Site "Not Secure" / Certificate Invalid on fresh WordPress site

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ttcjim.com

I ran this command: sudo certbot --expand -d ttcjim.com

It produced this output: “Not Secure”, Certificate: Invalid

My web server is (include version): Digital Ocean

The operating system my web server runs on is (include version): LEMP stack, Ubuntu 14.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): WordPress 4.9.1


Hi, I recently created a new WordPress install for ttcjim.com on a server also used to host another website. When I first ran Let’s Encrypt (using Certbot), I only added the certificate for the other website and all was well (I was getting Secure). I then added the new site ttcjim.com by using “sudo certbot --expand -d ttcjim.com”.

Actions taken after:
I did get a few “nginx: [warn] conflicting server name “www.ttcjim.com” on 0.0.0.0:80, ignored” warnings while running the above, so “to be safe” I ran the above with “www.ttcjim.com” as well.

When going to my site, I was getting “Not Secure” in the address bar and upon clicking it, Certificate: “Invalid”, while being issued to “www.ttcjim.com” (even though my website is at “ttcjim.com”).

While on the website, I pressed F12 in Chrome and the only non-https link I see is “http://www.w3.org/1999/xhtml”, which I can’t figure out how to change, though in other threads, it doesn’t seem to be a problem.

I’ve tried changing the WordPress theme (to the preloaded ones), but still get the same Not Secure while logged in as admin and on the main site.

Afterward, I removed the www.ttcjim.com certificate using “certbot delete” thinking there was some kind of conflict with the ttcjim.com certificate (which I kept), but this didn’t solve anything.

Help?

I read somewhere that I’m supposed to have certificates for both www.ttcjim.com and ttcjim.com, and upon trying to re-add the deleted certificate:

sudo certbot --expand -d www.ttcjim.com

I now get the following error:

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/www.ttcjim.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/www.ttcjim.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

I’m thinking of loading a backup of the server now, but I’d lose the private keys that I can’t seem to extract (if it’s even still there for the deleted “www.ttcjim.com”).

What should I do now?

delete doesn’t edit your web server configuration, so if you delete a certificate that’s in use, your web server configuration will become invalid.

You can find the references to the deleted certificate with

grep /etc/letsencrypt/live /etc/nginx

and edit the configuration file yourself to remove them.

In general, you can include all of the relevant domain names within a single certificate instead of obtaining multiple certificates, for example with -d www.ttcjim.com -d ttcjim.com.

Thanks for the reply Schoen and for bearing with me, I’m new at this. So if I edit the right configuration file, then I can get “Secure” instead of “Not Secure”? What is the name of this configuration file? I typed in grep /etc/letsencrypt/live /etc/nginx and got “grep: /etc/nginx: Is a directory”.

Sorry, I forgot -r. It should be

grep -r /etc/letsencrypt/live /etc/nginx

to find out where the remaining reference to the now-deleted certificate is.

Since I think you’ve deleted the certificate, you’ll need to deal with this before your site can work in HTTPS again.
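
The grep above lists every reference to /etc/letsencrypt/live, including ones that are still valid. As an added example (not part of the original replies), this script reports only the nginx ssl_certificate and ssl_certificate_key lines whose target file is missing. The function names and the sample tree are hypothetical, and it assumes the directives use absolute paths.

```shell
#!/bin/sh
# Report nginx ssl_certificate / ssl_certificate_key directives that point at
# files which no longer exist, e.g. after `certbot delete`.

# find_dangling_certs CONF_DIR
# Prints "file:line: path" per missing target; returns 1 if any are missing.
find_dangling_certs() {
    out=$(grep -rnE '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$1" 2>/dev/null |
        while IFS=: read -r file line rest; do
            # Keep only the path argument: drop directive name, quotes, ';'.
            path=$(printf '%s\n' "$rest" | sed -E \
                -e 's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+//' \
                -e 's/[[:space:]]*;.*$//' -e "s/^[\"']//" -e "s/[\"']\$//")
            # -e follows symlinks, so a broken live/ symlink counts as missing.
            [ -e "$path" ] || printf '%s:%s: %s\n' "$file" "$line" "$path"
        done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# make_sample_tree: constructed sample data (not the poster's real config).
# Builds a throwaway nginx conf dir and certificate dir, prints the root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/nginx/sites-enabled" "$root/live/example.com"
    : > "$root/live/example.com/fullchain.pem"
    : > "$root/live/example.com/privkey.pem"
    cat > "$root/nginx/sites-enabled/default" <<EOF
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate $root/live/example.com/fullchain.pem;
    ssl_certificate_key $root/live/example.com/privkey.pem;
}
server {
    listen 443 ssl;
    server_name www.example.com;
    # ssl_certificate /commented/out.pem;
    ssl_certificate $root/live/www.example.com/fullchain.pem;
    ssl_certificate_key $root/live/www.example.com/privkey.pem;
}
EOF
    printf '%s\n' "$root"
}

# Demo on the constructed tree; on a real host: find_dangling_certs /etc/nginx
root=$(make_sample_tree)
find_dangling_certs "$root/nginx" || echo "fix or remove the lines above"
rm -rf "$root"
```

Commented-out directives are skipped, so only lines nginx would actually load are reported.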

I couldn’t find the certificate but I was able to reload a previous snapshot and use “-d www.ttcjim.com -d ttcjim.com” as you suggested - without the “--expand”, which worked!

Thanks a lot!
