My certs have expired. What do I have to do to rescue them?


#1

Hi everybody,

My domain techpush.xyz points to an Ubuntu 16.04 based server located at Digital Ocean. It’s a small website built with Node.js 7.3.0, MongoDB v3.2.8, and nginx/1.10.0.

3 months ago I followed the tutorial “How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04” and successfully configured my first SSL certificate. The domain with HTTPS works like a charm.

But today it has expired. Here is the scan result from SSLLabs:


I’ve tried to renew; here is the error reported:


It also printed out:

  IMPORTANT NOTES:
   - The following errors were reported by the server:

     Domain: techpush.xyz
     Type:   unauthorized
     Detail: Invalid response from http://techpush.xyz/.well-known/acme-
     challenge/SvC3fLieF3tHbCRCx0FQ3Ay5hEQcp4fUqCzNBo2s9z8: "<html>
     <head><title>502 Bad Gateway</title></head>
     <body bgcolor="white">
     <center><h1>502 Bad Gateway</h1></center>
     <hr><cen"
     
     To fix these errors, please make sure that your domain name was
     entered correctly and the DNS A record(s) for that domain
     contain(s) the right IP address.

I’ve tried to change the nginx config file to enable HTTP for techpush.xyz, but I got the same result. It said it could not access the website.

I’ve tried to generate new certificates and repeat the same steps as 3 months ago. Nothing changes.

Please give me some advice. What should I do to get it working again?

Thank you,
Dong


#2

Your site is redirecting non-HTTPS traffic to HTTPS. And for some reason, your HTTPS site is broken. Not sure why.

If you’d disable your redirect, it should be possible to renew the certificate.


#3

If you can afford 1 minute of downtime – the fastest way to reissue the cert would be to turn nginx off, run certbot in standalone mode to renew, then turn nginx back on again. Then you can work on fixing the server’s routing of http/https.


#4

Thank you all. I think the problem has just been resolved:

Hope that it works again in a few hours.


#5

Hah, it worked for me now. That’s really cool. Thank you all again. Also thank you so much Let’s Encrypt team.

So here is my conclusion:

  • Once the cert expires, you just need to reconfigure the domain to get it working as normal without HTTPS
  • Do renew using “sudo letsencrypt renew” command
  • If everything is ok, restore the previous domain config. It would work.

Cert fails on creation. Open port 80 for the letsencrypt user agent or IP?
#6

Do I really have to reset the whole domain to port 80? Aren’t there any User-Agent tags to let it open only for the bot? Google punishes us if we are not available on 443 first.


#7

Hi @ortreum

You may be better opening a new topic with your issue and details, rather than hijacking an existing thread.

Google does not punish for having port 80 available and redirecting to port 443, as far as I’m aware.
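As an added example (not from any poster in this thread): an nginx port-80 server block that keeps the HTTPS redirect for visitors but serves the ACME challenge directory straight from disk, so the HTTP-01 validation in the original post gets the token rather than a redirect or the backend’s 502 page, and `sudo letsencrypt renew` with the webroot authenticator can complete without turning port 80 off. The webroot path /var/www/letsencrypt is an assumption; use whatever path is configured for the webroot plugin.

```nginx
# Added example, not taken from the thread. Assumes the letsencrypt/certbot
# webroot authenticator writes challenge files under /var/www/letsencrypt
# (an assumed path); adjust it to the webroot path used at issuance.
server {
    listen 80;
    listen [::]:80;
    server_name techpush.xyz;

    # Serve ACME HTTP-01 tokens directly. This location must take priority
    # over the catch-all below and must NOT be proxied to the Node.js
    # backend, otherwise the validator receives the backend's error page
    # (the 502 Bad Gateway shown in the original post) instead of the token.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else keeps redirecting to HTTPS, so leaving port 80 open
    # does not serve the site itself over plain HTTP.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `nginx -t` and a reload, confirm the path works before renewing: place a test file under /var/www/letsencrypt/.well-known/acme-challenge/ and check with curl that plain HTTP returns it with status 200 and no redirect.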


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.