Top 5 Errors Renewing SSL Certificate with Nginx and How to Fix Them

David Oravsky - 5 min read
Last Updated - Sep 23, 2021
Summary: This guide covers some of the most common checks you need to perform when troubleshooting issues with renewing SSL certificates using Nginx.

Introduction

Updating SSL certificates can be messy. PEM files won’t load, Nginx cannot find the certificate, and the green padlock does not appear no matter what you do. You are not alone.

Hundreds of Nginx owners face SSL certificate renewal issues every day, but today we will discuss how to quickly resolve them.

Let’s look at the top 5 issues reported by Nginx users, and how to solve them.

1. Let's Encrypt Renewal Command Breaks

Many Nginx server owners today use Let’s Encrypt as a certificate provider.

Let's Encrypt provides a way to renew SSL certificates using various command line tools, such as CertBot.

Here are some reasons why a CertBot-based renewal fails:

- Wrong WebRoot specified in renew command

CertBot uses a command line parameter called WebRoot to know where it should store the new certificates.

On recently migrated or updated websites, this parameter may point to the wrong directory, causing the renewal to fail.

To correct this error, configure the CertBot settings according to the current website configuration.

- .well-known folder deleted or wrong permissions set

CertBot uses the .well-known folder in the root document directory of the website to authenticate the request.

If this folder has incorrect permissions or is missing altogether (possibly due to a security cleanup or a migration error), restoring it quickly fixes the problem.

- HTTP authorization set for .well-known folder

Some sites set up an additional level of security by protecting the “.well-known” folder with .htaccess authentication.

This will disrupt the command-line update process. Thus, on these sites, disable HTTP authentication until the renewal is complete.

Of course, there are other errors associated with the CertBot based renewal.

This is because the renewal process goes through a complex sequence of steps: automatically generating a CSR, contacting the Let’s Encrypt servers over the ACME protocol, passing the authentication test via the .well-known folder, placing the certificates in the right folder, and restarting the Nginx servers.

If for any reason any step in this sequence fails, the renewal is not performed.

So, there is no one solution for all issues. Instead, collect evidence from the Let’s Encrypt log file (/var/log/letsencrypt/letsencrypt.log), and systematically rule out every possibility to focus on the root cause.

2. Old SSL Shows Up Even After Update

Of course, extending your SSL lease can be tricky, but the most confusing of all is when, after a successful renewal, the browser still shows the old expired SSL certificate.

You might think Nginx is doing that out of spite, but there are perfectly logical reasons for that.

Here are some common reasons:

- Cert uploaded to the wrong location

Administrators sometimes use old or incompatible renewal steps to upload new certificates.

This usually happens after a recent application update, site migration or server update.

In these cases, new certificates are stored in a folder that is not in Nginx’s certificate path.

To resolve this error, look in the Nginx configuration files for the path to the certificate, and then check whether the new files are uploaded to this location.

- New certificate not uploaded to the gateway server

In some web configurations, the Nginx server is behind a load-balancer or a caching server.

Thus, it is not enough to upload a new certificate to the Nginx server. It must also be uploaded to the external servers.

Many site owners skip this step, which leads to errors when renewing their SSL certificates.

- Nginx reload fails

There are times when Nginx does not restart completely. The old process continues to serve the old certificate from memory.

If you suspect that a rogue Nginx process is running, forcefully kill it and restart the service to fix this problem.
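To tell which of the three causes above applies, compare the certificate Nginx is configured to load with the one clients actually receive. The script below is an added example, not part of this guide and not an Nginx or certbot tool; it assumes the openssl CLI is installed and uses `nginx -T` (Nginx's own option for dumping the merged configuration) as the source of certificate paths. The config fragment in the demo is constructed.

```shell
#!/bin/sh
# Added example: is Nginx serving the certificate that is on disk?
# Assumes the openssl CLI. Certificate paths come from the Nginx
# configuration; `nginx -T` dumps the full, merged config to stdout.

# Print every ssl_certificate path in a config dump (file, or '-' for stdin).
# ssl_certificate_key lines are skipped because $1 must match exactly.
ssl_certificate_paths() {
    awk '$1 == "ssl_certificate" { gsub(/[;"]/, "", $2); print $2 }' "${1:--}" | sort -u
}

# SHA-256 fingerprint of the first certificate in a PEM file (the leaf).
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate a server presents for HOST. SNI is sent,
# so a load balancer or cache in front of Nginx is probed the way a browser
# would probe it, which is what exposes the "front-end still has the old cert" case.
served_fingerprint() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare on-disk and served certificates. A mismatch means the reload never
# happened, the file is in a path Nginx does not read, or a gateway in front
# still serves the old one.
compare_cert() {
    host="$1"; pem="$2"
    disk=$(file_fingerprint "$pem") || return 2
    live=$(served_fingerprint "$host") || return 2
    if [ "$disk" = "$live" ]; then
        echo "match: $host serves $pem ($disk)"
        return 0
    fi
    echo "MISMATCH for $host"
    echo "  on disk: $disk"
    echo "  served : $live"
    return 1
}

# Workers from before a reload show up as "worker process is shutting down"
# and keep the old certificate in memory for their remaining connections.
# Returns 0 and lists them if any exist, 1 if none.
stale_nginx_workers() {
    ps -eo pid=,args= | grep '[n]ginx: worker process is shutting down'
}

# Demo: parse a constructed config fragment (no openssl or network needed).
demo=$(mktemp -d)
cat > "$demo/nginx.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/ssl/example.test/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.test/privkey.pem;
}
EOF
echo "certificates referenced by config:"
ssl_certificate_paths "$demo/nginx.conf"
rm -rf "$demo"
# In production:
#   nginx -T 2>/dev/null | ssl_certificate_paths
#   compare_cert example.test /etc/ssl/example.test/fullchain.pem
#   stale_nginx_workers && echo "old workers still draining"
```

Run `compare_cert` once against the Nginx host directly (by IP, or with `/etc/hosts` pointing at it) and once against the public name: if the first matches and the second does not, the stale certificate lives on the load balancer or cache, not on Nginx.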

3. Intermediate Certificates Built Wrong or Corrupted

The main annoyance for Nginx users is that Nginx does not accept intermediate certificates (also called certificate bundles or the certificate chain) as a separate file.

Instead, users must place their site certificate and all intermediate certificates in one file in the correct order, and then specify it in the ssl_certificate configuration parameter.

Yes, it sounds difficult, and it certainly is difficult for those who are not used to working with the server back-end.

That is why many webmasters see a “Site Not Trusted” error even after an apparently successful update.

Almost all these errors are caused by an incorrect copy-paste of the certificate data into the files. Some characters may be missing, or one certificate may be pasted on top of another.

All this corrupts the certificate file, and connecting browsers will not be able to validate it.

Correct this by programmatically combining the site certificate and chain certificate so that there are no manual errors.
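Building the combined file with a script, and checking it before pointing ssl_certificate at it, removes the manual step where the damage happens. The following is an added example, not from this guide; it assumes the openssl CLI, and the file names site.crt (the leaf) and chain.crt (the intermediates) are placeholders. The check mirrors what a browser does: every certificate must parse, and each certificate's issuer must be the subject of the certificate that follows it. The throw-away chain it generates for the demo is constructed and must never be used for anything real.

```shell
#!/bin/sh
# Added example: build and validate an Nginx certificate bundle.
# Assumes the openssl CLI. File names site.crt / chain.crt are placeholders.

# Concatenate leaf first, then intermediates. A file without a trailing
# newline would fuse its END line with the next BEGIN line, so add one.
build_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        if [ -n "$(tail -c 1 "$f")" ]; then echo >> "$out"; fi
    done
}

# Split a PEM bundle into one file per certificate (dir/cert01.pem, ...),
# dropping anything outside the BEGIN/END markers.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# Reject a bundle whose BEGIN/END markers do not pair up (a truncated paste).
check_pem_markers() {
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    if [ "$b" -eq 0 ] || [ "$b" -ne "$e" ]; then
        echo "marker mismatch: $b BEGIN vs $e END in $1"
        return 1
    fi
    return 0
}

# Verify every certificate parses and the order is leaf -> issuer ->
# issuer's issuer. Prints the first break it finds.
check_bundle_order() {
    bundle="$1"
    check_pem_markers "$bundle" || return 1
    tmp=$(mktemp -d)
    split_pem "$bundle" "$tmp"
    rc=0; prev_issuer=""; i=0
    for c in "$tmp"/cert*.pem; do
        i=$((i + 1))
        subj=$(openssl x509 -in "$c" -noout -subject 2>/dev/null) \
            || { echo "certificate #$i does not parse (corrupted copy/paste?)"; rc=1; break; }
        iss=$(openssl x509 -in "$c" -noout -issuer 2>/dev/null)
        subj=${subj#subject=}; iss=${iss#issuer=}
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "chain break at #$i: previous cert was issued by '$prev_issuer' but this one is '$subj'"
            rc=1; break
        fi
        prev_issuer="$iss"
    done
    rm -rf "$tmp"
    return $rc
}

# Constructed two-level chain (throw-away "intermediate" + leaf) so the checks
# can be exercised offline. Never reuse these keys.
make_test_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/chain.crt" \
        -subj /CN=Example-Test-Intermediate -days 1 >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -keyout "$d/site.key" -out "$d/site.csr" \
        -subj /CN=example.test >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/site.csr" -CA "$d/chain.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/site.crt" -days 1 >/dev/null 2>&1
}

# Demo: a correctly ordered bundle passes, a reversed one is rejected.
demo=$(mktemp -d)
if make_test_chain "$demo"; then
    build_bundle "$demo/fullchain.pem" "$demo/site.crt" "$demo/chain.crt"
    check_bundle_order "$demo/fullchain.pem" && echo "bundle ok: leaf first, then its issuer"
    build_bundle "$demo/reversed.pem" "$demo/chain.crt" "$demo/site.crt"
    check_bundle_order "$demo/reversed.pem" || echo "(reversed bundle correctly rejected)"
fi
rm -rf "$demo"
# Real use: build_bundle fullchain.pem site.crt chain.crt && check_bundle_order fullchain.pem
```

Only replace the file Nginx reads after `check_bundle_order` returns 0, then reload; a chain break or a truncated paste is caught here rather than by the first visitor's "Site Not Trusted" warning.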

4. Forbidden Errors While Running Certificate Renewal

These days you can’t be too paranoid.

That is why some server administration panels, such as Plesk, provide a way to block any access to hidden directories (those that start with a period [ . ] ).

This is a measure to protect confidential information that some applications store in hidden directories.

Unfortunately, automatic certificate installers, such as CertBot from Let’s Encrypt, use hidden folders (/path/to/docroot/.well-known) to verify the user.

That verification cannot succeed while hidden-folder protection is enabled.

Therefore, when you see a “403 Forbidden” error message in the certificate renewal log files, look for such security restrictions and remove them until the new certificate is installed.
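The checks from section 1 (wrong webroot, missing or unreadable .well-known folder) and the 403 case from this section can be run before `certbot renew` instead of after it fails. The script below is an added example, not part of this guide and not certbot's own code; it assumes certbot's standard renewal-config layout (/etc/letsencrypt/renewal/<domain>.conf with a [[webroot_map]] section naming the document root under which the webroot plugin writes .well-known/acme-challenge/<token>) and uses curl for the live probe. The renewal config in the demo is constructed.

```shell
#!/bin/sh
# Added example (not certbot's code): pre-flight checks for a webroot renewal.
# Assumes certbot's standard layout: /etc/letsencrypt/renewal/<domain>.conf
# holds a [[webroot_map]] section mapping each name to the document root in
# which the webroot plugin writes .well-known/acme-challenge/<token>.

# Print the webroot certbot will use for DOMAIN, read from renewal config CONF.
webroot_for_domain() {
    conf="$1"; domain="$2"
    awk -F' *= *' -v d="$domain" '$1 == d { print $2; exit }' "$conf"
}

# The challenge directory must exist and be readable and traversable, or the
# web server cannot serve the token certbot drops there. Prints why it fails.
check_challenge_dir() {
    dir="$1/.well-known/acme-challenge"
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "not readable/traversable by $(id -un): $dir"
        return 1
    fi
    return 0
}

# Map the HTTP status seen on the challenge URL to the causes discussed above:
# 401/403 mean HTTP auth or a hidden-directory rule is in the way (section 4),
# 404 means the webroot in the renewal config is not this vhost's document
# root (section 1). Returns 0 only for 200.
explain_status() {
    case "$1" in
        200) echo "ok: challenge path is publicly readable"; return 0 ;;
        401) echo "blocked: HTTP authentication covers .well-known"; return 1 ;;
        403) echo "blocked: a rule denies hidden (dot) directories"; return 1 ;;
        404) echo "not found: webroot in renewal config is not this vhost's root"; return 1 ;;
        000) echo "no answer: DNS, firewall, or nothing listening on port 80"; return 1 ;;
        *)   echo "unexpected HTTP $1"; return 1 ;;
    esac
}

# Live probe: drop a throw-away token where certbot would and fetch it over
# plain HTTP on port 80, which is how the ACME validator requests it.
probe_challenge() {
    domain="$1"; webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$-$(date +%s)"
    printf 'preflight' > "$dir/$token" || return 1
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    explain_status "$code"
}

# Demo on a constructed renewal config in a temporary directory (no network).
demo=$(mktemp -d)
mkdir -p "$demo/root"
printf '[renewalparams]\nauthenticator = webroot\n[[webroot_map]]\nexample.test = %s/root\n' \
    "$demo" > "$demo/example.test.conf"
root=$(webroot_for_domain "$demo/example.test.conf" example.test)
echo "webroot for example.test: $root"
check_challenge_dir "$root" || echo "-> mkdir -p $root/.well-known/acme-challenge"
mkdir -p "$root/.well-known/acme-challenge"
check_challenge_dir "$root" && echo "challenge directory ok"
explain_status 403 || true   # what a hidden-directory block looks like
rm -rf "$demo"
# Against a real host, after the offline checks pass:
#   probe_challenge example.com "$(webroot_for_domain /etc/letsencrypt/renewal/example.com.conf example.com)"
```

Where the hidden-directory rule lives in the Nginx config itself (a `location ~ /\. { deny all; }` block) rather than in a panel setting, it does not have to be removed: a prefix location declared before it, `location ^~ /.well-known/acme-challenge/ { allow all; }`, wins over the regex match in Nginx's location selection, so the validator gets through while every other dot-directory stays blocked.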

5. Nginx Crashes After Certificate Renewal

The most urgent problems are often associated with crashed Nginx servers after an unsuccessful update.

Some auto-installers rewrite configuration entries, and if the installer fails partway through, it leaves the Nginx configuration file broken.

In such cases, restore the Nginx configuration file from a backup to quickly bring the site back online.

If a backup is not available, you can get the site back online by resetting the SSL configuration section that most automated tools target.

Once the site is online again, make changes manually to bring the new certificate online.
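A safer pattern than recovering after the fact is to snapshot the configuration before the renewal tool runs and let `nginx -t` decide whether the result is kept. The script below is an added example, not part of this guide, certbot, or Nginx; the directory names are placeholders, and the demo uses a grep as a constructed stand-in for `nginx -t`.

```shell
#!/bin/sh
# Added example: run a config-changing tool (for example "certbot renew")
# behind a snapshot of the Nginx config and roll back automatically when
# the validator ("nginx -t" in production) rejects the result.

# Copy a directory tree, replacing the destination. Used for both snapshot
# and restore so the two directions cannot drift apart.
copy_tree() {
    rm -rf "$2" && cp -Rp "$1" "$2"
}

# guarded_change CONFDIR CHANGE_CMD TEST_CMD
#   Snapshot CONFDIR, run CHANGE_CMD, then TEST_CMD. On test failure restore
#   the snapshot, keep it next to CONFDIR for later diffing, and return 1 so
#   a cron job or monitoring notices.
guarded_change() {
    confdir="$1"; change_cmd="$2"; test_cmd="$3"
    snap="${confdir%/}.snapshot.$(date +%Y%m%d%H%M%S).$$"
    copy_tree "$confdir" "$snap" || { echo "snapshot failed, refusing to continue" >&2; return 2; }
    sh -c "$change_cmd" || echo "change command exited with status $?" >&2
    if sh -c "$test_cmd"; then
        rm -rf "$snap"
        return 0
    fi
    echo "config check failed after change; restoring $confdir from $snap" >&2
    copy_tree "$snap" "$confdir"
    return 1
}

# Demo: a change that leaves a half-written directive behind, as a failed
# installer would, is rolled back because the stand-in validator rejects it.
demo=$(mktemp -d)
mkdir "$demo/conf.d"
echo "ssl_certificate /etc/ssl/site/fullchain.pem;" > "$demo/conf.d/site.conf"
guarded_change "$demo/conf.d" \
    "echo 'ssl_certificate /etc/letsencrypt/live/site/fullchain.p' > '$demo/conf.d/site.conf'" \
    "grep -q 'fullchain.pem;' '$demo/conf.d/site.conf'" \
    && echo "change kept" \
    || echo "change rolled back; live config: $(cat "$demo/conf.d/site.conf")"
rm -rf "$demo"
# Production shape:
#   guarded_change /etc/nginx "certbot renew --deploy-hook 'nginx -s reload'" "nginx -t" || alert-the-team
```

Keeping the snapshot after a rollback matters: diffing it against the rejected config shows exactly which directive the installer broke, which is the manual change the last step above asks for.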

Conclusion

Renewing certificates can be a hassle, but we discussed 5 main problems reported by Nginx users when updating SSL, and how to fix them.

If you have any questions or thoughts on the tutorial, feel free to reach out in the comments below.
