Been googling for a half-hour without any real leads. Any suggestions? Thank you.
More info:
My domain is: jetforme.org
I ran this command: curl -v https://jetforme.org
It produced this output:
* Rebuilt URL to: https://jetforme.org/
* Trying 138.68.23.55...
* TCP_NODELAY set
* Connected to jetforme.org (138.68.23.55) port 443 (#0)
* SSL certificate problem: Invalid certificate chain
* Curl_http_done: called premature == 1
* Closing connection 0
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
My web server is (include version): nginx/1.10.0
The operating system my web server runs on is (include version): Ubuntu 16.04.2
My hosting provider, if applicable, is: Digital Ocean
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The certificate being presented by that site is 03:bc:a3:e3:f7:54:0e:04:3b:8e:80:68:29:1a:22:52:ea:8c, does this match what you expect? I think you may need to restart/reload nginx - it’s probably still using the old cert sitting in memory.
# openssl x509 -in test.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:bc:a3:e3:f7:54:0e:04:3b:8e:80:68:29:1a:22:52:ea:8c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Mar 22 04:39:00 2017 GMT
Not After : Jun 20 04:39:00 2017 GMT
Subject: CN=jetforme.org
Oh! Well, I’m an idiot, then. The auto renewal is happening, as the certs on disk are correct, but you’re right, Nginx wasn’t restarted. I gotta go find the docs on how to get it to reload the certs after renewal. Thank you.!
I can save you a little time: Either switch to using the Nginx authenticator (--nginx), which will automatically reload for you, or add --renew-hook "service nginx reload" to your Certbot command. I’ve definitely had the same mistake on some of my own servers, so you shouldn’t feel like an idiot.