"This Connection is not Private"

Hello _az,

I am also facing the same issue. I have installed all the certificates using the stated command:

Here is some of the needed information:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.shareconomy.in

I ran this command: opened the page

**certificate installation done:**
./letsencrypt-auto certonly --cert-name www.shareconomy.in -d shareconomy.in -d acemicromatic.shareconomy.in -d it.shareconomy.in -d kailasengg.shareconomy.in -d tlc.shareconomy.in

It produced this output: “This Connection is not Private”

  1. https://shareconomy.in

  2. https://www.shareconomy.in is working fine

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

Before you do anything else, what’s the output of:

./letsencrypt-auto certificates

After running that command, it states that there is no such file. The certificates were installed in the year 2016, when the certonly method was used:

-bash: ./letsencrypt-auto: No such file or directory

Try running the command from the same directory where you ran the above command.

root@shareconomy:/opt/letsencrypt# ./letsencrypt-auto certificates
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
  utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: it.shareconomy.in
Serial Number: 38ed58fa4e756ae86e4da21a6dc219809c7
Domains: it.shareconomy.in
Expiry Date: 2020-05-04 06:33:56+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/it.shareconomy.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/it.shareconomy.in/privkey.pem
  Certificate Name: shareconomy.in-0001
Serial Number: 36e0a36276dc6dde570e09c2daa283ddba3
Domains: shareconomy.in www.shareconomy.in
Expiry Date: 2020-05-04 06:34:03+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/shareconomy.in-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/shareconomy.in-0001/privkey.pem
  Certificate Name: shareconomy.in-0002
Serial Number: 3bbe94d30fb0f212cebfcccfb14b4198646
Domains: shareconomy.in acemicromatic.shareconomy.in it.shareconomy.in kailasengg.shareconomy.in
Expiry Date: 2020-05-04 06:34:10+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/shareconomy.in-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/shareconomy.in-0002/privkey.pem
  Certificate Name: shareconomy.in-0003
Serial Number: 38bb17cd47f3bce5418e2b8c8f9fc3a36a1
Domains: shareconomy.in
Expiry Date: 2020-05-04 06:34:18+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/shareconomy.in-0003/fullchain.pem
Private Key Path: /etc/letsencrypt/live/shareconomy.in-0003/privkey.pem
  Certificate Name: shareconomy.in
Serial Number: 356fbbdcee353b181062df8e5371288c33a
Domains: www.shareconomy.in acemicromatic.shareconomy.in it.shareconomy.in kailasengg.shareconomy.in tlc.shareconomy.in
Expiry Date: 2020-11-18 09:23:02+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/shareconomy.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/shareconomy.in/privkey.pem
  Certificate Name: www.shareconomy.in
Serial Number: 3833aded80ce8d9efc233cc751ec662ba2d
Domains: shareconomy.in acemicromatic.shareconomy.in it.shareconomy.in kailasengg.shareconomy.in tlc.shareconomy.in
Expiry Date: 2020-11-18 06:34:22+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.shareconomy.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.shareconomy.in/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Ignoring the expired certificates, these are the ones that matter.

Certificate #1 (the one that nginx is using right now):

and Certificate #2 (which contains a different set of domains, but nginx isn't using it):

Because neither certificate contains the correct set of domains, you're going to need to replace the first certificate with a new certificate that contains the correct set of domains.

You can do that like this:

./letsencrypt-auto certonly --cert-name shareconomy.in -d shareconomy.in \
-d www.shareconomy.in -d acemicromatic.shareconomy.in -d it.shareconomy.in \
-d kailasengg.shareconomy.in -d tlc.shareconomy.in \
-a nginx --post-hook "service nginx reload"

Once you run that, you should have a certificate that is valid for all your domains, and the error should be gone.
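The coverage problem described in this reply can be checked mechanically. The following is an added example (not part of the thread and not Certbot's own code) that parses `certificates` output and reports, per unexpired lineage, which required hostnames the certificate lacks; the function names are hypothetical and the sample is built from the listing and the corrected command above.

```python
# Constructed sample: three entries copied from the `certificates` listing above
# (one expired, two valid); serial numbers and key paths are omitted.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: it.shareconomy.in
    Domains: it.shareconomy.in
    Expiry Date: 2020-05-04 06:33:56+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/it.shareconomy.in/fullchain.pem
  Certificate Name: shareconomy.in
    Domains: www.shareconomy.in acemicromatic.shareconomy.in it.shareconomy.in kailasengg.shareconomy.in tlc.shareconomy.in
    Expiry Date: 2020-11-18 09:23:02+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/shareconomy.in/fullchain.pem
  Certificate Name: www.shareconomy.in
    Domains: shareconomy.in acemicromatic.shareconomy.in it.shareconomy.in kailasengg.shareconomy.in tlc.shareconomy.in
    Expiry Date: 2020-11-18 06:34:22+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.shareconomy.in/fullchain.pem
"""

# Hostnames the site must serve, taken from the corrected command in the reply.
REQUIRED = ["shareconomy.in", "www.shareconomy.in", "acemicromatic.shareconomy.in",
            "it.shareconomy.in", "kailasengg.shareconomy.in", "tlc.shareconomy.in"]


def parse_lineages(text):
    """Parse `certificates` output into {cert_name: {"domains", "valid", "path"}}."""
    lineages, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            current = lineages.setdefault(value, {"domains": set(), "valid": False, "path": ""})
        elif current is not None and key == "Domains":
            current["domains"] = set(value.split())
        elif current is not None and key == "Expiry Date":
            current["valid"] = "(VALID" in value
        elif current is not None and key == "Certificate Path":
            current["path"] = value
    return lineages


def coverage_gaps(text, required):
    """Map each unexpired lineage's certificate path to the required names it lacks.

    Exact-name comparison only; wildcard SANs are not expanded (assumption: none in use).
    """
    return {info["path"]: sorted(set(required) - info["domains"])
            for info in parse_lineages(text).values() if info["valid"]}


if __name__ == "__main__":
    for path, missing in coverage_gaps(CERTBOT_OUTPUT, REQUIRED).items():
        print(path, "is missing", missing or "nothing")
```

Comparing the reported paths with the `ssl_certificate` line in the nginx configuration shows which gap visitors actually hit.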

Ohh, understood: the first parameter is the name of the certificate, while the rest are domain names that need to be included in the certificate. Let me get that done.

Hello @_az it worked,

Thanks.

Is it possible for you to assist me with multiple redirects when I opt for forced https?

You mean you have a redirect loop happening now? On what domain?

No, I had commented them out in my nginx config file, but when I uncomment them, I do get the error:

Here is the part of the config file that, when uncommented, gives me the error:

If I uncomment the return command, it gives me the error. I am trying to configure the server neatly.

upstream shareconomy {
  server unix:/home/shrcnmy/sites/shareconomy/current/tmp/sockets/unicorn.sock;
}
server{
       listen 80;
	server_name shareconomy.in	www.shareconomy.in;	
#	return 301 https://www.shareconomy.in$request_uri; 

root   /home/shrcnmy/sites/shareconomy/current/public;
access_log   /var/log/nginx/share.access.log;
error_log    /var/log/nginx/share.error.log info;

try_files $uri/index.html $uri @shareconomy;
 
 location @shareconomy {
    proxy_set_header X-Forwarded-Proto https ;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;

    proxy_pass http://shareconomy;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 10M;
  keepalive_timeout 10;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/shareconomy.in/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/shareconomy.in/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server{
	listen 443 ssl;
#	listen 80;
	server_name shareconomy.in; 
#	www.shareconomy.in;
	
#ssl on;
#    ssl_certificate /etc/letsencrypt/live/shareconomy.in/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/shareconomy.in/privkey.pem; # managed by Certbot

#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_prefer_server_ciphers on;

#ssl_ciphers 'ECDH.......; 

#ssl_stapling on; 
#ssl_stapling_verify on;

#ssl_trusted_certificate /etc/letsencrypt/live/sharec`:wqonomy.in/fullchain.pem;

#root   /home/shrcnmy/sites/shareconomy/current/public;
#access_log   /var/log/nginx/share.access.log;
#error_log    /var/log/nginx/share.error.log info;

#return 301 https://shareconomy.in$request_uri;

 location ~ ^/assets/ {
   gzip_static on;
   expires max;
   add_header Cache-Control public;
  }
#try_files $uri/index.html $uri @shareconomy;
  location @shareconomy {
#   proxy_set_header X-Forwarded-Proto https ;    
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;

proxy_pass http://shareconomy;
  }

  location ~ /.well-known {
root /home/shrcnmy/sites/shareconomy/current/public/letsencrypt;
allow all;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 10M;
  keepalive_timeout 10;

}


#proxy_set_header    Host              $host;
#proxy_set_header    X-Real-IP         $remote_addr;
#proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
#proxy_set_header    X-Forwarded-SSL on;
#proxy_set_header    X-Forwarded-Proto $scheme;



server{
#    if ($host = shareconomy.in) {
#        return 301 https://$host$request_uri;
#    } # managed by Certbot


listen 80;
server_name shareconomy.in www.shareconomy.in;
return 404; # managed by Certbot

}

If you’re allowing Certbot to configure nginx, then you need to keep your port 80 and port 443 virtual hosts separate.

Certbot doesn’t understand the configuration when both listen 80; and listen 443 ssl; are in the same server block.

Keep them separate.

server {
  listen 80;
  server_name shareconomy.in www.shareconomy.in;
  return 301 https://www.shareconomy.in$request_uri; 
}

server {
  listen 443 ssl;
  server_name shareconomy.in www.shareconomy.in;
  # rest of your normal config ...
}

I’m gonna file an issue against Certbot because this is the second time I’ve seen people get in trouble because of this. (Edit: Certbot handles this correctly and splits the vhosts based on my tests. Nothing filed.)
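A server-level `return 301 https://…` inside a block that also has `listen 443 ssl` answers HTTPS requests for its own names with a redirect back to the same URL, which is why the split layout above avoids the loop. The following check is an added example (not from the thread or from Certbot) that flags such blocks; the function names are hypothetical and the parser is deliberately minimal.

```python
import re

# Constructed samples: COMBINED mirrors the poster's vhost with the redirect enabled; SPLIT is the reply's layout.
COMBINED = """
server {
    listen 80;
    server_name shareconomy.in www.shareconomy.in;
    return 301 https://www.shareconomy.in$request_uri;
    location @shareconomy { proxy_pass http://shareconomy; }
    listen 443 ssl; # managed by Certbot
}
"""
SPLIT = """
server { listen 80; server_name shareconomy.in www.shareconomy.in;
         return 301 https://www.shareconomy.in$request_uri; }
server { listen 443 ssl; server_name shareconomy.in www.shareconomy.in; }
"""

def server_blocks(conf):
    """Yield each server block's own directives, with nested blocks removed."""
    conf = re.sub(r"#[^\n]*", "", conf)  # naive: assumes no '#' inside quoted values
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, own = 1, ""
        for ch in conf[m.end():]:
            if ch == "{":
                if depth == 1:
                    own = own[:own.rfind(";") + 1]  # drop the nested block's header
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    break
            elif depth == 1:
                own += ch
        yield own

def redirect_loops(conf):
    """Return the server_name list of every TLS vhost that redirects to itself."""
    findings = []
    for directives in server_blocks(conf):
        stmts = [s.split() for s in directives.split(";") if s.strip()]
        names = [n for s in stmts if s[0] == "server_name" for n in s[1:]]
        tls = any(s[0] == "listen" and "ssl" in s[1:] for s in stmts)
        for s in stmts:
            if tls and s[0] == "return" and len(s) == 3 and s[2].startswith("https://"):
                target = s[2][len("https://"):]
                if target.startswith("$host") or re.split(r"[/$]", target)[0] in names:
                    findings.append(names)
    return findings
```

`redirect_loops(COMBINED)` reports the combined vhost, while `redirect_loops(SPLIT)` returns an empty list.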

OK, will do that, thanks, and will revert to you. Sorry, I edited the above post multiple times so as to get it organised.
