I migrated my sites to another server, with ip and different machines, ERR_CERT_AUTHORITY_INVALID occurs


Yesterday, August 2, 2018, I migrated all my sites to another VPS, with different IP.
I am trying to reinstall the certificates, all attempts are giving ERR_CERT_AUTHORITY_INVALID.
If I continue trying I will exhaust all 5 attempts to renew the certificate.
I do not know what to try anymore.
Can you help me please?


Oh, I’m using nginx and CENTOS7


Bom dia @Perret,

How did you migrate the sites? What are you doing to reinstall the certificates?


Wow, thank you so much for the quick response.
I am using the command
sudo certbot --nginx


Hi @Perret

there are two certificates created today:


www.lopesperret.com.br has one certificate created today.


What says

certbot certificates


Yes, I think it was from the attempts I made to make the certificate, all of these were in an attempt to activate the certificate.
But of this yesterday, when I made the first attempt (in www.marceloperret.com.br), I am having the same error when accessing in any browser, chrome or firefox


Ah, I do not know if it helps, but in the previous VPS, everything worked perfectly, with the same configuration, nginx, etc …
When I migrated yesterday to the new VPS, everything is working normally, no problems, just the script is giving this error, in chrome or in forefox


I’d like to know whether you copied files related to your certificates from the old VPS to the new VPS. And also, when you ran Certbot, what was the output?


I actually did not copy any certificate files, just installed certboot and rode to create new certificates, option 2: Renew & replace the cert (limit ~ 5 for 7 days).
I was not sure what to do.
I do not know now what to do to correct.


What was the output when you ran Certbot on the new VPS?

How did that happen if there was no existing certificate on the new VPS?


I did it again
Here’s the result:

[root@server1 ~]# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?

1: base-dados-cep.com
2: www.base-dados-cep.com
3: cathplast.com.br
4: www.cathplast.com.br
5: legisperitis.com.br
6: sistema.legisperitis.com.br
7: www.sistema.legisperitis.com.br
8: www.legisperitis.com.br
9: lopesperret.com.br
10: www.lopesperret.com.br
11: marceloperret.com.br
12: www.marceloperret.com.br
13: perret.com.br
14: www.perret.com.br
15: servergear.com.br
16: server1.servergear.com.br
17: www.servergear.com.br

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 12
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/www.marceloperret.com.br.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.marceloperret.com.br
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/marceloperret.com.br.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/marceloperret.com.br.conf

Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains:

You should test your configuration at:


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2018-11-01. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

[root@server1 ~]#


There is a self signed certificate - MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

Looks like there is a missing reload / restart - command.


Forgive my lack of knowledge, what would that be and how do I resolve it?


If the reload or restart you are referring to is related to nginx, I have done this several times, even restarting the server itself (exaggeration, but I have already tried this too).


I think this is not the solution, I did restart nginx, server and the problem continues.
I do not know what’s going on.


Can you post your relevant configuration from /etc/nginx/conf.d?

