
Troubleshooting SSL

Common SSL certificate problems and how to fix them in Opterius Panel.

Last updated 1775606400

    Diagnosis First

    Before trying fixes, get the actual Certbot error:

    # On the server, as root:
    journalctl -u certbot -n 50 --no-pager
    # or
    tail -100 /var/log/letsencrypt/letsencrypt.log
    

    The log will tell you exactly what Let's Encrypt returned.
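
As an added example (not part of the Opterius documentation), this script pulls the most recent ACME error type out of a Certbot log and maps it to the problems covered on this page. The error-type names come from RFC 8555; the function names, the sample log lines and the mapping to fixes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Opterius code): map the last ACME error in a Certbot log
# to the matching problem on this page. Error-type URNs are from RFC 8555;
# the mapping to fixes is this example's assumption.

# Print the type of the most recent ACME error on stdin, e.g. "rateLimited".
last_acme_error() {
    grep -oE 'urn:ietf:params:acme:error:[A-Za-z]+' | tail -n 1 | sed 's/.*://'
}

# Read a log on stdin and print "<type>: <hint>".
triage() {
    err=$(last_acme_error)
    case "$err" in
        connection)
            echo "connection: port 80 unreachable; check ufw and the cloud firewall" ;;
        dns|unauthorized)
            echo "$err: check the A record (dig domain.com A +short) and any Cloudflare proxy" ;;
        rateLimited)
            echo "rateLimited: wait for the window to pass or upload a custom certificate" ;;
        "")
            echo "none: no ACME error logged; check the panel errors and certbot.timer" ;;
        *)
            echo "$err: not covered on this page; read the detail field in the log" ;;
    esac
}

# Constructed sample log lines (simplified, not real Certbot output).
sample_log() {
    cat <<'EOF'
2024-01-01 10:00:00,000:DEBUG:acme.client:{"type": "urn:ietf:params:acme:error:connection", "detail": "constructed sample"}
2024-01-01 10:05:00,000:DEBUG:acme.client:{"type": "urn:ietf:params:acme:error:rateLimited", "detail": "constructed sample"}
EOF
}

# Usage: ./triage.sh /var/log/letsencrypt/letsencrypt.log  (no argument: sample)
if [ $# -gt 0 ]; then
    triage < "$1"
else
    sample_log | triage
fi
```

Only the last error in the log is reported, so an old failure that was later fixed does not mask the current one.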

    Common Problems

    Certificate issuance fails immediately

    Symptom: Clicking "Issue Certificate" fails within a few seconds.

    Causes and fixes:

    Error message          Cause                            Fix
    "Domain not found"     Domain doesn't exist in panel    Check the domain is actually created under the account
    "Agent unreachable"    Agent is down                    systemctl status opterius-agent — restart if needed
    "License required"     License is expired               Renew at opterius.com

    "Connection refused" or "Timeout" from Let's Encrypt

    Symptom: Certbot says it couldn't connect to verify the challenge.

    Cause: Port 80 is blocked.

    Fix:

    # Check UFW status
    ufw status
    
    # Allow port 80 if missing
    ufw allow 80
    
    # If your VPS has a cloud firewall (Linode, DigitalOcean, etc.)
    # Add port 80 there too — the server-side firewall can't control it
    

    Test that port 80 is reachable from outside:

    curl -v http://domain.com/.well-known/acme-challenge/test
    # Should get 404, not "Connection refused"
    

    "Domain name does not point to this server"

    Symptom: Let's Encrypt runs the HTTP challenge but finds that the domain is not served from this server.

    Cause: The domain's A record doesn't point at this server's IP.

    Fix: Check what IP the domain resolves to:

    dig domain.com A +short
    # Should return YOUR server's IP
    

    If it returns a different IP, update the DNS record at the registrar or in the Opterius DNS editor and wait for propagation (can take up to 1 hour with default TTL).


    "Too many certificates already issued"

    Symptom: Let's Encrypt returns a rate limit error.

    Cause: You've issued more than 5 certificates for the same domain within 7 days.

    Fix: Wait for the rate limit window to pass. Check when you can try again at https://crt.sh/?q=domain.com — look at the issued timestamps.

    Alternatively, upload a custom certificate temporarily.


    Certificate shows active but browser shows "Not Secure"

    Possible causes:

    1. Nginx hasn't reloaded since the cert was issued
    2. The cert path in the vhost is wrong
    3. Mixed content: the HTTPS page loads some resources over plain HTTP

    Fix:

    # Force Nginx reload
    nginx -t && systemctl reload nginx
    
    # Check what cert Nginx is serving
    openssl s_client -connect domain.com:443 -servername domain.com < /dev/null 2>/dev/null | openssl x509 -noout -dates
    

    For mixed content: the browser console (F12 → Console) will show which HTTP resources are triggering the warning.


    Certbot renewal fails silently

    Symptom: Certificate expires even though auto-renewal should be running.

    Check:

    systemctl status certbot.timer
    systemctl list-timers certbot
    

    If the timer is inactive:

    systemctl enable certbot.timer
    systemctl start certbot.timer
    

    Test that renewal would succeed (dry run):

    certbot renew --dry-run
    

    Behind Cloudflare proxy

    Symptom: Domain is proxied through Cloudflare (orange cloud in Cloudflare DNS). HTTP-01 challenge fails.

    Fix options:

    1. Temporarily disable the Cloudflare proxy (grey cloud) while issuing, then re-enable it
    2. Upload a custom certificate — use Cloudflare Origin CA certificates if you want end-to-end encryption
