"SSL_ERROR_BAD_CERT_DOMAIN" OR "SSL_ERROR_RX_RECORD_TOO_LONG" error after adding a domain with ACME


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.searchintegral.com

I ran this command: https://www.searchintegral.com

It produced this output:
SSL_ERROR_BAD_CERT_DOMAIN
SSL_ERROR_RX_RECORD_TOO_LONG

My web server is (include version):
nginx 1.10.3

The operating system my web server runs on is (include version):
ubuntu server 16.04

My hosting provider, if applicable, is:
inhouse

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Detailed status is as below:

  1. Before
    https://www.searchintegral.com ok without any problem

  2. After

  • but the key file length is zero
    -rw-rw-r-- 1 remote remote 1648 Mar 1 17:50 router.searchintegral.com.cer
    -rw-rw-r-- 1 remote remote 846 Mar 1 17:50 router.searchintegral.com.conf
    -rw-rw-r-- 1 remote remote 1005 Mar 1 16:56 router.searchintegral.com.csr
    -rw-rw-r-- 1 remote remote 220 Mar 1 16:56 router.searchintegral.com.csr.conf
    -rw-rw-r-- 1 remote remote 0 Mar 1 17:50 router.searchintegral.com.key
  1. Error status

  2. Action

    • remove certificate with acme.sh
      remote@elasticSearch:~/.acme.sh$ ./acme.sh --remove -d router.searchintegral.com
      [Mon Mar 5 11:09:31 CST 2018] router.searchintegral.com is removed, the key and cert files are in
      /home/remote/.acme.sh/router.searchintegral.com
      [Mon Mar 5 11:09:31 CST 2018] You can remove them by yourself.

    • delete the TXT record from DNS

    • check the certificate status from
      https://crt.sh/?q=router.searchintegral.com
      Certificates
      crt.sh ID   Logged At ⇧   Not Before   Issuer Name
      344591435   2018-03-01    2018-03-01   C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3

      https://crt.sh/?q=router.searchintegral.com
      crt.sh ID   Logged At ⇧   Not Before   Issuer Name
      337059996   2018-02-21    2018-02-21   C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
      285614082   2017-12-23    2017-12-23   C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
      238974599   2017-10-24    2017-10-24   C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
      190032535   2017-08-14    2017-08-14   C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
      154477173   2017-06-15    2017-06-15   C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3

  3. Current status

Is there anything that I forgot?
Thanks for your help …


#2

I’m not sure what your router.~ experiments have to do with your www.~ hostname, but I do know your webserver for www.searchintegral.com is speaking HTTP on port 443 and not HTTPS. Looks like a webserver misconfiguration with TLS not enabled on port 443.


#3

Indeed.

You need to have this in your nginx:

listen 443 ssl http2;

whereas you currently probably just have:

listen 443;

#5

Hi, nginx’s SSL server block is as follows:

server {
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;


}

and it used to work before.

I also modified my nginx config from the above to
server {
# SSL configuration
#
listen 443 ssl http2;
listen [::]:443 ssl http2;


}

and reloaded the nginx service, but still no luck …


#6

Hi Osiris,

  1. I use a MikroTik router as firewall.
  2. Regarding “but I do know your webserver for www.searchintegral.com is speaking HTTP on port 443 and
    not HTTPS”: how can I know? Via the browser, it tells me that the certificate is valid for www.searchintegral.com
    and throws me the “SSL_ERROR_BAD_CERT_DOMAIN” error. As you can see from the above post, this LE
    has been running since 2017/06/15 without any problems, and I am sure nginx’s config has not been
    modified since that time.

Is there anything I need to check? Thanks,
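To answer "how can I know?" and to show what Osiris observed in #2, here is an added example (not code from this thread, not acme.sh or nginx code). It parses the first bytes a plain-HTTP server sends back after a TLS ClientHello the way a TLS record layer would, which is exactly why Firefox reports SSL_ERROR_RX_RECORD_TOO_LONG: the letters "HTTP/" decode as a record length of 20527 bytes, larger than any legal TLS record. The `SAMPLE_HTTP_REPLY` is constructed from what nginx answers to an unparseable request line, and the `probe()` helper (a hypothetical name, needs network access) is one way to run the same check against your own host.

```python
"""Tell whether a port speaks TLS or plain HTTP, and why a plain-HTTP reply
shows up as SSL_ERROR_RX_RECORD_TOO_LONG.  Added example, not from the thread."""
import socket
import ssl

# A TLS record carries at most 2^14 bytes of plaintext plus 2048 bytes of
# expansion (RFC 5246 section 6.2.3); NSS rejects anything longer with
# SSL_ERROR_RX_RECORD_TOO_LONG.
MAX_TLS_RECORD = 2 ** 14 + 2048
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data

# Constructed sample: what nginx answers on a plain-HTTP port when it receives
# a TLS ClientHello, which is not a parseable HTTP request line.
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nServer: nginx/1.10.3\r\n\r\n"


def decode_as_tls_record(data: bytes):
    """Parse the first five bytes the way a TLS record layer does:
    1 byte content type, 2 bytes version, 2 bytes big-endian length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type = data[0]
    version = (data[1], data[2])
    length = int.from_bytes(data[3:5], "big")
    return content_type, version, length


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sent back after our ClientHello."""
    if len(data) < 5:
        return "unknown"
    content_type, version, length = decode_as_tls_record(data)
    if content_type in TLS_CONTENT_TYPES and version[0] == 3 and length <= MAX_TLS_RECORD:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def explain(data: bytes) -> dict:
    """Show what a TLS client makes of a plaintext reply."""
    content_type, version, length = decode_as_tls_record(data)
    return {
        "verdict": classify_reply(data),
        "content_type": content_type,   # 'H' == 0x48, not a TLS content type
        "version": version,             # 'T','T' == (0x54, 0x54), not 3.x
        "record_length": length,        # 'P','/' == 0x502F == 20527 bytes
        "too_long": length > MAX_TLS_RECORD,
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check for a host you operate (hypothetical helper, needs network):
    first a real TLS handshake; if that fails at the record layer, send a
    plaintext HTTP request and classify what the port actually speaks."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
                return f"tls: certificate valid for {sans}"
    except ssl.SSLCertVerificationError as e:
        # The handshake happened but the name or chain is wrong: this is the
        # SSL_ERROR_BAD_CERT_DOMAIN family of errors.
        return f"tls: certificate verification failed ({e.reason})"
    except ssl.SSLError:
        # OpenSSL usually reports a plaintext reply as WRONG_VERSION_NUMBER;
        # fall through and look at the raw bytes instead.
        pass
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return classify_reply(raw.recv(64))


if __name__ == "__main__":
    print(explain(SAMPLE_HTTP_REPLY))
    # print(probe("www.example.com"))  # live run against a host you operate
```

A NAT rule that sends external port 443 to the internal server's port 80 produces exactly the `plaintext-http` verdict: nginx's port-80 listener gets the ClientHello, rejects it as a bad request line, and the browser reads that HTTP reply as an oversized TLS record.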


#7

Problem solved. As Osiris said, I checked port 80 on the firewall again and found:

  1. the firewall’s NAT rules had changed: they just forward ports 80 and 443 to the internal web server’s port 80

So I changed the internal web server to accept all the ports from the NAT and now it is OK.

Thank you ~


#8

You forwarded external port 443 to internal port 80? :astonished:

Or am I misinterpreting something?


#9

A typing error when combining the firewall rules.

