Invalid certificate in a domain using certbot


I have two domains: and , and need to make separate certificates.

Make certificates:
$ certbot certonly --standalone -d --debug
$ certbot certonly --standalone -d --debug

The two certificates are created successfully.

I implemented this in httpd on CentOS 7 using virtual hosts; works fine but does not work :frowning2:

The virtual host configuration for each vhost:

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/
</VirtualHost>

How can I verify the generated certificates from the .pem files and from httpd? How can I verify whether the problem is with the cert or with the web server?


#2 is serving a self-signed certificate, not one from Let’s Encrypt. My best guess would be that there’s a second vhost in your configuration with different SSL* directives. Try grep -r "SSLCertificateFile" /etc/httpd/ to find that file.

[root@oznet ~]# grep -r "" /etc/httpd/
/etc/httpd/sites-available/cl.oznet.mail.conf:        ServerAlias
/etc/httpd/sites-available/cl.oznet.mail.conf:        ServerAlias
/etc/httpd/sites-available/cl.oznet.mail.conf:    SSLCertificateFile /etc/letsencrypt/live/
/etc/httpd/sites-available/cl.oznet.mail.conf:    SSLCertificateKeyFile /etc/letsencrypt/live/
/etc/httpd/sites-available/cl.oznet.mail.conf:    SSLCertificateChainFile /etc/letsencrypt/live/
[root@oznet ~]# ll /etc/httpd/sites-enabled/cl.oznet.mail.conf
lrwxrwxrwx 1 root root 37 dic 19 11:52 /etc/httpd/sites-enabled/cl.oznet.mail.conf -> ../sites-available/cl.oznet.mail.conf
[root@oznet ~]# grep -r "etc/pki" /etc/httpd/
/etc/httpd/sites-available/000-default.conf:    SSLCertificateFile /etc/pki/tls/certs/ca.crt
/etc/httpd/sites-available/000-default.conf:    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
[root@oznet ~]# ll /etc/letsencrypt/live/
total 0
lrwxrwxrwx 1 root root 37 dic 19 11:55 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root 38 dic 19 11:55 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root 42 dic 19 11:55 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root 40 dic 19 11:55 privkey.pem -> ../../archive/

In total I have more than 10 virtual hosts with SSL using Let's Encrypt; your command gives a long result for each vhost on the server.


Using grep -r "SSLCertificateFile" /etc/httpd/, look for values that don’t point to a certificate in /etc/letsencrypt. That will in all likelihood be the self-signed certificate Apache decided to use for the mail subdomain.

This is assuming the files in /etc/letsencrypt were not somehow manually replaced by a self-signed certificate. You can quickly verify this using openssl x509 -in /etc/letsencrypt/live/ -noout -text | grep Issuer:
The output should be “Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3”.
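A small check script, added here as an example (not code from the thread or from certbot), that does what the answer above describes: it lists every SSLCertificateFile outside /etc/letsencrypt, summarises ServerName against certificate per conf file, prints a file's issuer, and compares the certificate a host actually serves (selected by SNI) against the file on disk. It assumes Apache-style config with one directive per line and that openssl is installed for the two live checks; the sample config tree it builds is constructed.

```shell
#!/bin/sh
# Added example: locate the vhost serving a non-Let's Encrypt certificate and
# confirm that what the server presents is the file that was configured.
# Assumes one directive per line and that openssl is available.

# Print every SSLCertificateFile path under config dir $1 that is NOT a
# Let's Encrypt file. Any line printed here is a vhost to inspect first.
non_letsencrypt_certs() {
  grep -rh -E '^[[:space:]]*SSLCertificateFile[[:space:]]+' "$1" 2>/dev/null \
    | awk '{print $2}' | grep -v '^/etc/letsencrypt/' || true
}

# Print "conf file, ServerName, cert path" for each *.conf in $1, so a vhost
# whose name is missing or only an alias (as in this thread) stands out.
vhost_summary() {
  for f in "$1"/*.conf; do
    [ -f "$f" ] || continue
    name=$(awk '$1=="ServerName"{print $2; exit}' "$f")
    cert=$(awk '$1=="SSLCertificateFile"{print $2; exit}' "$f")
    printf '%s\t%s\t%s\n' "$(basename "$f")" "${name:-<no ServerName>}" "${cert:-<no cert>}"
  done
}

# Issuer of certificate file $1; a certbot-issued cert names Let's Encrypt,
# anything else means the file on disk was replaced.
cert_issuer() { openssl x509 -in "$1" -noout -issuer; }

# Compare the SHA-256 fingerprint of the certificate presented for host $1
# (sent as SNI so the matching vhost answers) with on-disk file $2.
served_matches_file() {
  served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256)
  ondisk=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ -n "$served" ] && [ "$served" = "$ondisk" ] && echo MATCH || echo MISMATCH
}

# Constructed sample config tree mirroring the thread's layout: one vhost with
# a Let's Encrypt cert and a default vhost pointing at a local CA cert.
make_sample_config() {
  d=$(mktemp -d)
  printf '<VirtualHost *:443>\n    ServerName mail.example.test\n    SSLCertificateFile /etc/letsencrypt/live/mail.example.test/cert.pem\n</VirtualHost>\n' > "$d/mail.conf"
  printf '<VirtualHost *:443>\n    SSLCertificateFile /etc/pki/tls/certs/ca.crt\n</VirtualHost>\n' > "$d/000-default.conf"
  echo "$d"
}

# Run with RUN_DEMO=1 to see the offline checks on the constructed config.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  d=$(make_sample_config); vhost_summary "$d"; non_letsencrypt_certs "$d"; rm -rf "$d"
fi
```

Run `non_letsencrypt_certs /etc/httpd` and `vhost_summary /etc/httpd/sites-available` on the real tree; `served_matches_file mail.example.test /etc/letsencrypt/live/mail.example.test/cert.pem` then tells you whether the mismatch is in the files or in which vhost Apache picked.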


I found the solution: my virtual host says ServerAlias but is ServerName. It's an Apache bug: all virtual hosts work, but it does not execute the SSL path when the name of the virtual host is not set correctly; it is part of Apache's error tolerance.


