Let’s Encrypt Upgrade: Error during SSL Handshake with remote server

Recently, I had to upgrade a LetsEncrypt SSL certificate. I issued the commands:

sudo service apache2 stop
./certbot-auto renew # Assumes you are in the directory containing 'certbot-auto' (certbot-auto is now deprecated; current installs use the 'certbot' command)
sudo service apache2 start

I tested the site and everything seemed to be working correctly. Unfortunately, a little while later, I got this error message:

Proxy Error

The proxy server could not handle the request GET /.
Reason: Error during SSL Handshake with remote server

Apache/2.4.7 (Ubuntu) Server at {my_web_site} Port 443

I retraced my steps and realized I had forgotten to recreate {my_web_site}’s keystore file. This site was a Spring Boot application and was using a .p12 file. Here are the steps to regenerate this file:

cd /etc/letsencrypt/live/{my_domain_name}/ # Change to the Let's Encrypt live directory for the domain
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root # Generate keystore.p12 from the renewed certificate chain and private key
# openssl prompts for an export password; it protects the private key stored inside the .p12.
# Reuse the password already in your application's config so the config does not need to change.
# If you choose a new password, you will have to update your app's config file to match.

At this point the new keystore file has been generated. Replace the old keystore file with it and restart the application, since the embedded server reads the keystore only at startup. Keep in mind that the .p12 contains the site's private key: a file written as root under /etc/letsencrypt/live/ gets the root umask, so set it to mode 600 and make it owned by the account the application runs as before deploying it, then re-test the site through the Apache proxy.

If Spring Boot is being used and you would rather not overwrite the old keystore file, point the application at the new one instead: in the configuration file, find the "server.ssl.key-store={value}" key-value pair and replace the value with the new keystore's location. You will also need to update the "server.ssl.key-store-password={value}" key-value pair if you chose a different password when the openssl command prompted for one. Sticking to the same keystore location and password avoids both updates.
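The regeneration steps above and the replace-and-restart step, written up as one added shell example that is not code from the original post. Deployment details in it are hypothetical (an app user named "springboot", a keystore at /opt/myapp/keystore.p12, a systemd unit named "myapp"), and its offline demo builds a constructed self-signed key and certificate instead of reading a real /etc/letsencrypt/live directory. It goes a little beyond the post's single command: before the new .p12 is deployed it checks that the leaf certificate inside it really is the one in fullchain.pem and that it is not about to expire, which is exactly the check that would have caught the stale keystore behind the proxy error above.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild the PKCS#12
# keystore from renewed Let's Encrypt PEM files, check it before deploying
# it, and install it for the Spring Boot app. Hypothetical deployment
# details: app user "springboot", keystore /opt/myapp/keystore.p12,
# systemd unit "myapp".
set -eu

# Export fullchain.pem + privkey.pem from $live (the
# /etc/letsencrypt/live/<domain> directory) into the .p12 at $out.
# The export password is passed through an environment variable so it does
# not appear in shell history or in `ps`. Prints the path of the new file.
build_keystore() {
    live=$1; out=$2; pass=$3
    P12PASS=$pass openssl pkcs12 -export \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -name tomcat -CAfile "$live/chain.pem" -caname root \
        -passout env:P12PASS -out "$out"
    chmod 600 "$out"          # the file holds the site's private key
    echo "$out"
}

# Print the leaf certificate stored in the .p12 as PEM (helper for the checks).
leaf_cert() {
    p12=$1; pass=$2
    P12PASS=$pass openssl pkcs12 -in "$p12" -passin env:P12PASS \
        -clcerts -nokeys 2>/dev/null
}

# Succeed only if the leaf certificate in the .p12 has the same SHA-256
# fingerprint as the first certificate in $live/fullchain.pem, i.e. the
# keystore contains the renewed certificate rather than a stale one.
keystore_matches_pem() {
    p12=$1; live=$2; pass=$3
    want=$(openssl x509 -in "$live/fullchain.pem" -noout -fingerprint -sha256)
    got=$(leaf_cert "$p12" "$pass" | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || got=""
    [ -n "$got" ] && [ "$want" = "$got" ]
}

# Succeed only if the certificate in the .p12 is still valid $seconds from
# now; a keystore built from an expired certificate fails this check.
keystore_valid_for() {
    p12=$1; pass=$2; seconds=$3
    leaf_cert "$p12" "$pass" | openssl x509 -noout -checkend "$seconds" >/dev/null
}

# Copy the keystore into place readable only by the app user, then restart
# the app so the embedded server loads the new keystore. Not run by the demo:
# it needs root and the real service. application.properties keeps pointing
# at the same path and password (hypothetical values):
#   server.ssl.key-store=/opt/myapp/keystore.p12
#   server.ssl.key-store-password=<export password>
#   server.ssl.key-store-type=PKCS12
install_keystore() {
    src=$1; dst=$2; owner=$3; unit=$4
    install -o "$owner" -g "$owner" -m 600 "$src" "$dst"
    systemctl restart "$unit"
}

# Constructed fixture, not real Let's Encrypt output: a throwaway self-signed
# key and certificate laid out like /etc/letsencrypt/live/<domain>, valid 30 days.
make_fake_live() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
    cp "$dir/fullchain.pem" "$dir/chain.pem"
    echo "$dir"
}

# Offline demo: build a keystore from the fixture and run both checks on it.
demo() {
    tmp=$(mktemp -d)
    live=$(make_fake_live "$tmp/live")
    p12=$(build_keystore "$live" "$tmp/keystore.p12" changeit)
    keystore_matches_pem "$p12" "$live" changeit && echo "ok: $p12 holds the renewed certificate"
    keystore_valid_for "$p12" changeit 86400 && echo "ok: certificate valid for at least another day"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to exercise the checks against the fixture. For a real renewal, call `build_keystore /etc/letsencrypt/live/<domain> /root/keystore.p12 "$password"`, run `keystore_matches_pem` and `keystore_valid_for` on the result, and only then `install_keystore`, so a bad keystore never reaches the running application. One caveat: with OpenSSL 3 the default PKCS#12 encryption (AES-256-CBC with PBKDF2) is not readable by some older JVMs; if the application refuses to open the new keystore, add `-legacy` to the export command.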
