DLG_FLAGS_INVALID_CA Alternative Names Invalid

After running certbot --apache, I am able to access my site. However, I am given a “Certificate error” page with DLG_FLAGS_INVALID_CA.
https://www.ssllabs.com/ssltest/analyze.html?d=ps4mousetocontroller.com shows “Alternative names: INVALID”

My domain is:

I ran this command:
certbot --apache

It produced this output:
Congratulations! You have successfully enabled https://ps4mousetocontroller.com
You should test your configuration at:

My web server is (include version):
Apache Tomcat 9

The operating system my web server runs on is (include version):
CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.34.2

Running apachectl -S:
[root@server bin]# apachectl -S
VirtualHost configuration:
*:443 ps4mousetocontroller.com (/etc/httpd/conf.d/ps4mousetocontroller-le-ssl.conf:2)
*:80 ps4mousetocontroller.com (/etc/httpd/conf.d/ps4mousetocontroller.conf:1)
ServerRoot: “/etc/httpd”
Main DocumentRoot: “/opt/tomcat/webapps/ROOT/”
Main ErrorLog: “/etc/httpd/logs/error_log”
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: “/run/httpd/httpd.pid”
User: name=“apache” id=48
Group: name=“apache” id=48

Running certbot certificates:
[root@server bin]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: ps4mousetocontroller.com
Domains: ps4mousetocontroller.com
Expiry Date: 2019-09-25 19:48:28+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ps4mousetocontroller.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ps4mousetocontroller.com/privkey.pem

Running grep -Ri SSLCertificateFile /etc/httpd/:
[root@server bin]# grep -Ri SSLCertificateFile /etc/httpd/
Binary file /etc/httpd/modules/mod_ssl.so matches
/etc/httpd/conf.d/ps4mousetocontroller-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/ps4mousetocontroller.com/cert.pem
/etc/httpd/conf.d/ssl.conf.rpmsave:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf.rpmsave:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf.rpmsave:SSLCertificateFile /etc/letsencrypt/live/ps4mousetocontroller.com/cert.pem
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile

you are using self signed certs, edit Apache setting to use cert created by certbot.

Certificate Path: /etc/letsencrypt/live/ps4mousetocontroller.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ps4mousetocontroller.com/privkey.pem

Where are the Apache settings for this?

/etc/httpd/conf.d/ps4mousetocontroller-le-ssl.conf contains the following:

SSLCertificateFile /etc/letsencrypt/live/ps4mousetocontroller.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ps4mousetocontroller.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ps4mousetocontroller.com/chain.pem

And /etc/httpd/conf.d/ssl.conf contains:

SSLCertificateFile /etc/letsencrypt/live/ps4mousetocontroller.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ps4mousetocontroller.com/privkey.pem

Still, I am seeing the error message.

1 Like

did you reload the apache?

1 Like

Yes, I have. I also rebooted my system.

1 Like

Hi @HelloWorld

I don't use Tomcat. But there are additional steps required to use the certificate with Tomcat.

The "standard file names"

aren't relevant.

There is a check of your domain - https://check-your-website.server-daten.de/?q=ps4mousetocontroller.com

There is a self signed used.


Tomcat uses either Java keystore files or pfx files.

1 Like

Thank you, that link was very helpful.
It’s working now.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.