Maybe run

egrep -r '(server_name|ssl_cert)' /etc/nginx


/etc/nginx/scgi_params:scgi_param SERVER_NAME $server_name;
/etc/nginx/conf.d/marceloperret.com.br.conf:server_name marceloperret.com.br www.marceloperret.com.br;
/etc/nginx/conf.d/marceloperret.com.br.conf: ssl_certificate /etc/letsencrypt/live/www.marceloperret.com.br/fullchain.pem; # managed by Certbot
/etc/nginx/conf.d/marceloperret.com.br.conf: ssl_certificate_key /etc/letsencrypt/live/www.marceloperret.com.br/privkey.pem; # managed by Certbot
/etc/nginx/conf.d/marceloperret.com.br.conf:server_name marceloperret.com.br www.marceloperret.com.br;
/etc/nginx/conf.d/sistema.legisperitis.com.br.conf:server_name sistema.legisperitis.com.br www.sistema.legisperitis.com.br;
/etc/nginx/conf.d/sistema.legisperitis.com.br.conf: ssl_certificate /etc/letsencrypt/live/sistema.legisperitis.com.br/fullchain.pem; # managed by Certbot
/etc/nginx/conf.d/sistema.legisperitis.com.br.conf: ssl_certificate_key /etc/letsencrypt/live/sistema.legisperitis.com.br/privkey.pem; # managed by Certbot
/etc/nginx/conf.d/sistema.legisperitis.com.br.conf:server_name sistema.legisperitis.com.br www.sistema.legisperitis.com.br;
/etc/nginx/conf.d/lopesperret.com.br.conf:server_name lopesperret.com.br www.lopesperret.com.br;
/etc/nginx/conf.d/lopesperret.com.br.conf: ssl_certificate /etc/letsencrypt/live/www.lopesperret.com.br/fullchain.pem; # managed by Certbot
/etc/nginx/conf.d/lopesperret.com.br.conf: ssl_certificate_key /etc/letsencrypt/live/www.lopesperret.com.br/privkey.pem; # managed by Certbot
/etc/nginx/conf.d/lopesperret.com.br.conf:server_name lopesperret.com.br www.lopesperret.com.br;
/etc/nginx/conf.d/legisperitis.com.br.conf:server_name legisperitis.com.br www.legisperitis.com.br;
/etc/nginx/conf.d/legisperitis.com.br.conf: ssl_certificate /etc/letsencrypt/live/www.legisperitis.com.br/fullchain.pem; # managed by Certbot
/etc/nginx/conf.d/legisperitis.com.br.conf: ssl_certificate_key /etc/letsencrypt/live/www.legisperitis.com.br/privkey.pem; # managed by Certbot
/etc/nginx/conf.d/legisperitis.com.br.conf:server_name legisperitis.com.br www.legisperitis.com.br;
/etc/nginx/conf.d/server1.servergear.com.br.conf:server_name server1.servergear.com.br;
/etc/nginx/conf.d/server1.servergear.com.br_ssl.conf:server_name server1.servergear.com.br;
/etc/nginx/conf.d/server1.servergear.com.br_ssl.conf:ssl_certificate /etc/pki/tls/certs/server1.servergear.com.br.cert;
/etc/nginx/conf.d/server1.servergear.com.br_ssl.conf:ssl_certificate_key /etc/pki/tls/private/server1.servergear.com.br.key;
/etc/nginx/conf.d/servergear.com.br.conf:server_name servergear.com.br www.servergear.com.br;
/etc/nginx/conf.d/cathplast.com.br.conf:server_name cathplast.com.br www.cathplast.com.br;
/etc/nginx/conf.d/perret.com.br.conf:server_name perret.com.br www.perret.com.br;
/etc/nginx/conf.d/perret.com.br.conf: ssl_certificate /etc/letsencrypt/live/www.perret.com.br/fullchain.pem; # managed by Certbot
/etc/nginx/conf.d/perret.com.br.conf: ssl_certificate_key /etc/letsencrypt/live/www.perret.com.br/privkey.pem; # managed by Certbot
/etc/nginx/conf.d/perret.com.br.conf:server_name perret.com.br www.perret.com.br;
/etc/nginx/conf.d/base-dados-cep.com.conf:server_name base-dados-cep.com www.base-dados-cep.com;
/etc/nginx/nginx.conf: server_names_hash_max_size 10240;
/etc/nginx/nginx.conf: server_names_hash_bucket_size 1024;
/etc/nginx/uwsgi_params:uwsgi_param SERVER_NAME $server_name;
/etc/nginx/fastcgi_params:fastcgi_param SERVER_NAME $server_name;


Did you get any idea?


https://www.marceloperret.com.br/ has a self signed certificate of server1.servergear.com.br - so

isn’t used.

server1.servergear.com.br has a certificate not from /etc/letsencrypt/live/

So this may be the private certificate. Looks like your configuration is buggy.


Well, how could I fix this?