The certificate that protects the connection between CloudFront and the www subdomain has expired.
Perhaps you do not have a renewal cronjob, or perhaps the renewal failed because you switched to CloudFront, which would break the tls-sni-01 verification method.
Log into your server with a shell and run sudo certbot renew. If that renews your certificates without error, you just need to add a daily cronjob to stop it from happening again.
[Edited to remove an incorrect alternate command.]
So I’d like to ask again if you have any recollection of how you have this certificate and what you did in order to get the certificate. Did you follow some kind of tutorial to get your certificate?
What they say is the SSL you installed is not good and you need to install a different one.
As discussed, your origin configured with CloudFront does not have an SSL certificate for www.shanishemer.com. It has a certificate for shanishemer.com from Let's Encrypt. Please go ahead and request another one for www.shanishemer.com as well.
Once the certificate for www.shanishemer.com has been installed, we can debug other issues later on.
You had a certificate issued for www in the past, but looking more closely at the CT logs I see it wasn’t renewed in March when the apex domain was renewed. So it appears that you moved servers back in March and this wasn’t set back up correctly, and that’s when your problems started.
Unfortunately the CT logs haven’t caught up yet so I can’t confirm the domain set in the certificate that apparently was recently renewed, and I can’t directly check your server because CloudFront is in the middle.
You most likely just need to expand your current certificate to include the www form of your website to fix your problem. The following command will generate the new certificate you need:
sudo /opt/letsencrypt/certbot-auto run --cert-name shanishemer.com --expand -d www.shanishemer.com
Depending on how your certificate was initially issued, you may also need to run sudo service apache2 reload afterward for Apache to start serving the new certificate, but certbot will most likely do this for you.
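An added check, not from the thread, for confirming what the expanded certificate actually covers before looking at CloudFront: it reads the DNS names out of a certificate's subjectAltName and reports whether a given hostname is covered (exact match or a one-label wildcard). Since the origin can't be reached through the CDN, it runs against a local PEM file such as /etc/letsencrypt/live/<cert-name>/cert.pem; the two self-signed certificates it generates are constructed stand-ins for the apex-only and the expanded certificate, and the openssl options used exist on old and new releases.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a certificate's SAN list
# covers a hostname, using constructed self-signed certs as stand-ins for the
# one in /etc/letsencrypt/live/<cert-name>/cert.pem.
set -eu
set -f   # no pathname expansion: SAN entries like *.example.com must stay literal

# Print the DNS names from a PEM certificate's subjectAltName, one per line.
# Uses -text (works on old OpenSSL too) rather than the newer -ext option.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Return 0 if hostname $1 is covered by the certificate in $2, else 1.
# Matches exact names and one-label wildcards (*.example.com covers
# www.example.com but neither example.com nor a.b.example.com).
cert_covers() {
    host=$1
    parent=${host#*.}
    for name in $(cert_dns_names "$2"); do
        [ "$name" = "$host" ] && return 0
        [ "$name" = "*.$parent" ] && [ "$parent" != "$host" ] && return 0
    done
    return 1
}

# Generate a throwaway self-signed cert whose SAN lists the given DNS names.
# $1 = output prefix (writes $1.cnf, $1.key, $1.pem); remaining args = DNS names.
make_test_cert() {
    out=$1; shift
    san=$(printf 'DNS:%s,' "$@"); san=${san%,}
    cat > "$out.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $1
[ext]
subjectAltName = $san
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$out.cnf" \
        -keyout "$out.key" -out "$out.pem" >/dev/null 2>&1
}

WORK=$(mktemp -d)
# Constructed stand-ins: one cert for the apex only, one expanded to include www.
make_test_cert "$WORK/apex" shanishemer.com
make_test_cert "$WORK/both" shanishemer.com www.shanishemer.com

for cert in apex both; do
    if cert_covers www.shanishemer.com "$WORK/$cert.pem"; then
        echo "$cert.pem covers www.shanishemer.com"
    else
        echo "$cert.pem does NOT cover www.shanishemer.com (expand the certificate)"
    fi
done
```

To check a real certificate, call cert_covers with the hostname and the path to cert.pem; a missing www entry there means the expand step above is still needed, whatever CloudFront shows.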
@Patches, also, this command will not work with a CDN if the original certificate was obtained using --apache or something, because it will try to use TLS-SNI-01, which can’t work behind a CDN.
@DuongTuGiang, you should also show us the output of cat /etc/letsencrypt/renewal/shanishemer.com.conf so that we can see how the certificate was originally obtained.
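As an added illustration of what to look for in that renewal file, not code from the thread or from certbot: the script below parses a constructed /etc/letsencrypt/renewal/<cert-name>.conf, works out which ACME challenge the next renewal will try, and says whether that challenge can still succeed with a CDN terminating TLS in front of the origin. The sample file, the pre-0.22 apache default of tls-sni-01, and the per-challenge rules are assumptions stated in the comments.

```python
"""Classify a certbot renewal config by whether its validation method can
still work once a CDN such as CloudFront sits in front of the origin.
Added example; not certbot's own code."""
import configparser

# Constructed sample of /etc/letsencrypt/renewal/<cert-name>.conf, as written
# by an older certbot whose apache plugin pinned tls-sni-01 (assumption).
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 0123456789abcdef0123456789abcdef
pref_challs = tls-sni-01,
server = https://acme-v01.api.letsencrypt.org/directory
"""

# How each challenge reaches the origin, and whether a TLS-terminating CDN breaks it.
CHALLENGE_BEHIND_CDN = {
    "tls-sni-01": (False, "needs a direct TLS handshake with the origin; the CDN terminates TLS"),
    "tls-alpn-01": (False, "needs a direct TLS handshake with the origin; the CDN terminates TLS"),
    "http-01": (True, "works only if the CDN forwards /.well-known/acme-challenge/ to the origin uncached"),
    "dns-01": (True, "validated through DNS TXT records, independent of the web path"),
}

# Challenge an authenticator falls back to when pref_challs is absent
# (approximation for old certbot releases; newer apache/nginx plugins use http-01).
DEFAULT_CHALLENGE = {
    "apache": "tls-sni-01",
    "nginx": "tls-sni-01",
    "webroot": "http-01",
    "standalone": "http-01",
    "manual": "http-01",
}


def parse_renewal_conf(text):
    """Return (top-level path keys, renewalparams) from certbot's configobj-style file."""
    cp = configparser.ConfigParser(interpolation=None)
    # The path keys precede any section header; give them one so configparser accepts them.
    cp.read_string("[paths]\n" + text)
    return dict(cp["paths"]), dict(cp["renewalparams"])


def validation_method(params):
    """Work out which ACME challenge the renewal will attempt first."""
    prefs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    if prefs:
        return prefs[0]
    return DEFAULT_CHALLENGE.get(params.get("authenticator", ""), "http-01")


def renewal_works_behind_cdn(text):
    """Return (challenge, ok, reason) for the renewal config in `text`."""
    _, params = parse_renewal_conf(text)
    chal = validation_method(params)
    ok, reason = CHALLENGE_BEHIND_CDN.get(chal, (False, "unknown challenge type"))
    return chal, ok, reason


if __name__ == "__main__":
    chal, ok, reason = renewal_works_behind_cdn(SAMPLE_CONF)
    print(f"challenge {chal}: {'OK' if ok else 'WILL FAIL'} behind a CDN ({reason})")
```

A config that reports tls-sni-01 explains a renewal that silently stopped working after the move to CloudFront; switching the authenticator to webroot (http-01, with the challenge path passed through uncached) or to a dns-01 plugin is the usual fix.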