Added SSL for a 2nd website, now 1st website giving Error 526 Invalid certificate

What is the name of the domain?

tanya-enderli.com

What is the issue you’re encountering

I had an active website on Cloudflare, with valid SSL. Then I added a 2nd website, which lives on the same device running Nginx. When I added an SSL for website #2, it worked; but meanwhile website #1 is now showing “Error 526 Invalid Certificate” (although the browser says the website is secure and has a valid unexpired certificate).

What steps have you taken to resolve the issue?

I read Cloudflare’s documentation about SSL certificates and other Q&A but didn’t find anything about this particular situation. I thought maybe I need to get the certificate reissued but was afraid to try it lest it then invalidate website #2.

What is the current SSL/TLS setting?

Full (strict)

You have probably set the same certificate to be used for both sites. Can you share your nginx configurations for these sites?


You can find it here: Dropbox


There’s nothing obviously wrong there. Can you change the DNS record for that website to DNS-Only for a few minutes so I can see what the server actually does?

How do I do that?

Ok I figured it out. Set to DNS-only. And it is now displaying the wrong content.


I’ll be back home in ~2 hours and can take a look at it then.

Ok, when I try to open https://tanya-enderli.com, your server presents the certificate for the other domain.

If you look at the certificate files, are the certs actually different?

/etc/ssl/certs/tanya-enderli_cert.pem;
/etc/ssl/certs/cloudflare_dynamicabatherapy_cert.pem;

Yes, the certs are different. But both URLs are trying to display the same website. Maybe the certificate is ok, it’s just associating it with the wrong server name. I haven’t been able to figure out how to differentiate incoming requests.


So, what usually happens is that the server picks the right certificate based on the server_name directive.

However, when the server can’t find the right name, it would instead take the certificate for the first site in alphabetic order. And it might be that this is what happens here (for whatever reason).

Can you try changing these lines for a test?

listen 443 ssl http2;
listen [::]:443 ssl http2;

listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;

This should be done in /etc/nginx/sites-enabled/tanya-enderl

And then restart the server.
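To make the selection rule above concrete, here is an added example (not code from the thread or from nginx itself) that resolves which certificate nginx would present for a given SNI host name: first a `server_name` match (exact before wildcard), then the `default_server` for the socket, and otherwise the first `server` block in configuration order, which with `include sites-enabled/*` is alphabetical by file name. The config is a constructed, cut-down copy of the two TLS blocks from this thread; regex server names and nested blocks are not handled.

```python
import re

# Constructed sample: the two TLS server blocks from the thread, in the order
# nginx sees them after including sites-enabled/* (alphabetical by filename).
SAMPLE_CONFIG = """
server {
    listen 443 ssl http2;
    ssl_certificate /etc/ssl/certs/cloudflare_dynamicabatherapy_cert.pem;
    server_name dynamicabatherapy.com www.dynamicabatherapy.com;
}
server {
    listen 443 ssl http2 default_server;
    ssl_certificate /etc/ssl/certs/tanya-enderli_cert.pem;
    server_name tanya-enderli.com www.tanya-enderli.com;
}
"""

def parse_servers(text):
    """Parse flat server {} blocks with one-line directives into dicts."""
    servers = []
    for block in re.findall(r"server\s*\{(.*?)\}", text, re.S):
        srv = {"names": [], "cert": None, "default": False}
        for line in block.splitlines():
            line = line.strip().rstrip(";")
            if line.startswith("server_name "):
                srv["names"] = line.split()[1:]
            elif line.startswith("ssl_certificate "):
                srv["cert"] = line.split()[1]
            elif line.startswith("listen ") and "default_server" in line:
                srv["default"] = True
        servers.append(srv)
    return servers

def wildcard_matches(pattern, host):
    """'*.example.com' and 'example.*' style names; regex (~) names are skipped."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return False

def select_cert(servers, sni_host):
    """Certificate nginx presents for sni_host, per its documented lookup order."""
    for srv in servers:                       # 1. exact server_name match
        if sni_host in srv["names"]:
            return srv["cert"]
    for srv in servers:                       # 2. wildcard server_name match
        if any(wildcard_matches(n, sni_host) for n in srv["names"]):
            return srv["cert"]
    for srv in servers:                       # 3. default_server on that socket
        if srv["default"]:
            return srv["cert"]
    return servers[0]["cert"]                 # 4. first block in config order
```

Feeding the same config without `default_server` shows the fallback that the post describes: an unmatched name gets the first (alphabetically earlier) site’s certificate.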

Reload failed:
nginx: [emerg] no “ssl_certificate_key” is defined for the “ssl” directive in /etc/nginx/sites-enabled/dynamicabatherapy:25

Can you remove ssl on; from both config files? That parameter was removed some time ago and doesn’t do anything anymore.

Though I don’t think it should cause this error.

The error is definitely weird, though. You haven’t made any changes in that file, have you?
Could you just copy the content of these 2 files and share it here again in preformatted text? (ctrl+e)

/etc/nginx/sites-enabled/tanya-enderli
/etc/nginx/sites-enabled/dynamicabatherapy

I have not made any changes to the other config file

server {
        listen 80;
        listen [::]:80;

        server_name dynamicabatherapy.com www.dynamicabatherapy.com;

        root /var/www/html/dynamicabatherapy.com;
        index index.html index.htm;

        location / {
                try_files $uri $uri/ =404;
        }

        return 302 https://$server_name$request_uri;
}

#ssl_certificate /etc/letsencrypt/live/dynamicabatherapy.com/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/dynamicabatherapy.com/privkey.pem;

server {
# SSL configuration

        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        ssl_certificate /etc/ssl/certs/cloudflare_dynamicabatherapy_cert.pem;
        ssl_certificate_key /etc/ssl/private/cloudflare_dynamicabatherapy_key.pem;
        #ssl_certificate /etc/letsencrypt/live/dynamicabatherapy.com/cert.pem;
        #ssl_certificate /etc/letsencrypt/live/dynamicabatherapy.com/chain.pem;
        #ssl_certificate /etc/letsencrypt/live/dynamicabatherapy.com/fullchain.pem;
        #ssl_certificate_key /etc/letsencrypt/live/dynamicabatherapy.com/privkey.pem;

        server_name dynamicabatherapy.com www.dynamicabatherapy.com;

        root /var/www/html/dynamicabatherapy.com;
        index index.html index.htm;

        location / {
                try_files $uri $uri/ =404;
        }
}

server {
        listen 80;
        listen [::]:80;
        server_name tanya-enderli.com www.tanya-enderli.com;
        return 302 https://$server_name$request_uri;

        root /var/www/html/tanya-enderli.com;
        index index.html index.htm;

        location / {
                try_files $uri $uri/ =404;
        }
}

server {
# SSL configuration

#       listen 443 ssl http2;
#       listen [::]:443 ssl http2;
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        ssl_certificate /etc/ssl/certs/tanya-enderli_cert.pem;
        ssl_certificate_key /etc/ssl/private/tanya-enderli_key.pem;

        server_name tanya-enderli.com www.tanya-enderli.com;

        root /var/www/html/tanya-enderli.com;
        index index.html index.htm;

        location / {
                try_files $uri $uri/ =404;
        }
}
And it is still not starting without the ssl on; directive?

Ok no error on reload this time


URL is displaying the correct content now, but it’s not https


Can you check that both of these files have the same permissions and file owners? And maybe also for the certificates and key files? I’m really grasping at straws here…

Oh, and I have a (maybe) good idea: Did you download the certificate files to a Windows PC first and then upload them to a Linux host?