Renewed my certs but its working 50% of the time?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://ultraarena.com

I ran this command: $ sudo ./path/to/certbot-auto --nginx

It produced this output: Successful renewed

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: nfoservers

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

So If you go to my website and check out my certs they are indeed updated. https://gyazo.com/e9f5fc541a660146bbb5c76ab0df2a58

But if you open on internet explorer and in some cases certain links, it says its not secure and has the old certs.

I dont know why…


#2

Hi @Nick12,

Your site is serving different certificates dependng on the domain used:

Using ultraarena.com to access your site (using SNI) it serves a valid certificate but is only covering ultraarena.com domain.

$ echo | openssl s_client -connect ultraarena.com:443 -servername ultraarena.com 2>/dev/null | openssl x509 -noout -text | grep -E '(Before:|DNS:)' | sed "s/^[ \t]*//"
Not Before: Mar 17 10:51:09 2018 GMT
DNS:ultraarena.com

Using www.ultraarena.com to access your site (using SNI) it serves an invalid (expired) certificate and is covering ultraarena.com and www.ultraarena.com domain.

$ echo | openssl s_client -connect ultraarena.com:443 -servername www.ultraarena.com 2>/dev/null | openssl x509 -noout -text | grep -E '(Before:|DNS:)' | sed "s/^[ \t]*//"
Not Before: Dec 17 19:23:51 2017 GMT
DNS:ultraarena.com, DNS:www.ultraarena.com

Using any domain without using SNI, your server returns the default certificate for your server and it is the invalid (expired) certificate.

$ echo | openssl s_client -connect ultraarena.com:443 2>/dev/null | openssl x509 -noout -text | grep -E '(Before:|DNS:)' | sed "s/^[ \t]*//"
Not Before: Dec 17 19:23:51 2017 GMT
DNS:ultraarena.com, DNS:www.ultraarena.com

If you only want a certificate covering ultraarena,com then you are done, there is no problem, if you want to cover also the www subdomain you should review how you issued the certificate and re-issue the certificate but selecting both domains (with and without www).

Cheers,
sahsanu


#3

Oh, I see, so when reissuing the certification when it asks for my domain instead of just ultraarena.com I would need to put www.ultraarena.com?


#4

The thing is I made it so that all traffic redirects to https, and when I try to reissue the cert it only lets me choose ultraarena.com it doesnt let me add www. and I cant quite find a guide


#5

I replied but forgot to tag you so Im doing this so you get the reply


#6

Hi @Nick12,

Sorry, I’m at work and I don’t have too much spare time now :frowning: .

Could you please show the ouput of these commands?

As root:

certbot-auto --version

nginx -T

The output of second command could be large so please, upload it to some service like https://pastebin.com/ or similar.

As I said, I’m a bit busy but some community buddy could take a look to the requested info, anyway, I’ll take a look but could be in a few hours.

Cheers,
sahsanu


#7

Please show also the output of the command certbot certificates.
I assume you issued multiple certificates covering one domain name and did not deploy them correctly in nginx.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.