NET::ERR_CERT_AUTHORITY_INVALID

My domain is: americandecency.org

I ran this command: certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: americandecency.org
2: www.americandecency.org


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1,2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/americandecency.org.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Created redirect file: le-redirect-americandecency.org:443.conf
Created redirect file: le-redirect-www.americandecency.org:443.conf
Rollback checkpoint is empty (no changes made?)


Congratulations! You have successfully enabled https://americandecency.org and
https://www.americandecency.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=americandecency.org
https://www.ssllabs.com/ssltest/analyze.html?d=www.americandecency.org


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/americandecency.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/americandecency.org/privkey.pem
    Your cert will expire on 2020-04-22. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): Fedora 31

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

I have been using letsencrypt for years. All of a sudden, using the same steps, the SSL cert does not work. whynopadlock.com says invalid intermediate. ssllabs says not trusted but doesn't say why. Here is my ssl.conf:

<VirtualHost *:443>
    DocumentRoot "/var/www/html/amdec"
    ServerName americandecency.org:443
    DirectoryIndex home.php
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/html/amdec">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ServerAlias americandecency.org
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/americandecency.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/americandecency.org/privkey.pem
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/var/www/html/amdec"
    ServerName www.americandecency.org:443
    DirectoryIndex home.php
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/html/amdec">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ServerAlias www.americandecency.org
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/americandecency.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/americandecency.org/privkey.pem
</VirtualHost>

Thanks in advance for help.

Can you post the output of “sudo certbot certificates” and “sudo httpd -t -D DUMP_VHOSTS”?

https://www.americandecency.org/ seems to be configured correctly.

https://americandecency.org/ is not using a Let’s Encrypt certificate.

Did you intentionally make separate sites for those very similar names?

Hi @letsencrypter

your ServerName is

ServerName www.americandecency.org

without a port. So both vHosts may not be used.

Then

is duplicated.

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: americandecency.org
Domains: americandecency.org www.americandecency.org
Expiry Date: 2020-04-23 03:45:54+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/americandecency.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/americandecency.org/privkey.pem


[root@americandecency ~]# sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server americandecency.org (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost americandecency.org (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost americandecency.org (/etc/httpd/conf.d/ssl.conf:220)
alias americandecency.org
port 443 namevhost www.americandecency.org (/etc/httpd/conf.d/ssl.conf:245)
alias www.americandecency.org
*:80 is a NameVirtualHost
default server 138.197.230.203 (/etc/httpd/conf/httpd.conf:368)
port 80 namevhost 138.197.230.203 (/etc/httpd/conf/httpd.conf:368)
alias 159.65.217.7
port 80 namevhost www.americandecency.org (/etc/httpd/conf/httpd.conf:383)
alias americandecency.org
port 80 namevhost www.fremontopc.org (/etc/httpd/conf/httpd.conf:403)
alias fremontopc.org

The duplicate ServerAlias was added automatically by certbot --apache

I removed the :443 and combined the two into one but the problem remains.

<VirtualHost *:443>
    DocumentRoot "/var/www/html/amdec"
    ServerName americandecency.org
    ServerAlias www.americandecency.org
    DirectoryIndex home.php
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/html/amdec">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/americandecency.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/americandecency.org/privkey.pem
</VirtualHost>

New command outputs:

[root@americandecency conf.d]# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: americandecency.org
Domains: americandecency.org www.americandecency.org
Expiry Date: 2020-04-23 03:45:54+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/americandecency.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/americandecency.org/privkey.pem


[root@americandecency conf.d]# sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server americandecency.org (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost americandecency.org (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost americandecency.org (/etc/httpd/conf.d/ssl.conf:220)
alias www.americandecency.org
*:80 is a NameVirtualHost
default server 138.197.230.203 (/etc/httpd/conf/httpd.conf:368)
port 80 namevhost 138.197.230.203 (/etc/httpd/conf/httpd.conf:368)
alias 159.65.217.7
port 80 namevhost www.americandecency.org (/etc/httpd/conf/httpd.conf:383)
alias americandecency.org
port 80 namevhost www.fremontopc.org (/etc/httpd/conf/httpd.conf:403)
alias fremontopc.org

That's again a duplicate. Merge these two into one vHost.

Every combination port + domain name should be unique.

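The rule in the reply above (every port + domain name combination must belong to exactly one vHost) can be checked mechanically against the output of `httpd -t -D DUMP_VHOSTS`. The script below is an added example, not code from this thread, from Apache or from certbot: it parses the dump, collects the ServerName and ServerAlias names each vHost claims, and reports any (port, name) pair claimed by more than one vHost. The embedded sample is a constructed copy of the first dump posted in the thread, with the indentation httpd prints restored. Apache routes a name to the first vHost on that port that claims it, so when two vHosts compete for a name the earlier one wins and the name can be served with a certificate other than the one certbot installed, which is exactly what a browser then reports as NET::ERR_CERT_AUTHORITY_INVALID.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: the first `httpd -t -D DUMP_VHOSTS` output from the thread,
# with the indentation httpd normally prints put back (the forum copy lost it).
SAMPLE_DUMP = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server americandecency.org (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost americandecency.org (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost americandecency.org (/etc/httpd/conf.d/ssl.conf:220)
                 alias americandecency.org
         port 443 namevhost www.americandecency.org (/etc/httpd/conf.d/ssl.conf:245)
                 alias www.americandecency.org
*:80                   is a NameVirtualHost
         default server 138.197.230.203 (/etc/httpd/conf/httpd.conf:368)
         port 80 namevhost 138.197.230.203 (/etc/httpd/conf/httpd.conf:368)
                 alias 159.65.217.7
         port 80 namevhost www.americandecency.org (/etc/httpd/conf/httpd.conf:383)
                 alias americandecency.org
         port 80 namevhost www.fremontopc.org (/etc/httpd/conf/httpd.conf:403)
                 alias fremontopc.org
"""

# "port 443 namevhost example.org (/etc/httpd/conf.d/ssl.conf:56)"
VHOST_RE = re.compile(r"^port (\d+) namevhost (\S+) \((.+?):(\d+)\)$")
# "alias www.example.org" (always follows the vhost line it belongs to)
ALIAS_RE = re.compile(r"^alias (\S+)$")


def parse_dump_vhosts(text):
    """Return {(port, file, line): set of names} for every vhost in the dump.

    Names are lower-cased because Apache matches Host/SNI names case-insensitively.
    A ServerAlias equal to the vhost's own ServerName collapses into the set, so it
    is not reported as a conflict (it is redundant, not harmful).
    """
    vhosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VHOST_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            current = (int(port), path, int(lineno))
            vhosts.setdefault(current, set()).add(name.lower())
            continue
        m = ALIAS_RE.match(line)
        if m and current is not None:
            vhosts[current].add(m.group(1).lower())
    return vhosts


def find_duplicates(vhosts):
    """Return {(port, name): [file:line, ...]} for names claimed by more than one vhost."""
    claims = defaultdict(list)
    for (port, path, lineno), names in vhosts.items():
        for name in names:
            claims[(port, name)].append(f"{path}:{lineno}")
    return {key: sorted(sites) for key, sites in claims.items() if len(sites) > 1}


def report(text):
    """Human-readable findings, one line per conflicting (port, name) pair."""
    dups = find_duplicates(parse_dump_vhosts(text))
    return [
        f"port {port}: {name} is claimed by {len(sites)} vhosts: {', '.join(sites)}"
        for (port, name), sites in sorted(dups.items())
    ]


if __name__ == "__main__":
    # Pipe real output in: `httpd -t -D DUMP_VHOSTS 2>&1 | python3 check_vhosts.py`
    # (check_vhosts.py is a hypothetical file name); with no input the sample is used.
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for line in report(text) or ["no duplicate port + name combinations found"]:
        print(line)
```

Run against the sample it flags only `americandecency.org` on port 443, claimed by both `ssl.conf:56` and `ssl.conf:220`, which matches the duplicate the replies point at; the port 80 vHosts are all distinct. Note that the first listed vHost on a port is also the default for names nobody claims, so a stock `ssl.conf` vHost left in place quietly answers for any unclaimed name with whatever certificate it carries.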

Thanks. Works now.

