I was given an expired certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://ligalc.ru/

I ran this command:

It produced this output:

My web server is (include version):
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
The operating system my web server runs on is (include version):
centos 7
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I use WinSCP
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version

certbot 2.9.0

I was given an expired certificate...

What did I do wrong?...

By whom?

What does certbot renew say?

2 Likes

You have gotten many certs recently but your Apache server is not using them

See your cert history: crt.sh | ligalc.ru

What do these commands show?

sudo httpd -t -D DUMP_VHOSTS
sudo certbot certificates
4 Likes

No, you weren't. Your site is using an expired (for almost eight months) certificate. But since your images didn't work (and screen shots of the command you ran and its output aren't very helpful anyway), we have no idea why.

What most likely happened is that Let's Encrypt issued a valid cert for your domain (which it did yesterday, and the day before that, and three times more on Saturday, and four more times on Wednesday), but your web server software isn't configured to use that new cert. Stop wasting Let's Encrypt's resources issuing certs you don't need, and configure your server to use one of the certs you already have.

6 Likes

and what about certbot certificates?

1 Like

Those links were somehow garbled with unnecessary spaces.
I've since corrected that original post [have another look].

3 Likes

[root@ligalc ~]# sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 ligalc.ru (/etc/httpd/conf.d/vhosts.conf:1)
*:443 is a NameVirtualHost
default server host-109-171-25-22.bbcustomer.zsttk.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost host-109-171-25-22.bbcustomer.zsttk.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost ligalc.ru (/etc/httpd/conf.d/vhosts-le-ssl.conf:2)
alias www.ligalc.ru
port 443 namevhost ligalc.ru (/etc/httpd/conf/httpd.conf:354)

...and
[root@ligalc ~]# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: ligalc.ru
Serial Number: 4fdcd44d62b034b2a916d13badf5d1e2e00
Key Type: ECDSA
Domains: ligalc.ru
Expiry Date: 2023-08-15 07:41:31+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/ligalc.ru/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ligalc.ru/privkey.pem


These two files are trying to serve the same name on the same port:

2 Likes
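An added example, not from the thread, that automates the check made by eye above: it parses `httpd -t -D DUMP_VHOSTS` output and reports every ServerName declared more than once on the same port, together with the file:line of each declaration, so you can see which vhost block to remove. The sample input is constructed from the DUMP_VHOSTS output pasted in the thread.

```shell
#!/bin/sh
# Constructed sample: the DUMP_VHOSTS output pasted earlier in the thread.
SAMPLE_DUMP='VirtualHost configuration:
*:80 ligalc.ru (/etc/httpd/conf.d/vhosts.conf:1)
*:443 is a NameVirtualHost
default server host-109-171-25-22.bbcustomer.zsttk.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost host-109-171-25-22.bbcustomer.zsttk.net (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost ligalc.ru (/etc/httpd/conf.d/vhosts-le-ssl.conf:2)
alias www.ligalc.ru
port 443 namevhost ligalc.ru (/etc/httpd/conf/httpd.conf:354)'

# Reads DUMP_VHOSTS output on stdin and prints one line per ServerName that is
# declared more than once on the same port:
#   <port> <name> <file:line> <file:line> ...
# Prints nothing when every name/port pair is declared exactly once.
find_duplicate_vhosts() {
  awk '
    # Only "port NNN namevhost NAME (FILE:LINE)" lines describe a name-based vhost;
    # "alias" and "default server" lines are skipped.
    $1 == "port" && $3 == "namevhost" {
      key = $2 " " $4
      src = $5
      gsub(/[()]/, "", src)          # strip the parentheses around FILE:LINE
      count[key]++
      where[key] = where[key] " " src
    }
    END {
      for (k in count)
        if (count[k] > 1)
          print k where[k]
    }
  ' | sort
}

# Live usage on the server (not run here):
#   sudo httpd -t -D DUMP_VHOSTS | find_duplicate_vhosts
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_vhosts
```

Apache picks the first matching vhost for a name on a port, so any later duplicate is silently ignored, which is how a freshly renewed cert can be on disk yet never served.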

line 2 in /etc/httpd/conf.d/vhosts-le-ssl.conf
<VirtualHost *:443>

The complete block from line 2 onward looks like this:

<VirtualHost *:443>
    ServerAdmin admin@email.com
    ServerName ligalc.ru
    ServerAlias www.ligalc.ru
    DocumentRoot /var/www/html

    SSLCertificateFile /etc/letsencrypt/live/ligalc.ru/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ligalc.ru/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/ligalc.ru/chain.pem
</VirtualHost>
</IfModule>

and line 354 in /etc/httpd/conf/httpd.conf
<VirtualHost *:443>

The complete block from line 354 onward looks like this:

<VirtualHost *:443>
    SSLEngine on
    <Directory /var/www/vhosts/ligalc.ru/www>
        AllowOverride All
    </Directory>
    DocumentRoot /var/www/html
    ServerName ligalc.ru
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/ligalc.ru/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ligalc.ru/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/ligalc.ru/chain.pem
</VirtualHost>

And what should I do?

/var/www/vhosts/ligalc.ru/www
There is no vhosts folder in /var/www/ :man_shrugging:

Since they are doing almost the exact same thing, I would remove the one without the alias and include the line(s) therein into the remaining vhost section.

  • Remove the section in the httpd.conf file.
  • Add the four missing lines to the vhosts-le-ssl.conf file:
2 Likes

Yes, definitely update the DocumentRoot to point to where the site content is actually located.
Where is the site content?

3 Likes

In vhosts-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin admin@email.com
    ServerName ligalc.ru
    ServerAlias www.ligalc.ru
    DocumentRoot /var/www/html
    SSLEngine on
    <Directory /var/www/vhosts/ligalc.ru/www>
        AllowOverride All
    </Directory>
    SSLCertificateFile /etc/letsencrypt/live/ligalc.ru/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ligalc.ru/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/ligalc.ru/chain.pem
</VirtualHost>
</IfModule>

I deleted this in /etc/httpd/conf/httpd.conf:

<VirtualHost *:443>
~
~
</VirtualHost>

and then ran:
[root@ligalc ~]# systemctl restart httpd
[root@ligalc ~]#
...

Is everything correct?

Where is the site content?
In
DocumentRoot /var/www/html

These two entries are no longer needed in that part of the httpd.conf file:

2 Likes

Then update the file accordingly.
And restart/reload the web service.

2 Likes

I saved the text changes of course :slight_smile:
I restarted httpd, isn't that enough?
Or is it done differently?

It should be.
Test access to be sure.

1 Like

I now see why you are using separate files for cert and chain:
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16

You really should update that to a newer version.

1 Like