Remove cached certificate

[williampeterpaul]

I've set up a server to auto generate certificates using Let's Encrypt and lua-resty-auto-ssl. It's working as expected for all but one domain, for which I am getting a privacy error in browser:

NET::ERR_CERT_AUTHORITY_INVALID
Subject: sni-support-required-for-valid-ssl
Issuer: sni-support-required-for-valid-ssl
Expires on: 17 Nov 2031
Current date: 5 Mar 2024

In the past when I've had a similar error, for example due to an expired certificate I've been able to fix the problem by removing the certificate from the storage folder /etc/resty-auto-ssl/storage/file and restarting the openresty service with sudo service openresty restart to regenerate upon next visit.

In this case the above fix isn't working. I can't see any certificate for the domain under /etc/resty-auto-ssl/letsencrypt/certs and restarting the entire server hasn't worked, either.

It seems like the invalid certificate response has been cached and is being served, regardless of my attempts to remove it. Would anyone be able to point me in the right direction for why this might be occurring and how to resolve?

Can share my nginx.conf if needed.

[williampeterpaul]

Initially it looks like the issue started from the lua_shared_dict being too small, as per the logs:

2024/03/02 16:13:23 [error] 2006421#2006421: 154079 [lua] ssl_certificate.lua:33: convert_to_der_and_cache(): auto-ssl: 'lua_shared_dict auto_ssl' might be too small - consider increasing its configured size (old entries were removed while adding private key for example.com), context: ssl_certificate_by_lua, client: 213.230.127.224, server: 0.0.0.0:443

I've subsequently increased the size of the shared dict, but now any domains that requested certs in this period are now getting the invalid cert response described above. I thought perhaps purging the lua_shared_dict might be the solution, although I've tried ngx.shared.auto_ssl:flush_all() and this isn't having an effect.

Perhaps more related to Nginx/openresty?