Renewed My Cert, But Still Have Error in Browser About Invalid Response and Such

My domain is: dragonosman.dynu.net

I ran this command: acme.sh -r -d dragonosman.dynu.net

It worked properly.

My web server is (include version): Boost.Beast version, the one included in Boost version 1.78.0. Going to upgrade to 1.79.0.

The operating system my web server runs on is (include version): Windows 10

I'm running the app on my own computer, and it's a web server app in C++.

I can login to a root shell on my machine (yes or no, or I don't know): No root shell login, but I run the C++ server app my shell via Command Prompt.

I'm using acme.sh manually.

What happened was that when I tried to visit the app in my browser after the certs were renewed, I got an error saying that the page gave an invalid response and that it's not certified. Aside from trying to port Boost 1.78.0 when it came out, as well as trying to move from #includeing header files to importing header units (for consuming the C++ Standard Library), I didn't even touch my code which was fine before this (the app still worked properly with HTTPS).

Here's the app's GitHub repo.

hmm...

Let's confirm the cert renewed, with:
acme.sh --list

and then (if it has), restart the web service (or w/e "Boost.Beast" is).
[it looks like you got three certs today]

Boost.Beast is boost::beast; it's a Boost library that handles HTTP/S and WebSockets, built on top of boost::asio. I used it to built a web server app.

I'll try out what you suggested. Thanks.

The problem happened from the first one already. I got the other two to be sure I got it right.

Since I'm using Windows, I have to use a Git bash shell to run the acme.sh commands. The bash window closes before I can see the output for the --list command-line option. So I'll have to direct the output to a file to see it.

I just get an empty text file. How do I stop it long enough to let me see the output?

hmm...
acme.sh --list > /some.file.name

That's what I did. It just gives me an empty text file before doing the actual stuff in the Git bash shell and exiting like normal.

Let's assume it's there (for now).

How did you "use" the cert within "boost" ?

You can see that in my C++ code. I did post a link to the GitHub repo. The files to look at are the three C++ files in here. The two .hpp files aren't that large. The main .cpp file kind of is, though, so I'll just apologize for that now.

Show:
dir C:/Users/Osman/.acme.sh/dragonosman.dynu.net/fullchain.cer

You want to see the actual cert file?

No, I want the output of that request.

Output of command:

 Volume in drive C is Acer
 Volume Serial Number is 980C-8B4B

 Directory of C:\Users\Osman\.acme.sh\dragonosman.dynu.net

07/16/2022  03:47 AM             5,609 fullchain.cer
               1 File(s)          5,609 bytes
               0 Dir(s)  115,759,726,592 bytes free

The timestamp seems correct.

Can you show the output of:
openssl s_client -connect ip.ip.ip.ip:port -servername dragonosman.dynu.net
[replace ip.ip.ip.ip:port with actual IP and port]

19224:error:0200274D:system library:connect:reason(1869):crypto\bio\b_sock2.c:110:
19224:error:2008A067:BIO routines:BIO_connect:connect error:crypto\bio\b_sock2.c:111:
connect:errno=0

that's what I get.

Never mind; I didn't start the server before running that command, so that's not the proper result of running it.

Started the server and ran the command again (built the code first after upgrading Boost to latest version); output:

CONNECTED(0000004C)
depth=0 CN = dragonosman.dynu.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = dragonosman.dynu.net
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = dragonosman.dynu.net
verify return:1
---
Certificate chain
 0 s:CN = dragonosman.dynu.net
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLjCCBBagAwIBAgISBNGYA4dghKZBmMhR9+RG0OFQMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA3MTUyMTQ3MDZaFw0yMjEwMTMyMTQ3MDVaMB8xHTAbBgNVBAMT
FGRyYWdvbm9zbWFuLmR5bnUubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAqtWF0MAUxTexmI0PN+AEIexkm6w6srfLfjlDUx6YIUgBjBZs+UTyZwhl
w4TkbGUJlcHgomJhiavBvjNZhmqYnhcEs7RZ2G9yaWxpvzy4SUf7NEC7MSRanuTL
rFHM29MAX42BsB2crax87cFkmNFBcN9Y9WTWaasd4bgmUUohBqxUPkRv3KQLBW6j
R0uAomRJjy5iF1RDkMRt46KOVh1Mv619nJc/EOY7AkJTAcoegXimVR7aLJb/j61D
hBrFwD+tJxrIW3jv417/fLGXHIxAbiY5FT9ZcSHELXHsgSwUimlKUEon8fLAZooN
AQRwl3nCIEhHMu5tiA3nCou5HpgpOQIDAQABo4ICTzCCAkswDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBTihU/ykkKhmo3ohkXqn+FZh9zI2TAfBgNVHSMEGDAWgBQULrMX
t1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0
dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVu
Y3Iub3JnLzAfBgNVHREEGDAWghRkcmFnb25vc21hbi5keW51Lm5ldDBMBgNVHSAE
RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw
Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2
AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABggQLUDwAAAQDAEcw
RQIhAIkL1YEm5aGSmTp//F53I61ImYHz8x2J6GX160Tp3tDIAiB7HXh+lt8AK9Jx
wXRnd9sQLcMbO74ocvY7g9VY5gYx5QB2ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4
+U1dJlwlXceEAAABggQLUDoAAAQDAEcwRQIhAKFFFw6XUKjyXxtlpfWYh/AvpYWZ
P+4q45lL+LGvFOu8AiA4kUDoQzgKxmju1OTEr5FP0MFoyN/8ly0X4WnsZR4SeDAN
BgkqhkiG9w0BAQsFAAOCAQEAIKYSAJHOARET5SRNDjyn0nHML5pgTtNXZYcdnSWu
pvX6Wg6DGqiKItpzP9RePmi9K3VSgtW9lxTY9EcJKsZpk24dmO1OSbYPHlbJ/b9k
BUO59htBPNji8POu5w03fFHWZ+5T0v+CdtwmF2BDxgOED07m/HXeF4PwNUXvk/TB
tnyT2eQExvyyGkh7MpYuym5CPZ+oWR6dcI6QeVsG5utphareWIAX7sbkZwGQrGza
ppCYN28lfngpAz1CaxKRSXymnqJ9uOwx3f4HalHiFw6zx6Tys0VAYP0+4KT+j9sG
xjPqr/MCI7XSlCipEtM355qzaYLpA6QvJaQRVhhK/22lRg==
-----END CERTIFICATE-----
subject=CN = dragonosman.dynu.net

