Invalid certificate browser error inspite of valid date/time


I have installed new certificate based on support link (

I have 2 queries in this regard

  1. THe certificate created is only for 30 days actually it has to be 90 duration. pls suggest
  2. All browsers are throwing the error (Unable to communicate securely with peer: requested domain name does not match the server’s certificate)
    pls suggest

FYI: certificate on the browser side

SSL Server Certificate

Common Name (CN)
Organisation (O)
Organisational Unit (OU)
Common Name (CN) Let’s Encrypt Authority X3
Organisation (O) Let’s Encrypt
Organisational Unit (OU)
Issued On Thursday, 15 February 2018 at 20:17:00
Expires On Wednesday, 16 May 2018 at 20:17:00
SHA-256 Fingerprint E8 62 EB 82 EB 39 08 AC E3 B1 AD A9 44 5D 8B DD
71 8A 00 F8 21 5A CF 4F AE 5F 73 E3 BC 15 43 FE
SHA-1 Fingerprint 35 B7 BD FB E3 82 82 A0 C6 F8 AA 15 64 E5 C9 C7
3C 0F BF A3


Hi @vijaysagi1,

Perhaps you've misread "May" as "Mar" here? The certificate expires on May 16, which is indeed 90 days from now.

Your server setup is not right, although I don't know exactly how this happened.

When connecting to (port 80 of, it generates a redirect to the URL (port 443 of This is a separate server entirely. The browser follows this redirect, but since the destination server is referred to by IP address instead of by name, the browser regards the certificate as invalid. (Since many sites can share the same IP address, the browser considers which name the site was accessed under in the URL in determining whether the certificate is correct. Hence, a certificate can be considered correct for one site hosted on a certain IP address, yet incorrect for another site, depending on the domain name through which the browser was told to access that site.)

In order for the certificate to be considered correct by the browser, the redirect would have to point to (by name instead of by IP address). But, as I mentioned earlier, these are two different servers.

Currently, the server at is not listening to connections on port 443 at all. Therefore, a browser can't load and instead times out.

If you need to use both of these servers for different functions, they should be given two different names, perhaps via a subdomain, and then certificates should be issued for both names, not just one.

Let's Encrypt never issues certificates that are valid for a bare IP address. If you need to refer to a server by IP address in the browser for some reason, a Let's Encrypt certificate can't protect that connection.

1 Like

Thanks schoen yur points were really helpful

Q1) point taken, i misread the month details

to generate certificate on i tried with the command sudo certbot --apache -d -d
error was:

  • An error occurred and we failed to restore your config and restart
    your server. Please submit a bug report to
    Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:

I restarted the server but i could not generate the certificate on

can u suggest the steps/doc i need to follow for the redirection from http to https
pls suggest

Hi @vijaysagi1,

What version of Certbot are you using? Perhaps the inability to edit your Apache configuration is due to using an older version.

Your certificate has definitely been issued, is valid, and is present on the machine—Apache just hasn’t been told to use it for HTTPS connections yet!

Thanks schoen…
my certbot version is 0.21.1

pls let me know the apache configuration to be done

Well, Certbot should be able to do this for you, so you may have found a bug. If you’re interested in helping figure that out, could you share your logs from /var/log/letsencrypt with us somehow?

The basic steps for editing your Apache configuration yourself are something like

(here the certificate file is /etc/letsencrypt/live/, the key file is /etc/letsencrypt/live/, and the chain file is /etc/letsencrypt/live/

When Certbot does this for you, it sets a few other settings as well, which can improve security for people connecting to your site in some ways.

If you have Apache 2.4.8 or later, you should use fullchain.pem instead of cert.pem for the certificate file, and then you don’t need to specify a chain file at all.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.