Net::err_cert_authority_invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 2b2b.site

I ran this command: certbot

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: 2b2b.site


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/2b2b.site.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Enhancement redirect was already set.


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://2b2b.site

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=2b2b.site


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/2b2b.site/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/2b2b.site/privkey.pem
    Your cert will expire on 2020-10-07. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: CentOS Linux release 7.8.2003 (Core)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.5.0

Certbot gives me a self-signed certificate… I don’t know why.
In the config there is:
SSLCertificateFile /etc/letsencrypt/live/2b2b.site/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/2b2b.site/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/2b2b.site/chain.pem

I have read other topics with this problem - there is no solution.

I've made such a certificate before on pricelinpro.site - it works well. I cannot understand what happens…
Please help me.

Hi @66078

checking your site you have already created some certificates - https://check-your-website.server-daten.de/?q=2b2b.site#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2020-07-09 | 2020-10-07 | 2b2b.site - 1 entries | duplicate nr. 4 | |
| Let's Encrypt Authority X3 | 2020-07-09 | 2020-10-07 | 2b2b.site - 1 entries | duplicate nr. 3 | |
| Let's Encrypt Authority X3 | 2020-07-09 | 2020-10-07 | 2b2b.site - 1 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2020-07-08 | 2020-10-06 | 2b2b.site - 1 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2020-07-01 | 2020-09-29 | 2b2b.site - 1 entries | | |
| Let's Encrypt Authority X3 | 2020-06-21 | 2020-09-19 | 2b2b.site - 1 entries | | |

Don't create a new one; there is a rate limit.

So the installation doesn't work.

What does this say:

apachectl -S

Good day, JuergenAuer.
I made duplicates because of this error.

apachectl -S says:
VirtualHost configuration:
*:80 2b2b.site (/etc/httpd/conf/httpd.conf:354)
*:443 is a NameVirtualHost
default server 2b2b.site (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost 2b2b.site (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost 2b2b.site (/etc/httpd/conf/httpd-le-ssl.conf:2)
ServerRoot: “/etc/httpd”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/etc/httpd/logs/error_log”
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
PidFile: “/run/httpd/httpd.pid”
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“apache” id=48
Group: name=“apache” id=48

There you see the problem, that's always bad.

Merge these two in one vHost. Or disable all port 443 vHosts and use certbot with --reinstall.
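
The check described in the reply above, as an added example that is not part of the original posts: it reads `apachectl -S` output and reports every port and ServerName pair that is defined by more than one vHost, with the config locations in the order Apache lists them. The function names `dup_vhosts` and `sample_output` are made up for this example; the sample lines are the VirtualHost lines from the output posted in this thread.

```sh
#!/bin/sh
# Added example (not from the thread): find name-based vhosts that
# `apachectl -S` lists more than once for the same port and ServerName.

# VirtualHost lines taken from the `apachectl -S` output posted above.
sample_output() {
    cat <<'EOF'
*:80 2b2b.site (/etc/httpd/conf/httpd.conf:354)
*:443 is a NameVirtualHost
default server 2b2b.site (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost 2b2b.site (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost 2b2b.site (/etc/httpd/conf/httpd-le-ssl.conf:2)
EOF
}

# Reads `apachectl -S` output on stdin.
# Prints one line per duplicated pair: "<port> <name> <file:line>,<file:line>..."
dup_vhosts() {
    awk '
        # Only "port <n> namevhost <name> (<file:line>)" lines describe
        # name-based vhosts; "default server" and "alias" lines are skipped.
        $1 == "port" && $3 == "namevhost" {
            key = $2 " " $4
            loc = $5
            gsub(/[()]/, "", loc)          # strip the surrounding parentheses
            if (key in count) {
                locs[key] = locs[key] "," loc
            } else {
                order[++n] = key           # remember first-seen order
                locs[key] = loc
            }
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (count[k] > 1) print k, locs[k]
            }
        }
    '
}

# Stand-alone run on the sample; on a server use: apachectl -S 2>&1 | dup_vhosts
sample_output | dup_vhosts
```

For the thread's output this reports `ssl.conf:56` and `httpd-le-ssl.conf:2` for port 443 and `2b2b.site`; the first of the two is the one `apachectl -S` also shows as the default server, while certbot deployed the certificate to the second.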

Thank you, JuergenAuer!
Now it works!
Does it mean there is an issue with certbot?