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1955 bytes and written 415 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 6869A22BC6FA266A93C7E90376DCCC570B226BE1F23C38944859C89A7D2BFAB3
    Session-ID-ctx:
    Master-Key: 4D927E9D2183ED6DC99208B67C81F24A48897C39D8EA3EFE6D5801CFCDA0B1F4D59F18862BFC54BC79013C30E92F4107
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 3c 7e 45 e5 7f 1f b3 c3-72 5d 6c 23 26 d3 d9 c2   <~E.....r]l#&...
    0010 - c6 50 fd 7c 18 16 83 bd-9e aa d9 9e a6 83 60 0a   .P.|..........`.
    0020 - 60 ec 9c d0 f3 7e 65 4f-08 2d c2 3c d5 f9 bc 46   `....~eO.-.<...F
    0030 - 54 00 fb a1 d9 98 ed b3-46 84 f1 3e 09 f8 4f 44   T.......F..>..OD
    0040 - b8 a3 53 b0 8b e1 2c 03-7e a4 1a 56 67 73 6c 5e   ..S...,.~..Vgsl^
    0050 - b8 e0 e5 b3 ca 4a 90 84-fd bd b4 96 3d de ce e4   .....J......=...
    0060 - cd fa 66 6e d7 7c 14 d0-3b fc 7c 97 ad 40 bf b6   ..fn.|..;.|..@..
    0070 - 12 9b e9 be c2 73 18 cf-4e 46 28 49 4e 0c 20 ba   .....s..NF(IN. .
    0080 - 1b 56 bd 40 42 4c 6d 3a-5d d0 a8 bb 29 29 bb 9a   .V.@BLm:]...))..
    0090 - 76 f5 3a 77 30 e6 29 c3-56 8d 23 c6 74 1d b9 4f   v.:w0.).V.#.t..O

    Start Time: 1657977081
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---

It's stopped for now but it hasn't exited. I'll try waiting for it to exit for now.

that wouldn't exit by itself: its lowlevel shell to write request by hand.

The Certificate chain is missing the intermediates. Your fullchain.cer looks like it had 3 certs in it. Your server is only sending out the first 1. Don't ask me why I didn't study your code.

I can't tell why it did that either because this is my server_certificate.hpp file:

#ifndef SERVER_CERTIFICATE_H
#define SERVER_CERTIFICATE_H

#include <boost/asio/buffer.hpp>
#include <boost/asio/ssl/context.hpp>
#include <fstream>

/*
	Load a signed certificate into the ssl context, and configure
	the context for use with a server.
*/

inline void load_server_certificate(boost::asio::ssl::context& ctx)
{
	const std::string cert_filename = "C:/Users/Osman/.acme.sh/dragonosman.dynu.net/fullchain.cer";
	ctx.use_certificate_file(cert_filename, boost::asio::ssl::context_base::file_format::pem);

	const std::string dh =
		"-----BEGIN DH PARAMETERS-----\n"
		"MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
		"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
		"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
		"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
		"7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
		"ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==\n"
		"-----END DH PARAMETERS-----\n";

	ctx.set_password_callback(
		[](std::size_t, boost::asio::ssl::context::password_purpose)
		{
			return "test";
		});

	ctx.set_options(boost::asio::ssl::context::default_workarounds |
		boost::asio::ssl::context::no_sslv2 |
		boost::asio::ssl::context::single_dh_use);

	const std::string key_filename = "C:/Users/Osman/.acme.sh/dragonosman.dynu.net/dragonosman.dynu.net.key";
	std::ifstream ifs_key{ key_filename };
	std::string key{ (std::istreambuf_iterator<char>(ifs_key)), (std::istreambuf_iterator<char>()) };

	ctx.use_rsa_private_key(boost::asio::buffer(key.data(), key.size()), boost::asio::ssl::context::file_format::pem);

	ctx.use_tmp_dh(boost::asio::buffer(dh.data(), dh.size()));
}

#endif

It should be taking the fullchain.cer file as is. I don't know what's going on. It couldn't be anything to do with the root certificates either, right? Since it's only about the server certificates.