Just installed Let's Encrypt and got untrusted certificate

My domain is:
www.mezasoft.com

I ran this command:
sudo certbot --apache -d www.domain.com -d domain.com

It produced this output:
$ sudo certbot --apache -d www.mezasoft.com -d mezasoft.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.mezasoft.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/wordpress-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/wordpress-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of mezasoft.com.
Which virtual host would you like to choose?


1: wordpress.conf | www.mezasoft.com | | Enabled
2: wordpress-le-ssl.conf | www.mezasoft.com | HTTPS | Enabled


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Deploying Certificate to VirtualHost /etc/apache2/sites-available/wordpress-le-ssl.conf
Enhancement redirect was already set.
Enhancement redirect was already set.


Congratulations! You have successfully enabled https://www.mezasoft.com and
https://mezasoft.com


IMPORTANT NOTES:

My web server is (include version):
Apache2

The operating system my web server runs on is (include version):
Debian 11

My hosting provider, if applicable, is:
None

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

PROBLEM:

After installing and rebooting, when trying to access my WordPress site I'm getting:

NET::ERR_CERT_INVALID

When I click on the left side of the address bar in Chrome, I get, in red, "This root certificate is untrusted"

Any ideas of what's causing this?

Hi @renato.mendes, and welcome to the LE community forum :slight_smile:

Yes, I have one:

Let's have a look at:
sudo apachectl -t -D DUMP_VHOSTS

3 Likes

Or maybe nginx ? :slight_smile:

curl -I www.mezasoft.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Location: https://www.mezasoft.com/
3 Likes

$ sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:443 www.mezasoft.com (/etc/apache2/sites-enabled/wordpress-le-ssl.conf:2)
*:80 www.mezasoft.com (/etc/apache2/sites-enabled/wordpress.conf:1)

@renato.mendes Do you know why an nginx server responds to requests to your domain?

Your DNS points to the IP 15.204.188.52 is that the correct IP?

Here is the cert returned by your domain. Does this help identify it for you?

subject= /C=BR/ST=Rio de Janeiro/L=Petr\xC3\x83\xC2\xB3polis/O=Quadfloor
issuer= /C=BR/ST=Rio de Janeiro/L=Petr\xC3\x83\xC2\xB3polis/O=Quadfloor
notBefore=Jul 20 18:24:14 2022 GMT
notAfter=Jul 20 18:24:14 2023 GMT
3 Likes

Yes, it's me. The web server is behind an NGINX reverse proxy:

WEB <====> REVERSE PROXY (NGINX) <====> WEBSERVER (DEBIAN, WORDPRESS, APACHE2)

The request goes to the proxy (NGINX) and then to the Wordpress site (Apache2).

Here is the reverse proxy's NGINX configuration:


#
# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	listen 443 ssl;
	listen [::]:443 ssl;
	ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
	ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}
}

server {
        server_name     mezasoft.com www.mezasoft.com *.mezasoft.com;
        location / {
                proxy_pass      $scheme://10.0.0.150;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

	location ~ ^/(images/|img/|javascript/|js/|css/|stylesheets/|flash/|media/|static/|robots.txt|humans.txt|favicon.ico) {
	    root $scheme://10.0.0.150;
	    access_log off;
	    expires max;
	}

	client_max_body_size 2000M;
}

Is there a chance that the proxy is sending its certificate, not the Apache2 one?

Btw: How do you know NGINX is answering you, not Apache2?

I see this:

1 Like

You should be seeing my site, not the proxy's default page. My site is accessible with pure HTTP at www.mezasoft.com.

Also, there are two websites behind the proxy: www.mezasoft.com and www.quadfloor.com

Should I remove the certificate from the proxy?

Using Redirect Checker | Check your Statuscode 301 vs 302 I see a redirect to https

1 Like

Using SSL Checker - Check SSL Certificate I see this for the returned Certificate

And SSL Server Test: www.mezasoft.com (Powered by Qualys SSL Labs)

1 Like

NO. The nginx proxy is the one that needs a Let's Encrypt cert. It "terminates" the SSL connection so needs a cert that the browser will verify.

If your Apache and nginx are on same local network you don't even need to use a cert between them.

3 Likes

This is for sure a proxy issue... I'm confused then on how to set this up...

Only the site node should return its certificate, right?

How can I tell the proxy not to use its certificate and at the same time relay 443 traffic to the website node?

Tried to remove those lines:

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

But I'm still getting an error, as nginx -t does not validate:

nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/sites-enabled/default.save:5
nginx: configuration file /etc/nginx/nginx.conf test failed

Browser->nginx via https so needs cert

nginx->Apache on local network via http so does not need cert

Your nginx config is wrong. You need an http server block (listen 80) just to redirect to https (port 443). Then, in your https server block you have the proxy statement using http (not $scheme) to your Apache. The port 443 server block needs the ssl certificate and config lines.

I don't have time right now to walk you through the details. And, this isn't a general server advice site anyway. Some other volunteer still may choose to help or you should visit the nginx.org website docs

3 Likes

Great, thanks. I understand.
But how can NGINX serve certificates for different domains, as I have 2 domains behind it? Add them to certbot in NGINX: -d mezasoft.com -d quadfloor.com -d www.mezasoft.com -d www.quadfloor.com ?

1 Like

That's well covered in nginx docs but like this:

server
server_name mezasoft ...;
listen 80;
redirect to https://mezasoft

server
server_name quadfloor ...;
listen 80;
redirect to https://quadfloor

server
server_name mezasoft ...;
listen 443 ssl;
proxy to Apache or whatever with http (or https if you must) ...
ssl cert stuff

and same for quadfloor

THAT SAID, I'm not certain you even need nginx. If the same Apache instance has all your other stuff you can just do a similar thing there with multiple VirtualHosts. Then Apache has the certs and such. Figuring this out is part of general server design.

Oh, and I knew nginx was responding from the "Server: nginx" header I showed in post #3

3 Likes
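Putting the two replies above together (split port-80 and port-443 server blocks, one pair per domain, TLS terminated at the proxy, plain HTTP to Apache on the LAN), here is a complete nginx configuration for the proxy host. This is an added example, not the configuration posted in the thread or anything from nginx's or Certbot's documentation. It assumes certbot's nginx plugin has been run on the proxy and produced lineages named mezasoft.com and quadfloor.com under /etc/letsencrypt/live/ (the lineage names are an assumption; the first -d name given to certbot decides them), that the mezasoft.com backend is 10.0.0.150 as in the thread, and that the quadfloor.com backend is the placeholder 10.0.0.151.

```nginx
# /etc/nginx/sites-enabled/proxy.conf  (example, not from the thread)
#
# Exactly one default_server per port: requests for unknown hostnames get
# closed (444) instead of reaching a site they were not meant for.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Port 80 per domain: only redirect to HTTPS. Certbot's nginx plugin handles
# the HTTP-01 challenge itself, so nothing else belongs here.
server {
    listen 80;
    listen [::]:80;
    server_name mezasoft.com www.mezasoft.com;
    return 301 https://$host$request_uri;
}

server {
    listen 80;
    listen [::]:80;
    server_name quadfloor.com www.quadfloor.com;
    return 301 https://$host$request_uri;
}

# Port 443 per domain: TLS terminates here, so this block (not Apache) must
# present the Let's Encrypt certificate the browser will verify.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mezasoft.com www.mezasoft.com;

    # Assumed lineage name; check with: sudo certbot certificates
    ssl_certificate     /etc/letsencrypt/live/mezasoft.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mezasoft.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    client_max_body_size 2000M;

    location / {
        # Fixed scheme: plain HTTP to Apache on the local network,
        # not $scheme, which would re-encrypt to the backend for HTTPS clients.
        proxy_pass http://10.0.0.150;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets WordPress know the client connection was HTTPS.
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name quadfloor.com www.quadfloor.com;

    ssl_certificate     /etc/letsencrypt/live/quadfloor.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/quadfloor.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    client_max_body_size 2000M;

    location / {
        proxy_pass http://10.0.0.151;   # placeholder backend address
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Validate with sudo nginx -t before reloading; the "duplicate default server" error earlier in the thread came from a leftover default.save file inside sites-enabled, so keep backup copies outside that directory. Two caveats follow from the Certbot output at the top of the thread: certbot --apache already installed an HTTP-to-HTTPS redirect in the Apache port-80 vhost ("Enhancement redirect was already set"), so proxying to http://10.0.0.150 will loop (nginx sends HTTP to Apache, Apache redirects to https://www.mezasoft.com/, which lands back on nginx) until that Apache redirect is removed or the proxy_pass is switched to https://10.0.0.150; and WordPress only generates https:// links when it is told the original request was HTTPS, which is what the X-Forwarded-Proto header is for. Once the proxy holds the certificate, verify from outside that the returned certificate's issuer is Let's Encrypt rather than the self-signed Quadfloor one shown earlier.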

Doing HTTP (80) and HTTPS (443) in the same server block is extremely difficult to get done correctly.
I'd recommend that you split that in two.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.