SSL not working after updating letsencrypt cert

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: curl

It produced this output: curl: (56) SSLRead() return error -9806

My operating system is (include version): OSX 10.11.5

My web server is (include version): Running among others a Plex Media Server behind nginx acting as reverse proxy

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have nginx which I’m using mainly as a reverse proxy. I have many services running at home such as Plex. It is reachable through for which I have created a letsencrypt certificate.
Everything was working perfectly until I updated the letsencrypt certificates. Since then, only my desktop Chrome still works, but I suspect it is doing so because of its cache. Safari does not work, and neither do curl or wget.

The nginx conf is the following

server {
        listen                  80 ;
        server_name ;
        rewrite ^ https://$server_name$request_uri? permanent;
}
server {
        listen        443;
        server_name ;
        satisfy any;
        allow; ##chez moi
        deny all;
        auth_basic "closed site";
        auth_basic_user_file /etc/nginx/certs/password;
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;

        location / {
            proxy_redirect http:// $scheme://;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;


If I run curl then I get curl: (56) SSLRead() return error -9806.

When I access from Safari, Nginx logs give

2016/08/09 19:23:27 [alert] 52081#0: worker process 53076 exited on signal 11
2016/08/09 19:23:27 [notice] 52081#0: start worker process 53079
2016/08/09 19:23:27 [notice] 52081#0: signal 23 (SIGIO) received
2016/08/09 19:23:27 [notice] 52081#0: signal 23 (SIGIO) received

The letsencrypt certificate has been generated with the following command:

sudo certbot certonly --standalone -d -d

Any idea what I am doing wrong?
Thank you very much for your help.

The domain can’t be reached.

Is this your real domain? If not, could you provide your real domain, please?

Sorry for that.
I corrected it.

Did you change anything else? It’s working fine for me…

$ curl -I 
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 10 Aug 2016 09:50:03 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: public
X-Plex-Protocol: 1.0

$ curl -I
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 10 Aug 2016 09:50:22 GMT
Content-Type: text/html
Content-Length: 2752
Connection: keep-alive
Cache-Control: no-cache
Accept-Ranges: bytes
X-Plex-Protocol: 1.0

You have some weak keys showing at so it may be worth using to provide suitable config for your requirements.

Thank you for your time and your response.

It’s not working for me:

curl -I
curl: (52) Empty reply from server

while wget works fine. I cannot understand what’s going wrong.

I’ll check the link you provided.

I ran openssl s_client -connect and figured out that it is the cert which is provided by nginx. Actually, I have several services running, each with its own ssl certificate. And each service has its own server block for nginx conf and it seems nginx is serving the certificates by alphabetical order… If I delete the nas service, then nginx is serving owncloud certificate but if I disable owncloud too then it serves plex certificate for each ssl service.

Hello @ooii,

As nginx uses SNI, you should provide the server name in the openssl command to get the right cert served by nginx.

openssl s_client -connect -servername


I fixed the issue by generating a new certificate where I mentioned the root domain name too.
The whole command is then certbot certonly --standalone -d -d -d -d

And now, it works like a charm.
Thank you guys for your help.
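
The behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model of how nginx picks a server block (and so a certificate) from the SNI name, and of whether that certificate's names cover the requested host. The example.org host names and the server_name lists are constructed assumptions; only the service names follow the thread.

```python
# Added example: simplified model of nginx certificate selection by SNI.
# Host names are constructed (example.org); service names follow the thread.

def san_matches(host, san):
    """True if a certificate SAN entry covers host (wildcard = one left-most label)."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return host == san

def pick_block(blocks, sni):
    """Return the server block used for the TLS handshake.

    blocks is in config load order. With no SNI, or no server_name match,
    nginx falls back to the default server: the first block for the listen
    socket unless one is marked default_server (not modelled here).
    Only exact server_name entries are modelled.
    """
    if sni:
        for block in blocks:
            if sni.lower() in block["server_names"]:
                return block
    return blocks[0]

def handshake(blocks, host, send_sni=True):
    """Return (block name, whether the served certificate covers host)."""
    block = pick_block(blocks, host if send_sni else None)
    covered = any(san_matches(host, san) for san in block["cert_sans"])
    return block["name"], covered

def make_blocks(plex_sans):
    # Assumed layout: one file per service, included by a glob, which loads
    # them alphabetically, so "nas" ends up as the default server.
    return [
        {"name": "nas", "server_names": ["nas.example.org"], "cert_sans": ["nas.example.org"]},
        {"name": "owncloud", "server_names": ["owncloud.example.org"], "cert_sans": ["owncloud.example.org"]},
        {"name": "plex", "server_names": ["plex.example.org", "example.org"], "cert_sans": plex_sans},
    ]

if __name__ == "__main__":
    before = make_blocks(["plex.example.org"])
    after = make_blocks(["plex.example.org", "example.org"])
    for label, blocks in (("before", before), ("after", after)):
        for host, sni in (("plex.example.org", True), ("plex.example.org", False), ("example.org", True)):
            print(label, host, "sni" if sni else "no-sni", handshake(blocks, host, sni))
```

The no-SNI case corresponds to running `openssl s_client -connect` without `-servername`: the default block's certificate comes back regardless of which service was meant.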
