Newbie problem with expanding the certificate


#21

Probably messed up something since it is not working. I have entered this in my nginx config:

server {

    #
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    index index.html index.htm index.nginx-debian.html;
    server_name psykolog.nu www.psykolog.nu; # managed by Certbot

    ssl_certificate /etc/letsencrypt/live/psykolog.nu-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/psykolog.nu-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

And I reloaded my server

service nginx restart


#22

Thank you. I cleaned up the /psykolog.nu/ files in archive, live and renewal. No more errors when I enter

certbot certificates


#23

Then you have more than one server with this server name. Or your default server is used.

So check which certificate your default server is using.


#24

Strange thing when I type curl -v https://psykolog.nu:

curl -v https://psykolog.nu
* Rebuilt URL to: https://psykolog.nu/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to psykolog.nu (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs

and when I enter curl -v https://www.psykolog.nu:

curl -v https://www.psykolog.nu
* Rebuilt URL to: https://www.psykolog.nu/
*   Trying 178.79.154.124...
* TCP_NODELAY set
* Connected to www.psykolog.nu (178.79.154.124) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs

why not 127.0.0.1 for https://www.psykolog.nu as well?


#25

Only got one server. So should I change this line?


#26

What certificate(s) does “certbot certificates” show now?


#27

You must have a second server config. If you change your certificate and my browser can’t see it, then it isn’t used -> second config, perhaps the default config without a server name.


#28

What’s that?

I see, you have rechecked your domain via https://check-your-website.server-daten.de/?q=psykolog.nu

There is this (Html-content):

link
	stylesheet
	https://psykolog.nu/wp-content/plugins/cmp-coming-soon-maintenance/css/animate.min.css

Is there a WordPress? Perhaps that is where the second server is.


#29

Yes. I have an nginx web server and a WordPress installation.


#30

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: psykolog.nu-0001
    Domains: psykolog.nu www.psykolog.nu
    Expiry Date: 2019-05-08 19:49:33+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/psykolog.nu-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/psykolog.nu-0001/privkey.pem



#31

I’m using Easy Engine 4. From what I understand ee4 uses nginx proxy. Could this problem be due to this? That I have to edit the default.conf file of the nginx-proxy? The server block in that file only defines psykolog.nu and not www.psykolog.nu.


#32

That is a DNS issue.
Check your /etc/hosts file.


#33

Nope, too early. That fixed the curl issues, though.

curl -v https://www.psykolog.nu
* Rebuilt URL to: https://www.psykolog.nu/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to www.psykolog.nu (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS Unknown, Certificate Status (22):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS Unknown, Certificate Status (22):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS Unknown, Certificate Status (22):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS Unknown, Certificate Status (22):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS change cipher, Client hello (1):
* (304) (OUT), TLS Unknown, Certificate Status (22):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using unknown / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=psykolog.nu
*  start date: Feb  7 19:49:33 2019 GMT
*  expire date: May  8 19:49:33 2019 GMT
*  subjectAltName: host "www.psykolog.nu" matched cert's "www.psykolog.nu"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* (304) (OUT), TLS Unknown, Unknown (23):
> GET / HTTP/1.1
> Host: www.psykolog.nu
> User-Agent: curl/7.58.0
> Accept: */*
>
* (304) (IN), TLS Unknown, Certificate Status (22):
* (304) (IN), TLS handshake, Newsession Ticket (4):
* (304) (IN), TLS Unknown, Certificate Status (22):
* (304) (IN), TLS handshake, Newsession Ticket (4):
* (304) (IN), TLS Unknown, Unknown (23):
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 08 Feb 2019 18:00:14 GMT
< Content-Type: text/html
< Content-Length: 194
< Connection: keep-alive
< Location: https://psykolog.nu/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host www.psykolog.nu left intact

curl -v http://www.psykolog.nu
* Rebuilt URL to: http://www.psykolog.nu/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to www.psykolog.nu (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: www.psykolog.nu
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 08 Feb 2019 18:00:42 GMT
< Content-Type: text/html
< Content-Length: 194
< Connection: keep-alive
< Location: https://psykolog.nu/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host www.psykolog.nu left intact

Shouldn’t this mean that this is fixed? But SSL-Checker and check-your-website.server-daten.de still report a 503 error and a certificate mismatch. And of course, if I enter http:// and https://www.psykolog.nu I still get errors in the web browser…


#34

That’s the problem: The individual vHost isn’t used, instead the default config is used.


#35

No, it isn’t fixed. Your https + non www uses the certificate with one domain name.

And your https + www has the wrong certificate.

But if you have two vHosts with the same server name, only one is used. So change the SSL configuration of that vHost.
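
The point made in #23, #27 and #35 is that when two server blocks claim the same server_name on the same port, nginx silently uses only one of them (or the default server), so the certificate the browser sees is whatever that other block has. The following script is an added example, not code from this thread, from Certbot or from nginx: it parses `nginx -T` output and reports every name:port pair that is claimed by more than one server block, together with the ssl_certificate each block serves. The sample configuration embedded in it is constructed for the example; the second 443 block and its /etc/nginx/ssl paths are assumptions, not the poster's real files. The served_cert helper at the end needs network access and is not run by the script itself.

```shell
#!/bin/sh
# Added example (not from the thread, Certbot or nginx): find server_name values claimed by
# more than one server block on the same port, and show which ssl_certificate each block uses.
#
# Real usage against a live box:   nginx -T 2>/dev/null | vhost_report

vhost_report() {
  awk '
    { sub(/#.*/, "") }                                   # drop "# managed by Certbot" and other comments
    /^[ \t]*server[ \t]*[{]/ {                           # start of a server block
      inserver = 1; depth = 1; names = ""; cert = "(no ssl_certificate)"
      for (p in ports) delete ports[p]
      next
    }
    inserver {
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")       # follow nested blocks such as location { ... }
      if ($1 == "server_name")     { $1 = ""; sub(/;.*/, ""); names = names " " $0 }
      if ($1 == "ssl_certificate") { cert = $2; sub(/;$/, "", cert) }
      if ($1 == "listen")          { p = $2; sub(/;$/, "", p); sub(/.*:/, "", p); ports[p] = 1 }
      if (depth == 0) {                                  # block closed: record name:port -> cert
        inserver = 0
        n = split(names, nm, /[ \t]+/)
        for (p in ports) for (i = 1; i <= n; i++) if (nm[i] != "") {
          key = nm[i] ":" p
          count[key]++
          certs[key] = certs[key] " [" cert "]"
        }
      }
    }
    END { for (k in count) if (count[k] > 1) printf "DUPLICATE %s in %d blocks:%s\n", k, count[k], certs[k] }
  ' | sort
}

# Constructed sample in "nginx -T" style. The third block is an assumed second vhost of the
# kind the thread suspects (default_server with an older single-name certificate).
SAMPLE_CONF=$(cat <<'EOF'
server {
    listen 80;
    server_name psykolog.nu www.psykolog.nu;
    return 301 https://psykolog.nu$request_uri;
}
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    server_name psykolog.nu www.psykolog.nu; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/psykolog.nu-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/psykolog.nu-0001/privkey.pem; # managed by Certbot
    location / { try_files $uri $uri/ =404; }
}
server {
    listen 443 ssl default_server;
    server_name psykolog.nu;
    ssl_certificate /etc/nginx/ssl/psykolog.nu-old.pem;
    ssl_certificate_key /etc/nginx/ssl/psykolog.nu-old.key;
}
EOF
)

run_report() { printf '%s\n' "$SAMPLE_CONF" | vhost_report; }

# Live check (needs network; not executed here): which certificate does the server really hand
# out for a given SNI name? Run it for the www and the non-www name and compare, and pass the
# public IP as the second argument when /etc/hosts points the name at 127.0.0.1.
served_cert() {  # served_cert <hostname> [address-to-connect-to]
  printf '' | openssl s_client -servername "$1" -connect "${2:-$1}:443" 2>/dev/null \
    | openssl x509 -noout -text | grep -E 'Subject:|DNS:|Not (Before|After)'
}

run_report
```

On the sample this prints one line naming psykolog.nu:443 with both certificate paths; www.psykolog.nu:443 is not reported because only one block claims it. A port-80 and a port-443 block for the same name is normal and is deliberately not flagged, since nginx only arbitrates between blocks on the same listen port.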


#36

I see, you have rechecked your domain ( https://check-your-website.server-daten.de/?q=psykolog.nu ):

Now it’s fixed:

Both connections use the same certificate with both domain names:

CN=psykolog.nu
	07.02.2019
	08.05.2019
	psykolog.nu, www.psykolog.nu - 2 entries

Now fix your http + www - 503 error.

Perhaps there is the same - no server defined.


#37

I got this working now - I think. For some reason the certs for nginx-proxy were not updated. After updating them, www.psykolog.nu is working as it should.

Thank you all for your help!


#38

Yeah. I do not get this. But this must be a nginx configuration error?


#39

Yes. This nginx-proxy must handle that correctly.

Check the port 80 definition of this proxy, whether the www version is defined there.


#40

I have now fixed the last 503 error. It was nginx-proxy related: I had to create a file, www.psykolog.nu-redirect.conf, under /opt/easyengine/services/nginx-proxy/conf.d with a server block:

server {
    listen 80;
    server_name www.psykolog.nu;
    # the redirect target needs a scheme: without "https://" nginx sends a relative Location header
    return 301 https://$host$request_uri;
}

to get that last error fixed.

Thank you all for your help!
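
The redirect block in #40 has one subtle failure mode worth checking for in any proxy or vhost config: nginx copies the argument of `return 301 ...` verbatim into the Location header, so a target without a scheme (for example `$host$request_uri`) becomes a relative path that browsers resolve against the current http:// origin instead of sending the client to the https site. The following script is an added example, not code from this thread or from EasyEngine; it scans a config for `return 30x` directives whose target lacks a scheme. The three server blocks embedded in it are constructed for the example and are not the poster's actual files.

```shell
#!/bin/sh
# Added example (not from the thread or EasyEngine): flag "return 30x" directives whose target
# has no scheme. nginx emits the return argument verbatim as the Location header, so
#     return 301 $host$request_uri;
# yields "Location: www.psykolog.nu/", which a client treats as a relative path.
#
# Real usage:   nginx -T 2>/dev/null | bad_redirect_targets

bad_redirect_targets() {
  awk '
    { sub(/#.*/, "") }                                  # ignore comments
    $1 == "return" && $2 ~ /^30[1278]$/ {
      target = $3; sub(/;$/, "", target); gsub(/"/, "", target)
      # accept absolute http(s) URLs and $scheme:// (note: $scheme keeps http on a port-80
      # listener, so it is only right when forcing https is not the goal)
      if (target !~ /^(https?:\/\/|\$scheme:\/\/)/) printf "line %d: %s %s %s\n", NR, $1, $2, $3
    }
  '
}

# Constructed sample: the first block reproduces the schemeless form, the other two are fine.
SAMPLE_PROXY_CONF=$(cat <<'EOF'
server {
    listen 80;
    server_name www.psykolog.nu;
    # broken: no scheme, so the Location header is a relative path
    return 301 $host$request_uri;
}
server {
    listen 80;
    server_name psykolog.nu;
    return 301 https://psykolog.nu$request_uri;
}
server {
    listen 443 ssl;
    server_name www.psykolog.nu;
    return 301 "https://psykolog.nu$request_uri";
}
EOF
)

check_sample_redirects() { printf '%s\n' "$SAMPLE_PROXY_CONF" | bad_redirect_targets; }

check_sample_redirects
```

Run against the sample it reports only the first block's directive (line 5). After changing a redirect, the quickest live confirmation is `curl -sI http://www.psykolog.nu | grep -i '^location:'`, which must show an absolute https:// URL.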