ERR_CERT_AUTHORITY_INVALID Ubuntu 16.04 Apache 2.4

I have tried the search but didn't find anything very helpful quickly. I'll keep searching, but in the meantime I'll post my newbie question here.

My domain is:
hylif.cymru

I ran this command:
I ran many commands which I found from research; I can't remember the latest, e.g.

sudo certbot certonly --webroot -w /var/www/hylif.cymru/htdocs -d www.hylif.cymru -d hylif.cymru

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

It produced this output:
Too much to paste. Can you help debug from the public info on the server or this hyperlink?

My web server is (include version):
Apache v2.4.37

The operating system my web server runs on is (include version):
Ubuntu 16.04.5

My hosting provider, if applicable, is:
It's my own EC2 host in AWS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Maybe this helps

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server localhost (/opt/bitnami/apache2/conf/bitnami/bitnami.conf:43)
         port 443 namevhost localhost (/opt/bitnami/apache2/conf/bitnami/bitnami.conf:43)
         port 443 namevhost hylif.cymru (/opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf:43)
                 alias www.hylif.cymru
*:80                   is a NameVirtualHost
         default server localhost (/opt/bitnami/apache2/conf/bitnami/bitnami.conf:8)
         port 80 namevhost localhost (/opt/bitnami/apache2/conf/bitnami/bitnami.conf:8)
         port 80 namevhost jujuwings.com (/opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf:7)
                 alias www.jujuwings.com
         port 80 namevhost penchantmusic.com (/opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf:21)
                 alias www.penchantmusic.com
         port 80 namevhost hylif.cymru (/opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf:35)
                 alias www.hylif.cymru
         port 80 namevhost alleviatesecurities.com.au (/opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf:64)
                 alias www.alleviatesecurities.com.au
         port 80 namevhost serenitystaffing.com.au (/opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf:78)
                 alias www.serenitystaffing.com.au
ServerRoot: "/opt/bitnami/apache2"
Main DocumentRoot: "/opt/bitnami/apache2/htdocs"
Main ErrorLog: "/opt/bitnami/apache2/logs/error_log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/opt/bitnami/apache2/logs/" mechanism=default 
Mutex proxy-balancer-shm: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/opt/bitnami/apache2/logs/httpd.pid"


<VirtualHost *:443>
    ServerAdmin rhodridaviesconsulting@gmail.com
    ServerName hylif.cymru
    ServerAlias www.hylif.cymru
    DocumentRoot "/opt/bitnami/apps/hylif.cymru/htdocs"
    ErrorLog /opt/bitnami/apache2/logs/error-hylif-cymru.log
    CustomLog /opt/bitnami/apache2/logs/access-hylif-cymru.log combined
#    SSLEngine on
#    SSLCertificateFile /etc/letsencrypt/live/hylif.cymru/cert.pem
#    SSLCertificateChainFile /etc/letsencrypt/live/hylif.cymru/chain.pem
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>

You're generating a self-signed certificate using OpenSSL and use that self-signed certificate in your Apache configuration. The error you're getting is completely normal for your current setup. Were you expecting something else?

4 Likes

You can see the certificate that is presently being served here: https://decoder.link/sslchecker/hylif.cymru/443
As @Osiris said, it is a self-signed certificate;
consider using one of the certificates you have listed here: crt.sh | hylif.cymru.

2 Likes

I strongly suggest using the commented out lines instead of the other lines if you wish to use Let's Encrypt issued certificates.

3 Likes

Thanks for the feedback so far.

My target is to have a securely served website over SSL without any cert errors

I tried the commented out lines but the symlinks cause Apache not to start, maybe because it's a pem.

OK, I'll have another go working with those pem keys instead... watch this space!

1 Like

Your Apache config should look more like this for the cert lines

SSLCertificateFile    /etc/letsencrypt/live/hylif.cymru/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hylif.cymru/privkey.pem

Comment out the two lines related to the self-signed cert and use the above instead.

See below site for guidance on configuring a VirtualHost. Do not enable HSTS or Stapling until you are an expert and know what those do.

3 Likes
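An added pre-flight check for the certificate lines in the VirtualHost above (example script, not posted in the thread and not part of Certbot or Apache). It reports whether a certificate is self-signed (issuer equals subject, which is what produces ERR_CERT_AUTHORITY_INVALID here), whether the private key actually belongs to the certificate (a mismatch is what stops Apache starting), and how many certificates a file carries (fullchain.pem holds the leaf plus intermediates; a self-signed file holds one). It assumes the openssl CLI is installed; the file paths passed to it are hypothetical, and the demo fixture is constructed on the fly.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks for the cert/key pair
# referenced by SSLCertificateFile / SSLCertificateKeyFile before reloading Apache.
# Assumes the openssl CLI is installed; file paths are hypothetical.

# Print a DN with the "subject=" / "issuer=" prefix stripped (handles 1.0.x and 1.1.x output).
dn_field() {  # $1 = cert file, $2 = subject|issuer
  openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# 0 if the certificate is self-signed (issuer DN equals subject DN).
is_self_signed() {
  [ "$(dn_field "$1" subject)" = "$(dn_field "$1" issuer)" ]
}

# 0 if the private key's public half equals the public key inside the cert.
# Compares PEM public keys, so it works for RSA and EC keys alike.
key_matches_cert() {  # $1 = cert file, $2 = key file
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || cert_pub=""
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || key_pub=""
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Number of PEM certificates in a file (fullchain.pem >= 2, cert.pem == 1).
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Constructed fixture: a throwaway self-signed pair plus an unrelated key.
make_demo_pair() {  # $1 = directory
  openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=example.test" \
    -keyout "$1/selfsigned.key" -out "$1/selfsigned.crt" >/dev/null 2>&1
  openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

# Human-readable summary for a cert/key pair, e.g. before `apachectl configtest`.
report() {  # $1 = cert file, $2 = key file
  if is_self_signed "$1"; then
    echo "$1: self-signed (browsers will show ERR_CERT_AUTHORITY_INVALID)"
  else
    echo "$1: issued by $(dn_field "$1" issuer)"
  fi
  echo "$1: $(cert_count "$1") certificate(s) in file"
  if key_matches_cert "$1" "$2"; then
    echo "$2: matches the certificate"
  else
    echo "$2: DOES NOT match the certificate (Apache will refuse to start)"
  fi
}

# Usage: sh check-cert.sh /etc/letsencrypt/live/example.test/fullchain.pem \
#                         /etc/letsencrypt/live/example.test/privkey.pem
[ $# -eq 2 ] && report "$1" "$2"
```

Run it against the pair named in the VirtualHost before `apachectl configtest`: a self-signed result or a key mismatch explains the two failure modes discussed in this thread without having to read the whole Apache error log.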

No, pem files are fine with Apache. Maybe they fail because they are wrong. You did not have a private key file to match your cert. See my previous post.

3 Likes

Install it this way

3 Likes

Please see Mike's comment above about how to properly configure your Apache.

If you encounter any error from Apache, please show the actual error message. Without details we can't help you that well.

5 Likes

You guys helped me fix it! I think I was running an old version of certbot possibly. Or potentially I made a mistake with the key references in previous attempts using the pems. Either way it's fixed now and a problem that's been on my mind for ages is resolved. Thank you!

Basically just followed these instructions step by step :)

Noted the output of the certbot command

sudo certbot --apache

Noticed apache failed to restart due to my specific stack, but took note of the location of the pem keys and updated my custom vhosts file.

4 Likes
