Cert shows as active, is treated as if expired

So revocation is not really a thing. It’s just local deletion with no propagation to the CA that says “hey, this site has revoked this cert, let’s mark it as deleted/untrusted.”

No, revocation is something with the CA, and it does indicate that the certificate is untrusted (for clients that check OCSP). It just isn’t part of how Let’s Encrypt calculates rate limits.

This was something I didn’t expect:

listen [::]:443 ssl ipv6only=on; # managed by Certbot

I have been OK with the config file edits by Certbot but I’m not sure about this.

I decided to simply shut down the server that is affected by all of this. Evidently, I no longer have the capacity to manage all of this…stuff as I used to. A lot can happen in 24 hours, apparently. 24 hours ago, everything was working. Now, not so much. Since I have no idea when I can get a certificate installed and working, with or without surprises, maybe it’s best to close up shop.

How can you actually lose certificates that were issued? Certbot saves them all.
You have a valid certificate:
https://crt.sh/?id=1427289889
You can get it back from /etc/letsencrypt/archive/ and install it again until the rate limit is no longer blocking you.

That doesn't help if the certificate (and the private key) is deleted.

First Post:

Later:

If the private key is deleted, the download of the public certificate part doesn't help.

Never delete files if you don't have a backup.

Agreed, but the private keys are saved in the archive; why would anyone dig in the archive to delete files? Most people don't even know that certificate files are archived.

Edit: double checking: oh. I never noticed that the 'live' files are symlinked to the archive, not duplicated. That's not great.

My best option seems to be to start over with the most basic nginx config and add back all the customizations until it breaks again. Right now browsers are saying I have certificates but that they are wrong. Not sure how that works. In future I will make a timestamped copy of my configs so that I can recover from certbot edits that go wrong.

This seems conflicted: "you don't have what you asked for but congratulations for it all the same."

IMPORTANT NOTES:
- Unable to install the certificate
Congratulations! Your certificate and chain have been saved at:
/usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
Your key file has been saved at:
/usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem
Your cert will expire on 2019-08-31. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew all of
your certificates, run "certbot renew"

The files exist, symlinks and all.

nginx -t

nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok

nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

What says

nginx -T

Sorry for posting about a past question, not related to the immediate issue of @paulbeard, but I just like to understand mysterious problems, and for me this message ‘No certs found.’ from ‘certbot certificates’ was one, along with what @paulbeard could have deleted to generate it.

I ruled out rm /etc/letsencrypt, rm /etc/letsencrypt/live/mydomain/*… all this leads to error messages while running certbot certificates, not ‘No certs found.’

Looking at the code I was enlightened (I think so at least). When running certbot certificates, the code looks first at the renewal configuration found in /etc/letsencrypt/renewal/mydomain.com.conf to search for the certificates, which are indeed stored in /etc/letsencrypt/archive and symlinked in /etc/letsencrypt/live/mydomain.
If /etc/letsencrypt/renewal/mydomain.com.conf is missing, then certbot certificates returns ‘No certs found.’
And it could very well be the case that @paulbeard deleted nothing at all, and the removal (or messing up) of the renewal configuration file occurred through a misguided renewal attempt, since the renewal configuration file is recreated every time a certbot certificate creation is attempted.

Finally I have changed my opinion: it’s ‘certbot certificates’ that is not really the best that could be.
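Added example (not Certbot's code and not from any post in this thread): the Python below reproduces the lookup described in the post above. It treats renewal/*.conf as the index, the way certbot certificates does, so an empty renewal/ directory yields "No certs found." even when archive/ is full of PEM files. It then follows the live/ symlinks, which as noted earlier are links into archive/ rather than copies, and flags any link that points at an older version than the newest one in the archive or at a file that has since been deleted (the lost-private-key case discussed above). The directory layout, the lineage name example.test and the PEM file contents are constructed sample data; the renewal-conf keys (archive_dir, cert, chain, fullchain, privkey above the [renewalparams] section) are the ones Certbot writes.

```python
# Added example: mimic the lookup `certbot certificates` performs, to show why
# it reports "No certs found." when renewal/*.conf is gone even though
# archive/ is intact, and to catch live/ symlinks that point at the wrong
# archive version or at a deleted file. Not Certbot's own code.
import configparser
import os
import re
import tempfile
from pathlib import Path

NO_CERTS = "No certs found."
FILES = ("cert", "chain", "fullchain", "privkey")
VERSION_RE = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")


def _read_renewal_conf(path):
    """Certbot writes archive_dir/cert/chain/fullchain/privkey above the first
    section header; configparser refuses that, so prepend a section name."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[top]\n" + Path(path).read_text())
    return parser["top"]


def _archive_versions(archive_dir):
    """Version numbers present in archive/<lineage>/ (cert1.pem, cert2.pem, ...)."""
    versions = set()
    if archive_dir.is_dir():
        for pem in archive_dir.glob("*.pem"):
            match = VERSION_RE.match(pem.name)
            if match:
                versions.add(int(match.group(2)))
    return sorted(versions)


def inventory(config_dir):
    """Return NO_CERTS when renewal/ holds no .conf (whatever archive/ holds),
    else one record per lineage: newest archive version, the version each
    live/ link points at, and any stale or dangling links."""
    confs = sorted((Path(config_dir) / "renewal").glob("*.conf"))
    if not confs:
        return NO_CERTS
    records = []
    for conf in confs:
        top = _read_renewal_conf(conf)
        archive_dir = Path(top["archive_dir"])
        live_dir = Path(top["cert"]).parent
        versions = _archive_versions(archive_dir)
        rec = {"name": conf.stem, "newest": versions[-1] if versions else None,
               "links": {}, "problems": []}
        for name in FILES:
            link = live_dir / f"{name}.pem"
            if not link.is_symlink():
                rec["problems"].append(f"{name}.pem is missing or not a symlink into archive/")
                continue
            target = (link.parent / os.readlink(link)).resolve()
            match = VERSION_RE.match(target.name)
            version = int(match.group(2)) if match else None
            rec["links"][name] = version
            if not target.exists():
                rec["problems"].append(f"{name}.pem -> {target.name} is dangling (archive file deleted)")
            elif version != rec["newest"]:
                rec["problems"].append(
                    f"{name}.pem points at version {version}, newest in archive is {rec['newest']}")
        records.append(rec)
    return records


def build_demo_tree(root, with_renewal_conf=True, delete_privkey=False):
    """Constructed sample data: one lineage with three archive versions whose
    live/fullchain.pem was left pointing at version 1."""
    root = Path(root)
    archive = root / "archive" / "example.test"
    live = root / "live" / "example.test"
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    (root / "renewal").mkdir()
    for version in (1, 2, 3):
        for name in FILES:
            (archive / f"{name}{version}.pem").write_text(f"-----BEGIN {name.upper()} {version}-----\n")
    for name in FILES:
        version = 1 if name == "fullchain" else 3
        (live / f"{name}.pem").symlink_to(Path("../../archive/example.test") / f"{name}{version}.pem")
    if delete_privkey:
        (archive / "privkey3.pem").unlink()  # the "I deleted the key" scenario
    if with_renewal_conf:
        (root / "renewal" / "example.test.conf").write_text(
            f"version = 0.31.0\narchive_dir = {archive}\n"
            + "".join(f"{name} = {live / (name + '.pem')}\n" for name in FILES)
            + "\n[renewalparams]\nauthenticator = nginx\ninstaller = nginx\n")
    return root


def demo():
    """Run the inventory over three throwaway trees: no renewal conf, a stale
    fullchain link, and a deleted private key."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = inventory(build_demo_tree(Path(tmp) / "no-renewal", with_renewal_conf=False))
        stale = inventory(build_demo_tree(Path(tmp) / "stale"))
        broken = inventory(build_demo_tree(Path(tmp) / "broken", delete_privkey=True))
    return empty, stale, broken


if __name__ == "__main__":
    for label, result in zip(("no renewal conf", "stale link", "deleted key"), demo()):
        print(f"{label}: {result}")
```

Point it at a real Certbot directory with inventory("/usr/local/etc/letsencrypt") (or /etc/letsencrypt on Linux) to get the same verdict the tool gives, plus the symlink check the tool does not print. The renewal conf is the single point of failure here: with it gone, every archived version is still on disk but invisible to Certbot.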

nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
# configuration file /usr/local/etc/nginx/nginx.conf:
# Generated by nginxconfig.io
# https://nginxconfig.io/?0.domain=paulbeard.org&0.path=%2Fusr%2Flocal&0.document_root=%2Fwww&0.non_www=false&0.wordpress&access_log=%2Fvar%2Flog%2Fhttpd%2Fhttpd-access.log&error_log=%2Fvar%2Flog%2Fhttpd%2Fhttpd-error.log%20warn&user=www&pid=%2Fvar%2Frun%2Fnginx.pid

user www;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
	multi_accept on;
	worker_connections 65535;
}

http {
	charset utf-8;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	log_not_found off;
	types_hash_max_size 2048;
	client_max_body_size 16M;

	# MIME
	include mime.types;
	default_type application/octet-stream;

	# logging
	access_log /var/log/httpd/httpd-access.log;
	error_log /var/log/httpd/httpd-error.log warn;

	# SSL
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites
	ssl_dhparam /usr/local/etc/nginx/dhparam.pem;

	# OWASP B (Broad Compatibility) configuration
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256;
	ssl_prefer_server_ciphers on;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout 2s;

	# load configs
	include /usr/local/etc/nginx/conf.d/*.conf;
	include /usr/local/etc/nginx/sites-enabled/*;
}

# configuration file /usr/local/etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /usr/local/etc/nginx/sites-enabled/paulbeard.org.conf:
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name www.paulbeard.org;
	set $base /usr/local;
	root $base/www;

	# SSL
	ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem;
	ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem;
	ssl_trusted_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/chain.pem;

	# security
	include nginxconfig.io/security.conf;

	# index.php
	index index.php;

	# index.php fallback
	location / {
		try_files $uri $uri/ /index.php?$query_string;
	}

	# handle .php
	location ~ \.php$ {
		include nginxconfig.io/php_fastcgi.conf;
	}

	# additional config
	include nginxconfig.io/general.conf;
	include nginxconfig.io/wordpress.conf;
}

# non-www, subdomains redirect
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name .paulbeard.org;

	# SSL
	ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem;
	ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem;
	ssl_trusted_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/chain.pem;

	return 301 https://www.paulbeard.org$request_uri;
}

# HTTP redirect
server {
	listen 80;
	listen [::]:80;

	server_name .paulbeard.org;

	include nginxconfig.io/letsencrypt.conf;

	location / {
		return 301 https://www.paulbeard.org$request_uri;
	}
}

# configuration file /usr/local/etc/nginx/nginxconfig.io/security.conf:
# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# . files
location ~ /\.(?!well-known) {
	deny all;
}

# configuration file /usr/local/etc/nginx/nginxconfig.io/php_fastcgi.conf:
# 404
try_files $fastcgi_script_name =404;

# default fastcgi_params
include fastcgi_params;

# fastcgi settings
fastcgi_pass			unix:/var/run/php/php7.2-fpm.sock;
fastcgi_index			index.php;
fastcgi_buffers			8 16k;
fastcgi_buffer_size		32k;

# fastcgi params
fastcgi_param DOCUMENT_ROOT		$realpath_root;
fastcgi_param SCRIPT_FILENAME	$realpath_root$fastcgi_script_name;
fastcgi_param PHP_ADMIN_VALUE	"open_basedir=$base/:/usr/lib/php/:/tmp/";

# configuration file /usr/local/etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /usr/local/etc/nginx/nginxconfig.io/general.conf:
# favicon.ico
location = /favicon.ico {
	log_not_found off;
	access_log off;
}

# robots.txt
location = /robots.txt {
	log_not_found off;
	access_log off;
}

# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
	expires 7d;
	access_log off;
}

# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
	add_header Access-Control-Allow-Origin "*";
	expires 7d;
	access_log off;
}

# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

# configuration file /usr/local/etc/nginx/nginxconfig.io/wordpress.conf:
# WordPress: allow TinyMCE
location = /wp-includes/js/tinymce/wp-tinymce.php {
	include nginxconfig.io/php_fastcgi.conf;
}

# WordPress: deny wp-content, wp-includes php files
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
	deny all;
}

# WordPress: deny wp-content/uploads nasty stuff
location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
	deny all;
}

# WordPress: deny wp-content/plugins (except earlier rules)
location ~ ^/wp-content/plugins {
	deny all;
}

# WordPress: deny scripts and styles concat
location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
	deny all;
}

# WordPress: deny general stuff
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
	deny all;
}

# configuration file /usr/local/etc/nginx/nginxconfig.io/letsencrypt.conf:
# ACME-challenge
location ^~ /.well-known/acme-challenge/ {
	root /var/www/_letsencrypt;
}

Is this a wildcard server name?

It's possible that Certbot doesn't deal with wildcard server names. So Certbot doesn't understand your port 80 vHosts and doesn't know how to create the 443 port vHosts.

Hmm. Commented those out. That seems confusing.

The error Chrome returns is NET::ERR_CERT_COMMON_NAME_INVALID which seems like it should be telling me something.

the Nginx config redirects the non-www to the www, but your certificate is only for the www version.
note that you created several certificates, from

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:paulbeard.org&lu=cert_search

you seem to have created 4 valid certificates in 2 days, some of them having the 2 required names, some of them not (the one having a ‘1’ in #DNS Names). You are currently using one of these certificates.
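The NET::ERR_CERT_COMMON_NAME_INVALID diagnosis above comes down to a name-matching question: the redirect server block with server_name .paulbeard.org answers for the apex and every subdomain, while the certificate it hands out names only www.paulbeard.org. The following Python is an added example, not code from any post in this thread, that makes that comparison explicit: it models how nginx selects a server block for a hostname and how a client matches the hostname against a certificate's DNS SANs, and reports every host that nginx will serve but the certificate does not cover. The SAN lists are constructed sample data; the www-only set is what the replies above infer the served certificate contains.

```python
# Added example, not from any post in this thread: check which hostnames an
# nginx server block answers for against the names a certificate actually
# carries. The SAN lists below are constructed sample data; the replies above
# infer that the served certificate names only www.paulbeard.org.


def cert_covers(host, san_names):
    """Does a certificate with these DNS SANs cover `host`? Exact match, or a
    wildcard whose '*' is the whole leftmost label and stands for exactly one
    label: *.paulbeard.org covers cloud.paulbeard.org but neither
    paulbeard.org nor a.b.paulbeard.org."""
    host_labels = host.lower().rstrip(".").split(".")
    for san in san_names:
        san_labels = san.lower().rstrip(".").split(".")
        if san_labels == host_labels:
            return True
        if (san_labels[0] == "*" and len(san_labels) >= 3
                and len(san_labels) == len(host_labels)
                and san_labels[1:] == host_labels[1:]):
            return True
    return False


def nginx_matches(server_name, host):
    """Does an nginx server_name entry select `host`? Handles exact names,
    the leading-dot form (.paulbeard.org = paulbeard.org plus every
    subdomain) and a leading wildcard (*.paulbeard.org matches any depth,
    but not the bare apex). Regex server_names (~...) are not handled."""
    host = host.lower()
    server_name = server_name.lower()
    if server_name.startswith("."):
        return host == server_name[1:] or host.endswith(server_name)
    if server_name.startswith("*."):
        return host.endswith(server_name[1:])
    return host == server_name


def coverage_report(server_names, hosts, san_names):
    """For each host: will this server block be selected, does the
    certificate cover it, and is the combination safe? served-but-uncovered
    is what Chrome reports as NET::ERR_CERT_COMMON_NAME_INVALID."""
    report = {}
    for host in hosts:
        served = any(nginx_matches(name, host) for name in server_names)
        covered = cert_covers(host, san_names)
        report[host] = {"served": served, "covered": covered, "ok": covered or not served}
    return report


HOSTS = ("paulbeard.org", "www.paulbeard.org", "cloud.paulbeard.org")
REDIRECT_BLOCK = (".paulbeard.org",)  # the non-www/subdomain redirect server shown above


def demo():
    """Three SAN sets for the same redirect block: the www-only certificate
    the thread ends up with, a wildcard (which still misses the apex), and a
    certificate carrying all three names."""
    www_only = coverage_report(REDIRECT_BLOCK, HOSTS, ["www.paulbeard.org"])
    wildcard = coverage_report(REDIRECT_BLOCK, HOSTS, ["*.paulbeard.org"])
    all_names = coverage_report(REDIRECT_BLOCK, HOSTS, list(HOSTS))
    return www_only, wildcard, all_names


if __name__ == "__main__":
    for label, report in zip(("www only", "wildcard", "all names"), demo()):
        bad = [host for host, row in report.items() if not row["ok"]]
        print(f"{label}: served but not covered -> {bad or 'none'}")
```

To feed it real data, read the SAN list out of the chain nginx actually serves (openssl x509 -in fullchain.pem -noout -ext subjectAltName on OpenSSL 1.1.1 or newer) and the server_name lines from nginx -T. A wildcard certificate is the usual surprise here: it fixes cloud.paulbeard.org but the bare apex still needs its own SAN entry.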

This seems to be a pretty circular conversation. My certificates no longer work. I have too many, unintentionally; I am using the wrong ones, which is easy when you have more than one, but I have no idea how/if I can prune them down to where I have just one for the domain/three hostnames I want and just use that one certificate.

# configuration file /usr/local/etc/nginx/nginx.conf:
	user  nobody;
	worker_processes  auto;
	worker_cpu_affinity auto 0001;
	pid        /var/run/nginx.pid;
	error_log  /var/log/httpd/httpd-error.log;
	
	events {
		worker_connections  1024;
	}
	http {
	fastcgi_buffers 16 32k;
	fastcgi_param HTTP_PROXY "";
	fastcgi_buffer_size 32k;
	include       mime.types;
	default_type  application/octet-stream;

	log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
	      '$status $body_bytes_sent "$http_referer" '
	      '"$http_user_agent" "$http_x_forwarded_for"';
	access_log  /var/log/httpd/httpd-access.log  main;
	error_log  /var/log/httpd/httpd-error.log;

	sendfile        on;
	tcp_nopush     on;

	keepalive_timeout  300;

	gzip  on;
	# Upstream to abstract backend connection(s) for PHP.
	upstream php {
	#this should match value of "listen" directive in php-fpm pool
	#server 127.0.0.1:9000;
	server unix:/tmp/php-fpm.sock;
	}
	

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

     ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
     ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
     include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

	add_header X-Clacks-Overhead "GNU Terry Pratchett";
	# add Strict-Transport-Security to prevent man in the middle attacks
	add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
	server_name  www.paulbeard.org paulbeard.org;
	return		301 https://$host$request_uri;

	root           /usr/local/www/;
	disable_symlinks off;

	location / {
	root           /usr/local/www/;
	try_files $uri $uri/ /index.php?$args;
	index index.html index.php;
	}
	if ($request ~* liker.profile_URL) { 
	return 301 http://www.answers.com/fail ;
	}

	location /wordpress {
	try_files $uri /wordpress/index.php;
	index index.html index.php;
	}
	location /cacti {
	try_files $uri $uri/ /cacti/index.php;
	index index.html index.php;
	}
    if ($host = www.paulbeard.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = paulbeard.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = cloud.paulbeard.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

	location /nextcloud {
	try_files $uri $uri/ /nextcloud/index.php;
	index index.html index.php;
       	rewrite ^   https://cloud.paulbeard.org/$request_uri? permanent;
#	access_log off;
	}

	location  /status {
	stub_status on;
	access_log off;
	allow 192.168.0.1;
	deny all;
	}

	location  /fpm.status {
	#access_log off;
	allow 127.0.0.1;
	allow 192.168.0.1;
	deny all;
	include fastcgi_params;
	#fastcgi_pass 127.0.0.1:9000;
	fastcgi_pass unix:/tmp/php-fpm.sock;
	}

	rewrite /wp-admin$ $scheme://$host$uri/ permanent;
	rewrite /movabletype* $scheme://paulbeard.org/wordpress permanent;

	location ~ ^/~(.+?)(/.*)?$ {
	alias /usr/home/$1/public_html$2;
	index  index.html index.htm;
	autoindex on;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	location ~ \.php$ {
	fastcgi_split_path_info ^(.+\.php)(/.+)$;

#	fastcgi_pass   127.0.0.1:9000;
	fastcgi_index  index.php;
	fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
	include        fastcgi_params;
	fastcgi_pass php;
	fastcgi_read_timeout 300;
	}
	location ~ /\.ht {
	deny  all;
	}




} 
	
	server {
	#ssl on;
	listen 443;
	server_name cloud.paulbeard.org;
	access_log  /var/log/httpd/httpd-cloud-access.log; 
        # add Strict-Transport-Security to prevent man in the middle attacks
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

	#access_log off;
	
	# Path to the root of your installation
	root /usr/local/www/nextcloud;
	
	client_max_body_size 10G; # set max upload size
	fastcgi_buffers 64 4K;
	
	rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
	rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
	rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
	
	index index.php;
	error_page 403 /core/templates/403.php;
	error_page 404 /core/templates/404.php;
	
	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}
	
	location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
	deny all;
	}
	
	location / {
	# The following 2 rules are only needed with webfinger
	rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
	rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
	
	rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
	rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
	
	rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
	
	try_files $uri $uri/ index.php;
	}
	
	location ~ ^(.+?\.php)(/.*)?$ {
	try_files $1 = 404;
	
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$1;
	fastcgi_param PATH_INFO $2;
	fastcgi_param HTTPS on;
	#fastcgi_pass 127.0.0.1:9000;
	fastcgi_pass unix:/tmp/php-fpm.sock;
	}
	
	# Optional: set long EXPIRES header on static assets
	location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
	expires 30d;
	# Optional: Don't log access to assets
	#access_log off;
	}
	

	}

	
#	server {
#    if ($host = paulbeard.org) {
#        return 301 https://$host$request_uri;
#    } # managed by Certbot
#
#
#	listen 	     80 default_server;
#	listen 	     [::]:80 default_server;
#	server_name  www.paulbeard.org paulbeard.org;
#    return 404; # managed by Certbot
#
#
#	}
}

# configuration file /usr/local/etc/nginx/mime.types:

# configuration file /usr/local/etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

# configuration file /usr/local/etc/nginx/fastcgi_params:

Yes it’s circular. I admit I have no idea why your nginx config is not workable for certbot. I don’t use the nginx plugin; I use nginx but without the plugin.
I have looked a bit at the nginx plugin code but it’s not easy to guess what could go wrong. I had hoped to find a way to activate a maximum debug mode but I don’t think there is any such thing.

Whatever the case, having a working config should be relatively easy if you have not really deleted any certificate, as I think is the case, with a bit of Unix lore; look at your certificates, in (probably)

/usr/local/etc/letsencrypt/archive

Do you see .pem files? If yes, you can open them with
openssl x509 -in fullchain(number).pem -text
for example
openssl x509 -in fullchain10.pem -text
and find the last one issued with the right names.
Then in
/usr/local/etc/letsencrypt/live
you will find 3 symbolic links to the last files in the archives.
Remove them and recreate them by linking to the right file and it should give you a working site (I hope that I don’t have to explain to you about ln -s…)
It would not solve the general problem of course.

I have tried to reinstall with and without the plugin code.

This is all as expected. Four files, four links.

```
README
cert.pem -> ../../archive/paulbeard.org/cert1.pem
chain.pem -> ../../archive/paulbeard.org/chain1.pem
fullchain.pem -> ../../archive/paulbeard.org/fullchain1.
privkey.pem -> ../../archive/paulbeard.org/privkey1.pem
```

```
-rw-r--r-- 1 root wheel 1907 Jun 1 18:48 cert1.pem
-rw-r--r-- 1 root wheel 1647 Jun 1 18:48 chain1.pem
-rw-r--r-- 1 root wheel 3554 Jun 1 18:48 fullchain1.pem
-rw------- 1 root wheel 1700 Jun 1 18:48 privkey1.pem
```

This seems concerning:

[cert name]/cert.pem : will break many server configurations, and should not be used without reading further documentation (see link below).

I don't have keys.

/etc/letsencrypt/archive and /etc/letsencrypt/keys contain all previous keys and certificates, while /etc/letsencrypt/live symlinks to the latest versions.

Or more precisely, the keys I have don't match the certs.

So it seems that what I want/need is to erase/delete/revoke this cert, since it can't be used without the (missing) key. Seems to me there should be a way to do that. If someone got hold of someone else's private key, they could impersonate them. That seems to go against what this project is about.

Any guidance there would be appreciated. I have tried what I see in the docs (revoke/delete) but it didn't seem to work.

Well, if you reinstall the software you risk losing certs and private keys, depending on how the packaging software works. If you use FreeBSD I guess it’s packaged outside of Letsencrypt. You should avoid reinstalling.
If your archive has only files suffixed by ‘1’, that’s probably the reason you lost your certificate files. Given what the certificate spotter sites say, you should have suffixes up to 7 at least.

In this case you indeed have to restart certbot to create new certificates. Since you created 5 certificates on 1/6 you have to wait until 8/6 I think (5 identical certificates per 7 rolling days IIRC). You could try to create one immediately with only paulbeard.org and www.paulbeard.org; since it would be missing cloud.paulbeard.org it could probably be accepted immediately.

Nginx works fine for me with only 2 files (fullchain.pem and privkey.pem). Once you have these 2 files and they have the right names on the corresponding certificates, you can always set them by hand in the nginx config even if the nginx certbot code can’t understand your setup.
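The archive check described earlier in this thread (open each archived .pem with openssl, find the latest one carrying the right names, re-point the live symlinks) and the key mismatch reported after it, as one added shell example. This is not code from the thread or from certbot. It assumes openssl is on PATH and certbot's usual layout of `<archive>/{cert,chain,fullchain,privkey}<N>.pem` with `<live>/*.pem` symlinks; the example.test paths in the usage comment are placeholders. It goes a little beyond the posts: before linking anything into live/ it verifies that privkeyN.pem actually belongs to certN.pem, which is the failure the browser reports as "there is a certificate but it is wrong".

```shell
#!/bin/sh
# Added example (not from the thread or certbot): audit a certbot archive
# directory and re-point the live/ symlinks at a cert whose private key
# actually matches.
# Assumptions: openssl on PATH; certbot's layout
#   <archive>/{cert,chain,fullchain,privkey}<N>.pem
#   <live>/{cert,chain,fullchain,privkey}.pem  (symlinks into <archive>)
# Any example.test path below is a placeholder.

# List the DNS names in a certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Exit 0 if the certificate covers the given DNS name exactly.
cert_has_name() {
    cert_sans "$1" | grep -qx "$2"
}

# Exit 0 only if the private key's public half equals the key in the cert.
# A cert whose key is missing or belongs to another cert is unusable.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the highest archive number N whose certN.pem names $2 and whose
# privkeyN.pem matches it; exit 1 if no usable pair exists.
latest_usable_cert() {
    dir="$1"; name="$2"; best=""
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/cert}; n=${n%.pem}
        case "$n" in ''|*[!0-9]*) continue ;; esac
        if cert_has_name "$f" "$name" && key_matches_cert "$f" "$dir/privkey$n.pem"; then
            if [ -z "$best" ] || [ "$n" -gt "$best" ]; then best="$n"; fi
        fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Human-readable audit of every certN.pem in an archive directory.
audit_archive() {
    dir="$1"
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/cert}; n=${n%.pem}
        printf '== cert%s.pem ==\n' "$n"
        openssl x509 -in "$f" -noout -subject -dates
        printf 'SANs: %s\n' "$(cert_sans "$f" | tr '\n' ' ')"
        if key_matches_cert "$f" "$dir/privkey$n.pem"; then
            printf 'privkey%s.pem: matches\n' "$n"
        else
            printf 'privkey%s.pem: MISSING OR DOES NOT MATCH\n' "$n"
        fi
    done
}

# Replace the four live/ symlinks so they point at archive set N, refusing
# when a file is absent or the key and cert disagree.
relink_live() {
    live="$1"; archive="$2"; n="$3"
    for base in cert chain fullchain privkey; do
        [ -e "$archive/$base$n.pem" ] || { echo "missing $archive/$base$n.pem" >&2; return 1; }
    done
    key_matches_cert "$archive/cert$n.pem" "$archive/privkey$n.pem" \
        || { echo "refusing: privkey$n.pem does not match cert$n.pem" >&2; return 1; }
    mkdir -p "$live"
    for base in cert chain fullchain privkey; do
        ln -sf "$archive/$base$n.pem" "$live/$base.pem"
    done
}

# Usage: sh audit_archive.sh /usr/local/etc/letsencrypt/archive/example.test
if [ "$#" -gt 0 ]; then
    audit_archive "$1"
fi
```

Run it with the archive directory as its only argument to see each archived cert's subject, validity window, SANs and whether its private key is present and matching; `latest_usable_cert` and `relink_live` can then be called from an interactive shell after sourcing the file. Two simplifications relative to certbot: the links it writes use absolute targets rather than certbot's relative `../../archive/...` form, and it does not touch certbot's renewal configuration, so this is only the manual equivalent of the relinking step described above, not a substitute for obtaining a fresh certificate once the rate limit clears.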

I ended up just doing as you hint here, getting a new cert for each record. That worked, though now my http -> https redirects are all b0rked. Easily fixed, I expect. That was where some of this began, with Certbot making unwise edits.

Plainly this is a hard problem.