codema.in

Poddery server certificates recreated

Ravi Dwivedi Sat 11 Oct 2025 3:29PM

A week ago, I ran `sudo certbot` to renew certificates for the `poddery.com` domain. However, the renewal failed.

Then I tried `sudo certbot certonly --standalone -d poddery.com` and the renewal failed again. @Pirate Praveen mentioned in the Poddery group chat that I should stop nginx before renewing the certificates. So I ran `sudo systemctl stop nginx` followed by `sudo certbot certonly --standalone -d poddery.com -v`.

After renewing the certificates, Nginx failed to start (`sudo systemctl start nginx`); it was later started by Kannan.

Praveen hinted at starting the workers and I tried to get the full logs. Those logs were in `/var/log/poddery/matrix-synapse`. (If you want to debug anything related to `matrix-synapse`, start by looking up the config file `/etc/matrix-synapse/homeserver.yaml`. Look for a line with `log_file` in that file.)

On the other hand, https://federationtester.matrix.org was warning about certificate issues.

I figured out that the SSL certificates on the Poddery server were a mess. To fix this, Praveen suggested that I delete all the certificates and start all over again.

On the server, I ran the following command to delete all the certificates:

sudo certbot delete

and confirmed deleting all the certificates.

I followed it by deleting the `/etc/letsencrypt` folder:

sudo rm -rf /etc/letsencrypt

When I ran certbot to generate new certificates, it failed because the nginx configs were misconfigured:

certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.
2025/10/11 14:33:59 [emerg] 2208765#2208765: no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/fund.poddery.com:16
nginx: configuration file /etc/nginx/nginx.conf test failed
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

Therefore, I ran the following command to issue certificates:

certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.
2025/10/11 14:36:11 [emerg] 2208984#2208984: no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/fund.poddery.com:16
nginx: configuration file /etc/nginx/nginx.conf test failed
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx) [Misconfigured]
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2

In the above-mentioned prompt, I entered 2 to get the certificates. After this, `certbot` asked me to enter all the domain names for which to obtain the SSL certificates.

Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): poddery.com fund.poddery.com chat.poddery.com www.poddery.com

Requesting a certificate for poddery.com and 3 more domains
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/poddery.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/poddery.com/privkey.pem
This certificate expires on 2026-01-09.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

After this, I went to `/etc/nginx` and changed the locations of all the SSL certificates in all the config files. I followed this by running

nginx -t

which told me that the syntax is okay.

Next, I restarted nginx by running:

sudo systemctl restart nginx

I followed up by restarting `matrix-synapse`:

sudo systemctl restart matrix-synapse


The Federation tester website at https://federationtester.matrix.org indicated that the certificate issues got fixed after this.

This fixed the issues with poddery and recreated all the SSL certificates. @Kannan V M fixed the issue with workers.


Pirate Praveen Sat 11 Oct 2025 4:11PM

Thanks @Ravi Dwivedi for your efforts to fix this. Please make sure the documentation is correct so next time someone trying to renew certificates don't face this issue. Document exact commands used / sub domains to include. Also we need to make sure certificates will be auto renewed. This means making sure nginx plugin will work or making sure nginx is stopped before renewal and started again after renewal if using stand alone option. There are certbot hooks you can use for this.