by Talented
I have 4 sites on my server and the SSL certificate expired on one of them.

When I type the command site example.com -ssl=renew the result is:

[ERROR] Invalid value for SSL command!

I was able to renew the cert with site example.com -ssl=force-renewal

I am wondering if there is any log I can check to see why the renewal failed? I don't see anything in /var/log/letsencrypt/letsencrypt.log.

The other 3 sites have been renewing successfully.

I was running Webinoly version 1.13.2. I just updated to 1.14.3.

Is there any way to confirm whether the next renewal will fail or not without waiting for 3 months?

After updating to version 1.14.3 the site -ssl=renew command is still not working. It returns the same error as the previous version 1.13.2.

[ERROR] Invalid value for SSL command!
by Talented

After more investigation, here is what I found.

I found some entries in the letsencrypt archived log from May 3, 2021 where it appears that the certificate was renewed successfully.

Further, checking in the /etc/letsencrypt/archive/example.com.

ls -l
total 52
-rw-r--r-- 1 root root 1887 Mar  4 16:25 cert1.pem
-rw-r--r-- 1 root root 1887 May  3 18:52 cert2.pem
-rw-r--r-- 1 root root 1887 Jun 25 14:23 cert3.pem
-rw-r--r-- 1 root root 1586 Mar  4 16:25 chain1.pem
-rw-r--r-- 1 root root 1586 May  3 18:52 chain2.pem
-rw-r--r-- 1 root root 3750 Jun 25 14:23 chain3.pem
-rw-r--r-- 1 root root 3473 Mar  4 16:25 fullchain1.pem
-rw-r--r-- 1 root root 3473 May  3 18:52 fullchain2.pem
-rw-r--r-- 1 root root 5637 Jun 25 14:23 fullchain3.pem
-rw------- 1 root root 1704 Mar  4 16:25 privkey1.pem
-rw------- 1 root root 1704 May  3 18:52 privkey2.pem
-rw------- 1 root root 1704 Jun 25 14:23 privkey3.pem

I initially enabled SSL for this site on Mar 4 and it appears that it was in fact renewed on May 3. However, it was somehow still using the initial cert that expired on June 3 until I did the site ssl=force-renewal today (June 25).

Any idea what could have happened here or what else I can check to further investigate?

by Talented

I found many entries like the ones below in the nginx error logs, which have stopped since I did the site -ssl=force-renew today.

2021/06/16 03:41:14 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/16 03:41:14 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/16 03:41:22 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/16 03:41:22 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/16 03:41:22 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb20]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb20]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/16 03:41:22 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb13]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb13]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

by Talented

This is really weird. Looking at the NGINX error logs in more detail I can see that another one of my sites (example2.com) was giving the same errors.

2021/06/25 02:23:07 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:23:07 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:23:14 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:23:14 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:23:14 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb20]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb20]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:23:14 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb13]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb13]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:31:56 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:31:56 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:32:03 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:32:03 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:32:03 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb20]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb20]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:32:03 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb13]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb13]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 03:18:33 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

2021/06/25 03:18:33 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

2021/06/25 03:18:41 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

2021/06/25 03:18:41 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

2021/06/25 03:18:41 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb20]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb20]:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

2021/06/25 03:18:41 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb13]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb13]:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

The logs are filled with these errors for these 2 sites multiple times every day. There are only 15 days of NGINX error logs available so I don't know how long this has been going on but at least 15 days.

Here is the weird part. Since I manually renewed the cert for example.com yesterday, these NGINX errors have completely stopped (for both sites even though I didn't renew the cert for example2.com).

I also have another site example3.com with no entries at all in the NGINX error log.

example.com and example2.com both have an additional site set up on a subdomain, while example3.com does not.

dev.example.com (no ssl)
dev.example2.com (ssl)

These dev sites also don't have any entries in the NGINX error log.

It could be a coincidence, but the only 2 sites with entries in the error log are the 2 domains that have an additional site on the same domain.

The other thing I noticed is that all of these log entries are trying to connect to IPv6 addresses but my VPS does not have IPv6 networking.
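
An added example, not part of the original post and not Webinoly code: one way to tally the NGINX OCSP stapling errors quoted above per certificate file and per peer address family, so it is clear which sites are affected, over what period, and how many failures are IPv6 "Network is unreachable". The function name and summary fields are illustrative assumptions; the sample lines are copied from the log excerpts in the post.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the nginx error log quoted in the post above.
SAMPLE_LOG = """\
2021/06/25 02:32:03 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"
2021/06/25 02:32:03 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"
2021/06/25 02:32:03 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb20]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb20]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"
2021/06/25 03:18:33 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"
2021/06/25 03:18:41 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb13]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb13]:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"
"""

# Matches only the OCSP stapling fetch errors ("while requesting certificate status").
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] \d+#\d+: (?P<reason>.+?) '
    r'while requesting certificate status, responder: (?P<responder>[^,]+), '
    r'peer: (?P<peer>\S+):\d+, certificate: "(?P<cert>[^"]+)"')

def summarize_ocsp_errors(log_text):
    """Group nginx OCSP stapling fetch errors by certificate file."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                               "v4": 0, "v6": 0, "v6_unreachable": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # some other kind of error-log entry
        s = out[m["cert"]]
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        s["count"] += 1
        s["first"] = min(s["first"] or ts, ts)
        s["last"] = max(s["last"] or ts, ts)
        # IPv6 peers are logged in brackets; strip them before parsing.
        addr = ipaddress.ip_address(m["peer"].strip("[]"))
        if addr.version == 6:
            s["v6"] += 1
            s["v6_unreachable"] += "Network is unreachable" in m["reason"]
        else:
            s["v4"] += 1
    return dict(out)

if __name__ == "__main__":
    for cert, s in summarize_ocsp_errors(SAMPLE_LOG).items():
        print(cert, s["count"], "errors", s["first"], "->", s["last"],
              f'IPv4={s["v4"]} IPv6={s["v6"]} (unreachable={s["v6_unreachable"]})')
```
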
