Question

SSL Certbot Certificate Expired -> Appearance of 502 Gateway Error when trying to renew

Posted September 26, 2019 754 views
Nginx, DNS, Let's Encrypt

Today my site broke as the SSL Certificate expired. The certbot setup was set up to automatically renew, however that did not execute, and manually trying to renew/reinstall the certificate comes back with a 502 Gateway Error for the HTML Verification pages it works through.

Since this may be related to an NGINX Configuration error, here are my nginx files. Feel free to critique what I should change in order to optimize it.

I’ve also included some commands to certify that services are in proper working order, despite the 502 Gateway error.

Thank you for any support you can give.

sudo certbot --nginx -d xevion.dev -d www.xevion.dev

GitHub Gist

The only thing I can point out is that it’s working on HTTP and not HTTPS, which I can’t seem to find a specific reason for? I don’t remember needing to type in any special arguments to get it to work on HTTPS only. Additionally, I ran it with multiple arguments and some not at all to make sure that it had no effect and that it was using HTTP autonomously. I believe this might be the source of the problem, somehow.

nginx -t

xevion@ubuntu-s-1vcpu-1gb-lon1-01:/var/log$ sudo nginx -t
nginx: [warn] conflicting server name "xevion.dev" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.xevion.dev" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "xevion.dev" on [::]:80, ignored
nginx: [warn] conflicting server name "www.xevion.dev" on [::]:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I’m not sure of the fix for the first couple of warns, perhaps they’re for HTTP IPv4 & IPv6, which is completely impossible with the HSTS policy in place. But business as usual, it has always been that way.

systemctl status nginx;systemctl status xeviondev

GitHub Gist

cat nginx.conf

GitHub Gist

cat /sites-available/xeviondev

GitHub Gist

1 answer

Hello,

The Nginx config looks correct. Can you confirm if your AAAA record actually matches the IPv6 that you have assigned on your server?

Also what I could suggest is:

  • Check your Nginx error log:
tail -100 /var/log/nginx/error.log

This should give you some more information for further troubleshooting.

Let me know how it goes.

Regards,
Bobby

  • Accidentally replied with an answer and it hasn’t shown up yet, so I’ll reply properly to see if it gets here faster.

    Includes requested tail command and empty journalctl of Nginx.

    GitHub Gist

    :/

    • Hello @xevioni

      I can see that the site is working again with a valid SSL. Would you mind sharing here how you fixed the problem?

      Thanks and regards,
      Bobby

      • Site was fixed by running sudo rm /etc/nginx/sites-enabled/default. For some reason, the default nginx webserver was still enabled, and despite me never removing it, including whenever I initially created my SSL certificate. I’m not sure how, but when it was created, it didn’t appear to care about the default webserver being enabled, and thus the confusion that occurred in this thread when a renewal attempt was started.

        I asked on the Let’s Encrypt forum here for help following inadequate support by DigitalOcean.
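
Added example (not part of the thread, and not the poster's or certbot's code): a small checker that reports the same overlap `nginx -t` warns about in the question, where two enabled server blocks claim the same server name on the same listen address, which is what the leftover `sites-enabled/default` produced here. The file names and the `example.test` names are constructed, and the parser assumes simple configs with no `include` handling.

```python
import re
from collections import defaultdict

# Constructed sample files (the poster's real configs are not shown on the page).
SAMPLE = {
    "sites-enabled/default": """
        server {
            listen 80;
            listen [::]:80;
            server_name example.test www.example.test;
            location / { try_files $uri $uri/ =404; }
        }""",
    "sites-enabled/app": """
        server {
            listen 80;
            listen [::]:80;
            server_name example.test www.example.test;  # same names as default
            location / { proxy_pass http://127.0.0.1:8000; }
        }
        server {
            listen 443 ssl;
            server_name example.test;
        }""",
}

def server_blocks(text):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    text = re.sub(r"#.*", "", text)  # strip comments
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def values(directive, body):
    """Return the argument strings of every `directive ...;` in a block body."""
    return re.findall(r"(?<![\w$-])" + directive + r"\s+([^;]+);", body)

def conflicts(configs):
    """Map (listen address, server name) -> files, where 2+ blocks claim the pair."""
    seen = defaultdict(list)
    for path, text in configs.items():
        for body in server_blocks(text):
            for listen in values("listen", body):
                addr = listen.split()[0]
                addr = "0.0.0.0:" + addr if addr.isdigit() else addr  # bare port
                for name in " ".join(values("server_name", body)).split():
                    seen[(addr, name)].append(path)
    return {pair: files for pair, files in seen.items() if len(files) > 1}

if __name__ == "__main__":
    for (addr, name), files in conflicts(SAMPLE).items():
        print(f'conflicting server name "{name}" on {addr}: {", ".join(files)}')
```

Running a check like this over the enabled site files before a renewal shows which file is competing for the name, so the stale one can be disabled instead of discovered through a failed validation.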
