HTTPS failed after I renewed my SSL


#1

I was trying to renew my SSL by letsencrypt renew with Certbot v0.28.0. However, the SSL crashed after the renewal.

I even tried revoking and deleting my current certificate and re-fetching it again, and the message looks like it succeeded, but I still cannot use HTTPS for some reason.

root@linode:/home/billdagou# letsencrypt certonly -d dev.dagoutime.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dev.dagoutime.com
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/dev.dagoutime.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/dev.dagoutime.com/privkey.pem
    Your cert will expire on 2019-05-05. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

I also checked my Nginx configuration, but didn’t find anything incorrect.

server {
        listen 80;
        server_name dev.dagoutime.com;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl;
        server_name dev.dagoutime.com;
        ......
        ssl on;
        ssl_certificate /etc/letsencrypt/live/dev.dagoutime.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dev.dagoutime.com/privkey.pem;
        ......
}

Any suggestion is appreciated!

My domain is: dev.dagoutime.com

I ran this command: letsencrypt renew

It produced this output: See description above.

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0


#2

If you haven’t already, try re-opening your browser tab that contains the website. Some browsers have a bad habit of keeping around stale SSL errors.


#3

What error message are you getting?

I can connect to http://dev.dagoutime.com/ and https://dev.dagoutime.com/ using IPv4.

IPv6 results in “Connection refused” because the server blocks don’t have “listen [::]:80;” or “listen [::]:443 ssl;”.

That needs to be fixed, but most clients will work anyway (possibly slowly).


#4

Please explain this or give more detail on:

This all looks good:

EXCEPT:

I’ve never seen that used anywhere.

You should try checking the nginx config with:
nginx -t


#5

“ssl on;” is deprecated and can be removed – the modern way to do it is with the ssl parameter on the listen directive, which the configuration here is also using – but it’s not doing any harm.


#6

I also don’t get how you ran a standalone server (while nginx was running):

Or did you stop nginx at some point?


#7

Yes, I did, I also cleared all my caches.


#8

Thank you for all your replies. Yes, I did all I could, like clearing the browser caches, trying different browsers, running ipconfig /flushdns, restarting nginx or even rebooting the server, but none of it helped.

I found a tricky thing just now. I connected to my VPN by chance, visited the domain, and it worked!!! That is magic!!! But with my own network, it never works. So my question is, could my problem be something with my network provider?

I tried curl on both my server and my end, and the results are totally different. The server works as expected, while my end says curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

BTW, I’m in China.


#9

I transferred my website to a fresh new server and set up the certificate with Certbot this afternoon, but with no luck. Transferred it back now.

Is there any further step I could take?


#10

Could anyone help further?


#11

Probably, since it works for everyone else.

The other possibility is that it is due to the IPv6 address of your domain, which does not have a web server listening on it: https://letsdebug.net/dev.dagoutime.com/21834
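The dual-stack check that #3 and #11 describe (AAAA record published, but nothing listening on the IPv6 address), as an added example and not code from this thread or from letsdebug: it resolves every A/AAAA address of a name and reports, per address, whether a TCP connect succeeds and whether a verified TLS handshake completes. The hostname and port are plain arguments; the thread's domain is only the default.

```python
import socket
import ssl
import sys


def tcp_probe(address, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for one address."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
            return "open"
    except ConnectionRefusedError:
        return "refused"          # e.g. an AAAA address with no "listen [::]:443 ssl;"
    except socket.timeout:
        return "timeout"          # filtered, or a path that silently drops packets
    except OSError:
        return "unreachable"      # no route, address family unsupported, etc.


def tls_probe(hostname, address, port, timeout=5.0):
    """Handshake with SNI and certificate verification; 'ok (...)' or a short error."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    ctx = ssl.create_default_context()
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect((address, port))
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return f"ok ({tls.version()})"
    except ssl.SSLCertVerificationError as e:
        return f"cert error: {e.verify_message}"
    except (ssl.SSLError, OSError) as e:
        return f"failed: {e}"


def check_host(hostname, port=443):
    """Probe every A/AAAA address of hostname; returns one result dict per address."""
    results, seen = [], set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM):
        address = sockaddr[0]
        if address in seen:
            continue
        seen.add(address)
        tcp = tcp_probe(address, port)
        tls = tls_probe(hostname, address, port) if tcp == "open" else "skipped"
        results.append({"family": "IPv6" if family == socket.AF_INET6 else "IPv4",
                        "address": address, "tcp": tcp, "tls": tls})
    return results


if __name__ == "__main__":
    for r in check_host(sys.argv[1] if len(sys.argv) > 1 else "dev.dagoutime.com"):
        print(f"{r['family']:4} {r['address']:40} tcp={r['tcp']:11} tls={r['tls']}")
```

Run it from both the server and the affected client: a "refused" on every IPv6 row with "ok" on IPv4 matches the missing listen directives, while "failed" only from one network points at something on the path rather than at nginx.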