SSL Certificates invalid?

My domain is:

I ran this command:
Commands all ran OK its the using of the certificate thats failing but for ref
sudo certbot -d --manual --preferred-challenges dns certonly
Using info supplied setup DNS TXT record
next ran
sudo certbot --nginx
Reinstalled certs all OK

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):
Raspbian GNU/Linux 10 (buster)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

When I access the website run by nginx it shown as not secure. Forcing https with URL thats on my local network (i.e. ipv4 =

Looking at the result of the htpps it says the Certificate is invalid. Info says the certificate is from letsencrypt

certbot certiicates
root@kodi:/home/pi# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name:
Expiry Date: 2020-05-14 12:44:15+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/


configuration file /etc/nginx/nginx.conf:

user www-data www-data;
worker_processes auto;
pid /var/run/;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;

http {

# Basic Settings

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
    client_max_body_size 40m;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# SSL Settings

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

# Logging Settings

access_log off;
error_log /var/log/nginx/error.log crit;

# Gzip Settings

gzip on;

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

# Virtual Host Configs

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;


#mail {

# See sample authentication script at:


# auth_http localhost/auth.php;

# pop3_capabilities “TOP” “USER”;

# imap_capabilities “IMAP4rev1” “UIDPLUS”;

server {

listen localhost:110;

protocol pop3;

proxy on;


server {

listen localhost:143;

protocol imap;

proxy on;



configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:

load_module modules/;

configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:

load_module modules/;

configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:

load_module modules/;

configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:

load_module modules/;

configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:

load_module modules/;

configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:

load_module modules/;

configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:

load_module modules/;

configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:

load_module modules/;

configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:

load_module modules/;

configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:

load_module modules/;

configuration file /etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                           mml;
text/plain                            txt;
text/      jad;
text/vnd.wap.wml                      wml;
text/x-component                      htc;

image/png                             png;
image/tiff                            tif tiff;
image/vnd.wap.wbmp                    wbmp;
image/x-icon                          ico;
image/x-jng                           jng;
image/x-ms-bmp                        bmp;
image/svg+xml                         svg svgz;
image/webp                            webp;

application/font-woff                 woff;
application/java-archive              jar war ear;
application/json                      json;
application/mac-binhex40              hqx;
application/msword                    doc;
application/pdf                       pdf;
application/postscript                ps eps ai;
application/rtf                       rtf;
application/         m3u8;
application/              xls;
application/         eot;
application/         ppt;
application/vnd.wap.wmlc              wmlc;
application/  kml;
application/      kmz;
application/x-7z-compressed           7z;
application/x-cocoa                   cco;
application/x-java-archive-diff       jardiff;
application/x-java-jnlp-file          jnlp;
application/x-makeself                run;
application/x-perl                    pl pm;
application/x-pilot                   prc pdb;
application/x-rar-compressed          rar;
application/x-redhat-package-manager  rpm;
application/x-sea                     sea;
application/x-shockwave-flash         swf;
application/x-stuffit                 sit;
application/x-tcl                     tcl tk;
application/x-x509-ca-cert            der pem crt;
application/x-xpinstall               xpi;
application/xhtml+xml                 xhtml;
application/xspf+xml                  xspf;
application/zip                       zip;

application/octet-stream              bin exe dll;
application/octet-stream              deb;
application/octet-stream              dmg;
application/octet-stream              iso img;
application/octet-stream              msi msp msm;

application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

audio/midi                            mid midi kar;
audio/mpeg                            mp3;
audio/ogg                             ogg;
audio/x-m4a                           m4a;
audio/x-realaudio                     ra;

video/3gpp                            3gpp 3gp;
video/mp2t                            ts;
video/mp4                             mp4;
video/mpeg                            mpeg mpg;
video/quicktime                       mov;
video/webm                            webm;
video/x-flv                           flv;
video/x-m4v                           m4v;
video/x-mng                           mng;
video/x-ms-asf                        asx asf;
video/x-ms-wmv                        wmv;
video/x-msvideo                       avi;


configuration file /etc/nginx/conf.d/proxy.conf:

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache off;
proxy_buffering off;

configuration file /etc/nginx/sites-enabled/default:

server {
listen 80;
listen [::]:80;
root /var/www;

    index index.html index.php index.htm;
    error_page 403 = @denied;
    #Below enter IP address or block to allow, eg LAN and/or VPN blocks
    deny all;

    location @denied {
           return 301 https://$host$request_uri;
    location / {
           try_files $uri $uri/ =404;

    location /rutorrent {
           auth_basic "Restricted";
           auth_basic_user_file /etc/nginx/.htpasswd;
           include /etc/nginx/conf.d/php;
           include /etc/nginx/conf.d/cache;

    #include /etc/nginx/sites-available/dload-loc;

    location ~ /\.ht {
            deny all;


server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;


    root /var/www/;
    index index.html index.php index.htm;

    client_max_body_size 40m;
ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
    ssl_session_timeout 5m;
    location / {
           try_files $uri $uri/ =404;

    location /rutorrent {
           client_max_body_size 40m;
           auth_basic "Restricted";
           auth_basic_user_file /etc/nginx/.htpasswd;
           include /etc/nginx/conf.d/php;
           include /etc/nginx/conf.d/cache;

