Site Can't Be Reached - Connection Was Reset for all SSL sites after LetsEncrypt renewal


I renewed my letsencrypt certificates this week. They renewed successfully but since then I can’t load any SSL/HTTPS pages on the server. I can telnet to the server on port 443 and I verified the firewall rules and 443 is allowed.


I have a clone of the server with the same certificates and SSL is working there. I upgraded to the latest Easy Engine as well.

This is my ssl.conf

listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

I don’t have any force ssl conf files for this domain so there should be no redirection.

No entries appear in the log files (error or access) for https connections. So far I haven’t found any log file that tells me there’s a problem. I’ve even gone as far as removing the SSL configuration and updating the site for letsencrypt but I still can’t get the site (or any site) to load via https.

Any help or direction for where to look would be great. A domain with the issue is



One more bit of info, if I use curl I get this error.

curl -I
curl: (35) Server aborted the SSL handshake

These are my settings. I’ve tried some changes, but nothing has worked.

# SSL Settings

ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2;


How did you renew your certificates? Manually? Which command did you use? Or do you have EE do it for you automatically?


I ran this to renew. The auto renew hasn’t really worked. But I started using letsencrypt early on and they changed the cron command and I haven’t gone back to add the correct one manually.

cd /opt/letsencrypt/
sudo -H ./letsencrypt-auto renew


Looks OK, anyway, try a different cipher and protocol just to be sure:


The following command shows that you have no cipher and no protocol:

sudo openssl s_client -connect -showcerts
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 305 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : 0000
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1470575917
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

And see if it helps.

I also think something went wrong during the certificate renewal process.

Try this:

sudo apt-get update
sudo apt-get upgrade
service nginx stop
/opt/letsencrypt/letsencrypt-auto renew 
service nginx start


I tried what you suggested.

The certs won’t renew. It says…

The following certs are not due for renewal yet:
/etc/letsencrypt/live/ (skipped)
No renewals were attempted.

So I disabled letsencrypt on the site

ee site update --letsencrypt=off

Deleted all the cert files and conf files for that domain from /etc/letsencrypt/live | renewals | archive

I removed the ssl.conf


and enabled letsencrypt all over again

ee site update --letsencrypt

I even put the SSL ciphers in the ssl.conf file

listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;
ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

It’s so strange. Thanks for your suggestions. Any others?


Here’s the current output of the command:

curl -Iv
* Rebuilt URL to:
* Hostname was NOT found in DNS cache
*   Trying
* Connected to ( port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to 
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to 

It complains about the protocol. Can you try just this single one:

ssl_protocols TLSv1.2;

And then run

curl -Iv

and report back with output.


Sorry, I’ve been traveling and couldn’t run any of these tests, but I’m back now.

I made that change and ran the command.

curl -Iv


What OS and EE versions are you using? Can you try to uninstall and then re-install letsencrypt?


I’m running Ubuntu 14.04.

Here are my versions.

sudo ee --version
EasyEngine v3.7.2 Copyright (c) 2016 rtCamp Solutions Pvt. Ltd.

sudo -H ./letsencrypt-auto --version
letsencrypt 0.8.1

Haven’t had a chance to research how to remove letsencrypt. Should I just install certbot? It’s not clear to me yet if that replaces /opt/letsencrypt or not.



Try to disable it first:

ee site update --letsencrypt=off

and then re-enable it back:

ee site update --letsencrypt=on

What does this command output after you run these commands?

ee site info



sudo ee site info

Information about

Nginx configuration wpsubdir basic (enabled)

PHP Version 5.5

HHVM disabled

SSL enabled


SSL EXPIRY DATE Sat Nov 5 19:42:00 EDT 2016


after disabling letsencrypt

sudo ee site update --letsencrypt=off

sudo ee site info

Information about

Nginx configuration wpsubdir basic (enabled)

PHP Version 5.5

HHVM disabled

SSL disabled


After turning back on.

sudo ee site update --letsencrypt=on

sudo ee site info

Information about

Nginx configuration wpsubdir basic (enabled)

PHP Version 5.5

HHVM disabled

SSL enabled


SSL EXPIRY DATE Sat Nov 5 19:42:00 EDT 2016


OK so what is the problem now? It looks like the SSL is enabled on your site.


The problem is that it still doesn’t load in the browser.

curl -Iv

It’s so weird.


So I built an entirely new server, moved my configs and certs over and SSL still didn’t work.

Then I cleaned up some extra files in nginx and tried again. No luck.

Next I removed my cert files and created a new site and SSL worked.

I almost feel like it’s a permissions issue on /etc/letsencrypt but I can’t find any differences between servers that work and don’t work.

After trying to add my certs back and test again after the first site installed fine, I can’t get any certs to install. It just hangs. Even on the one that succeeded the first time.

sudo ee site create --letsencrypt

Running pre-update checks, please wait…

Setting up NGINX configuration [Done]

Setting up webroot [Done]

Reload : nginx [OK]

Successfully created site

Letsencrypt is currently in beta phase.

Do you wish to enable SSl now for

Type “y” to continue [n]:y

Please Wait while we fetch SSL Certificate for your site.

It may take time depending upon network.


Does it get stuck connecting by using other commands, like apt-get update as well?


It was only getting stuck on Let’s Encrypt. I ended up deleting the /etc/letsencrypt folder and trying to request a cert again and it created a new folder and the request succeeded. Far as I can tell the permissions on old and new folders were the same. Doesn’t make any sense, but I can issue new certs now.
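
The thread ends with the state of /etc/letsencrypt as the suspect after certificates were copied between servers. As an added example (not code from the thread or from EasyEngine), these shell functions check one certificate directory for dangling symlinks, missing or empty files, and a certificate/key mismatch. The function names are hypothetical, the directory argument is a placeholder, and the layout assumed is the standard one where live/<domain>/ holds symlinks into archive/<domain>/.

```shell
#!/bin/sh
# Added example (not from the thread). Usage, with a placeholder domain:
#   check_lineage /etc/letsencrypt/live/<your-domain> && \
#   key_matches_cert /etc/letsencrypt/live/<your-domain>

# Return codes: 0 ok, 1 file missing, 2 dangling symlink, 3 unreadable or empty.
check_lineage() {
    dir=$1
    for name in fullchain.pem privkey.pem; do
        f="$dir/$name"
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            # The symlink exists but its target (normally under ../../archive/)
            # is gone, e.g. live/ was copied to a new server without archive/.
            echo "DANGLING $f -> $(readlink "$f")"
            return 2
        fi
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
            return 1
        fi
        if [ ! -r "$f" ] || [ ! -s "$f" ]; then
            echo "UNREADABLE_OR_EMPTY $f"
            return 3
        fi
    done
    echo "OK $dir"
    return 0
}

# Return 0 when the leaf certificate in fullchain.pem and privkey.pem carry the
# same public key; non-zero on mismatch or when either file cannot be parsed.
key_matches_cert() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run it as the same user that loads the certificates (root for the nginx master process), since the readability check depends on who runs it.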