Newbie problem with expanding the certificate

hkim009 · February 8, 2019, 4:05pm

Probably messed up something since it is not working. I have entered this in my nginx config:

server {

    #
 listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
index index.html index.htm index.nginx-debian.html;
server_name psykolog.nu www.psykolog.nu; # managed by Certbot


ssl_certificate /etc/letsencrypt/live/psykolog.nu-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/psykolog.nu-0001/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

And I reloaded my server

service nginx restart

hkim009 · February 8, 2019, 4:06pm

Thank you. I cleaned up the /psykolog.nu/ files in archive, live and renewal. No more errors when I enter

certbot certificates

JuergenAuer · February 8, 2019, 4:07pm

Then you have more then one server with this server-name. Or your default server is used.

So check which certificate your default server is using.

hkim009 · February 8, 2019, 4:08pm

Strange thing when I type curl -v https://psykolog.nu:

curl -v https://psykolog.nu

Rebuilt URL to: https://psykolog.nu/
Trying 127.0.0.1…
TCP_NODELAY set
Connected to psykolog.nu (127.0.0.1) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs

and when I enter curl -v https://www.psykolog.nu:

curl -v https://www.psykolog.nu

Rebuilt URL to: https://www.psykolog.nu/
Trying 178.79.154.124…
TCP_NODELAY set
Connected to www.psykolog.nu (178.79.154.124) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs

why not 127.0.0.1 for https://www.psykolog.nu as well?

hkim009 · February 8, 2019, 4:09pm

Only got one server. So should I change this line?

mnordhoff · February 8, 2019, 4:15pm

What certificate(s) does “certbot certificates” show now?

JuergenAuer · February 8, 2019, 4:18pm

You must have a second server config. If you change your certificate and if my browser can't see it, then it isn't used -> second config, perhaps the default config without a server-name.

JuergenAuer · February 8, 2019, 4:21pm

What’s that?

I see, you have rechecked your domain via https://check-your-website.server-daten.de/?q=psykolog.nu

There is this (Html-content):

link
	stylesheet
	https://psykolog.nu/wp-content/plugins/cmp-coming-soon-maintenance/css/animate.min.css

Is there a Wordpress? Perhaps there is the second server.

hkim009 · February 8, 2019, 4:52pm

Yes. I have a nginx webserver and a wordpress installation.

hkim009 · February 8, 2019, 4:52pm

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: psykolog.nu-0001
Domains: psykolog.nu www.psykolog.nu
Expiry Date: 2019-05-08 19:49:33+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/psykolog.nu-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/psykolog.nu-0001/privkey.pem

hkim009 · February 8, 2019, 5:31pm

I’m using Easy Engine 4. From what I understand ee4 uses nginx proxy. Could this problem be due to this? That I have to edit the default.conf file of the nginx-proxy? The server block in that file only defines psykolog.nu and not www.psykolog.nu.

rg305 · February 8, 2019, 5:49pm

That is a DNS issue.
Check your /etc/hosts file.

hkim009 · February 8, 2019, 5:51pm

Nope too early. That fixed the curl issues though.

curl -v https://www.psykolog.nu

Rebuilt URL to: https://www.psykolog.nu/

Trying 127.0.0.1...
TCP_NODELAY set
Connected to www.psykolog.nu (127.0.0.1) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
(304) (OUT), TLS handshake, Client hello (1):
(304) (IN), TLS handshake, Server hello (2):
(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, Unknown (8):
(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, Certificate (11):
(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, CERT verify (15):
(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, Finished (20):
(304) (OUT), TLS change cipher, Client hello (1):
(304) (OUT), TLS Unknown, Certificate Status (22):
(304) (OUT), TLS handshake, Finished (20):
SSL connection using unknown / TLS_AES_256_GCM_SHA384
ALPN, server accepted to use http/1.1
Server certificate:
subject: CN=psykolog.nu
start date: Feb 7 19:49:33 2019 GMT
expire date: May 8 19:49:33 2019 GMT
subjectAltName: host "www.psykolog.nu" matched cert's "www.psykolog.nu"
issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
SSL certificate verify ok.
(304) (OUT), TLS Unknown, Unknown (23):

GET / HTTP/1.1
Host: www.psykolog.nu
User-Agent: curl/7.58.0
Accept: /

(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, Newsession Ticket (4):
(304) (IN), TLS Unknown, Certificate Status (22):
(304) (IN), TLS handshake, Newsession Ticket (4):
(304) (IN), TLS Unknown, Unknown (23):
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 08 Feb 2019 18:00:14 GMT
< Content-Type: text/html
< Content-Length: 194
< Connection: keep-alive
< Location: https://psykolog.nu/
<

301 Moved Permanently

nginx/1.14.0 (Ubuntu) * Connection #0 to host www.psykolog.nu left intact

curl -v http://www.psykolog.nu

Rebuilt URL to: http://www.psykolog.nu/
Trying 127.0.0.1...
TCP_NODELAY set
Connected to www.psykolog.nu (127.0.0.1) port 80 (#0)

GET / HTTP/1.1
Host: www.psykolog.nu
User-Agent: curl/7.58.0
Accept: /

< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 08 Feb 2019 18:00:42 GMT
< Content-Type: text/html
< Content-Length: 194
< Connection: keep-alive
< Location: https://psykolog.nu/
<

301 Moved Permanently

nginx/1.14.0 (Ubuntu) * Connection #0 to host www.psykolog.nu left intact

Shouldn't this mean that this is fixed? But SSL-Checker and Check-your-website.server-daten.de still reports 503 error and certificate mismatch. And of course, if I enter http:// and https://www.psykolog.nu I still get errors on the webbrowser...

JuergenAuer · February 8, 2019, 5:51pm

That's the problem: The individual vHost isn't used, instead the default config is used.

JuergenAuer · February 8, 2019, 6:26pm

No, it isn't fixed. Your https + non www uses the certificate with one domain name.

And your https + www has the wrong certificate.

But if you have two vHosts with the same server name, only one is used. So change the SSL configuration of that vHost.

JuergenAuer · February 8, 2019, 6:47pm

I see, you have rechecked your domain ( https://check-your-website.server-daten.de/?q=psykolog.nu ):

Now it’s fixed:

Both connections use the same certificate with both domain names:

CN=psykolog.nu
	07.02.2019
	08.05.2019
	psykolog.nu, www.psykolog.nu - 2 entries

Now fix your http + www - 503 error.

Perhaps there is the same - no server defined.

hkim009 · February 8, 2019, 6:48pm

I got this working now - I think. For some reason the certs for nginx-proxy was not updated. After updating this www.psykolog.nu is working as it should.

Thank you all for your help!

hkim009 · February 8, 2019, 6:48pm

Yeah. I do not get this. But this must be a nginx configuration error?

JuergenAuer · February 8, 2019, 6:50pm

Yes. This nginx-proxy must handle that correct.

Check the port 80 definition of this proxy, if there the www version is defined.

hkim009 · February 9, 2019, 10:54pm

I have now fixed the last 503 error. It was nginx-proxy related: I had to create a file under /opt/easyengine/services/nginx-proxy/conf.d with the specific www.psykolog.nu-redirect.conf with a server block:

server {
listen 80;
server_name www.psykolog.nu;
return 301 $host$request_uri;
}

to get that last error fixed.

Thank you all for your help!