SSL not working after updating letsencrypt cert

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: curl https://plex.ooii.io

It produced this output: curl: (56) SSLRead() return error -9806

My operating system is (include version): OSX 10.11.5

My web server is (include version): Running among others a Plex Media Server behind nginx acting as reverse proxy

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have nginx which I’m using mainly as a reverse proxy. I have many services running at home such as Plex. It is reachable through plex.mydomain.com for which I have created a letsencrypt certificate.
Everything was working perfectly until I updated the letsencrypt certificates. Since then, only my desktop Chrome still works, but I suspect that is because of its cache. Safari does not work, and neither do curl or wget.

The nginx conf is the following

server {
        listen                  80 ;
        server_name  plex.ooii.io ;
        rewrite ^ https://$server_name$request_uri? permanent;
}
server {
        listen        443;
        server_name  plex.ooii.io ;
        satisfy any;
        allow 192.168.1.0/24; ## my home network
        deny all;
        auth_basic "closed site";
        auth_basic_user_file /etc/nginx/certs/password;
        ssl_certificate /etc/letsencrypt/live/plex.mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/plex.ooii.io/privkey.pem;


        location / {
            proxy_pass        http://192.168.1.102:5000;
            proxy_redirect http:// $scheme://;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

    }
}

If I run curl https://plex.ooii.io then I get curl: (56) SSLRead() return error -9806.

When I access plex.mydomain.com from Safari, Nginx logs give

2016/08/09 19:23:27 [alert] 52081#0: worker process 53076 exited on signal 11
2016/08/09 19:23:27 [notice] 52081#0: start worker process 53079
2016/08/09 19:23:27 [notice] 52081#0: signal 23 (SIGIO) received
2016/08/09 19:23:27 [notice] 52081#0: signal 23 (SIGIO) received

The letsencrypt certificate has been generated with the following command:

sudo certbot certonly --standalone -d plex.mydomain.com -d plex.myotherdomain.com

Any idea what I am doing wrong?
Thank you very much for your help.

The domain plex.mydomain.com can’t be reached.

Is this your real domain? If not, could you provide your real domain, please?

Sorry for that.
I corrected it.

Did you change anything else? It’s working fine for me …

$ curl -I https://plex.ooii.io 
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 10 Aug 2016 09:50:03 GMT
Content-Length: 0
Connection: keep-alive
Location: https://plex.ooii.io/web/index.html
Cache-Control: public
X-Plex-Protocol: 1.0

$ curl -I https://plex.ooii.io/web/index.html
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 10 Aug 2016 09:50:22 GMT
Content-Type: text/html
Content-Length: 2752
Connection: keep-alive
Cache-Control: no-cache
Accept-Ranges: bytes
X-Plex-Protocol: 1.0

You have some weak keys showing at https://www.ssllabs.com/ssltest/analyze.html?d=plex.ooii.io so it may be worth using https://mozilla.github.io/server-side-tls/ssl-config-generator/ to provide a suitable config for your requirements.

Thank you for your time and your response.

It’s not working for me
curl -I https://plex.ooii.io/web/index.html
curl: (52) Empty reply from server

while wget https://plex.ooii.io/ works fine. I cannot understand what’s going wrong.

I’ll check the link you provided.

I ran openssl s_client -connect plex.mydomain.com:443 and figured out that it is the nas.mydomain.com cert which is provided by nginx. Actually, I have several services running, each with its own ssl certificate. Each service has its own server block in the nginx conf, and it seems nginx is serving the certificates in alphabetical order… If I delete the nas service, then nginx serves the owncloud certificate, but if I disable owncloud too, then it serves the plex certificate for each ssl service.

Hello @ooii,

As nginx uses SNI, you should provide the server name in the openssl command to get the right cert served by nginx.

openssl s_client -connect plex.mydomain.com:443 -servername plex.mydomain.com

Cheers,
sahsanu
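
The with/without-SNI comparison suggested above can be scripted. This is an added example, not part of the original thread: it fetches the certificate once with SNI and once without, then reports whether each one covers the requested name. The function names and the result labels ("ok", "sni-required", "wrong-cert") are assumptions made for this illustration.

```python
import socket
import ssl
import sys


def served_cert(host, port=443, sni=None, timeout=5.0):
    """Return the leaf certificate (getpeercert() dict) the server presents.

    sni=None sends no SNI extension, like `openssl s_client` without
    -servername; pass the hostname to behave like a browser.
    Raises ssl.SSLCertVerificationError if the chain itself is not trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared below
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def dns_names(cert):
    """DNS entries of the subjectAltName extension, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def covers(cert, hostname):
    """True if a SAN matches hostname; '*' may only replace the left-most label."""
    host = hostname.lower().rstrip(".")
    for name in dns_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def diagnose(hostname, cert_with_sni, cert_without_sni):
    """Classify the two observations made for one hostname."""
    if not covers(cert_with_sni, hostname):
        return "wrong-cert"    # this vhost's ssl_certificate does not cover the name
    if not covers(cert_without_sni, hostname):
        return "sni-required"  # non-SNI clients get another vhost's certificate
    return "ok"


if __name__ == "__main__":
    for name in sys.argv[1:]:
        with_sni, without_sni = served_cert(name, sni=name), served_cert(name)
        print(name, diagnose(name, with_sni, without_sni), dns_names(without_sni))
```

A "sni-required" result matches what a plain `openssl s_client -connect` shows on a host with several server blocks; "wrong-cert" means the certificate configured for that server block does not list the name at all.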

I fixed the issue by generating a new certificate where I mentioned the root domain name too.
The whole command is then certbot certonly --standalone -d mydomain.com -d myotherdomain.com -d plex.mydomain.com -d plex.myotherdomain.com

And now, it works like a charm.
Thank you guys for your help.
