Certbot sec_error_unknown_issuer and wrong "--test-cert"


Hi friends,
On a Debian Jessie with certbot 0.8.1-2~bpo8+1,

This “/etc/letsencrypt/cli.ini”:

# Use a 4096 bit RSA key instead of 2048.
rsa-key-size = 4096
# Set email and domains.
email = admin@sio4.org
# domains = example.com, www.example.com
# Text interface.
text = True
# No prompts.
non-interactive = True
# Suppress the Terms of Service agreement interaction.
agree-tos = True
# Use the webroot authenticator.
authenticator = webroot
webroot-path = /var/www/letsencrypt

this /etc/apache2/sites-enabled/letsencrypt.conf:

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
Options None
AllowOverride None
ForceType text/plain
# avoid access to anything not resembling a challenge
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w­]{43}$)"

/etc/apache2/sites-enabled/cosmogonia.org.conf (ssl portion):

            SSLCertificateFile /etc/letsencrypt/live/www.cosmogonia.org/cert.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/www.cosmogonia.org/privkey.pem
            SSLCertificateChainFile /etc/letsencrypt/live/www.cosmogonia.org/fullchain.pem


certbot certonly --webroot -w /var/www/letsencrypt -d www.cosmogonia.org -d cosmogonia.org --test-cert

(where “–test-cert” I’ve seen later useless,)

going to https://www.cosmogonia.org

Obtain this error:

Error code: sec_error_unknown_issuer

And the browser tell me:

www.cosmogonia.org uses an invalid security certificate.
and that the the certificate is not trusted because the issuer is unknown.

Where I’ve made mistake?

Many many thanks!


Using --test-cert instructs Certbot to use the Let’s Encrypt staging environment which produces certificates that are not valid/trusted out-of-box with web browsers.

Try removing --test-cert and using a certificate issued from the production environment.


Running again certbot, without “-test-cert” obtain:

Certificate not yet due for renewal; no action taken.




You might need --force-renewal in this case, but I admit my Certbot knowledge isn’t as great as others on the community forum. There might be another problem I’m overlooking.


You might point SSLCertificateChainFile at chain.pem instead of fullchain.pem.

The former includes the intermediary, while the later includes the intermediary and the leaf cert. You already send the leaf cert with the SSLCertificateFile so its a waste to send it twice.

Also, according to https://www.ssllabs.com/ssltest/analyze.html?d=www.cosmogonia.org&ignoreMismatch=on&latest the server is presenting the cert for server.sio4.org, sio4.org, and www.sio4.org. This doesn’t seem right.


You don’t want to use --force-renewal, it will just renew the test cert. If you don’t need the test cert, remove the directory for it under /etc/letsencrypt and remove the conf file for that particular certificate under /etc/letsencrypt/renewal. Once you do that, you can request a new certificate without the test flag and get a proper production certificate.


Ok, perfect! I’ve follow your help and now, without flag " --force-renewal" and (mostly) “-test-cert” the process goes on.

Many many thanks to @cpu, @heypete and @motoko!

I modify the title post to make it a little 'more comprehensible :wink:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.