[solved] All my websites down after installing certificate for one website only

Help
1

Hi everyone!

I am so discouraged right now… Every time I try to use certbot, it seems I am doing it all wrong… Sometimes it does automatically update the certificates but it does not reload nginx, sometimes it does not update at all, …

This time, I had a perfectly fine running server (serving multiple websites), and when I tried to update the certificates manually, it told me that the challenge failed: for domain static.amore.education it was giving me a app.amore.education/.well-known/... url (what the hell?)

I decided to remove the certificates and try again from a clean slate.

Everything went fine. I updated my nginx vhost to serve ssl on 443 instead of 80. I tested the configuration using nginx -t and it went fine… Yay, victory! …

…Until I finally restarted nginx to update the vhost, and then all my hosted websites went down.

On Firefox I get Secure Connection Failed An error occurred during a connection to app.amore.education. PR_END_OF_FILE_ERROR

On Chrome I get ERR_CONNECTION_CLOSED (and sometimes “reset”)

On SSLLabs I get Assessment failed: No secure protocols supported

On Edge I get Ce site utilise peut-être des paramètres de sécurité TLS obsolètes ou non sécurisés. (this site may be using obsolete or unsecured TLS security parameters)

And all my other SSL-served websites are now down (I still have a 80-served website and it works fine)

Even when I switched my amore.education website back to non-secure 80, my other websites were still failing (e.g. https://www.chacomdif.fr)

Last but not least, I just removed certbot and used certbot-auto with version 1.3.0 and I generated the certificates again, but it still does not work

I checked the vhost file 50 times (see below) and I don’t see what’s wrong… (heck, it was working fine, before I tried to update the certificates in the first place)

My domain is: {app,static,api}.amore.education

I ran this command: certbot certonly --webroot
(and then certbot-auto certonly --webroot)

It produced this output:

root@toto-paris-01:/etc/nginx/sites-available# certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): app.amore.education api.amore.education static.amore.education
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for api.amore.education
http-01 challenge for app.amore.education
http-01 challenge for static.amore.education
Input the webroot for api.amore.education: (Enter 'c' to cancel): /var/www/amore/public/webhost

Select the webroot for app.amore.education:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /var/www/amore/public/webhost
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select the webroot for static.amore.education:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /var/www/amore/public/webhost
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Input the webroot for static.amore.education: (Enter 'c' to cancel): /var/www/amore/public/static
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/app.amore.education/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/app.amore.education/privkey.pem
   Your cert will expire on 2020-07-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version):
nginx 1.10.3

The operating system my web server runs on is (include version):
debian 9.11 (SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux)

My hosting provider, if applicable, is:
vultr

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0
(and then certbot 1.3.0)

Exerpt of my vhost file:

server {
        listen 80;
        server_name amore.education;
        return 301 https://app.$server_name$request_uri;
}

server {
        listen 443 ssl http2;
        server_name amore.education;
        return 301 https://app.$server_name$request_uri;
}

server {
        listen 80;
        server_name app.amore.education api.amore.education static.amore.education;
        return 301 https://$server_name$request_uri;
}

server {
        include snippets/ssl.conf;

        #rewrite_log on;

        server_name app.amore.education;

        root /var/www/amore/public/webhost;
        index webapp.php;

        error_log /var/log/nginx/amore-webapp.error.log; # debug;
        access_log /var/log/nginx/amore-webapp.access.log;

        include snippets/restrictions.conf;

        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|eot|ttf|otf|woff|woff2)$ {
                try_files $uri =404;

                fastcgi_hide_header Set-Cookie;

                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
                add_header 'Access-Control-Max-Age' 86400;

                expires 1y;
                log_not_found off;
                access_log off;

                include snippets/preflight_204.conf;
        }

        location ~ \.php$ {
                # fastcgi_param MY_COUNTRY zt;
                include snippets/myfastcgi.conf;
        }

        location / {
                try_files $uri @app; # /webapp.php?_url=$request_uri;
        }

        location @app {
                rewrite ^ /webapp.php?_url=$request_uri last;
        }
}

And snippets/ssl.conf:

listen 443 ssl http2;

ssl_certificate /etc/letsencrypt/live/app.amore.education/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/app.amore.education/privkey.pem;

include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

ssl_trusted_certificate /etc/letsencrypt/live/app.amore.education/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;

Does someone understand what’s the elephant in the room that I am not seeing right now?

Please help :pray:

Thanks, and take care of you all,

Renaud

2

That server block also needs a complete SSL configuration, just like your other one.

(Nginx will be happy even if you use the wrong certificate, as long as it's a certificate.)

(Or comment out or delete the block.)

2 Likes
3

Owww… I am sorry that it was such a silly error on my end.

Indeed I followed your advice and it works fine again! I really thought that nginx/browsers would not need to read the certificate information just for a redirect, but I was wrong.

Thank you so much for pointing that out! :pray::smiley:

2 Likes
4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.