Nginx + LetsEncrypt + not working

My domain is: and
My web server is (include version): Ubuntu 18.04 LTS and Ubuntu 20.04 LTS
The command line I run: 'sudo certbot --nginx -d' and 'sudo certbot --nginx -d'
I can login to a root shell on my machine (yes or no, or I don't know): YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): tried with certbot 0.31.0 and certbot 0.40.0

Hello everybody,

I have a web api using NodeJS server (FeathersJS) after an Nginx proxy on my server and use on browsers and desktop clients to access the API.

Since 2 days ago, my web app was working properly, and all desktop app clients also using to connect to the API were working properly, but suddenly, 2 days ago, all desktop clients were unable to connect to the API through The odd thing is that browser clients are still working properly...

After lots of tests with the "production" server I decided to start again from scratch and installed a new server to see which step or configuration was failing...

Each step seemed to work properly, but after installing LetsEncrypt certificate and changing client app (desktop) to use HTTPS, then the clients are not connecting anymore.

I've been 2 days debugging and changing parameters, but nothing seems to be working.

After a lot of tests I've concluded that there must be something wrong with the LetsEncrypt certificate because adding 'rejectUnauthorized: false' flag when creating the client makes the client work using HTTPS, otherwise it is not connecting, and according to documentation (Troubleshooting connection issues | Socket.IO) this problem is most likely due to an invalid SSL certificate.

Also, debugging NodeJS server, connections from desktop clients never reach the server and Nginx debug log throws errors after each client connection retry:

2021/10/02 10:41:20 [debug] 11001#11001: accept on, ready: 0
2021/10/02 10:41:20 [debug] 11001#11001: posix_memalign: 000055A8C07CFA30:512 @16
2021/10/02 10:41:20 [debug] 11001#11001: *188 accept: fd:15
2021/10/02 10:41:20 [debug] 11001#11001: *188 event timer add: 15: 60000:46471214
2021/10/02 10:41:20 [debug] 11001#11001: *188 reusable connection: 1
2021/10/02 10:41:20 [debug] 11001#11001: *188 epoll add event: fd:15 op:1 ev:80002001
2021/10/02 10:41:20 [debug] 11001#11001: *188 http check ssl handshake
2021/10/02 10:41:20 [debug] 11001#11001: *188 http recv(): 1
2021/10/02 10:41:20 [debug] 11001#11001: *188 https ssl handshake: 0x16
2021/10/02 10:41:20 [debug] 11001#11001: *188 tcp_nodelay
2021/10/02 10:41:20 [debug] 11001#11001: *188 reusable connection: 0
2021/10/02 10:41:20 [debug] 11001#11001: *188 SSL server name: ""
2021/10/02 10:41:20 [debug] 11001#11001: *188 SSL_do_handshake: -1
2021/10/02 10:41:20 [debug] 11001#11001: *188 SSL_get_error: 2
2021/10/02 10:41:20 [debug] 11001#11001: *188 SSL handshake handler: 0
2021/10/02 10:41:20 [debug] 11001#11001: *188 SSL_do_handshake: -1
2021/10/02 10:41:20 [debug] 11001#11001: *188 SSL_get_error: 5
2021/10/02 10:41:20 [info] 11001#11001: *188 peer closed connection in SSL handshake while SSL handshaking, client:, server:
2021/10/02 10:41:20 [debug] 11001#11001: *188 close http connection: 15
2021/10/02 10:41:20 [debug] 11001#11001: *188 event timer del: 15: 46471214
2021/10/02 10:41:20 [debug] 11001#11001: *188 reusable connection: 0
2021/10/02 10:41:20 [debug] 11001#11001: *188 free: 000055A8C07CFA30, unused: 104

I cannot change all desktop clients and add the 'rejectUnauthorized: false' flag because it is not recommended for production and also I've lots of desktop clients which I cannot access (and also everything was working properly 2 days before and I haven't changed anything from server nor clients...)

Is there anyone that has any clue on how to solve this problem?

Thank you!


Hi @jordiblanchcarles, welcome to the LE community forum

Yes, there is plenty here on that topic.
I won't make you look for it - LOL

Your site is serving the default trusted path, which ends with the cross-signed "ISRG Root X1" cert that links to "DST Root CA X3" (recently expired).
This path was specifically chosen to allow older Android devices (who don't care about root cert expiry dates) to continue to connect securely (well past their supported lifecycles).
If you don't need to support any old Android devices OR your need to fix the broken ones outweighs that need, then you can simply switch the trusted path being served by:

  • automated fashion: reissue your cert with the --preferred-chain "ISRG Root X1" selection
    note: this requires certbot 1.12 (or higher) or using another ACME client compatible with that selection
  • manual fashion: remove the last cert from the fullchain.pem file
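
The manual option from the answer above, as an added shell example (not part of the original posts): it prints a PEM chain file without its final certificate and refuses to act on a file holding fewer than two certificates, so the leaf is never dropped. The function names and the placeholder certificate bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: drop the last certificate from a PEM chain file.

# count_certs FILE -> prints how many certificates FILE contains
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# drop_last_cert FILE -> prints the chain without its final certificate.
# Fails when fewer than two certificates are present.
drop_last_cert() {
    total=$(count_certs "$1") || true
    if [ "${total:-0}" -lt 2 ]; then
        echo "refusing: $1 holds fewer than 2 certificates" >&2
        return 1
    fi
    awk -v keep="$((total - 1))" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n >= 1 && n <= keep { print }
    ' "$1"
}

# Constructed sample: three PEM blocks with placeholder bodies, not real certs.
make_sample_chain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CROSS-SIGNED
-----END CERTIFICATE-----
EOF
}

# Demonstration on the constructed sample only.
sample=$(mktemp)
make_sample_chain "$sample"
echo "before: $(count_certs "$sample") certificates"
drop_last_cert "$sample" > "$sample.trimmed"
echo "after:  $(count_certs "$sample.trimmed") certificates"
rm -f "$sample" "$sample.trimmed"
```

Run it against a copy of fullchain.pem and check the result with `nginx -t` before reloading; certbot writes a fresh fullchain.pem at renewal, so the trim has to be reapplied unless the chain is changed at issuance.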

Hello @rg305 !!!

Thank you very much for your answer!!!!

Manually removing last certificate from fullchain.pem file did the trick!!!

Trying to reissue the certificate with the --preferred-chain "ISRG Root X1" selection didn't work for me (I suppose I didn't do it correctly....), but at least now I've some weeks to try it with my "test" server and when it's working move the solution to the "production" server.

Thank you again!!!
