Error - Certificate isn't trusted, RemoteCertificateNameMismatch

My domain is: ggc.world

I received this email:

" ![](https://ssl.gstatic.com/ui/v1/icons/mail/profile_mask2.png)

### Let's Encrypt Expiry Bot <expiry@letsencrypt.org> Annulla iscrizione 07:25 (2 ore fa)

a me

![](https://mail.google.com/mail/u/0/images/cleardot.gif)

Hello,

Your certificate (or certificates) for the names listed below will expire in 10 days (on 11 Jul 20 05:29 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

ggc.world
www.ggc.world"

I ran this command:

(base) marco@pc01:~$ sudo certbot renew --dry-run
[sudo] password for marco: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ggc.world-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ggc.world-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ggc.world-0001.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ggc.world-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ggc.world
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/ggc.world-0002/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ggc.world.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ggc.world/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ggc.world.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ggc.world-0002/fullchain.pem (success)

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/ggc.world-0001.conf (parsefail)
  /etc/letsencrypt/renewal/ggc.world.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 2 parse failure(s)

I then moved ggc.world.conf to ./temp

(base) marco@pc01:~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ggc.world-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ggc.world-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ggc.world-0001.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ggc.world-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ggc.world.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ggc.world/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ggc.world.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/ggc.world-0002/fullchain.pem expires on 2020-08-05 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/ggc.world-0001.conf (parsefail)
  /etc/letsencrypt/renewal/ggc.world.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 2 parse failure(s)

I then moved ggc.world-0001.conf to ./temp folder

(base) marco@pc01:~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ggc.world-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ggc.world.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 67, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
      File "/usr/lib/python3/dist-packages/certbot/storage.py", line 463, in __init__
        self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ggc.world/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ggc.world.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/ggc.world-0002/fullchain.pem expires on 2020-08-05 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/ggc.world.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

0 renew failure(s), 1 parse failure(s)

I then moved ggc.world.conf to ./temp folder

(base) marco@pc01:~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ggc.world-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/ggc.world-0002/fullchain.pem expires on 2020-08-05 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(base) marco@pc01:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ggc.world-0002
    Domains: ggc.world
    Expiry Date: 2020-08-05 14:31:25+00:00 (VALID: 35 days)
    Certificate Path: /etc/letsencrypt/live/ggc.world-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ggc.world-0002/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(base) marco@pc01:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ggc.world-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/ggc.world-0002/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ggc.world-0002/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

According to https://www.ssllabs.com/ssltest/analyze.html?d=ggc.world everything looks fine:

But checking here: https://check-your-website.server-daten.de/?q=ggc.world

I get "
Error - Certificate isn’t trusted, RemoteCertificateNameMismatch"

My web server is (include version):

(base) marco@pc01:~$ nginx -v
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.4 Desktop

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

(base) marco@pc01:~$ certbot --version
certbot 0.31.0

I attach here the configuration ggc.world.conf that the certbot renewal process says is "broken" and that I moved to the ./temp folder: ggc.world-conf.txt (502 Bytes)

and the complete /var/log/letsencrypt/letsencrypt.log: letsencrypt-log.txt (107.0 KB)

I have two folders in /etc/letsencrypt/live/:

(base) marco@pc01:/etc/letsencrypt/live/ggc.world-0002$ ls -lah
total 12K
drwxr-xr-x 2 root  root 4,0K mag  7 17:31 .
drwx------ 4 marco root 4,0K mag  7 17:31 ..
lrwxrwxrwx 1 root  root   38 mag  7 17:31 cert.pem -> ../../archive/ggc.world-0002/cert1.pem
lrwxrwxrwx 1 root  root   39 mag  7 17:31 chain.pem -> ../../archive/ggc.world-0002/chain1.pem
lrwxrwxrwx 1 root  root   43 mag  7 17:31 fullchain.pem -> ../../archive/ggc.world-0002/fullchain1.pem
lrwxrwxrwx 1 root  root   41 mag  7 17:31 privkey.pem -> ../../archive/ggc.world-0002/privkey1.pem
-rw-r--r-- 1 root  root  692 mag  7 17:31 README

(base) marco@pc01:/etc/letsencrypt/live/ggc.world$ ls -lah
total 28K
drwxr-xr-x 2 marco marco 4,0K mag  7 17:03 .
drwx------ 4 marco root  4,0K mag  7 17:31 ..
-rw-r--r-- 1 marco marco 1,9K mag  7 17:03 cert.pem
-rw-r--r-- 1 marco marco 1,7K mag  7 17:03 chain.pem
-rw-r--r-- 1 marco marco 3,5K mag  7 17:03 fullchain.pem
-rw------- 1 marco marco 1,7K mag  7 17:03 privkey.pem
-rw-r--r-- 1 marco marco  692 mag  7 17:03 README

In /etc/nginx/conf.d/default.conf :

server {
    listen 443 ssl http2 default_server;
    server_name ggc.world;

    ssl_certificate /etc/letsencrypt/live/ggc.world-0002/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ggc.world-0002/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/ggc.world-0002/chain.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /weights {
      root /home/marco/www;
      try_files $uri $uri/ =404;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # Following is necessary for Websocket support
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
}

upstream websocket {
    server ggc.world:4977;
}

server {
    listen 8443 ssl;
    server_name ggc.world;

    ssl_certificate /etc/letsencrypt/live/ggc.world-0002/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ggc.world-0002/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/ggc.world-0002/chain.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location /p2p {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade "Websocket";
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host ggc.world;
    }
}

How to solve the problem?
Looking forward to your kind help.
Marco


Your certbot configuration is really messed up:

  • multiple renewal configuration files for the same domain mostly mean you’ve tried to set up your certificate multiple times, but did not remove the certificates which were not used.
  • somehow the symbolic links in the /live/ directory were removed or converted to “normal files”. Certbot requires these files to be symbolic links to the current files in the /archive/ directory. If this is broken, you’ll end up with those Python errors. Sometimes this is the result of copying the /etc/letsencrypt/ directory or recovering it from a backup where symbolic links weren’t preserved.
  • the certificate currently used seems to be for the base domain only, not the www subdomain, resulting in the error on that German site.

Firstly, you’ll need to fix your /live/ directory: it should contain symbolic links to the corresponding files in /archive/ only, not actual files.
Secondly, you’ll need to identify which “lineage” of all those duplicate certificates you want to use: run certbot certificates, identify the cert you want to use, check if it’s already in use by nginx. If not, modify nginx. When you’re certain the other certs aren’t used and needed, you should delete them, so they won’t be renewed needlessly.

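A defender's version of the /live/ check and fix described in the reply above, as an added example (not certbot's own code and not the commands from this thread): audit_lineage reproduces the symlink test that certbot's _check_symlinks enforces, and repair_lineage converts a plain file back into certbot's relative symlink only when it is byte-identical to the newest archive/ copy, so a stray key is never overwritten. The /etc/letsencrypt layout is a constructed temporary tree and every name in it is an assumption for the demo.

```python
import os
import re
import tempfile

# The four files certbot expects in live/<lineage>/, each a symlink into archive/<lineage>/.
LINK_NAMES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def latest_archive_version(archive_dir, base):
    """Highest N such that <base>N.pem exists in archive_dir, or None."""
    pat = re.compile(r"^%s(\d+)\.pem$" % re.escape(base))
    found = [int(m.group(1)) for m in map(pat.match, os.listdir(archive_dir)) if m]
    return max(found) if found else None


def audit_lineage(letsencrypt_dir, lineage):
    """Return [(name, problem), ...]; an empty list means certbot's symlink check passes."""
    live = os.path.join(letsencrypt_dir, "live", lineage)
    archive = os.path.join(letsencrypt_dir, "archive", lineage)
    if not os.path.isdir(archive):
        return [(lineage, "no archive directory")]
    archive_real = os.path.realpath(archive) + os.sep
    problems = []
    for name in LINK_NAMES:
        path = os.path.join(live, name)
        if not os.path.lexists(path):
            problems.append((name, "missing"))
        elif not os.path.islink(path):
            problems.append((name, "regular file, expected symlink"))
        elif not os.path.exists(path):
            problems.append((name, "dangling symlink -> %s" % os.readlink(path)))
        elif not os.path.realpath(path).startswith(archive_real):
            problems.append((name, "symlink points outside archive/%s" % lineage))
    return problems


def repair_lineage(letsencrypt_dir, lineage):
    """Replace plain files in live/<lineage>/ with the relative symlinks certbot itself creates,
    but only when the file is byte-identical to the newest archive copy; everything else is
    returned in `skipped` so a stray key or certificate is never discarded."""
    live = os.path.join(letsencrypt_dir, "live", lineage)
    archive = os.path.join(letsencrypt_dir, "archive", lineage)
    fixed, skipped = [], []
    for name in LINK_NAMES:
        path = os.path.join(live, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue  # already a link, or absent: nothing safe to do here
        base = name[:-len(".pem")]
        version = latest_archive_version(archive, base)
        if version is None:
            skipped.append(name)
            continue
        versioned = "%s%d.pem" % (base, version)
        with open(path, "rb") as cur, open(os.path.join(archive, versioned), "rb") as arc:
            same = cur.read() == arc.read()
        if not same:
            skipped.append(name)
            continue
        os.remove(path)
        os.symlink(os.path.join("..", "..", "archive", lineage, versioned), path)
        fixed.append(name)
    return fixed, skipped


def build_demo_tree():
    """Constructed stand-in for /etc/letsencrypt: ggc.world-0002 intact, ggc.world holding plain
    copies instead of links, with a privkey.pem that no longer matches its archive copy."""
    root = tempfile.mkdtemp()
    for lineage, intact in (("ggc.world-0002", True), ("ggc.world", False)):
        archive = os.path.join(root, "archive", lineage)
        live = os.path.join(root, "live", lineage)
        os.makedirs(archive)
        os.makedirs(live)
        for name in LINK_NAMES:
            base = name[:-len(".pem")]
            content = ("constructed %s for %s\n" % (base, lineage)).encode()
            with open(os.path.join(archive, base + "1.pem"), "wb") as f:
                f.write(content)
            if intact:
                os.symlink(os.path.join("..", "..", "archive", lineage, base + "1.pem"),
                           os.path.join(live, name))
            else:
                with open(os.path.join(live, name), "wb") as f:
                    f.write(content + (b"stale\n" if name == "privkey.pem" else b""))
    return root
```

Run audit_lineage over every directory under live/ before `certbot renew`; a non-empty result is exactly the lineage certbot will report as "parsefail".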

Thanks for your reply.

sudo certbot certificates
[sudo] password for marco:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: ggc.world-0002
    Domains: ggc.world
    Expiry Date: 2020-08-05 14:31:25+00:00 (VALID: 35 days)
    Certificate Path: /etc/letsencrypt/live/ggc.world-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ggc.world-0002/privkey.pem

So, I removed the /etc/letsencrypt/live/ggc.world folder and kept the /etc/letsencrypt/live/ggc.world-0002 folder

(base) marco@pc01:/etc/letsencrypt/live$ sudo rm -rf ggc.world
(base) marco@pc01:/etc/letsencrypt/live$ ls -lah
total 16K
drwx------ 3 marco root 4,0K lug  1 14:03 .
drwxr-xr-x 9 marco root 4,0K lug  1 14:02 ..
drwxr-xr-x 2 root  root 4,0K mag  7 17:31 ggc.world-0002
-rw-r--r-- 1 marco root  740 feb 11 12:32 README

I then made brand new symlinks from the /etc/letsencrypt/live/ggc.world-0002/ files to the corresponding /etc/letsencrypt/archive/ggc.world-0002/ files:

(base) marco@pc01:/etc/letsencrypt/live/ggc.world-0002$ sudo rm cert.pem chain.pem fullchain.pem privkey.pem

(base) marco@pc01:/etc/letsencrypt/live/ggc.world-0002$ sudo ln -s /etc/letsencrypt/archive/ggc.world-0002/cert1.pem cert.pem

(base) marco@pc01:/etc/letsencrypt/live/ggc.world-0002$ sudo ln -s /etc/letsencrypt/archive/ggc.world-0002/chain1.pem chain.pem

(base) marco@pc01:/etc/letsencrypt/live/ggc.world-0002$ sudo ln -s /etc/letsencrypt/archive/ggc.world-0002/fullchain1.pem fullchain.pem

(base) marco@pc01:/etc/letsencrypt/live/ggc.world-0002$ sudo ln -s /etc/letsencrypt/archive/ggc.world-0002/privkey1.pem privkey.pem

(base) marco@pc01:/etc/letsencrypt/live/ggc.world-0002$ ls -lah
total 12K
drwxr-xr-x 2 root  root 4,0K lug  1 14:18 .
drwx------ 4 marco root 4,0K lug  1 14:14 ..
lrwxrwxrwx 1 root  root   49 lug  1 14:16 cert.pem -> /etc/letsencrypt/archive/ggc.world-0002/cert1.pem
lrwxrwxrwx 1 root  root   50 lug  1 14:17 chain.pem -> /etc/letsencrypt/archive/ggc.world-0002/chain1.pem
lrwxrwxrwx 1 root  root   54 lug  1 14:17 fullchain.pem -> /etc/letsencrypt/archive/ggc.world-0002/fullchain1.pem
lrwxrwxrwx 1 root  root   52 lug  1 14:18 privkey.pem -> /etc/letsencrypt/archive/ggc.world-0002/privkey1.pem
-rw-r--r-- 1 root  root  692 mag  7 17:31 README

This is my complete /etc/nginx/conf.d/default.conf file :

server {
    listen 443 ssl http2 default_server;
    server_name ggc.world;

    ssl_certificate /etc/letsencrypt/live/ggc.world-0002/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ggc.world-0002/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/ggc.world-0002/chain.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /weights {
      root /home/marco/www;
      try_files $uri $uri/ =404;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # Following is necessary for Websocket support
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
}

server {
    if ($host = ggc.world) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 default_server;
    listen [::]:80 default_server;

    error_page 497 https://$host:$server_port$request_uri;
    server_name ggc.world;
    return 301 https://$server_name$request_uri;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

upstream websocket {
    server ggc.world:4977;
}

server {
    listen 8443 ssl;
    server_name ggc.world;

    ssl_certificate /etc/letsencrypt/live/ggc.world-0002/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ggc.world-0002/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/ggc.world-0002/chain.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location /p2p {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade "Websocket";
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host ggc.world;
    }
}

upstream golang-webserver {
    ip_hash;
    server 127.0.0.1:2000;
}

server {

    root /puser/add;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;

    location / {
        proxy_pass http://golang-webserver;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

I updated the certificate, expanding it to also cover www.ggc.world:

(base) marco@pc01:~$ sudo certbot --expand -d ggc.world,www.ggc.world
[sudo] password for marco: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ggc.world
http-01 challenge for www.ggc.world
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/default.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/default.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/default.conf
No matching insecure server blocks listening on port 80 found.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://ggc.world and
https://www.ggc.world

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ggc.world
https://www.ssllabs.com/ssltest/analyze.html?d=www.ggc.world
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ggc.world-0002/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ggc.world-0002/privkey.pem
   Your cert will expire on 2020-09-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"



I then modified the nginx config as follows:

server {
    listen 443 ssl http2 default_server;
    server_name ggc.world;

server {
    if ($host = ggc.world) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 default_server;
    listen [::]:80 default_server;

    error_page 497 https://$host:$server_port$request_uri;
    server_name www.ggc.world;

upstream websocket {
    server ggc.world:4977;
}

server {
    listen 8443 ssl;
    server_name ggc.world;


server {
    listen 443 ssl http2;
    server_name ggc.world; # managed by Certbot

https://www.ssllabs.com/ssltest/analyze.html?d=ggc.world

But with https://check-your-website.server-daten.de/?q=ggc.world

And still get this:

C	Error - more then one version with Http-Status 200. After all redirects, all users (and search engines) should see the same https url: Non-www or www, but not both with http status 200.
N	https://37.116.211.76/ 37.116.211.76
200

Error - Certificate isn't trusted, RemoteCertificateNameMismatch
N	37.116.211.76:8443

Error - Certificate isn't trusted, RemoteCertificateNameMismatch

How to solve it?


I think that was a cached result. Just use SSLlabs. That German server-daten test gives way too much irrelevant information to be really helpful. Not really understandable for most people. Too cluttered, too much text, not easily interpretable.

I tried modifying the nginx configuration again a few times, but again I get an A+ grade with https://www.ssllabs.com/ssltest/analyze.html?d=ggc.world and an E or C grade with https://check-your-website.server-daten.de/?q=ggc.world.

Thank you very much for your kind help.
Marco

You might want to add the www subdomain to your nginx server_name configuration: https://www.ssllabs.com/ssltest/analyze.html?d=www.ggc.world

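The name check behind the RemoteCertificateNameMismatch verdicts in this thread, as an added example (not the scanner's code, not certbot's): it reproduces the client-side SAN matching on constructed getpeercert()-style dicts for the certificate before and after --expand, and for the bare IP 37.116.211.76 the checker also connected to, which no DNS-only certificate can satisfy. fetch_peercert is an assumed helper for pulling a live endpoint's certificate into the same dict shape; it is not used by the offline checks.

```python
import ipaddress
import socket
import ssl


def san_names(peercert):
    """Split the subjectAltName entries of an ssl.SSLSocket.getpeercert() dict into
    lowercase DNS patterns and parsed IP addresses."""
    dns, ips = [], []
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def dns_pattern_matches(pattern, host):
    """RFC 6125 style comparison: exact match, or a single leading '*' label standing
    in for exactly one host label (so *.ggc.world covers www.ggc.world, not ggc.world)."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    label, dot, rest = host.partition(".")
    return bool(dot) and label != "" and rest == pattern[2:]


def hostname_matches(host, peercert):
    """Return (ok, reason): the decision a client makes before reporting a name mismatch."""
    dns, ips = san_names(peercert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # connecting by IP literal: only an IP SAN can satisfy it
        if ip in ips:
            return True, "matched IP SAN %s" % ip
        return False, "no IP SAN for %s (IP SANs: %s)" % (ip, [str(i) for i in ips] or "none")
    host = host.lower().rstrip(".")
    for pattern in dns:
        if dns_pattern_matches(pattern, host):
            return True, "matched DNS SAN %s" % pattern
    return False, "no DNS SAN matches %s (DNS SANs: %s)" % (host, dns)


def fetch_peercert(host, port=443, timeout=5.0):
    """Assumed helper: fetch the leaf certificate as a getpeercert() dict while still
    validating the chain, with the hostname check disabled so a mismatching certificate
    can be inspected instead of aborting the handshake. Makes a network connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed getpeercert()-shaped dicts for the two states of the thread's certificate:
# the lineage covering only the apex name, and the one after `certbot --expand`.
CERT_BEFORE_EXPAND = {"subjectAltName": (("DNS", "ggc.world"),)}
CERT_AFTER_EXPAND = {"subjectAltName": (("DNS", "ggc.world"), ("DNS", "www.ggc.world"))}


def check_names(hosts, peercert):
    """Map each name a scanner might connect to onto the match decision."""
    return {h: hostname_matches(h, peercert)[0] for h in hosts}


if __name__ == "__main__":
    targets = ("ggc.world", "www.ggc.world", "37.116.211.76")
    for label, cert in (("before", CERT_BEFORE_EXPAND), ("after", CERT_AFTER_EXPAND)):
        for h in targets:
            ok, why = hostname_matches(h, cert)
            print("%-6s %-16s %s  %s" % (label, h, "OK" if ok else "MISMATCH", why))
```

The IP row stays a mismatch even after the expansion, which is why a scanner that probes the raw address (or port 8443 by address) keeps reporting the error while SSL Labs, which only tests the hostname, shows A+.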