    #include /etc/nginx/sites-available/dload-loc;

    location ~ /\.ht {
            deny all;


configuration file /etc/nginx/conf.d/php:

location ~ .php$ {
fastcgi_split_path_info ^(.+.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
include fastcgi_params;

configuration file /etc/nginx/fastcgi_params:

fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;

configuration file /etc/nginx/conf.d/cache:

location ~* .(jpg|jpeg|gif|css|png|js|woff|ttf|svg|eot)$ {
expires 30d;

If I could I would post pictures of the chrome warning screen but as a new user forum will not allow me to upload attachments

1 Like

As best I can tell, the problem may be with your client (not having LE root cert) or there may be some appliance (or MITM) interfering with your connection or it’s an IPv4/IPv6 problem.

Please show the outputs of:

curl -Iki6
curl -Iki4
openssl s_client -connect [fe80::d734:8929:6d4f:f09d]:443 -servername
openssl s_client -connect -servername
1 Like

pi@kodi:~ $ sudo su
root@kodi:/home/pi# curl -Iki6
curl: (7) Couldn’t connect to server
root@kodi:/home/pi# curl -Iki4
HTTP/2 404
server: nginx
date: Fri, 14 Feb 2020 15:44:33 GMT
content-type: text/html
content-length: 162

root@kodi:/home/pi# openssl s_client -connect [fe80::d734:8929:6d4f:f09d]:443 -servername
3069792272:error:02002016:system library:connect:Invalid argument:…/crypto/bio/b_sock2.c:110:
3069792272:error:2008A067:BIO routines:BIO_connect:connect error:…/crypto/bio/b_sock2.c:111:
root@kodi:/home/pi# openssl s_client -connect -servername
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN =
verify return:1

Certificate chain
0 s:CN =
i:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
1 s:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3

Server certificate
subject=CN =

issuer=C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 3201 bytes and written 406 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 6B79C055B1332AE00EE0E0C695655BFB84F46A9E2E7B09982BF932DCABA8B883
Master-Key: A254D5DE635A419010A9591402DB6EE601A911B39E5176BDA59E0CA7E8FFA6099214428904652FAC45774A1F648B01B7
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - f1 2b fc 7b 66 a9 51 16-7a 4b eb 08 ed b4 ce 40 .+.{f.Q.zK…@
0010 - bf 8d ec 7f 2a b5 38 c5-c1 15 c6 79 60 f6 88 f8 …*.8…y... 0020 - 81 b3 97 65 4e 25 91 12-6f 6d 34 4f 1b 3a a1 32 ...eN%..om4O.:.2 0030 - 90 d3 45 8c 81 7d cd 24-18 e1 62 ca c5 fd bb af ..E..}.$..b..... 0040 - f8 4c 99 40 3b 20 f3 e4-00 99 f7 4a 3a fe c9 d7 .L.@; .....J:... 0050 - ee d5 d9 01 22 38 6d aa-26 d4 f4 74 ab b1 66 07 ...."8m.&..t..f. 0060 - 3d e6 6c ba d1 f1 07 fa-e9 58 1a 31 8d b5 8d b3 =.l......X.1.... 0070 - 3c 21 48 60 b6 64 30 63-c2 6a e5 c6 09 1c dd 7b <!H.d0c.j…{
0080 - a4 5a 0d 07 52 1d 27 c9-44 ac b1 eb 6b 46 63 4d .Z…R.’.D…kFcM
0090 - a0 36 54 b4 88 2f 5f 1a-e8 71 51 be ff 5b 48 37 .6T…/_…qQ…[H7
00a0 - a7 ba 22 84 a1 86 24 e4-4b 43 f5 ee 3e 95 b5 50 …"…$.KC…>…P

Start Time: 1581695133
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes


1 Like

The IPv4 connects appear correct.
Global DNS shows (private) IPv4 and IPv6 addresses but the IPv6 address fails to connect.
You might want to remove the AAAA record from DNS:

Addresses:  fe80::d734:8929:6d4f:f09d

dig A @ +short
dig AAAA @ +short
1 Like

I have removed the AAAA record and no change

Non-authoritative answer:

I put in the IP6 address as when first trying to use certbot --nginx it said it authorised via IPV6 only. But even then it didnt work as my addresses as you say are private and I had to go the manual route.

I appreciate you helping me. Any other ideas.

Please show the error message.
[Feel free to post a screenshot via any online service.]

1 Like

In (re)reviewing…

Should probably work better as a name [not the IP.]

1 Like

Ahhhhh … now we seem to be getting there . Using I get a 404 error from nginx BUT its says the connection is secure. I guess this is because there is a redirect that I will need to sort out. So tried to without the rutorrent and also got a 404 but connection is secure . I guess when nginx and rutorrent was all installed it was under so will have to see if I can figure all this out.

Thanks for your help with this one I didnt know that using the ip address would cause an issue as I thought there was reverse lookup. But that was an assumption of a newbie


Thanks so much for the help all fixed now. My final act was to re run the install package that installed my server and it now picked up the correct domain as before the DN was blank in initial install. All works like a dream now