Invalid certificate, need to install an intermediate certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot --apache -d -d

It produced this output: It appears to work correctly, it generated these files -
lrwxrwxrwx 1 root root 55 Jun 28 09:52 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root 56 Jun 28 09:52 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root 60 Jun 28 09:52 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root 58 Jun 28 09:52 privkey.pem -> ../../archive/

The works correctly, it's an alias to the the domain.

My web server is (include version): Apache 2.4.53

The operating system my web server runs on is (include version): RHEL 9.1

My hosting provider, if applicable, is: state government

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6

The issued on date shows April 18, 2023. I've been struggling with this issue so deleted all the certificates and created new ones on June 28, 2023. Certbot certificates shows this:

Certificate Name:
Serial Number: 31f0d4ca258910b64cc135ba2b383f96843
Key Type: ECDSA
Expiry Date: 2023-09-26 13:52:15+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

I've restarted Apache multiple times, even rebooted the server. I'm hoping by updating the issued date it will work correctly.

Hello @lmm61, welcome to the Let's Encrypt community. :slightly_smiling_face:

Yes the domain looks good

However the domain is using a self-signed certificate

Likely a configuration issue with Apache.
Here details on Apache can be found in documentation and forums:


Thanks Bruce. I'm not sure how that explains the date discrepancy. The original certificate was created on April 18, 2023 but has since been deleted. The new certificates are dated yesterday (June 28, 2023).

Here's what the Apache config looks like:

<VirtualHost *:443>
     DocumentRoot /home/web
     Redirect permanent /
     RewriteEngine on

     SSLCertificateFile /etc/letsencrypt/live/
     SSLCertificateKeyFile /etc/letsencrypt/live/
     Include /etc/letsencrypt/options-ssl-apache.conf
1 Like

Two things:

  • Your ServerAlias is the same as ServerName, which is kinda (very) unnecessary
  • Secondly you've generated a redirect loop in this virtualhost: it's already the port 443 HTTPS VirtualHost and it's redirecting to the same hostname as itself with the https:// protocol: i.e.: to itself

The fact we don't actually GET a redirect loop suggests to me that your Apache configuration has TWO VirtualHost sections for one with the self signed certificate, but without the redirect and a second one with Let's Encrypt certs configured, but which should fail with a redirect loop to itself.

Please show the output of the command: sudo apachectl -t -D DUMP_VHOSTS


Thank you, here you go:

httpd -t -D DUMP_VHOSTS
[Thu Jun 29 12:00:53.510335 2023] [so:warn] [pid 20786:tid 20786] AH01574: module fcgid_module is already loaded, skipping
VirtualHost configuration:
*:80 is a NameVirtualHost
default server (/etc/httpd/conf/httpd.conf:404)
port 80 namevhost (/etc/httpd/conf/httpd.conf:404)
port 80 namevhost (/etc/httpd/conf/httpd.conf:409)
*:443 is a NameVirtualHost
default server (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost (/etc/httpd/conf/httpd.conf:392)
port 443 namevhost (/etc/httpd/conf/httpd.conf:415)

1 Like

And thirdly:

  • RewriteEngine on

It's turned on and never used - remove that line.

But as noted, this isn't the vhost config that is being served to the public.

Two files with same name:port
This is well-known defect in Apache - it allows for such without any warning.


Here are lists of issued certificates

1 Like

I originally created two different certificates for each of the domains and then was trying to force renewals after some tinkering, hoping to resolve the problem. I came across a discussion saying multiple domains should be in one certificate. That was when I deleted the certificates and created a new one, yesterday. This isn't reflected in the page.

Please show the conflicting file:

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLCryptoDevice builtin

<VirtualHost _default_:443>

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLHonorCipherOrder on


SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


What's the hostname of that server? I.e., the output of the command hostname.

1 Like

OK. you can't remove that file.
You need to change the ServerName in the main host config file.
One should never call the host server by a name it will be serving content from.


Yes, it is, will rename it.

1 Like

Sweet, that took care of it. Thank you!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.