid for 88 days and I changed the renewal server to acme-v02…

I appreciate the help but still can’t get the https working on that server.
I have recreated the server that wasn’t working so I could execute the certbot command from scratch and that server gets a lock symbol. The old server on the same ddns gets an invalid certificate despite running certbot renew as we have been discussing. I switch between the 2 servers by changing the IP address in my router to point to the server I want to use my ddns address.

  1. Can I not have 2 servers that are not used at the same time using the same server keys copied from one to the other using the same letsencrypt certificate?
  2. If I have the same /nginx/ssl/ directory in both servers, will running certbot certonly --webroot -w /usr/local/www -d <domain_name> -d www.<domain_name> give me the same certificate for both?

My preference would be to get the original server that isn’t working with ssl going to save time recreating the stuff on it.


#16

A1. Yes, you can have many.
A2. It might NOT give you the exact same certificate. But both requests should complete and each will have a valid certificate.


#17

It will generate a different private key, so you’ll end up with two (concurrently valid) certificates that refer to different encryption keys. But they’ll each cover the same names.


#18

Why is the original server showing an invalid certificate if the renewal is showing its valid for 88 days?


#19

Have you restarted the web service?


#20

I have restarted the entire jail and the nginx service but it shows:
Certificate invalid issued by Fake LE Intermediate X1