Expired certification

revert this part of the changes:

we can tackle the v01 to v02 issue separately; as it really makes little/no difference at this point.

Reverted to v01; here's what I get:

root@westfield-nas:/letsencrypt# ./letsencrypt-auto --nginx renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/portal.dhc.nz.conf

Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for portal.dhc.nz
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (portal.dhc.nz) from /etc/letsencrypt/renewal/portal.dhc.nz.conf produced an unexpected error: Failed authorization procedure. portal.dhc.nz (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested a3658b72747ab7480a9e895a5df7ab85.fe11c43b5909fdb91c269579fce9fab8.acme.invalid from 103.68.58.20:443. Received 3 certificate(s), first certificate had names “project.dhc.org.nz”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: portal.dhc.nz
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    a3658b72747ab7480a9e895a5df7ab85.fe11c43b5909fdb91c269579fce9fab8.acme.invalid
    from 103.68.58.20:443. Received 3 certificate(s), first certificate
    had names “project.dhc.org.nz”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

switch to http:
--preferred-challenges http-01
or
--preferred-challenges http

This may require an exclusion for the challenge request folder:
http://project.dhc.org.nz/.well-known/acme-challenge/*
as there seems to be an HTTP to HTTPS redirect in place.

Place a test.txt file at:
http://project.dhc.org.nz/.well-known/acme-challenge/test.txt
and ensure it can be reached from the Internet.
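One way to carve out that exclusion in nginx, as an added example that is not part of this thread or the poster's configuration. It assumes a dedicated webroot at /var/www/letsencrypt (a path chosen for the example) that certbot writes challenge files into via its webroot authenticator; the thread itself uses the nginx authenticator, which injects its own temporary location block, so this is the belt-and-braces form for a server block whose only other job is redirecting to HTTPS:

```nginx
# Added example, not the thread's own config.
# Plain-HTTP server for portal.dhc.nz: answer ACME http-01 challenges from a
# fixed webroot, and redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name portal.dhc.nz;

    # "^~" is a prefix match that beats any regex location, so a later
    # "location ~ \.php$" or rewrite rule can never capture the challenge path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # assumed: the directory passed to certbot -w
        default_type text/plain;        # tokens must come back as plain text
        try_files $uri =404;            # serve the file only if it really exists
    }

    # Everything that is not a challenge goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this in place, certbot's webroot mode (certbot renew --webroot -w /var/www/letsencrypt) drops its token under /var/www/letsencrypt/.well-known/acme-challenge/ and the redirect never sees it. The check from the post above still applies: put a test.txt there and fetch http://portal.dhc.nz/.well-known/acme-challenge/test.txt from outside; a 301 instead of the file's contents means the exclusion is not matching.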

Success. Thanks heaps.

root@westfield-nas:/etc/letsencrypt/renewal# cd /letsencrypt
root@westfield-nas:/letsencrypt# ./letsencrypt-auto --nginx renew --force-renewal --preferred-challenges http-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/portal.dhc.nz.conf

Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for portal.dhc.nz
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem


Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem (success)

OK now show the new contents of:

renew_before_expiry = 30 days

cert = /etc/letsencrypt/live/portal.dhc.nz/cert.pem
privkey = /etc/letsencrypt/live/portal.dhc.nz/privkey.pem
chain = /etc/letsencrypt/live/portal.dhc.nz/chain.pem
fullchain = /etc/letsencrypt/live/portal.dhc.nz/fullchain.pem
version = 0.23.0
archive_dir = /etc/letsencrypt/archive/portal.dhc.nz

# Options and defaults used in the renewal process

[renewalparams]
installer = nginx
authenticator = nginx
account = 7f918b69102628ecaa2633f7821d1a2f
pref_challs = http-01,

So

can now be reduced to:
./letsencrypt-auto renew
or just
./letsencrypt-auto

as the conf now has:

You now need to work on the cron job to get this automated and be done with it.

To that end, first gather some useful info:
which letsencrypt
find / -name nginx.pid

Use that to create a cron job something along these lines (or whatever you feel comfortable with):
9 */12 * * * sudo /usr/bin/letsencrypt -q --deploy-hook 'kill -HUP $( cat /run/nginx.pid )'

see: https://www.nginx.com/resources/wiki/start/topics/tutorials/commandline/

Sorry, I skipped the v01 to v02 issue.
If that is of concern (it would be if you wanted to do wild card validation), I suggest opening a new thread topic for just that.
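The deploy hook in the cron line above sends HUP to whatever pid is in /run/nginx.pid; if that file is missing or stale (nginx restarted by hand, or a reboot that left an old file behind) the one-liner fails silently or signals the wrong process. The following is an added example, not from this thread or from certbot, of a hook script that does the same reload but checks each of those cases first and reports which one it hit through its exit code. The script path /usr/local/sbin/nginx-reload-hook.sh and the pid-file path are assumptions for the example; use whatever `find / -name nginx.pid` returned on your box:

```shell
#!/bin/sh
# Added example (not from the thread): a certbot deploy hook that reloads nginx
# via its pid file but refuses to act on a missing, empty or stale pid file.
# Install as /usr/local/sbin/nginx-reload-hook.sh (assumed path) and run with
#   letsencrypt -q --deploy-hook /usr/local/sbin/nginx-reload-hook.sh
# certbot sets RENEWED_LINEAGE/RENEWED_DOMAINS in the hook's environment when a
# certificate was actually renewed; they are only logged here.

# nginx_reload_from_pidfile PIDFILE
#   exit status: 0 = HUP sent, 2 = pid file missing/unreadable,
#                3 = pid file empty, 4 = pid in file is not a running process
nginx_reload_from_pidfile() {
    pidfile="$1"
    if [ ! -r "$pidfile" ]; then
        echo "nginx-reload-hook: $pidfile missing or unreadable" >&2
        return 2
    fi
    # keep digits only, so a trailing newline or stray whitespace cannot
    # turn into a malformed pid
    pid=$(tr -cd '0-9' < "$pidfile")
    if [ -z "$pid" ]; then
        echo "nginx-reload-hook: $pidfile is empty" >&2
        return 3
    fi
    # kill -0 sends no signal; it only checks that the pid exists and we may signal it
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "nginx-reload-hook: pid $pid from $pidfile is not running (stale file?)" >&2
        return 4
    fi
    echo "nginx-reload-hook: reloading nginx (pid $pid) for ${RENEWED_LINEAGE:-unknown lineage}" >&2
    kill -HUP "$pid"
}

# Hook body; uncomment when installing the script as the deploy hook:
# nginx_reload_from_pidfile "${NGINX_PIDFILE:-/run/nginx.pid}"
```

Because certbot only runs --deploy-hook after a successful renewal, a non-zero exit here shows up in /var/log/letsencrypt/letsencrypt.log as a hook failure rather than disappearing into cron, which is exactly the case this thread ran into: a renewed cert on disk with the old one still being served.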

Are you able to advise why the certificate is still invalid?
https://portal.dhc.nz

I have already restarted the nginx service.

How is Nginx configured? You can use “nginx -T” to display it.

Has Nginx really been reloaded or restarted?

And what does “./letsencrypt-auto certificates” display?

Done: service nginx restart and reload.
root@westfield-nas:/etc/nginx/sites-available# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

configuration file /etc/nginx/nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
worker_connections 768;
# multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 2000M;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

configuration file /etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                           mml;
text/plain                            txt;
text/vnd.sun.j2me.app-descriptor      jad;
text/vnd.wap.wml                      wml;
text/x-component                      htc;

image/png                             png;
image/tiff                            tif tiff;
image/vnd.wap.wbmp                    wbmp;
image/x-icon                          ico;
image/x-jng                           jng;
image/x-ms-bmp                        bmp;
image/svg+xml                         svg svgz;
image/webp                            webp;

application/font-woff                 woff;
application/java-archive              jar war ear;
application/json                      json;
application/mac-binhex40              hqx;
application/msword                    doc;
application/pdf                       pdf;
application/postscript                ps eps ai;
application/rtf                       rtf;
application/vnd.apple.mpegurl         m3u8;
application/vnd.ms-excel              xls;
application/vnd.ms-fontobject         eot;
application/vnd.ms-powerpoint         ppt;
application/vnd.wap.wmlc              wmlc;
application/vnd.google-earth.kml+xml  kml;
application/vnd.google-earth.kmz      kmz;
application/x-7z-compressed           7z;
application/x-cocoa                   cco;
application/x-java-archive-diff       jardiff;
application/x-java-jnlp-file          jnlp;
application/x-makeself                run;
application/x-perl                    pl pm;
application/x-pilot                   prc pdb;
application/x-rar-compressed          rar;
application/x-redhat-package-manager  rpm;
application/x-sea                     sea;
application/x-shockwave-flash         swf;
application/x-stuffit                 sit;
application/x-tcl                     tcl tk;
application/x-x509-ca-cert            der pem crt;
application/x-xpinstall               xpi;
application/xhtml+xml                 xhtml;
application/xspf+xml                  xspf;
application/zip                       zip;

application/octet-stream              bin exe dll;
application/octet-stream              deb;
application/octet-stream              dmg;
application/octet-stream              iso img;
application/octet-stream              msi msp msm;

application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

audio/midi                            mid midi kar;
audio/mpeg                            mp3;
audio/ogg                             ogg;
audio/x-m4a                           m4a;
audio/x-realaudio                     ra;

video/3gpp                            3gpp 3gp;
video/mp2t                            ts;
video/mp4                             mp4;
video/mpeg                            mpeg mpg;
video/quicktime                       mov;
video/webm                            webm;
video/x-flv                           flv;
video/x-m4v                           m4v;
video/x-mng                           mng;
video/x-ms-asf                        asx asf;
video/x-ms-wmv                        wmv;
video/x-msvideo                       avi;

}

configuration file /etc/nginx/sites-enabled/default:

# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.

# Default server configuration
#

server {
listen 80 default_server;
listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #       include snippets/fastcgi-php.conf;
    #
    #       # With php7.0-cgi alone:
    #       fastcgi_pass 127.0.0.1:9000;
    #       # With php7.0-fpm:
    #       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #       deny all;
    #}

}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

configuration file /etc/nginx/sites-enabled/portal.dhc.nz:

# Drop connections that have an invalid "Host" request parameter

server {
listen 192.168.3.4:80 default_server;
server_name _;
return 444;
}

# HTTP Server

server {

    server_name
            portal.dhc.nz
    ;


    #return 301 https://portal.dhc.nz$request_uri;

    index index.php index.html;

    if ( $host != 'portal.dhc.nz' ){
            return 301 https://portal.dhc.nz$request_uri;
    }

    client_max_body_size 20M;

    access_log /var/log/nginx/portal.dhc.nz_access.log;
    error_log /var/log/nginx/portal.dhc.nz_error.log;

    root /srv/www/portal.dhc.nz/public/;

    location / {
            #try_files $uri $uri/ @rewrite;
            try_files $uri $uri/ /index.php?$query_string;

            expires 1h;
            add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";

            #include options.d/cache_10m.conf;
    }

    location ~ \.php$ {
            try_files $uri /index.php =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass   unix:/var/run/php/php7.0-fpm.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_read_timeout 1800;
    }


listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/portal.dhc.nz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/portal.dhc.nz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
if ($host = portal.dhc.nz) {
return 301 https://$host$request_uri;
} # managed by Certbot

    listen 192.168.3.4:80;


    server_name
            portal.dhc.nz
    ;
return 404; # managed by Certbot

}

configuration file /etc/nginx/fastcgi_params:

fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;

configuration file /etc/letsencrypt/options-ssl-nginx.conf:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

configuration file /etc/nginx/sites-enabled/portal_ssl.dhc.nz:

server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include snippets/ssl-params.conf;

    root /srv/www/portal.dhc.nz/public;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html index.php;

    error_log /var/log/nginx/error.portal.log warn;

    server_name _;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ /index.php$is_args$args;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            # With php7.0-cgi alone:
            #fastcgi_pass 127.0.0.1:9000;
            # With php7.0-fpm:
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
            fastcgi_read_timeout 600;
    }
    ssl_certificate /etc/letsencrypt/live/portal.dhc.nz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/portal.dhc.nz/privkey.pem;
    #ssl_certificate /etc/letsencrypt/live/portal.bluedoor.nz/fullchain.pem;
    #ssl_certificate_key     /etc/letsencrypt/live/portal.bluedoor.nz/privkey.pem;

    error_page 404 /index.php;

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
            deny all;
    }

}

configuration file /etc/nginx/snippets/ssl-params.conf:

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/private/dh4096.pem;

configuration file /etc/nginx/snippets/fastcgi-php.conf:

# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

configuration file /etc/nginx/fastcgi.conf:

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;

Found the following certs:
Certificate Name: portal.dhc.nz
Domains: portal.dhc.nz
Expiry Date: 2018-07-22 04:04:39+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/portal.dhc.nz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/portal.dhc.nz/privkey.pem

Please post the contents of (it’s the public cert, so no need to worry):
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem

and also the result of:
ls -l /etc/letsencrypt/live/portal.dhc.nz/

root@westfield-nas:/etc/letsencrypt/live/portal.dhc.nz# less fullchain.pem
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

root@westfield-nas:/etc/letsencrypt/live/portal.dhc.nz# ls -l
total 0
lrwxrwxrwx 1 root root 37 Apr 23 19:44 cert.pem -> ../../archive/portal.dhc.nz/cert3.pem
lrwxrwxrwx 1 root root 38 Apr 23 19:44 chain.pem -> ../../archive/portal.dhc.nz/chain3.pem
lrwxrwxrwx 1 root root 42 Apr 23 19:44 fullchain.pem -> ../../archive/portal.dhc.nz/fullchain3.pem
lrwxrwxrwx 1 root root 40 Apr 23 19:44 privkey.pem -> ../../archive/portal.dhc.nz/privkey3.pem

That “looks good” in that it has multiple certs, but the less fullchain.pem command didn’t show the entire file, so it is difficult to see if it is correct.
Also, the online system isn’t sending out the fullchain.pem (multiple certs).
As shown by:
openssl s_client -connect portal.dhc.nz:443 -servername portal.dhc.nz -showcerts
only the simple public cert is being provided (cert.pem).
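The comparison the post above makes by eye (what openssl s_client -showcerts returns versus what is in fullchain.pem on disk) can be scripted. The following is an added example, not from this thread or from certbot: it pulls every PEM certificate block out of both texts, fingerprints the DER bytes with SHA-256, and reports whether the served leaf is the one on disk and whether the whole chain matches. The sample inputs at the bottom are constructed placeholders wrapped as PEM, not real certificates; on a live system you would feed it the captured s_client output and the real fullchain.pem instead.

```python
"""Added example (not from the thread): compare the chain a TLS server sends
with the fullchain.pem on disk.

Real usage: capture
    openssl s_client -connect portal.dhc.nz:443 -servername portal.dhc.nz -showcerts </dev/null
into a file and pass its text plus the contents of
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem to compare_chain().
"""
import base64
import hashlib
import re

# One PEM certificate block; DOTALL lets the body span lines, and the non-greedy
# match stops at the first END marker so several blocks in one text are split apart.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def der_blocks(text):
    """Return the DER bytes of every PEM certificate block in text, in order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(text)]


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, as shown by openssl x509 -fingerprint -sha256."""
    return hashlib.sha256(der).hexdigest()


def compare_chain(served_text, disk_text):
    """Compare the served chain (s_client output) with the on-disk fullchain.pem.

    leaf_matches: the first certificate the server sent is the first one on disk.
    chain_matches: same certificates, same order, same count.
    """
    served = [fingerprint(d) for d in der_blocks(served_text)]
    disk = [fingerprint(d) for d in der_blocks(disk_text)]
    return {
        "served_count": len(served),
        "disk_count": len(disk),
        "leaf_matches": bool(served) and bool(disk) and served[0] == disk[0],
        "chain_matches": served == disk,
    }


# --- constructed sample data: placeholder bytes wrapped as PEM, NOT real certs ---
def _fake_pem(payload):
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


NEW_LEAF = _fake_pem(b"constructed: freshly renewed leaf for portal.dhc.nz")
OLD_LEAF = _fake_pem(b"constructed: previous leaf that expired in April")
INTERMEDIATE = _fake_pem(b"constructed: Let's Encrypt intermediate")

# What certbot writes: leaf first, then the intermediate.
DISK_FULLCHAIN = NEW_LEAF + INTERMEDIATE

# Shape of s_client -showcerts output: banner, then "Certificate chain" with
# numbered subject/issuer headers in front of each PEM block (constructed).
_HEADER = "CONNECTED(00000003)\nCertificate chain\n"
SERVED_STALE = (_HEADER + " 0 s:/CN=portal.dhc.nz\n   i:/CN=Let's Encrypt Authority X3\n"
                + OLD_LEAF)
SERVED_FRESH = (_HEADER + " 0 s:/CN=portal.dhc.nz\n   i:/CN=Let's Encrypt Authority X3\n"
                + NEW_LEAF
                + " 1 s:/CN=Let's Encrypt Authority X3\n   i:/CN=DST Root CA X3\n"
                + INTERMEDIATE)

if __name__ == "__main__":
    for label, served in (("stale", SERVED_STALE), ("fresh", SERVED_FRESH)):
        print(label, compare_chain(served, DISK_FULLCHAIN))
```

A result with served_count 1 and leaf_matches False is the situation in this thread: the file on disk is the renewed full chain, but the running server is still handing out the old leaf alone, which points at the server not having picked up the new files rather than at certbot.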

Resending fullchain.pem:

root@westfield-nas:/etc/letsencrypt/live/portal.dhc.nz# more fullchain.pem
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

That is the correct FULLCHAIN cert but NOT the same cert being served:


-----BEGIN CERTIFICATE-----
MIIE/TCCA+WgAwIBAgISA+bPbCwiPEoQzpC8BuzicNo0MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODAxMTQyMDE1NTJaFw0x
ODA0MTQyMDE1NTJaMBgxFjAUBgNVBAMTDXBvcnRhbC5kaGMubnowggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoM+wxReVcanvuN337RPpNUsL+SRSdxBDk
YRkaB/cGlGmaoHOgFji89W2oJv6Mm8DOlgYZPgvSglHENxGZwnuqi2HvIPcHbHHn
8jQiy9j/Nbmx34i8uaJqGDTf9hQTURH8ME23RaBr51bg5XjIrj0MRdnJC+VCilbA
pO/CabxD60tFO/OQld4bIUP2mq9PJXX6AMgEwNvXKlYCksg9QCrC1oZTSSsXq+vs
y4+CJjrVrY//L4DbhLyrgc1Iw2JOKdn9SDPxoZima318XopiwDBBppah+hbjUhSg
oZ7+ryvFUye3G0pwP1ZCpxI2TQE57D+QKYNrxyvKTqQpWusOo181AgMBAAGjggIN
MIICCTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFHxGr3MoeDm2O4DOqTHl1T134cec
MB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMG8GCCsGAQUFBwEBBGMw
YTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0Lm9y
ZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wGAYDVR0RBBEwD4INcG9ydGFsLmRoYy5uejCB/gYDVR0gBIH2MIHzMAgGBmeB
DAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMu
bGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNh
dGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFu
ZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5
IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0G
CSqGSIb3DQEBCwUAA4IBAQAzVC661M019XkfvNopKKaFzgy3MvssSacA3ZsPTep5
iXvFSpveTessWuj1Pb5DwRxHI1Wg0Avh9/JScNacu9MQ5RVjde3dnljK8zfvdwNH
+xeVGKhUlfmG/pXEUZT/tC9BqekBr5Nofwq+4MW5XwJ4/6J09hoyjuZcfgUlx6JP
RhhPGqgScOwbwHe7SJ+NUwsSf6MTaaAdZWHsVcD6YM2qB8pdhNdVJEV/6cCNRwN0
T6FRMHgov9f575voYxJEPUw1nGH/RGOLoVgGZ67QaotlH/dmNRpSzxLuBirp23OH
FImvTGKyS7Ve4aJP4b+cFV7vXJ7hmw8NNV6/U9GrNUmn
-----END CERTIFICATE-----

Have you restarted the server/service since the cert was renewed?
service nginx restart

Yes, done: service nginx restart and reload.

Even stop and start.

Would it require rebooting the server?

No, that shouldn’t have any effect. Maybe try

grep -r ssl_certificate /etc/nginx

or something?