Let's Encrypt - empty *.cer files

I can’t connect to a new standard 30-minute install. AWS Lightsail, 2GB memory, Ubuntu 18.04 LTS x64 with :443 open. The problem is that the Let’s Encrypt *.cer files are empty. Why?

nginx logs

root:/var/log/nginx# ls -ltrh
-rw-r--r-- 1 www-data www-data 0 Dec 6 05:45 error.letsencrypt.log
-rw-r--r-- 1 www-data www-data 0 Dec 6 05:45 access.letsencrypt.log
-rw-r--r-- 1 www-data www-data 1.8M Dec 6 08:19 error.log

tail error.log
PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)

The certificate files on the non-working site. Note zero-size files.

ls /shared/ssl/ -ltrh
-rw------- 1 root root 3.2K Dec 6 08:16 test.example.com.key
-rw-r--r-- 1 root root 0 Dec 6 08:16 test.example.com.cer
-rw------- 1 root root 302 Dec 6 08:16 test.example.com_ecc.key
-rw-r--r-- 1 root root 0 Dec 6 08:16 test.example.com_ecc.cer

Compare to the certificate files on a working site

ls /shared/ssl/ -ltrh
-rw-r--r-- 1 root root 3.2K Nov 25 07:41 forum.working.com.key
-rw-r--r-- 1 root root 3.9K Nov 25 07:41 forum.working.com.cer
-rw------- 1 root root 302 Nov 29 00:11 forum.working.com_ecc.key
-rw-r--r-- 1 root root 3.3K Nov 29 00:11 forum.working.com_ecc.cer

I’ve rebuilt, rebooted, and tried a different email in LETSENCRYPT_ACCOUNT_EMAIL in app.yml.


I had this happen yesterday and I believe that the problem was that the domain name didn’t resolve to the server (I was using the wrong hostname). discourse-setup does a test that should catch that, though.

Delete the ssl and let’s encrypt directories from /var/discourse/shared/standalone after you fix the dns problem.


Thanks @pfaffman, this fixed it. In my case, when I first ran discourse-setup, I did not have DNS set up yet, so the test failed. At that point I fixed the DNS and hit “n” to retry; this time the test passed and the build continued, but with zero-sized cert files.

I believe this is a bug and will try to repro when I have time. Perhaps the setup just tests whether the cert files exist, but should check whether they are valid, or at least not zero-sized.

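A check of the kind the last reply asks for, written here as an added example rather than code from this thread or from discourse-setup: it fails on zero-byte *.cer files and on files with no PEM certificate start line (the condition behind nginx's "no start line" error), and, when openssl is installed, also lets OpenSSL parse each certificate. The directory /shared/ssl is assumed to be the container path from the listings above.

```shell
#!/bin/sh
# Added example, not part of the thread or of discourse-setup.
# Usage: sh check_certs.sh /shared/ssl   (on the host this is
# /var/discourse/shared/standalone/ssl; both paths are assumptions)

# Return 0 if the file is non-empty and carries a PEM certificate block.
# A zero-byte .cer file fails the first test; a non-empty file without the
# marker fails the second, which is what nginx reports as "no start line".
pem_has_cert() {
    f=$1
    [ -s "$f" ] || { echo "EMPTY: $f" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "NO PEM START LINE: $f" >&2; return 1; }
    return 0
}

# Stricter check: let OpenSSL actually parse the certificate. If openssl is
# not installed the check is skipped (returns 0) so the script still runs.
cert_parses() {
    f=$1
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -noout -in "$f" >/dev/null 2>&1 \
        || { echo "NOT A VALID X.509 CERTIFICATE: $f" >&2; return 1; }
}

# Check every *.cer (RSA and _ecc) in a directory; return 1 if any file fails
# or if the directory holds no certificate files at all.
check_ssl_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*.cer; do
        [ -e "$f" ] || { echo "no *.cer files in $dir" >&2; return 1; }
        pem_has_cert "$f" && cert_parses "$f" || rc=1
    done
    return $rc
}

# Only run the check when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ssl_dir "$1"
fi
```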
