Getting ERR_SSL_PROTOCOL_ERROR when connecting to my website through my router

Ackis · March 10, 2020, 2:28am

I didn't issue any command with webroot. I just ran certbot renew -a nginx like you suggested.

There's a bug with nginx where the installer doesn't work on some installs, so I was forced to use the webroot method.

github.com/certbot/certbot

Nginx installer not properly reloading configuration

opened 04:16AM - 04 Oct 19 UTC

closed 07:52PM - 27 Jul 20 UTC

Ackis

bug area: nginx

Detailed conversation could be found here: https://community.letsencrypt.org/t/…cannot-renew-create-a-new-cert-when-i-had-no-issue-previously/103040/ ## My operating system is (include version): Ubuntu 18.04.3 LTS Nginx 1.17.4 (note, this isn't the version of nginx that's part of Ubuntu's repo's) ## I installed Certbot with (certbot-auto, OS package manager, pip, etc): ## I ran this command and it produced this output: `sudo certbot renew --cert-name ackis.duckdns.org --debug-challenges --dry-run` ``` Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/ackis.duckdns.org.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator nginx, Installer nginx Renewing an existing certificate Performing the following challenges: http-01 challenge for ackis.duckdns.org Waiting for verification... - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about challenges. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cleaning up challenges Attempting to renew cert (ackis.duckdns.org) from /etc/letsencrypt/renewal/ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://ackis.duckdns.org/.well-known/acme-challenge/7bO_DNxtDDyO_hPdRJcpGWEJHaLTRwtTsMWpWtQREDE [174.3.126.96]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/ackis.duckdns.org/fullchain.pem (failure) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/ackis.duckdns.org/fullchain.pem (failure) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 renew failure(s), 0 parse failure(s) IMPORTANT NOTES: - The following errors were reported by the server: Domain: ackis.duckdns.org Type: unauthorized Detail: Invalid response from https://ackis.duckdns.org/.well-known/acme-challenge/7bO_DNxtDDyO_hPdRJcpGWEJHaLTRwtTsMWpWtQREDE [174.3.126.96]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n" To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. ``` ## Certbot's behavior differed from what I expected because: Certbot should have renewed the certificate. ## Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring: ``` # HTTP server - redirect to HTTPS server { listen 80; listen [::]:80; server_name www.ackis.duckdns.org ackis.duckdns.org; location / { return 301 https://ackis.duckdns.org$request_uri; } # Workaround LE and certbot not working with nginx location /.well-known/acme-challenge/ { root /var/www/letsencrypt; } access_log syslog:server=localhost,tag=nginx_access_internet,severity=info; error_log syslog:server=localhost,tag=nginx_error_internet; add_header Strict-Transport-Security "max-age=31536000;"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; } # www domain - redirect to domain without www server { listen 443 ssl; listen [::]:443 ssl; server_name www.ackis.duckdns.org; location / { return 301 https://ackis.duckdns.org$request_uri; } access_log syslog:server=localhost,tag=nginx_access_internet,severity=info; error_log syslog:server=localhost,tag=nginx_error_internet; ssl_certificate /etc/letsencrypt/live/www.ackis.duckdns.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.ackis.duckdns.org/privkey.pem; server_tokens off; etag off; add_header Strict-Transport-Security "max-age=31536000;"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; } server { listen 443 ssl default_server; listen [::]:443 ssl; server_name ackis.duckdns.org; access_log syslog:server=localhost,tag=nginx_access_internet,severity=info; error_log syslog:server=localhost,tag=nginx_error_internet; ssl_certificate /etc/letsencrypt/live/ackis.duckdns.org/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/ackis.duckdns.org/privkey.pem; # managed by Certbot server_tokens off; etag off; add_header Strict-Transport-Security "max-age=31536000;"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; location ~* /\.\./ { deny all; return 404; } location ~* "^(?:.+\.(?:htaccess|make|txt|test|markdown|md|engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Re$ return 404; } location = /favicon.ico { try_files /favicon.ico =204; } location / { root /var/www/internet; index index.html; } location /nginx_status { access_log syslog:server=localhost,tag=nginx_access_admin,severity=info; error_log syslog:server=localhost,tag=nginx_error_admin; allow 192.168.0.0/24; deny all; auth_basic "Restricted access"; auth_basic_user_file /etc/nginx/auth/admin.htpasswd; stub_status on; } } ```

I'm willing to get rid of it, if you think it'll help. I did for the ackis.duckdns.org domain (which is why I had the configuration error, I had to manually edit the config file) and it didn't seem to make a difference.