Ackis
March 10, 2020, 2:28am
21
I didn't issue any command with webroot. I just ran certbot renew -a nginx like you suggested.
There's a bug with nginx where the installer doesn't work on some installs, so I was forced to use the webroot method.
opened 04:16AM - 04 Oct 19 UTC
closed 07:52PM - 27 Jul 20 UTC
bug
area: nginx
Detailed conversation could be found here:
https://community.letsencrypt.org/t/… cannot-renew-create-a-new-cert-when-i-had-no-issue-previously/103040/
## My operating system is (include version):
Ubuntu 18.04.3 LTS
Nginx 1.17.4 (note, this isn't the version of nginx that's part of Ubuntu's repos)
## I installed Certbot with (certbot-auto, OS package manager, pip, etc):
## I ran this command and it produced this output:
`sudo certbot renew --cert-name ackis.duckdns.org --debug-challenges --dry-run`
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ackis.duckdns.org
Waiting for verification...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cleaning up challenges
Attempting to renew cert (ackis.duckdns.org) from /etc/letsencrypt/renewal/ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://ackis.duckdns.org/.well-known/acme-challenge/7bO_DNxtDDyO_hPdRJcpGWEJHaLTRwtTsMWpWtQREDE [174.3.126.96]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ackis.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ackis.duckdns.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: ackis.duckdns.org
Type: unauthorized
Detail: Invalid response from
https://ackis.duckdns.org/.well-known/acme-challenge/7bO_DNxtDDyO_hPdRJcpGWEJHaLTRwtTsMWpWtQREDE
[174.3.126.96]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
```
## Certbot's behavior differed from what I expected because:
Certbot should have renewed the certificate.
## Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:
```nginx
# HTTP server - redirect to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name www.ackis.duckdns.org ackis.duckdns.org;
    location / {
        return 301 https://ackis.duckdns.org$request_uri;
    }
    # Workaround LE and certbot not working with nginx
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    access_log syslog:server=localhost,tag=nginx_access_internet,severity=info;
    error_log syslog:server=localhost,tag=nginx_error_internet;
    add_header Strict-Transport-Security "max-age=31536000;";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
}
# www domain - redirect to domain without www
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.ackis.duckdns.org;
    location / {
        return 301 https://ackis.duckdns.org$request_uri;
    }
    access_log syslog:server=localhost,tag=nginx_access_internet,severity=info;
    error_log syslog:server=localhost,tag=nginx_error_internet;
    ssl_certificate /etc/letsencrypt/live/www.ackis.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.ackis.duckdns.org/privkey.pem;
    server_tokens off;
    etag off;
    add_header Strict-Transport-Security "max-age=31536000;";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl;
    server_name ackis.duckdns.org;
    access_log syslog:server=localhost,tag=nginx_access_internet,severity=info;
    error_log syslog:server=localhost,tag=nginx_error_internet;
    ssl_certificate /etc/letsencrypt/live/ackis.duckdns.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ackis.duckdns.org/privkey.pem; # managed by Certbot
    server_tokens off;
    etag off;
    add_header Strict-Transport-Security "max-age=31536000;";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    location ~* /\.\./ {
        deny all;
        return 404;
    }
    location ~* "^(?:.+\.(?:htaccess|make|txt|test|markdown|md|engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Re$
        return 404;
    }
    location = /favicon.ico {
        try_files /favicon.ico =204;
    }
    location / {
        root /var/www/internet;
        index index.html;
    }
    location /nginx_status {
        access_log syslog:server=localhost,tag=nginx_access_admin,severity=info;
        error_log syslog:server=localhost,tag=nginx_error_admin;
        allow 192.168.0.0/24;
        deny all;
        auth_basic "Restricted access";
        auth_basic_user_file /etc/nginx/auth/admin.htpasswd;
        stub_status on;
    }
}
```
I'm willing to get rid of it if you think it'll help. I did for the ackis.duckdns.org domain (which is why I had the configuration error; I had to manually edit the config file) and it didn't seem to make a difference.
1 Like
9peppe
March 10, 2020, 8:32am
22
did you not use, at any point in time, something that looks like `certbot renew|run -a webroot -w /var/www/letsencrypt [-d domain]`?
try putting a file in that directory and check if you can see it from http://plexpy.ackis.duckdns.org/.well-known/acme-challenge/yourfile.txt
(or, better, try putting a file in /var/www/letsencrypt/.well-known/acme-challenge/)
1 Like
Ackis
March 10, 2020, 8:42pm
23
Yes I did - for all my domains that came up for renewal.
Did that - was able to see the file after messing with permissions, and then I was able to renew a couple certs.
1 Like
9peppe
March 10, 2020, 8:54pm
24
and the others gave what error?
1 Like
Ackis
March 10, 2020, 9:10pm
25
They've just been errors with the automatic nginx install so far - I've just had to convert them over to the webroot method. It looks like it was a permissions error.
I thought I had tested that out because I put a file in /var/www/letsencrypt and tried to access it via curl, but couldn't. When you told me to put a file in /var/www/letsencrypt/.well-known/acme-challenge/, that's when I clued in that it may have been permissions. I'm not sure how it could have been, because nothing changed there - it was an empty folder with www-data owning it, but who knows. It's working now at least, so I'm able to renew the certs that need to be renewed.
Going to get them all renewed over the next few days here, and hopefully just have it left on so I can forget about it and have everything just work.
Appreciate your help and patience with me.
1 Like
9peppe
March 10, 2020, 9:13pm
26
did you mkdir the directories before putting the file in there?
(you can become www-data with `sudo -u www-data -s /bin/bash`)
1 Like
Ackis
March 11, 2020, 4:41am
27
Not originally. I had thought that the webroot declaration handled that. E.g. plexpy.ackis.duckdns.org/.well-known/acme-challenge/ was mapped directly to /var/www/letsencrypt/. So by having those folders we ended up with plexpy.ackis.duckdns.org/.well-known/acme-challenge/.well-known/acme-challenge/.
They exist in there now though (well earlier this afternoon before I made that other post).
1 Like
Hi @9peppe,
How can I check such information on our website hubbroker.com?
1 Like
9peppe
March 11, 2020, 8:02am
29
it does. but that doesn't do you any good if you put files inside manually.
You want to see the response headers?
either open the network tab in your browser development tools, or run `curl -I http[s]://website` in a terminal (install curl if it's not)
1 Like
Ackis
March 12, 2020, 3:13am
30
I'm not quite following you - if I put a file inside shouldn't it be handled like a symbolic link to a directory?
9peppe
March 12, 2020, 9:28am
31
the webroot declaration will create the .well-known/acme-challenge directory if it does not exist, but that doesn’t mean you won’t have to do the same: you can’t put files inside a non-existing directory (the webroot declaration cleans up after itself)
1 Like
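The manual file test 9peppe suggests in post 22 and the path mapping explained in post 31, as an added shell example that is not part of this thread or of certbot: the mapping functions model how nginx resolves `/.well-known/acme-challenge/<token>` under `root` versus `alias` against the file certbot's webroot plugin (`-w`) actually writes, and `live_check` performs the directory-plus-token test (mkdir first, then fetch, then clean up). The directory /var/www/letsencrypt is the one from the thread; the hostname argument and token values are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): model the nginx/webroot path mapping
# discussed above and optionally run the manual token test 9peppe suggested.
# Directory names come from the thread; token values are constructed.

# nginx "root": the whole request URI is appended to the directory.
root_mapping() {   # $1 = root dir, $2 = request URI
  printf '%s%s\n' "${1%/}" "$2"
}
# nginx "alias": only the part of the URI after the location prefix is appended.
alias_mapping() {  # $1 = alias dir, $2 = location prefix, $3 = request URI
  printf '%s/%s\n' "${1%/}" "${3#"$2"}"
}
# Where certbot's webroot plugin (-w DIR) writes a challenge token file.
webroot_token_path() {  # $1 = -w dir, $2 = token
  printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}
# File nginx would open for /.well-known/acme-challenge/<token> with a given directive.
served_path() {  # $1 = root|alias, $2 = directive dir, $3 = token
  uri="/.well-known/acme-challenge/$3"
  case $1 in
    root)  root_mapping "$2" "$uri" ;;
    alias) alias_mapping "$2" /.well-known/acme-challenge/ "$uri" ;;
    *)     return 2 ;;
  esac
}
# Succeeds when the file nginx serves is the file certbot writes, i.e. the
# HTTP-01 validation can pass (directory existence and permissions aside).
mapping_matches() {  # $1 = root|alias, $2 = directive dir, $3 = -w dir, $4 = token
  [ "$(served_path "$1" "$2" "$4")" = "$(webroot_token_path "$3" "$4")" ]
}
# Manual end-to-end test: create the directory certbot would use (it must exist
# before a file can be dropped into it), fetch a throwaway token over plain
# HTTP the way the CA would, then clean up. Needs curl and a running nginx.
live_check() {  # $1 = -w dir, $2 = hostname
  dir="${1%/}/.well-known/acme-challenge"
  token="manual-test-$$"
  mkdir -p "$dir" || return 2
  printf 'ok\n' > "$dir/$token" || return 2
  body=$(curl -fsS --max-time 10 "http://$2/.well-known/acme-challenge/$token")
  rc=$?
  rm -f "$dir/$token"
  [ "$rc" -eq 0 ] && [ "$body" = "ok" ]
}

if [ "$#" -ge 2 ]; then
  live_check "$1" "$2" && echo "challenge path OK" || { echo "challenge path BROKEN: check the directory, its ownership and root vs alias" >&2; exit 1; }
fi
```

Run as `sh check.sh /var/www/letsencrypt example.invalid` (constructed hostname) from a shell that can write to the webroot; a 404 from nginx on the token URL is exactly the failure shown in the certbot log above.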
system
Closed
April 11, 2020, 9:28am
32
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.