Newbie problem with expanding the certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: psykolog.nu

I ran this command: curl -v https://psykolog.nu

It produced this output:

t# curl -v https://psykolog.nu

* Rebuilt URL to: https://psykolog.nu/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to psykolog.nu (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to psykolog.nu:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to psykolog.nu:443

My web server is (include version): Nginx 1.14.0

The operating system my web server runs on is (include version):
Ubuntu 18.04 LTS
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No, but I am using Easy Engine 4

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot 0.28.0

I’ve created my site using Easy Engine 4. Everything seems to be fine, but it seems that my certificate only includes ‘psykolog.nu’ and not ‘www.psykolog.nu’. From the error curl is displaying, it may also be some other misconfiguration in the nginx config?

I tried to expand the certificate to include www.psykolog.nu with:

certbot --webroot -w /webroot_folder/ certonly -d psykolog.nu -d www.psykolog.nu

but it results in the following error:

An unexpected error occurred:
There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: psykolog.nu,www.psykolog.nu: see https://letsencrypt.org/docs/rate-limits/

Looking at https://tools.letsdebug.net/cert-search?m=domain&q=psykolog.nu&d=168 verifies that I indeed have created too many duplicates.

I can try again tomorrow (when the certificate can be issued again due to the rate limit), but am I doing it right regarding the certbot command? Will this remove the error I get when I run curl -v https://psykolog.nu?


#2

I have no idea why you’re getting that error, but my curl works perfectly and when I surf to your site with Chromium, I’m not getting any error either.

Seems to me, everything works just fine.


#3

Yes. I edited my nginx.conf file. I had too many server blocks defined. Now curl -v https://psykolog.nu works as it should.

Now the only issue left is to get www.psykolog.nu included in the same certificate? What I have done is to redirect all www.psykolog.nu to psykolog.nu via nginx.conf. Do I then really have to include www.psykolog.nu in the certificate?


#4

Perhaps Server_Name psykolog.nu is NOT bound to 127.0.0.1:443
[but to some real IP:443 instead]

If so, these could produce two different results:
openssl s_client -connect 127.0.0.1:443 -servername psykolog.nu
openssl s_client -connect [use-real-IP]:443 -servername psykolog.nu


#5

openssl s_client -connect 178.79.154.124:443 -servername psykolog.nu
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = psykolog.nu
verify return:1

Certificate chain
0 s:CN = psykolog.nu
i:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
1 s:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3

openssl s_client -connect 127.0.0.1:443 -servername psykolog.nu
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = psykolog.nu
verify return:1

Certificate chain
0 s:CN = psykolog.nu
i:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
1 s:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3


#6

Ok so they use the same cert…
But they don’t serve the same content?
[maybe this problem you have already fixed]

I would say yes.
Some people always automatically type in the “www” when going to sites.
For those, not including the “www” in your cert may create a security blocked page.

It is easy to include the name in the config and in the cert.

Unfortunately you tried too many times before, so you may have to wait a week for it to reset:

OR maybe find and use one of the certs already issued:
Please show the output of:
certbot certificates


#7

Hi @hkim009

yes, you should include the www version.

The browser first connects to your website, then a valid certificate is required. After that comes the redirect.

And your www-version doesn’t work ( https://check-your-website.server-daten.de/?q=psykolog.nu ):

Domainname (IP) | Http-Status | redirect | Sec. | G
http://psykolog.nu/ (178.79.154.124) | 301 | https://psykolog.nu/ | 0.043 | A
http://www.psykolog.nu/ (178.79.154.124) | 503 Service Temporarily Unavailable | | 0.044 | S
https://psykolog.nu/ (178.79.154.124) | 200 | | 5.517 | A
https://www.psykolog.nu/ (178.79.154.124) | 200 | | 5.273 | N (Certificate error: RemoteCertificateNameMismatch)
http://psykolog.nu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (178.79.154.124) | 301 | https://psykolog.nu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.046 | A
http://www.psykolog.nu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (178.79.154.124) | 503 Service Temporarily Unavailable | | 0.043 | S
https://psykolog.nu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 404 Not Found | | 5.230 | A

And your http + www throws a 503, this isn’t good.

There are always different users. Some never add www, some always use www.

So a website should always have http + non-www, http + www and both https versions.
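The mismatch the checker reports for https://www.psykolog.nu is the browser verifying the certificate before any redirect can happen. Here is an added example (not from this thread) that reproduces that check from Python: it connects to a given IP with a given SNI name and reports whether the served certificate's subjectAltName list covers that name; the pure matching function is separate so it can be exercised offline. Host names and IPs in main() are the ones from the thread; the network call needs Internet access.

```python
import socket
import ssl

# Added example (not from the thread): check whether the certificate a server
# presents for a given SNI name actually lists the hostname we expect.
# Names and IPs in main() are the ones discussed in this thread.

def san_covers(san_entries, hostname):
    """Return True if any DNS SAN entry matches hostname.

    san_entries is the list of ('DNS', name) tuples that
    ssl.SSLSocket.getpeercert() reports under 'subjectAltName'.
    Only a single leftmost wildcard label is honoured, as browsers do.
    """
    host = hostname.lower().rstrip(".")
    for kind, name in san_entries:
        if kind != "DNS":
            continue
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # '*.example.com' matches 'www.example.com' but not
        # 'example.com' or 'a.b.example.com'.
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def probe(ip, servername, port=443, timeout=5):
    """Connect to ip with SNI=servername; return (ok, detail).

    ok is True when the chain verifies and the SAN list covers servername;
    detail is the SAN list, or the verification error text (the same
    condition the checker above reports as RemoteCertificateNameMismatch).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=servername) as tls:
                san = tls.getpeercert().get("subjectAltName", ())
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except OSError as exc:
        return False, str(exc)
    return san_covers(san, servername), san

if __name__ == "__main__":
    for name in ("psykolog.nu", "www.psykolog.nu"):
        for ip in ("127.0.0.1", "178.79.154.124"):
            print(ip, name, probe(ip, name))
```

Running it against both IPs with both names is the Python equivalent of the two openssl s_client commands suggested earlier in the thread, with the SAN check made explicit.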


#8

Thank you!

But, what is the correct procedure to remedy this?


#9

Find out why the 503 error occurs and correct that problem.


#10

You have one certificate with two domain names:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:psykolog.nu&lu=cert_search

So use that.

Why your server sends a 503? Check your logs.


#11

Regarding the 503 error, isn’t the probable cause the fact that I have not added www.psykolog.nu to the certificate? (I need to wait due to the rate limit.)

Or can this be due to nginx configuration error?


#12

Your port 80 has the 503, not your port 443.

You have already a certificate, so use that. Check your config with

certbot certificates

You don’t need to create a new certificate.

Rechecked your domain ( https://check-your-website.server-daten.de/?q=psykolog.nu ):

Domainname (IP) | Http-Status | redirect | Sec. | G
http://psykolog.nu/ (178.79.154.124) | 301 | https://psykolog.nu/ | 0.050 | A
http://www.psykolog.nu/ (178.79.154.124) | 503 Service Temporarily Unavailable | | 0.046 | S
https://psykolog.nu/ (178.79.154.124) | 200 | | 5.283 | A
https://www.psykolog.nu/ (178.79.154.124) | 200 | | 5.273 | N (Certificate error: RemoteCertificateNameMismatch)

Your non-www works, both https are working.


#13

PS:

Your VirtualHost should have two rows:

    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;

You need only to replace these rows with the lines

certbot certificates

shows for your certificates with both domain names -> reload nginx.


#14

Thank you for your help! :+1:

I did that and this was what I got:

root@localhost:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/psykolog.nu.conf produced an unexpected error: expected /etc/letsencrypt/live/psykolog.nu/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: psykolog.nu-0001
Domains: psykolog.nu www.psykolog.nu
Expiry Date: 2019-05-08 19:49:33+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/psykolog.nu-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/psykolog.nu-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/psykolog.nu.conf

From the letsencrypt.log:

2019-02-08 12:41:38,872:DEBUG:certbot.main:certbot version: 0.28.0
2019-02-08 12:41:38,873:DEBUG:certbot.main:Arguments:
2019-02-08 12:41:38,874:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntry$
2019-02-08 12:41:38,884:DEBUG:certbot.log:Root logging level set at 20
2019-02-08 12:41:38,885:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-08 12:41:38,889:WARNING:certbot.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/psykolog.$
2019-02-08 12:41:38,889:DEBUG:certbot.cert_manager:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/cert_manager.py", line 79, in certificates
renewal_candidate = storage.RenewableCert(renewal_file, config)
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 460, in __init__
self._check_symlinks()
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 519, in _check_symlinks
"expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/psykolog.nu/cert.pem to be a symlink


#15

Please post the output of "sudo ls -alR /etc/letsencrypt/{archive,live,renewal}/".

Did you delete or rename or modify anything in /etc/letsencrypt/?


#16

There are the two lines you need. This is a new certificate:

Expiry Date: 2019-05-08 19:49:33+00:00 (VALID: 89 days)

So use these two lines in your nginx-configuration. Then you have one certificate with both domain names.


#17

That may well be… It’s been a real mess and I have been a little bit crazy trying to correct this…

Here is the output:

root@localhost:/etc/nginx/sites-enabled# ls -alR /etc/letsencrypt/{archive,live,renewal}/
/etc/letsencrypt/archive/:
total 16
drwxr-xr-x 4 root root 4096 Feb 7 21:32 .
drwxr-xr-x 9 root root 4096 Feb 8 15:08 ..
drwxr-xr-x 2 root root 4096 Feb 4 22:59 psykolog.nu
drwxr-xr-x 2 root root 4096 Feb 7 20:49 psykolog.nu-0001

/etc/letsencrypt/archive/psykolog.nu:
total 24
drwxr-xr-x 2 root root 4096 Feb 4 22:59 .
drwxr-xr-x 4 root root 4096 Feb 7 21:32 ..
-rw-r--r-- 1 root root 1899 Feb 4 21:34 cert1.pem
-rw-r--r-- 1 root root 1647 Feb 4 21:34 chain1.pem
-rw-r--r-- 1 root root 3546 Feb 4 21:34 fullchain1.pem
-rw-r--r-- 1 root root 1704 Feb 4 21:34 privkey1.pem

/etc/letsencrypt/archive/psykolog.nu-0001:
total 40
drwxr-xr-x 2 root root 4096 Feb 7 20:49 .
drwxr-xr-x 4 root root 4096 Feb 7 21:32 ..
-rw-r--r-- 1 root root 1903 Feb 5 00:05 cert1.pem
-rw-r--r-- 1 root root 1923 Feb 7 20:49 cert2.pem
-rw-r--r-- 1 root root 1647 Feb 5 00:05 chain1.pem
-rw-r--r-- 1 root root 1647 Feb 7 20:49 chain2.pem
-rw-r--r-- 1 root root 3550 Feb 5 00:05 fullchain1.pem
-rw-r--r-- 1 root root 3570 Feb 7 20:49 fullchain2.pem
-rw-r--r-- 1 root root 1704 Feb 5 00:05 privkey1.pem
-rw-r--r-- 1 root root 1704 Feb 7 20:49 privkey2.pem

/etc/letsencrypt/live/:
total 20
drwxr-xr-x 4 root root 4096 Feb 7 21:31 .
drwxr-xr-x 9 root root 4096 Feb 8 15:08 ..
drwxr-xr-x 2 root root 4096 Feb 4 22:59 psykolog.nu
drwxr-xr-x 2 root root 4096 Feb 7 20:49 psykolog.nu-0001
-rw-r--r-- 1 root root 740 Feb 4 21:34 README

/etc/letsencrypt/live/psykolog.nu:
total 28
drwxr-xr-x 2 root root 4096 Feb 4 22:59 .
drwxr-xr-x 4 root root 4096 Feb 7 21:31 ..
-rw-r--r-- 1 root root 1899 Feb 4 21:34 cert.pem
-rw-r--r-- 1 root root 1647 Feb 4 21:34 chain.pem
-rw-r--r-- 1 root root 3546 Feb 4 21:34 fullchain.pem
-rw-r--r-- 1 root root 1704 Feb 4 21:34 privkey.pem
-rw-r--r-- 1 root root 692 Feb 4 21:34 README

/etc/letsencrypt/live/psykolog.nu-0001:
total 12
drwxr-xr-x 2 root root 4096 Feb 7 20:49 .
drwxr-xr-x 4 root root 4096 Feb 7 21:31 ..
lrwxrwxrwx 1 root root 40 Feb 7 20:49 cert.pem -> ../../archive/psykolog.nu-0001/cert2.pem
lrwxrwxrwx 1 root root 41 Feb 7 20:49 chain.pem -> ../../archive/psykolog.nu-0001/chain2.pem
lrwxrwxrwx 1 root root 45 Feb 7 20:49 fullchain.pem -> ../../archive/psykolog.nu-0001/fullchain2.pem
lrwxrwxrwx 1 root root 43 Feb 7 20:49 privkey.pem -> ../../archive/psykolog.nu-0001/privkey2.pem
-rw-r--r-- 1 root root 692 Feb 5 00:05 README

/etc/letsencrypt/renewal/:
total 16
drwxr-xr-x 2 root root 4096 Feb 7 21:31 .
drwxr-xr-x 9 root root 4096 Feb 8 15:08 ..
-rw-r--r-- 1 root root 577 Feb 7 20:49 psykolog.nu-0001.conf
-rw-r--r-- 1 root root 512 Feb 4 21:34 psykolog.nu.conf


#18

Those are supposed to be symlinks to files in ../../archive/psykolog.nu/. Similar to this:

Maybe they got converted from symlinks to files by some sort of copying or backup restoration procedure?

In any case, it’s your choice what to do next. You could replace the 4 files with 4 symlinks, or triple check your software isn’t still using that certificate and “sudo certbot delete --cert-name psykolog.nu” (if it works) or manually delete /etc/letsencrypt/archive/psykolog.nu/, /etc/letsencrypt/live/psykolog.nu/ and /etc/letsencrypt/renewal/psykolog.nu.conf.
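The "expected ... to be a symlink" error above is certbot refusing a lineage whose live/ entries are regular files instead of links into archive/. As an added example (not certbot's own code), the script below reproduces that check over a letsencrypt directory and, when asked, replaces each stray file with the same relative symlink certbot would have created, pointing at the highest-numbered archive copy. Directory layout and file names follow the ls output posted above; the command-line handling in main() is my own assumption.

```python
import re
from pathlib import Path

# Added example (not certbot's own code): reproduce the check that certbot's
# storage._check_symlinks performs on live/<lineage>/ and, optionally, turn
# stray regular files back into the relative symlinks certbot expects,
# pointing at the highest-numbered copy in archive/<lineage>/ (the layout
# shown in the ls output above).

LINK_NAMES = ("cert", "chain", "fullchain", "privkey")

def newest_archive_file(archive_dir, base):
    """Return e.g. 'cert2.pem' for the highest N among cert<N>.pem."""
    best = None
    for entry in Path(archive_dir).iterdir():
        m = re.fullmatch(rf"{base}(\d+)\.pem", entry.name)
        if m and (best is None or int(m.group(1)) > best[0]):
            best = (int(m.group(1)), entry.name)
    if best is None:
        raise FileNotFoundError(f"no {base}<N>.pem in {archive_dir}")
    return best[1]

def broken_links(letsencrypt_dir, lineage):
    """Names in live/<lineage>/ that are not symlinks: exactly what makes
    certbot report 'expected ... to be a symlink'."""
    live = Path(letsencrypt_dir) / "live" / lineage
    return [b for b in LINK_NAMES if not (live / f"{b}.pem").is_symlink()]

def repair_links(letsencrypt_dir, lineage):
    """Replace each non-symlink in live/<lineage>/ with the relative link
    certbot itself creates; returns the names that were fixed."""
    root = Path(letsencrypt_dir)
    live = root / "live" / lineage
    archive = root / "archive" / lineage
    fixed = []
    for base in broken_links(letsencrypt_dir, lineage):
        newest = newest_archive_file(archive, base)
        link = live / f"{base}.pem"
        if link.exists():
            link.unlink()  # drop the stray regular copy
        link.symlink_to(Path("..") / ".." / "archive" / lineage / newest)
        fixed.append(base)
    return fixed

if __name__ == "__main__":
    import sys  # assumed usage: script.py /etc/letsencrypt psykolog.nu [--fix]
    le_dir, name = sys.argv[1], sys.argv[2]
    print("not symlinks:", broken_links(le_dir, name))
    if "--fix" in sys.argv:
        print("repaired:", repair_links(le_dir, name))
```

Run it without --fix first; it only reports, and the repair needs root because it rewrites entries under /etc/letsencrypt/live/.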


#19

Done that. Same error prevails though.


#20

There

is the certificate with one domain name. So you didn’t do it correctly or you didn’t reload your server.