HTTPS failed after I renew my SSL

I was trying to renew my SSL certificate with letsencrypt renew using Certbot v0.28.0. However, SSL broke after the renewal.

I even tried revoking and deleting my current certificate and re-fetching it, and the message looks like it succeeded, but I still cannot use HTTPS for some reason.

root@linode:/home/billdagou# letsencrypt certonly -d dev.dagoutime.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dev.dagoutime.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/dev.dagoutime.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/dev.dagoutime.com/privkey.pem
    Your cert will expire on 2019-05-05. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

I also checked my Nginx configuration, but didn't find anything incorrect.

server {
        listen 80;
        server_name dev.dagoutime.com;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl;
        server_name dev.dagoutime.com;
        ......
        ssl on;
        ssl_certificate /etc/letsencrypt/live/dev.dagoutime.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dev.dagoutime.com/privkey.pem;
        ......
}

Any suggestion is appreciated!

My domain is: dev.dagoutime.com

I ran this command: letsencrypt renew

It produced this output: See description above.

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0

If you haven’t already, try re-opening your browser tab that contains the website. Some browsers have a bad habit of keeping around stale SSL errors.

What error message are you getting?

I can connect to http://dev.dagoutime.com/ and https://dev.dagoutime.com/ using IPv4.

IPv6 results in “Connection refused” because the server blocks don’t have “listen [::]:80;” or “listen [::]:443 ssl;”.

That needs to be fixed, but most clients will work anyway (possibly slowly).

Please explain this or give more detail on:

This all looks good:

EXCEPT:

I've never seen that used anywhere.

You should try checking the nginx config with:
nginx -t

“ssl on;” is deprecated and can be removed – the modern way to do it is with the ssl parameter on the listen directive, which the configuration here is also using – but it’s not doing any harm.

I also don't get how you ran a standalone server (while nginx was running):

Or did you stop nginx at some point?
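A small checker for the two configuration points raised in the replies above (server blocks that listen only on IPv4, and the deprecated “ssl on;” directive), written as an added example; it is not code from this thread, from Certbot or from nginx. The two configurations embedded in it are constructed: the first mirrors the shape of the config posted in the question with a placeholder hostname, the second is the same config with both points addressed.

```python
import re

# Constructed sample, shaped like the config posted in this thread
# (placeholder hostname; the real config is not reproduced here).
SAMPLE_CONF = """
server {
    listen 80;
    server_name dev.example.test;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name dev.example.test;
    ssl on;   # deprecated directive
    ssl_certificate     /etc/letsencrypt/live/dev.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.example.test/privkey.pem;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""

# The same constructed configuration with IPv6 listeners added and 'ssl on;' removed.
FIXED_CONF = """
server {
    listen 80;
    listen [::]:80;
    server_name dev.example.test;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name dev.example.test;
    ssl_certificate     /etc/letsencrypt/live/dev.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.example.test/privkey.pem;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""


def server_blocks(conf):
    """Return the body text of every top-level server { ... } block."""
    text = re.sub(r"#.*", "", conf)          # drop comments
    bodies, pos = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", text[pos:])
        if not m:
            return bodies
        start = pos + m.end()
        depth, i = 1, start
        while i < len(text) and depth:       # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies.append(text[start:i - 1])
        pos = i


def parse_listen(args):
    """Turn the arguments of one listen directive into (family, port, ssl)."""
    tokens = args.split()
    addr = tokens[0]
    if addr.startswith("["):                 # [::]:443 or bare [::]
        family = "ipv6"
        port = addr.split("]:", 1)[1] if "]:" in addr else "80"
    elif addr.isdigit():                     # bare port: listen 80;
        family, port = "ipv4", addr
    else:                                    # 0.0.0.0:80, *:80 or a bare address
        family = "ipv4"
        port = addr.rsplit(":", 1)[1] if ":" in addr else "80"
    return family, int(port), "ssl" in tokens[1:]


def audit(conf):
    """Return (server_name, finding) pairs for IPv4-only listeners and 'ssl on;'."""
    findings = []
    for body in server_blocks(conf):
        m = re.search(r"\bserver_name\s+([^;]+);", body)
        name = m.group(1).strip() if m else "<unnamed>"
        listens = [parse_listen(a) for a in re.findall(r"\blisten\s+([^;]+);", body)]
        v4 = {p for fam, p, _ in listens if fam == "ipv4"}
        v6 = {p for fam, p, _ in listens if fam == "ipv6"}
        ssl_ports = {p for _, p, ssl in listens if ssl}
        # nginx binds IPv6 only when a [::] listen is present, so an IPv4-only
        # port is exactly the "Connection refused over IPv6" case from the thread.
        for port in sorted(v4 - v6):
            suffix = " ssl" if port in ssl_ports else ""
            findings.append((name, f"port {port} is IPv4-only; add 'listen [::]:{port}{suffix};'"))
        if re.search(r"\bssl\s+on\s*;", body):
            findings.append((name, "'ssl on;' is deprecated; keep the ssl parameter on listen instead"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONF):
        print(f"{name}: {finding}")
    print("fixed config findings:", audit(FIXED_CONF))
```

Run it against a real config by reading the file into a string and passing it to audit(); the parser is deliberately minimal (comments, nested location blocks and the common listen forms), so still confirm syntax with nginx -t as the reply suggests.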

Yes, I did, I also cleared all my caches.

Thank you for all your replies. Yes, I did all I could, like clearing the browser caches, trying different browsers, running ipconfig /flushdns, restarting nginx or even rebooting the server, but none of it helped.

I found a tricky thing just now. I connected to my VPN by chance, visited the domain, and it worked!!! That is magic!!! But with my own network, it never works. So, my question is: could my problem be something with my network provider?

I tried curl on both my server and my end, and the results are totally different. The server works as expected, while my end says curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

BTW, I’m in China.

I transferred my website to a brand new server and set up the certificate with Certbot this afternoon, but with no luck. Transferred it back now.

Is there any further step I could take?

Could anyone help further?

Probably, since it works for everyone else.

The other possibility is that it is due to the IPv6 address of your domain, which does not have a web server listening on it: Let's Debug
