SSL Renewal renewed but not activate You may need to install an Intermediate/chain certificate to link it to a trusted root certificate

THEN:
[restart/reload NGINX]
systemctl restart nginx

LAST:
[run this command]
./letsencrypt-auto delete --cert-name qa-ui.juvlon.in-0001

But the website name is qa-ui.juvlon.in

You asked for step by step instructions.
I gave you step by step instructions.
Please just follow the steps.

You have two certs [in letsencrypt-auto]

  1. Certificate Name: qa-ui.juvlon.in-0001
  2. Certificate Name: qa-ui.juvlon.in

The first is expired and should be deleted.
Use this command to delete it:
./letsencrypt-auto delete --cert-name qa-ui.juvlon.in-0001

Thanks, it is working.

I just replaced the lines below:

ssl_certificate /etc/letsencrypt/live/qa-ui.juvlon.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/qa-ui.juvlon.in/privkey.pem;

and restarted nginx.

Two out of three (steps) ain’t bad.

But there are even more… steps.
There is a cert being applied to the IP [the default vhost config] that also has the same name.
But this cert, and the implemented use, makes NO sense to me…
The only browsers that will ever see it don’t support SNI.
[they take the DNS IP of the name and just connect https://IP.IP.IP.IP/]
But that “site” returns a redirect to: https://qa-ui.juvlon.in/
Which will only cause that browser [incapable of SNI] to get stuck in a loop:

  1. resolve name to IP
  2. go to https://IP.IP.IP.IP/
  3. get redirected to https://qa-ui.juvlon.in/
  4. resolve name to IP
  5. go to https://IP.IP.IP.IP/
  6. get redirected to https://qa-ui.juvlon.in/
    ….

That leaves anyone that has a newer browser [supporting SNI] and they go to https://IP.IP.IP.IP/
They are presented with the cert for qa-ui.juvlon.in
But that cert doesn’t match the “name” they are trying to reach “IP.IP.IP.IP” and it fails to connect.

So… no one can use that cert.

You should delete the EXPIRED and unused cert.
[I gave you that instruction like 4 times already]

You should review where/how the other cert is used.
Try using:
nginx -T
or a reduced output with:
nginx -T | grep -Ei 'server_name|virtual|default|\*|80|listen|return|rewrite'

I had deleted this certificate.

Good that is three out of three steps: DONE.
Now to step four…
[just like in life - when you think you’re done… you’re not]

You should review where/how the other cert is used.
Try using:
nginx -T
or a reduced output with:
nginx -T | grep -Ei 'server_name|virtual|default|\*|80|listen|return|rewrite'

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

NOT:
nginx -t

use:
nginx -T

nginx -T | grep -Ei ----- same i had used got this output

hmm…
maybe that version is too old for that command:
Server: nginx/1.9.10

Try:
grep -ERi 'server_name|virtual|default|\*|80|listen|return|rewrite' /etc/nginx/
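
The review step discussed in this thread (which server blocks still load which certificate) can be made explicit. This is an added example, not part of the thread: a simplified parser run over a constructed config, with the function names and the sample config being assumptions.

```python
import re

# Constructed sample shaped like `nginx -T` output; not the poster's real config.
SAMPLE = """
http {
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate /etc/letsencrypt/live/qa-ui.juvlon.in-0001/fullchain.pem;
        return 301 https://qa-ui.juvlon.in$request_uri;
    }
    server {
        listen 443 ssl;
        server_name qa-ui.juvlon.in;
        ssl_certificate /etc/letsencrypt/live/qa-ui.juvlon.in/fullchain.pem;  # renewed
    }
}
"""
LINEAGE = re.compile(r"/etc/letsencrypt/live/([^/]+)/")

def server_blocks(text):
    """Return one dict per server{} block: directive -> list of argument strings.
    Simplified: assumes no '{', '}', ';' or '#' inside quoted strings or regexes."""
    text = re.sub(r"#.*", "", text)                    # strip comments to end of line
    blocks, stack = [], []
    for stmt, end in re.findall(r"([^{};]*)([{};])", text):
        words = stmt.split()
        if end == "{":                                 # block opens: remember its name
            stack.append(words[0] if words else "")
            if stack[-1] == "server":
                blocks.append({})
        elif end == "}":
            if stack:
                stack.pop()
        elif words and "server" in stack:              # directive inside a server block
            blocks[-1].setdefault(words[0], []).append(" ".join(words[1:]))
    return blocks

def lineage_usage(text):
    """Map certbot lineage name -> [(listen args, server_name args)] that load it."""
    usage = {}
    for block in server_blocks(text):
        for path in block.get("ssl_certificate", []):
            match = LINEAGE.search(path)
            if match:
                entry = (block.get("listen", []), block.get("server_name", []))
                usage.setdefault(match.group(1), []).append(entry)
    return usage

def safe_to_delete(text, lineage):
    """A lineage is safe to delete only when no server block still loads it."""
    return lineage not in lineage_usage(text)
```

A lineage that any `ssl_certificate` directive still references should be repointed before it is deleted, since nginx cannot load a certificate file that no longer exists.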
