Successful install however still not valid certificate?

My domain is:
cytojer.com
I ran this command:
sudo certbot renew --dry-run

It produced this output:

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/cytojer.com-0001.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate

new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/cytojer.com-0001/fullchain.pem

Processing /etc/letsencrypt/renewal/cytojer.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Dry run: skipping deploy hook command: systemctl reload nginx
nginx: [warn] duplicate MIME type “text/html” in /etc/nginx/nginx.conf:34

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/cytojer.com/fullchain.pem

Processing /etc/letsencrypt/renewal/www.cytojer.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
nginx: [warn] duplicate MIME type “text/html” in /etc/nginx/nginx.conf:34

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/www.cytojer.com/fullchain.pem

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/cytojer.com-0001/fullchain.pem (success)
/etc/letsencrypt/live/cytojer.com/fullchain.pem (success)
/etc/letsencrypt/live/www.cytojer.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


My web server is (include version):
nginx version: nginx/1.16.1

The operating system my web server runs on is (include version):
Ubuntu 1804.4 LTS
My hosting provider, if applicable, is:
Digital Ocean
I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0


I am using the following installation process and here is the title and link

How To Use Certbot Standalone Mode to Retrieve Let’s Encrypt SSL Certificates on Ubuntu 18.04

[https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-ubuntu-1804]

I still don’t know what else I have to do to get the SSL to Test as ok per following test.

SSL Report: www.cytojer.com (167.99.174.180)

Assessed on: Wed, 13 May 2020 05:32:07 UTC

Assessment failed: Unable to connect to the server

Can you advise?

Thank you.

You have certificates.
Try:
certbot certificates
to see them, their location, and the domain names they cover.

Try:
nginx -T | grep server_name
to quickly see the domain names you are serving in your web server.

Ok. Should my domains redirect to https now?


Can you advise?

You haven’t shown the output of the commands I posted, so, I don’t know.
But I can guess the answer is NO.
You don’t seem to understand how web servers operate.

Yes, start by showing the output of the two commands I posted.
Then we can both better understand how your system is configured and we can go from there.

As requested here is the output from the two commands.

$ certbot certificates

Certificate Name: cytojer.com-0001
Domains: cytojer.com
Expiry Date: 2020-08-11 00:48:16+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/cytojer.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cytojer.com-0001/privkey.pem
Certificate Name: cytojer.com
Domains: cytojer.com www.cytojer.com
Expiry Date: 2020-08-10 13:31:06+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/cytojer.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cytojer.com/privkey.pem
Certificate Name: www.cytojer.com
Domains: www.cytojer.com
Expiry Date: 2020-08-10 17:03:44+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.cytojer.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.cytojer.com/privkey.pem

$ nginx -T | grep nginx
nginx: [warn] duplicate MIME type “text/html” in /etc/nginx/nginx.conf:34
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Should I have this to include my server host name?

Maybe this is why https cannot be directed to?

/etc/nginx/sites-available# ls
default

NOT

This looks “messy”…
You have three certs to cover just two names:

Certificate Name: cytojer.com-0001
Domains: cytojer.com

Certificate Name: cytojer.com
Domains: cytojer.com www.cytojer.com

Certificate Name: www.cytojer.com
Domains: www.cytojer.com

curl -Iki https://167.99.174.180/
curl: (7) Failed to connect to 167.99.174.180 port 443: Connection refused

curl -Iki https://www.cytojer.com/
curl: (7) Failed to connect to www.cytojer.com port 443: Connection refused

curl -Iki https://cytojer.com/
curl: (7) Failed to connect to cytojer.com port 443: Connection refused

You need to open port 443.
Allow it to reach your web server.
OR, if already open, you need to enable TLS (HTTPS) on port 443
and use one of those certs (and delete the other two).

OK. I will do that. Thank you. How do I enable TLS on port 443 - I have that port open already.

It is much like any port 80 vhost config.
Except that it will instead listen on port 443.
And use certificates to encrypt the traffic.

At least two such lines are required for encryption:

ssl_certificate /path/to/fullchain.cert;
ssl_certificate_key /path/to/key.file;

And there are “other things”…
Like setting the acceptable TLS protocols and ciphers.

But that conversation is an nginx web server specific topic and kinda outside the scope of this forum.
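As an added worked example (not from this thread, and not Certbot's or nginx's own documentation), here is what a minimal pair of nginx server blocks for this setup could look like. It uses the certificate paths that `certbot certificates` printed above for the `cytojer.com` lineage, since that one already covers both names; the file name and the web root `/var/www/cytojer.com` are assumptions, and the cipher list is one reasonable TLS 1.2 choice rather than the only acceptable one.

```nginx
# /etc/nginx/sites-available/cytojer.com   (added example; file name assumed)

# Port 80 vhost: answer HTTP-01 challenges in the clear and send
# everything else to HTTPS with a permanent redirect.
server {
    listen 80;
    listen [::]:80;
    server_name cytojer.com www.cytojer.com;

    # Keeping this path unredirected lets webroot-style renewals work.
    location /.well-known/acme-challenge/ {
        root /var/www/cytojer.com;   # assumed web root
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443 vhost: same shape as the port 80 block, plus the two lines
# the reply above calls mandatory (certificate chain and private key).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cytojer.com www.cytojer.com;

    # The "cytojer.com" lineage covers both names, so one cert serves both.
    ssl_certificate     /etc/letsencrypt/live/cytojer.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cytojer.com/privkey.pem;

    # The "other things": restrict protocols and ciphers to modern ones.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Session resumption so repeat visitors skip the full handshake.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Optional, once HTTPS is confirmed working for the whole site:
    # add_header Strict-Transport-Security "max-age=63072000" always;

    root /var/www/cytojer.com;       # assumed web root
    index index.html;
}
```

To use it, symlink the file into `/etc/nginx/sites-enabled/`, run `sudo nginx -t`, then `sudo systemctl reload nginx` (the same deploy hook Certbot's dry run listed). After that, the `curl -Iki https://www.cytojer.com/` check from the reply above should return response headers instead of "Connection refused"; if it still fails, the firewall is the next thing to look at (on Ubuntu with ufw, `sudo ufw allow 'Nginx Full'` opens both 80 and 443). With a single lineage in use, the other two the reply flagged can be removed with `certbot delete --cert-name cytojer.com-0001` and `certbot delete --cert-name www.cytojer.com`, so renewals no longer touch certificates nothing serves.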

Complete. Thank you very much.
