Site Can't Be Reached - Connection Was Reset for all SSL sites after LetsEncrypt renewal

I renewed my letsencrypt certificates this week. They renewed successfully but since then I can’t load any SSL/HTTPS pages on the server. I can telnet to the server on port 443 and I verified the firewall rules and 443 is allowed.

I have a clone of the server with the same certificates and SSL is working there. I upgraded to the latest Easy Engine as well.

This is my ssl.conf

listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

I don’t have any force ssl conf files for this domain so there should be no redirection.

No entries appear in the log files (error or access) for https connections. So far I haven’t found any log file that tells me there’s a problem. I’ve even gone as far as removing the SSL configuration and updating the site for letsencrypt but I still can’t get the site (or any site) to load via https.

Any help or direction for where to look would be great. A domain with the issue is https://network1.outsmarthosting.com/

Thanks

One more bit of info, if I use curl I get this error.

curl -I https://network1.outsmarthosting.com/
curl: (35) Server aborted the SSL handshake

These are my settings. I’ve tried some changes, but nothing has worked.

# SSL Settings
##

ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
#ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;";
ssl_protocols TLSv1.1 TLSv1.2;

How did you renew your certificates? Manually, which command did you use? Or do you have EE do it for you automatically?

I ran this to renew. The auto renew hasn’t really worked. But I started using letsencrypt early on and they changed the cron command and I haven’t gone back to add the correct one manually.

cd /opt/letsencrypt/
sudo -H ./letsencrypt-auto renew

Looks OK, anyway, try a different cipher and protocol just to be sure:

ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

The following command shows that you have no cipher and no protocol:

sudo openssl s_client -connect network1.outsmarthosting.com:443 -showcerts
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1470575917
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

And see if it helps.

I also think something went wrong during the certificate renewal process.

Try this:

sudo apt-get update
sudo apt-get upgrade
service nginx stop
/opt/letsencrypt/letsencrypt-auto renew 
service nginx start

I tried what you suggested.

The certs won’t renew. It says…

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/network1.outsmarthosting.com-0001/fullchain.pem (skipped)
No renewals were attempted.

So I disabled letsencrypt on the site

ee site update network1.outsmarthosting.com --letsencrypt=off

Deleted all the cert files and conf files for that domain from /etc/letsencrypt/live | renewals | archive

I removed the ssl.conf

/var/www/network1.outsmarthosting.com/conf/nginx/ssl.conf

and enabled letsencrypt all over again

ee site update network1.outsmarthosting.com --letsencrypt

I even put the SSL ciphers in the ssl.conf file

listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/network1.outsmarthosting.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/network1.outsmarthosting.com/privkey.pem;
ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

It’s so strange. Thanks for your suggestions. Any others?
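The renewal output in the post above names a lineage ending in `-0001`, while the posted ssl.conf loads from the unsuffixed directory. As an added example (not part of the original posts, and not EasyEngine or letsencrypt code), this script lists the certificate paths an nginx config loads and flags any that do not resolve or that have a numbered sibling lineage; the function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags two conditions the posts hint at:
# an ssl_certificate path that does not resolve, and a numbered sibling
# lineage (e.g. "-0001") next to the one nginx is configured to load.

# usage: check_nginx_le_paths CONF [LIVE_DIR]; returns 1 if anything is flagged
check_nginx_le_paths() {
    conf=$1; live=${2:-/etc/letsencrypt/live}; rc=0
    # Drop comments, split on ';' so one-line configs work, keep the path argument.
    paths=$(sed 's/#.*//' "$conf" | tr ';' '\n' |
        awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" { print $2 }')
    for p in $paths; do
        # -e follows symlinks, so a dangling live/ -> archive/ link is caught too.
        [ -e "$p" ] || { echo "MISSING $p"; rc=1; }
    done
    for lineage in $(for p in $paths; do dirname "$p"; done | sort -u); do
        [ "$(dirname "$lineage")" = "$live" ] || continue
        for dup in "$lineage"-[0-9][0-9][0-9][0-9]; do
            [ -d "$dup" ] || continue
            echo "DUPLICATE $dup exists but nginx loads from $lineage"; rc=1
        done
    done
    return $rc
}

# Constructed sample tree (temporary directory, nothing under /etc is touched).
demo() {
    d=$(mktemp -d); live=$d/live; n=network1.outsmarthosting.com
    mkdir -p "$live/$n" "$live/$n-0001"
    touch "$live/$n/fullchain.pem"   # privkey.pem deliberately left out
    printf 'listen 443 ssl http2; ssl on; ssl_certificate %s/fullchain.pem; ssl_certificate_key %s/privkey.pem;\n' \
        "$live/$n" "$live/$n" > "$d/ssl.conf"
    check_nginx_le_paths "$d/ssl.conf" "$live" && rc=0 || rc=$?
    rm -rf "$d"; return $rc
}

# With arguments, check a real config; without, run the constructed demo.
if [ $# -ge 1 ]; then check_nginx_le_paths "$@"; else demo || true; fi
```

A DUPLICATE finding only means two lineages exist for the same name; which one holds the current certificate still has to be confirmed before editing the config.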

Here’s the current output of the command:

curl -Iv https://network1.outsmarthosting.com
* Rebuilt URL to: https://network1.outsmarthosting.com/
* Hostname was NOT found in DNS cache
*   Trying 54.85.12.43...
* Connected to network1.outsmarthosting.com (54.85.12.43) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to network1.outsmarthosting.com:443 
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to network1.outsmarthosting.com:443 

It complains about the protocol. Can you try just this single one:

ssl_protocols TLSv1.2;

And then run

curl -Iv https://network1.outsmarthosting.com

and report back with output.

Sorry, I’ve been traveling and couldn’t run any of these tests, but I’m back now.

I made that change and ran the command.

curl -Iv https://network1.outsmarthosting.com

What OS and EE versions are you using? Can you try to uninstall and then re-install letsencrypt?

I’m running Ubuntu 14.04.

Here are my versions.

sudo ee --version
EasyEngine v3.7.2 Copyright (c) 2016 rtCamp Solutions Pvt. Ltd.

sudo -H ./letsencrypt-auto --version
letsencrypt 0.8.1

Haven’t had a chance to research how to remove letsencrypt. Should I just install certbot? It’s not clear to me yet if that replaces /opt/letsencrypt or not.

Thanks

Try to disable it first:

ee site update example.com --letsencrypt=off

and then re-enable it back:

ee site update example.com --letsencrypt=on

What does this command output after you run these commands?

ee site info example.com

Before:

sudo ee site info network1.outsmarthosting.com
Information about network1.outsmarthosting.com:
Nginx configuration wpsubdir basic (enabled)
PHP Version 5.5
HHVM disabled
SSL enabled
SSL PROVIDER Lets Encrypt
SSL EXPIRY DATE Sat Nov 5 19:42:00 EDT 2016

============

after disabling letsencrypt

sudo ee site update network1.outsmarthosting.com --letsencrypt=off
sudo ee site info network1.outsmarthosting.com
Information about network1.outsmarthosting.com:
Nginx configuration wpsubdir basic (enabled)
PHP Version 5.5
HHVM disabled
SSL disabled

=================================

After turning back on.

sudo ee site update network1.outsmarthosting.com --letsencrypt=on
sudo ee site info network1.outsmarthosting.com
Information about network1.outsmarthosting.com:
Nginx configuration wpsubdir basic (enabled)
PHP Version 5.5
HHVM disabled
SSL enabled
SSL PROVIDER Lets Encrypt
SSL EXPIRY DATE Sat Nov 5 19:42:00 EDT 2016

OK so what is the problem now? It looks like the SSL is enabled on your site.

The problem is that it still doesn’t load in the browser.

curl -Iv https://network1.outsmarthosting.com

It’s so weird.

So I built an entirely new server, moved my configs and certs over and SSL still didn’t work.

Then I cleaned up some extra files in nginx and tried again. No luck.

Next I removed my cert files and created a new site and SSL worked.

I almost feel like it’s a permissions issue on /etc/letsencrypt but I can’t find any differences between servers that work and don’t work.

After trying to add my certs back and test again after the first site installed fine I can’t get any certs to install. It just hangs. Even on the one that succeeded the first time.

sudo ee site create v2.outsmarthosting.com --letsencrypt
Running pre-update checks, please wait…
Setting up NGINX configuration [Done]
Setting up webroot [Done]
Reload : nginx [OK]
Successfully created site http://v2.outsmarthosting.com
Letsencrypt is currently in beta phase.
Do you wish to enable SSl now for v2.outsmarthosting.com?
Type “y” to continue [n]:y
Please Wait while we fetch SSL Certificate for your site.
It may take time depending upon network.

Does it get stuck connecting by using other commands, like apt-get update as well?

It was only getting stuck on lets encrypt. I ended up deleting the /etc/letsencrypt folder and trying to request a cert again and it created a new folder and the request succeeded. Far as I can tell the permissions on old and new folders were the same. Doesn’t make any sense, but I can issue new certs now.

Doug