Let's Encrypt- empty *.cer files

Mark_Schmucker · December 6, 2019, 8:52am

I can’t connect to a new standard 30-minute install. AWS Lightsail, 2GB memory, Ubuntu 18.04 LTS x64 with :443 open. The problem is that the Let’s Encrypt *.cer files are empty. Why?

nginx logs

root:/var/log/nginx# ls -ltrh
-rw-r–r-- 1 www-data www-data 0 Dec 6 05:45 error.letsencrypt.log
-rw-r–r-- 1 www-data www-data 0 Dec 6 05:45 access.letsencrypt.log
-rw-r–r-- 1 www-data www-data 1.8M Dec 6 08:19 error.log

tail error.log
PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)

The certificate files on the non-working site. Note zero-size files.

ls /shared/ssl/ -ltrh
-rw------- 1 root root 3.2K Dec 6 08:16 test.example.com.key
-rw-r–r-- 1 root root 0 Dec 6 08:16 test.example.com.cer
-rw------- 1 root root 302 Dec 6 08:16 test.example.com_ecc.key
-rw-r–r-- 1 root root 0 Dec 6 08:16 test.example.com_ecc.cer

Compare to the certificate files on a working site

ls /shared/ssl/ -ltrh
-rw-r–r-- 1 root root 3.2K Nov 25 07:41 forum.working.com.key
-rw-r–r-- 1 root root 3.9K Nov 25 07:41 forum.working.com.cer
-rw------- 1 root root 302 Nov 29 00:11 forum.working.com_ecc.key
-rw-r–r-- 1 root root 3.3K Nov 29 00:11 forum.working.com_ecc.cer

I’ve rebuilt, rebooted, and tried a different email in LETSENCRYPT_ACCOUNT_EMAIL in app.yml.

pfaffman · December 6, 2019, 12:27pm

I had this happen yesterday and I believe that the problem was that the domain name didn’t resolve to the server (I was using the wrong hostname). discourse-setup does a test that should catch that, though.

Delete the ssl and let’s encrypt directories from /var/discourse/shared/standalone after you fix the dns problem.

Mark_Schmucker · December 6, 2019, 11:21pm

Thanks @pfaffman, this fixed it. In my case, when I first ran discourse-setup, I did not have DNS set up yet, so the test failed. At that point I fixed the DNS and hit “n” to retry; this time the test passed and the build continued, but with zero-sized cert files.

I believe this is a bug and will try to repro when I have time. Perhaps the setup just tests whether the cert files exist, but should check whether they are valid, or at least not zero-sized.

system · January 5, 2020, 11:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Installation produced broken, zero byte certificate Installation letsencrypt	10	2088	September 14, 2022
SSL zero length .cer file Installation	3	411	August 10, 2024
PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) Installation	5	13080	January 31, 2021
Lets Encrypt Certificate - Issuing Problem Installation	2	566	November 6, 2023
Unable to renew Let's encrypt certificate Installation letsencrypt	8	475	February 7, 2024

Let's Encrypt- empty *.cer files

Related topics