Let's Encrypt showing invalid on nginx redhat

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: web.ksbc.co.in

I ran this command: certbot --nginx -d web.ksbc.co.in

It produced this output:

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        #server_name  localhost;
        server_name web.ksbc.co.in;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on
        #location ~ \.php$ {
        #    proxy_pass;
        #}

        # pass the PHP scripts to FastCGI server listening on
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #location ~ /\.ht {
        #    deny  all;
        #}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/web.ksbc.co.in/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/web.ksbc.co.in/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    server {
    if ($host = web.ksbc.co.in) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        listen       80;
        server_name web.ksbc.co.in;
    return 404; # managed by Certbot
    }
}

2024-01-27 10:41:53,822:DEBUG:certbot._internal.display.obj:Notifying user: Congratulations! You have successfully enabled HTTPS on https://web.ksbc.co.in
2024-01-27 10:41:53,822:DEBUG:certbot._internal.display.obj:Notifying user: If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le

My web server is (include version): nginx version: nginx/1.14.1

The operating system my web server runs on is (include version): Redhat 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

Hi @shajiaksbc, and welcome to the LE community forum!

Let's have a look at the files in this directory, with:
ls -l /etc/letsencrypt/live/web.ksbc.co.in/

Also, this version is a bit outdated:

Try updating it with these instructions:
Certbot Instructions | Certbot (eff.org)


ls -l /etc/letsencrypt/live/web.ksbc.co.in/
lrwxrwxrwx. 1 root root 38 Jan 18 14:16 cert.pem -> ../../archive/web.ksbc.co.in/cert5.pem
lrwxrwxrwx. 1 root root 39 Jan 18 14:16 chain.pem -> ../../archive/web.ksbc.co.in/chain5.pem
lrwxrwxrwx. 1 root root 43 Jan 18 14:16 fullchain.pem -> ../../archive/web.ksbc.co.in/fullchain5.pem
lrwxrwxrwx. 1 root root 41 Jan 18 14:16 privkey.pem -> ../../archive/web.ksbc.co.in/privkey5.pem

Try updating it with these instructions:
Certbot Instructions | Certbot (eff.org)

Followed this instruction, but it's still showing the error.

Looks like the Fortinet is configured inside out: it's showing the internal certificate to the internet.
It also has the wrong time, if it thinks Apr 26 09:06:24 2024 GMT is already expired.


Could you recommend any solution? The firewall is managed by the network team.

You could try getting a certificate using DNS-01 authentication, if you have control of the external DNS zone.
[Can you place a TXT record in the external DNS zone?]


He's already got a certificate and the FortiGate sees that from the server, but for some reason the FortiGate's DPI inspects traffic to that server and re-terminates it with an internal certificate:
You can see the FortiGate certificate given when connected has the SCTs copied, and it matches the real LE certificate from crt.sh.
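The substitution described above (a TLS-inspecting firewall presenting its own certificate in place of the one nginx serves) can be confirmed from any client. This is an added example, not code from the thread: it fetches the leaf certificate actually presented for a host and compares its SHA-256 fingerprint with the leaf in the locally installed fullchain.pem. The host name and PEM path in the main block are assumptions.

```python
"""Added example (not from the thread): does the certificate a client receives
for a host match the leaf Certbot installed in nginx?  A mismatch means a
middlebox (e.g. a TLS-inspecting firewall) is re-terminating the connection.
Stdlib only; host/path values below are assumptions."""
import hashlib
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def leaf_fingerprint_from_pem(pem_text: str) -> str:
    """SHA-256 fingerprint (hex) of the first certificate in a PEM bundle.
    In Certbot's fullchain.pem the first entry is the leaf."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    return hashlib.sha256(der).hexdigest()


def fetch_presented_leaf(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """DER leaf certificate presented for `host` (SNI set).  Verification is
    disabled on purpose: we want whatever is presented, including an internal
    CA's certificate that would fail normal validation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def interception_report(presented_der: bytes, installed_pem: str) -> dict:
    """Compare the presented leaf with the installed leaf by fingerprint."""
    presented = hashlib.sha256(presented_der).hexdigest()
    installed = leaf_fingerprint_from_pem(installed_pem)
    return {"presented_sha256": presented, "installed_sha256": installed,
            "intercepted": presented != installed}


if __name__ == "__main__":
    # Assumed values: run on the nginx host itself, against its public name.
    HOST = "web.example.invalid"
    PEM_PATH = "/etc/letsencrypt/live/" + HOST + "/fullchain.pem"
    with open(PEM_PATH) as f:
        report = interception_report(fetch_presented_leaf(HOST), f.read())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it once from inside the network and once from an outside host: "intercepted: True" only on the outside path points at the middlebox rather than at nginx.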


Ask the network team to move that server to the DMZ, outside of the packet inspection area.

