My domain is: crypto.tradingcompare.com
My website is dysfunctional: sometimes it works and sometimes it does not, with this error: Error 525 SSL handshake failed.
Just to specify, I have other domains on this server, and I have the same problem for those other domains.
Here are some commands and output I run:
1) command: curl -svo /dev/null https://crypto.tradingcompare.com --connect-to ::my-ip-adress 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"
output:
* TCP_NODELAY set
* Connected to my-ip-adress (my-ip-adress) port 443 (#0)
* ALPN, offering h2
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
* stopped the pause stream!
* Closing connection 0
2) command: curl -I https://my-ip-adress
output:
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
3) command: cat /etc/ssl/certs/ca-certificates.crt | openssl x509 -noout -enddate
output: notAfter=Dec 31 09:37:37 2030 GMT
I tried to renew with certbot by doing:
command: sudo certbot certonly --nginx -d crypto.tradingcompare.com --dry-run
I got this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for crypto.tradingcompare.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. crypto.tradingcompare.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://crypto.tradingcompare.com/.well-known/acme-challenge/Ui81CIT8b25aRjQBUxFd8e7_DJ1dKrbH8LBsirJhrLE [2606:4700:3033::681b:b925]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot GET /.well-known/"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: crypto.tradingcompare.com
Type: unauthorized
Detail: Invalid response from
https://crypto.tradingcompare.com/.well-known/acme-challenge/Ui81CIT8b25aRjQBUxFd8e7_DJ1dKrbH8LBsirJhrLE
[2606:4700:3033::681b:b925]: "<!DOCTYPE html>\n<html
lang=\"en\">\n<head>\n<meta
charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
GET /.well-known/"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Configuration in /etc/letsencrypt/renewal:
renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/crypto.tradingcompare.com
cert = /etc/letsencrypt/live/crypto.tradingcompare.com/cert.pem
privkey = /etc/letsencrypt/live/crypto.tradingcompare.com/privkey.pem
chain = /etc/letsencrypt/live/crypto.tradingcompare.com/chain.pem
fullchain = /etc/letsencrypt/live/crypto.tradingcompare.com/fullchain.pem
Options used in the renewal process
[renewalparams]
account = a5e0b9652f9ead29418937b7c381b611
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
My nginx/sites-available configuration is:
server {
    server_name crypto.tradingcompare.com;

    location / {
        proxy_pass http://localhost:8002;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /technical {
        proxy_pass http://localhost:8001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/crypto.tradingcompare.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/crypto.tradingcompare.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = crypto.tradingcompare.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name crypto.tradingcompare.com;
    return 404; # managed by Certbot
}
My web server is (include version): nginx
The operating system my web server runs on is (include version): Ubuntu 18.04.
My hosting provider, if applicable, is: Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0
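The openssl command in step 3 reads the local CA bundle, so the 2030 date it prints is not the site's own certificate. This added script (not from the post or from Certbot) does what the curl --connect-to check does, connecting to the origin IP with SNI for the hostname, and then runs openssl x509 on the certificate the server actually sends, reporting days left against the 30-day renew_before_expiry window. The script name and command-line arguments are assumptions.

```python
"""Added check (not from the post): expiry of the certificate an origin actually
serves.  The post's openssl command read the local CA bundle, not the site's cert;
this connects to ORIGIN_IP with SNI (like curl --connect-to) and runs openssl x509
on the served leaf.  Usage: python3 origin_cert_check.py HOSTNAME ORIGIN_IP"""
import socket
import ssl
import subprocess
import sys
from datetime import datetime, timezone

CERT_DATE_FORMAT = "%b %d %H:%M:%S %Y %Z"  # openssl style: "Dec 31 09:37:37 2030 GMT"
RENEW_BEFORE_DAYS = 30  # renew_before_expiry from the renewal config


def parse_x509_summary(text: str) -> dict:
    """Turn the key=value lines of `openssl x509 -noout -subject -enddate` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def days_remaining(not_after: str, now: datetime = None) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    expiry = datetime.strptime(not_after.strip(), CERT_DATE_FORMAT).replace(tzinfo=timezone.utc)
    return (expiry - (now or datetime.now(timezone.utc))).days


def verdict(days: int) -> str:
    """Classify like a monitoring check: certbot renews inside the 30-day window."""
    return "EXPIRED" if days < 0 else ("RENEW" if days < RENEW_BEFORE_DAYS else "OK")


def served_cert_summary(hostname: str, ip: str, port: int = 443) -> dict:
    """TLS-connect to ip with SNI hostname.  Verification is off on purpose so an
    expired certificate is inspected rather than rejected; nothing is sent after."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-enddate"],
                         input=pem, capture_output=True, text=True, check=True).stdout
    return parse_x509_summary(out)


if __name__ == "__main__":
    info = served_cert_summary(sys.argv[1], sys.argv[2])
    left = days_remaining(info["notAfter"])
    print(f"{info.get('subject', '?')}\nnotAfter={info['notAfter']} ({left} days): {verdict(left)}")
```

Running it against the origin IP (bypassing any proxy in front of it) shows whether the "certificate has expired" that curl reported is what the server itself serves, which is what a handshake-failure error like the 525 in the post depends on.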