Browsers and ssllabs disagree on certificate validity

My domain are:

and some others

Web server: Apache/2.4.18 (Ubuntu)

Operating system: Ubuntu 16.04.6 LTS

Hosting provider: Digital ocean

I can login to a root shell.

I do not use a control panel.

Certbot version: certbot 0.31.0

I have run into problems with letsencrypt certificates and browsers.

I have spend the last two days trying to figure out what the problem is.
It seems the problem is like this.

I have a number of domain names all as different virtual hosts
Until three days ago, I thought I had no problems. Everything seemed to work fine.

Friday I added a new domain with a virtual host and created a certificate.
Firefox decided that my new website was a security risk.

I checked the certificate with
According to ssllabs the certificate is good.
But Firefox does not trust it.
Chrome and Brave trust it, but not the script subdirectory.

I checked a certificate of with ssllabs.
Ssllabs stated, that the certificate was wrong.
But all the browsers have no problem with this website.
I deleted the certificate with

certbot delete

Then I created a new certificate with

certbot --apache -d

Then I checked that domain again with ssllabs
ssslabs thinks my certificate is good.
But the browsers (Firefox, Chrome, Brave) do not handle my site well.
Firefox says:

I deleted the new certificate and created again, this time with:

certbot --apache -d

(Difference: this time with www. )

Now ssllabs says:
Certificate name mismatch

But the browsers handle my site as they should.

When I tell ssllabs to ignore the name mismatch and proceed, ssllabs says:

Common name
Alternative names MISMATCH
Trusted no NOT TRUSTED

How can I find out what goes wrong?
Where can I find more information?
Is there a way to read the certificate?

Thanks for the help you can give me.

Hi @nulacomputers

you are doing something wrong.

If you use two domain names - main domain and www-subdomain -, the easiest solution: One certificate with both domain names.

So if you create only certificates with one domain name, that’s wrong.

See your certificates -

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-06-06 2020-09-04 - 1 entries duplicate nr. 1
Let’s Encrypt Authority X3 2020-06-06 2020-09-04 - 1 entries duplicate nr. 1
Let’s Encrypt Authority X3 2020-04-08 2020-07-07 - 1 entries

Create one certificate with both domain names and use that.

If this is done: Additional problem: You have mixed content, see the #html-content part.

Fix that - http links must be https links.

Thanks for your answer JurgenAuer.

I am not certain what I should do.
I just did an experiment with domain
(Since I can only ask five times for a new certificate per domain.)

I had two DNS A-records: and

I deleted
I deleted the certiciate
I created a new certificate with

certbot --apache -d

ssllabs says the certificate is good, but firefox and chrome say my website is a security risk.

I see three options.

One A record for (without www.)
and certificate with certbot --apache -d

This seems to be a problem.

One A record for (with www.)
and certificate with certbot --apache -d

Two A records for

and certificate with

certbot --apache -d -d

But I do not know what to choose. I opened a lot of pages found with google, but no clear answer.

What would you recommend?

I did some more testing.

When I use one A record like
and I type in the url in firefox
everything seem to work.
But when I type in the url in brave or chrome (without www. before domainname)
I get the message: “This site can’t be reached”.

For the moment I assume, that two A records for a domain is what is required.

So now I use two A records for each domain: and

and certificate with

certbot --apache -d -d

As far as I can see at the moment, that works the best.