Trouble with SSL after lots of rebuilds

3rd post in a row… because when I edit I think it doesn’t show up in new replies.

I have done all you said. I have imported everything. importer has been stopped, app has been started. But still can’t connect to my site :frowning:

firefox says: Hmm. We’re having trouble finding that site. We can’t connect to the server at [my discourse site]

…keeps fingers crossed in the hope anyone knows the answer

It’s difficult to have an answer with that little information. All we know is that your site isn’t reachable.

  • have you checked the logs? What do they say?
  • did you wait a few more moments after starting the app? it can take a while before the site becomes reachable.

With the amount of posts here specific to your case it would probably be worth splitting them into a separate topic as this only seems to be partly connected to the importer.

1 Like

Hi Helmi, thank you for your reply. Yes, I agree that this belongs maybe in another topic, but since the trouble started when I was importing, I put it in here first.

Regarding your questions, I have self-installed Discourse on a DO droplet. All worked fine, also have imported already. But I needed to do a total new reimport because I had forgotten to set the smilies paths. Therefore needed to delete everything. But since then the troubles have started.

I have been able to connect to my board once to restore my backup of all my settings (theme etc) before doing the import. Then I had to abort my import because I had made an error in the location of the smilies, so I had to redo all from scratch again. Therefore, delete everything again, and then reimport. (I thought).

But since then I can’t connect to the site anymore. Discourse doctor says all is fine except it can’t find the version of my Discourse. Regarding logs, please let me know the command for that and I can check. Yes, I have waited, and waited, and waited… still no connection.

I am really stumped into where I need to look to solve this one. If you have any ideas, please let me know :slight_smile:

edit: so I found out how to check the logs… and it is full of SSL errors. So I’m trying to reinstall a new certificate now with this Setting up HTTPS support with Let's Encrypt - I truly hope this will fix it.

1 Like

SSL errors most likely means you have tried requesting a LE certificate a bit too often already. Your domain might be blocked at LE for a while. Have a closer look and if so maybe use a subdomain in the meantime to get around this.

And for the rest: As you are on DO maybe for the future do a snapshot on DO every time you have reached a step that you wanna be able to get back to in case of any problems.

1 Like

thank you very much for the tip regarding snapshots. I will def keep that in mind for next time!

Also, I have managed to fix it by copying back the SSL directory from the backup I made. Turns out somehow the certificates had been changed into files of 0kb? Weird. When I put back the old files I was able to get in.

Thank you, everyone, for your help and support. And I think now all my previous posts would fit more in support / SSL or something (but I didn’t know that at the time of posting, of course).

edit: update, after rebuilding the app it seems the SSL is deleted somehow every time. Does it request a LE certificate at each rebuild? If yes, then I understand it may see I have requested it too often… I have rebuilt so often to figure out what was wrong.

1 Like

No. AFAIK, it checks the renewal date and renews when needed.

Apparently you can get five certificates in seven days:

1 Like

One of those errors sounds like you don’t have your domain name pointed at the right IP number.

Thank you JahDu, well then I find it even stranger that after a rebuild the SSL keys aren’t set properly.

@Jay, well it’s strange because it worked before, with same IP and everything. Domain is pointed to right IP.

Discourse is on a subdomain of my main domain; both are on different servers, and the subdomain has a different IP than the main domain. But the subdomain is entered in the SSL settings.

I would double check app.yml but it’s in the middle of rebaking 100K posts (for a plugin to work) and takes a while …

edit: double checked app.yml but nothing has changed since the time everything worked.
Where do I look now?

I have just done another re-import. This time without rebuilding app. I had restored a backup and then imported the phpbb3 database. After the import, again, the SSL keys were messed up. I haven’t rebuilt anything, just started, and stopped containers app.yml and import.yml.

I am stumped. Does restoring a backup through the admin CP mess up SSL ? I didn’t check the SSL directory until after the import so I don’t know when it happened.

Who, oh who, can shed light on this?

Any details on the SSL mess-up, like from the log? My assumption would still be your domain being blocked by LE, but without details from the log it’s difficult to tell.

1 Like

What happens is that the files in the SSL directory get overwritten somehow such that the .key and/or .cer files are 0kb instead of the 3k something they should be. It’s only one or 2 of them, not all of them, that get ‘corrupted’ to 0k. I solve it by copying backed-up files back onto it, but that’s a workaround.

The logs (before I fix the files) are this error over and over:

nginx: [emerg] cannot load certificate "/shared/ssl/[mydomain]_ecc.cer": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/shared/ssl/[domain]_ecc.cer','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/shared/ssl/[domain]_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)

1 Like
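The two nginx errors above are exactly what a truncated PEM file produces: "no such file" when the .cer is missing and "no start line" when it exists but is empty or cut off. The following pre-flight check is an added example, not code from this thread or from Discourse: it walks a directory of .cer/.key files (defaulting to /shared/ssl, the container path from the error above; pass another directory as the first argument), flags anything that is 0 bytes or lacks a complete BEGIN/END PEM block, and returns the number of bad files so it can gate a container restart. The function names and the default path argument handling are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread or from Discourse): sanity-check the
# certificate and key files that nginx will load, before restarting the app.
# Symptom being detected: a .cer or .key overwritten with 0 bytes or cut off
# mid-file, which nginx reports as BIO_new_file() / "no start line" errors.

# pem_file_ok FILE LABEL
# Succeeds (returns 0) when FILE is non-empty and contains both a
# "-----BEGIN ...LABEL-----" line and a matching "-----END ...LABEL-----" line.
# LABEL is CERTIFICATE for .cer files and "PRIVATE KEY" for .key files; the
# latter also matches "EC PRIVATE KEY" and "RSA PRIVATE KEY" headers.
pem_file_ok() {
    file=$1
    label=$2
    if [ ! -s "$file" ]; then
        echo "BAD  $file: missing or 0 bytes" >&2
        return 1
    fi
    if ! grep -q -- "-----BEGIN .*$label-----" "$file"; then
        echo "BAD  $file: no 'BEGIN $label' line (not a PEM $label)" >&2
        return 1
    fi
    if ! grep -q -- "-----END .*$label-----" "$file"; then
        echo "BAD  $file: 'BEGIN $label' without matching END (truncated?)" >&2
        return 1
    fi
    echo "OK   $file" >&2
    return 0
}

# check_ssl_dir DIR
# Checks every *.cer and *.key in DIR. Returns the number of bad files
# (0 means everything nginx needs looks intact), so the exit status can be
# used as a gate: e.g. "check_ssl_dir /shared/ssl && restart".
check_ssl_dir() {
    dir=$1
    bad=0
    seen=0
    for f in "$dir"/*.cer "$dir"/*.key; do
        [ -e "$f" ] || continue       # unmatched glob stays literal; skip it
        seen=$((seen + 1))
        case "$f" in
            *.cer) pem_file_ok "$f" CERTIFICATE   || bad=$((bad + 1)) ;;
            *.key) pem_file_ok "$f" "PRIVATE KEY" || bad=$((bad + 1)) ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "WARN no .cer/.key files found in $dir" >&2
    fi
    return "$bad"
}

# Usage (inside the container, where /shared/ssl is mounted):
#   sh check-ssl-dir.sh            # checks /shared/ssl
#   sh check-ssl-dir.sh /some/dir  # checks another directory
check_ssl_dir "${1:-/shared/ssl}"
```

Running this right after a restore or rebuild, before the first browser check, tells you immediately whether the files nginx is about to load are the ones you expect, rather than discovering it from the emerg lines after the fact.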

Please take a look at /shared/letsencrypt/acme.sh.log inside the container to find out what’s going on.

1 Like

Ahhh, I didn’t know there were logs there too :slight_smile: Thank you for the point-out!

Lots going on there; it seems it was renewing certificates with each rebuild, because there are a lot of renew things going on. And @helmi is right, I think this is the one you mean:

[Sat 25 Jan 2020 06:48:31 PM UTC] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: $
"status": 429

So… how do I get past that?

edit: according to letsencrypt:

If you’ve hit a rate limit, we don’t have a way to temporarily reset it. You’ll need to wait until the rate limit expires after a week.

and then I found Rate Limits - Let's Encrypt - Free SSL/TLS Certificates

So… I think I’ll just have to wait a week then…

edit2: I checked on https://crt.sh/ and I only see 10 certificates for the past week? No 50…

question: when does it consider a certificate a renewal? only when a rebuild app I suppose?

1 Like
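To answer the "how do I check whether the requests fail, and what do I look for" question from the acme.sh.log excerpt above, here is an added example (not code from the thread, from Discourse or from acme.sh): a small triage that reads /shared/letsencrypt/acme.sh.log (or a file given as the first argument), attributes each "Create new order error" and each rateLimited response to the day of the preceding timestamp line, prints a per-day tally, and returns the number of rate-limited responses. The only strings it matches are the ones visible in the excerpt above; the per-day grouping assumes timestamp lines keep the "[Sat 25 Jan 2020 06:48:31 PM UTC]" layout shown there.

```shell
#!/bin/sh
# Added example (not from the thread, Discourse or acme.sh): tally failed
# order attempts and rate-limit responses in acme.sh.log by day, so repeated
# requests (e.g. one per rebuild) become visible at a glance.

# acme_log_triage FILE
# Prints "<day>: N failed order(s), M rate-limited" per day seen in FILE and
# returns M summed over all days (0 = no rate limiting observed).
# Timestamp lines look like "[Sat 25 Jan 2020 06:48:31 PM UTC] ..." so the
# day key is fields 2-4 ("25 Jan 2020"); the JSON body lines that follow a
# failure carry no timestamp and are attributed to the last day seen.
acme_log_triage() {
    log=$1
    awk '
        BEGIN { total = 0; day = "(no timestamp yet)" }
        /^\[/                    { day = $2 " " $3 " " $4 }
        /Create new order error/ { orders[day]++ }
        /rateLimited/            { limited[day]++; total++ }
        END {
            for (d in orders)
                printf "%s: %d failed order(s), %d rate-limited\n",
                       d, orders[d], limited[d] + 0
            if (total > 0)
                print "rate limited " total " time(s): no new certificate for" \
                      " this exact set of domains until the window expires"
            exit total
        }
    ' "$log"
}

# Usage (inside the container, where /shared/letsencrypt is mounted):
#   sh acme-triage.sh                       # reads /shared/letsencrypt/acme.sh.log
#   sh acme-triage.sh /path/to/acme.sh.log  # reads another copy of the log
log=${1:-/shared/letsencrypt/acme.sh.log}
if [ -r "$log" ]; then
    acme_log_triage "$log"
else
    echo "no readable log at $log" >&2
fi
```

A non-zero return with several days listed is the signature of the situation in this thread: each rebuild re-requested a certificate for the same domain set until Let's Encrypt started answering 429, which is when the .cer files in /shared/ssl stopped being written.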

Do you have a mixed case hostname? I thought that the code now converts to lower case, but that’s my only guess. I’m fairly certain that a rebuild does not usually request a new certificate if it’s valid.

3 Likes

You mean as defined in app.yml at DISCOURSE_HOSTNAME:?
No, that’s all lowercase.

3 Likes

The only way that I know that you’d hit that limit is if your cert requests were failing for some reason.

1 Like

Thank you :slight_smile: How/where can I check whether they fail? Do you know of the error I should be looking for in the logs?

1 Like

If you go to the LetsEncrypt forum, create a new topic in the Help category, and fill out the form you’re presented with, they can check your domain(s) and tell you what, if any, problem(s) there may be. They can also help you to correct any problem(s).
As a side note: LE recommends using the “staging” mode to avoid hitting the certificate limitations that you encounter in production mode. A limit of 5 failed tries is refreshed after 1 hour. :wink:

3 Likes

thank you Jim, I’ll do that when the errors come back.
I have just done another rebuild and lo and behold there was no SSL error!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.