AWS EC2 : Certificate issued against internal IP



I used certbot-auto to create an SSL certificate for my web server running on an AWS EC2 Fedora 23 server. When I access the https site, the browser is showing the following error: uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for Error code: SEC_ERROR_UNKNOWN_ISSUER

So, it looks like the certificate is issued against the private IP. When I do the nslookup on the server, it is showing the same private IP, and the public IP is visible only through metadata.

How can I get the certificate issued against the public IP? Is there any way I can change the configuration?

PS: the command I used is: sudo ./certbot-auto --authenticator standalone --installer apache -w /var/www/html -d www…


The certificate will have been issued for the domain name you specified on the command line (not for a specific IP address).

Has the certificate been installed correctly?

We can check more easily if you could provide your domain name please (it’s made public as soon as a certificate is issued anyway).


That’s not your Let’s Encrypt certificate. You say you used certbot to create a certificate, but did you actually install it?


Thanks for the responses.

The domain is

I thought the command when used along with --installer will take care of the installation as well. Am I missing something?


It looks like you’re using a self-signed cert. If you have a cert that’s issued by Let’s Encrypt, you’re not using it.


You are right! It is using the self-signed certificate. Thanks a lot!

```
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
```


Thanks lart, tialaramex. Installing the certificate solved the problem.

Thanks to the user guide for no-nonsense information as well.
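
The check that resolved this thread, as an added example that is not part of the original posts: list the active certificate directives in an Apache config, flag any that still point at a placeholder such as `localhost.crt`, and test whether a PEM file is self-issued. The function names and the sample config are constructed for illustration, and the script assumes certbot's default layout under `/etc/letsencrypt/live/`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes certbot's default layout,
# where issued certificates live under /etc/letsencrypt/live/<domain>/.
LE_LIVE_DIR="${LE_LIVE_DIR:-/etc/letsencrypt/live}"

# audit_ssl_conf FILE...
# Prints "STATUS file:line Directive path" for every active (uncommented)
# certificate directive. Exit status 1 if any path is outside $LE_LIVE_DIR.
audit_ssl_conf() {
    awk -v live="$LE_LIVE_DIR/" '
        /^[ \t]*#/ { next }                    # commented-out directives are inert
        tolower($1) ~ /^sslcertificate(key)?file$/ {   # names are case-insensitive
            path = $2
            gsub(/"/, "", path)                # paths may be quoted
            status = (index(path, live) == 1) ? "OK" : "NOT-LE"
            if (status != "OK") bad = 1
            printf "%-6s %s:%d %s %s\n", status, FILENAME, FNR, $1, path
        }
        END { exit bad + 0 }
    ' "$@"
}

# is_self_issued PEM
# True when subject and issuer match, the usual shape of a self-signed
# placeholder certificate such as a distribution's localhost.crt.
is_self_issued() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Constructed sample: the default directives still active, the certbot one commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#SSLCertificateFile /etc/letsencrypt/live/example.org/fullchain.pem
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
EOF
audit_ssl_conf "$sample" || echo "at least one directive does not use a certbot-issued file"
rm -f "$sample"
```

On a real host, pass the server's own SSL config files to `audit_ssl_conf` and run `is_self_issued` on any path it flags.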

