Net::err_cert_date_invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.dimsum.dk

I ran this command: Using a Mac or Apple device I accessed https://www.dimsum.dk and received the error. The error can only be reproduced from Mac or Apple device. I got the error stating that the website is not private.

It produced this output:

NET::ERR_CERT_DATE_INVALID
Subject: www.dimsum.dk

Issuer: R3

Expires on: 29. dec. 2021

Current date: 30. sep. 2021

PEM encoded chain:
-----BEGIN CERTIFICATE-----
MIIFIDCCBAigAwIBAgISBFTpIRdz8BnEJ1HmwjjelP48MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA5MzAwMzQ0NDNaFw0yMTEyMjkwMzQ0NDJaMBgxFjAUBgNVBAMT
DXd3dy5kaW1zdW0uZGswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDs
ld4yzvlDBswuVvdfyuhz/biGfgpPTaD8vD/kLrudtCBChI4S94xAFl1u3KemECo8
p8OdJLSqgl/GMijlsisNRfW4gNggW6vc6ZpecnvVEjwWH+nNpL9/B0PejVvWfa71
297B5qPejBMvxhRFE8huOzDvK45nKiYtLyQbpWlwrQYwR+iomECUhNykkrvaALby
zWL5vedXuLwprA5ehQwjK8Sc1vEnF2SQ7F54Ede6RX4kQDE1ga2Zzf/SaPyUxTUu
Dby//jWSRhlG2yikdfEVUDzU863k66u7GZnk9cjbRCMxEwez1f5BsHnVzah7LwoO
zIMZ7uXj3LZdf1isShbdAgMBAAGjggJIMIICRDAOBgNVHQ8BAf8EBAMCBaAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
BBYEFKgYduUe8+w197TiCqj2IqO0VHWNMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ
QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz
Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv
MBgGA1UdEQQRMA+CDXd3dy5kaW1zdW0uZGswTAYDVR0gBEUwQzAIBgZngQwBAgEw
NwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j
cnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdQBc3EOS/uarRUSxXprU
VuYQN/vV+kfcoXOUsl7m9scOygAAAXw1BN0ZAAAEAwBGMEQCIGJv0dBdTLKAXBkw
1Wo0RPjEwUd/+PLZ8JaT3cDaADhtAiAfwg9+G9gow+3LhPcdyLc7i6EdEJTsZUY2
FqOkreHx+AB3AH0+8viP/4hVaCTCwMqeUol5K8UOeAl/LmqXaJl+IvDXAAABfDUE
3TIAAAQDAEgwRgIhALumwLxtVcvItDPw2CWH1UmFU1vB+iVF3leLWrcZVVOnAiEA
gk+AxFpuAbmp0T5Xk4aDfBu8YIbYROnBzr50DHBlzWowDQYJKoZIhvcNAQELBQAD
ggEBAIW9jZPFwTBxoKlsXFtbpGtmju/aCjkctVjz05ywn1A7zChT1bP8QDk2bVMc
nwDmdqd4Zxh/cOz3UEvfpEPloGWi0Vv2qNza/TqZ14cc2wsd05EPMFwdCNlS7KAC
uqAPMZszHdSEMBobSP1fgKicutKH4PvuBRPcAgzOb3Mc+nTSDTzl3vwRuHGAcJKw
pOik/WFQhnqEU5bZjnMVSzsmbq+0f//vLvven36BbdxJlbKUP+jkWicKxAdRewmE
3c9Baqdr8ZHfRJkC7RczJKyKc9cREHeyM1gGnqR16BDguGhoYE6E47PHGkhWYIk6
GWjksODOm3vblUBhcgfrBuBMpFE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

Certificate Transparency: No clue what this means.

SCT DigiCert Yeti2021 Log (Embedded in certificate, Verified)

SCT Google 'Xenon2021' log (Embedded in certificate, Verified)

My web server is (include version): Apeche2

The operating system my web server runs on is (include version): Ubuntu 20.04 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.19.0

Your server is not sending any intermediate certificate.

You need to change your Apache to serve the fullchain.pem certificate file provided by certbot instead of cert.pem.

---
Certificate chain
 0 s:/CN=www.dimsum.dk
   i:/C=US/O=Let's Encrypt/CN=R3
---

Below is how my current apache2 configuration looks like. I am already using fullchain.pem

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	
	ServerName www.dimsum.dk
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	Alias /static /home/jianwu/HD_website/website/productionStatic
	<Directory /home/jianwu/HD_website/website/productionStatic>
		Require all granted
	</Directory>

	Alias /media /home/jianwu/HD_website/website/media  
        <Directory /home/jianwu/HD_website/website/media>
                Require all granted
        </Directory>	

	<Directory /home/jianwu/HD_website/website/website>
		<Files wsgi.py>
			Require all granted
		</Files>	
	</Directory>

	WSGIScriptAlias / /home/jianwu/HD_website/website/website/wsgi.py
	WSGIDaemonProcess django_app python-path=/home/jianwu/HD_website/website python-home=/home/jianwu/HD_website/website/env
	WSGIProcessGroup django_app
 


SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

In that case you're probably running a very old version of Apache (less than 2.4.8). If this is the case, you need additional configuration (SSLCertificateChainFile):

For your setup:

Change:

SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem

to

SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.dimsum.dk/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem

Edit: Wait, you're saying you run Ubuntu 20.04? The Apache on that Ubuntu shouldn't be that old?

my apeche2 version is

(env) **jianwu@django-hdserver** : **~/HD_website/website** $ apache2 -v

Server version: Apache/2.4.41 (Ubuntu)

Server built: 2021-09-28T11:00:45

Let's confirm some of the details starting with:
sudo apachectl -t -D DUMP_VHOSTS

I tried to change

SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem

to

SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.dimsum.dk/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem

In my apache2 configuration file. It didn't solve the issue

sudo apachectl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 139.162.163.35. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  www.dimsum.dk (/etc/apache2/sites-enabled/django_project-le-ssl.conf:2)
*:80                   www.dimsum.dk (/etc/apache2/sites-enabled/django_project.conf:1)

That seems quite simple...
Please show the entire file:
/etc/apache2/sites-enabled/django_project-le-ssl.conf

(env) jianwu@django-hdserver:~/HD_website/website$ cat /etc/apache2/sites-enabled/django_project-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	
	ServerName www.dimsum.dk
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	Alias /static /home/jianwu/HD_website/website/productionStatic
	<Directory /home/jianwu/HD_website/website/productionStatic>
		Require all granted
	</Directory>

	Alias /media /home/jianwu/HD_website/website/media  
        <Directory /home/jianwu/HD_website/website/media>
                Require all granted
        </Directory>	

	<Directory /home/jianwu/HD_website/website/website>
		<Files wsgi.py>
			Require all granted
		</Files>	
	</Directory>

	WSGIScriptAlias / /home/jianwu/HD_website/website/website/wsgi.py
	WSGIDaemonProcess django_app python-path=/home/jianwu/HD_website/website python-home=/home/jianwu/HD_website/website/env
	WSGIProcessGroup django_app
 


#SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/fullchain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.dimsum.dk/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Switch those and restart.

After editing my configuration looks like below. Which command should I use to restart the server?

(env) jianwu@django-hdserver:~/HD_website/website$ cat /etc/apache2/sites-enabled/django_project-le-ssl.conf 
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	
	ServerName www.dimsum.dk
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	Alias /static /home/jianwu/HD_website/website/productionStatic
	<Directory /home/jianwu/HD_website/website/productionStatic>
		Require all granted
	</Directory>

	Alias /media /home/jianwu/HD_website/website/media  
        <Directory /home/jianwu/HD_website/website/media>
                Require all granted
        </Directory>	

	<Directory /home/jianwu/HD_website/website/website>
		<Files wsgi.py>
			Require all granted
		</Files>	
	</Directory>

	WSGIScriptAlias / /home/jianwu/HD_website/website/website/wsgi.py
	WSGIDaemonProcess django_app python-path=/home/jianwu/HD_website/website python-home=/home/jianwu/HD_website/website/env
	WSGIProcessGroup django_app
 


#SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/fullchain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.dimsum.dk/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

I just reboot the Ubuntu and started the server again. The issue persists. Below is how my configuration file look like

(env) jianwu@django-hdserver:~/HD_website/website$ cat /etc/apache2/sites-enabled/django_project-le-ssl.conf 
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	
	ServerName www.dimsum.dk
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	Alias /static /home/jianwu/HD_website/website/productionStatic
	<Directory /home/jianwu/HD_website/website/productionStatic>
		Require all granted
	</Directory>

	Alias /media /home/jianwu/HD_website/website/media  
        <Directory /home/jianwu/HD_website/website/media>
                Require all granted
        </Directory>	

	<Directory /home/jianwu/HD_website/website/website>
		<Files wsgi.py>
			Require all granted
		</Files>	
	</Directory>

	WSGIScriptAlias / /home/jianwu/HD_website/website/website/wsgi.py
	WSGIDaemonProcess django_app python-path=/home/jianwu/HD_website/website python-home=/home/jianwu/HD_website/website/env
	WSGIProcessGroup django_app
 


#SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/fullchain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.dimsum.dk/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

It hasn't changed.

Make them:

SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem
#SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/cert.pem
#SSLCertificateChainFile /etc/letsencrypt/live/www.dimsum.dk/chain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem

Ah sorry I misunderstood. I will switch them now and report back.

They have been switched back (see file below). The problem still persists

(env) jianwu@django-hdserver:~/HD_website/website$ cat /etc/apache2/sites-enabled/django_project-le-ssl.conf 
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	
	ServerName www.dimsum.dk
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	Alias /static /home/jianwu/HD_website/website/productionStatic
	<Directory /home/jianwu/HD_website/website/productionStatic>
		Require all granted
	</Directory>

	Alias /media /home/jianwu/HD_website/website/media  
        <Directory /home/jianwu/HD_website/website/media>
                Require all granted
        </Directory>	

	<Directory /home/jianwu/HD_website/website/website>
		<Files wsgi.py>
			Require all granted
		</Files>	
	</Directory>

	WSGIScriptAlias / /home/jianwu/HD_website/website/website/wsgi.py
	WSGIDaemonProcess django_app python-path=/home/jianwu/HD_website/website python-home=/home/jianwu/HD_website/website/env
	WSGIProcessGroup django_app
 


SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem
#SSLCertificateFile /etc/letsencrypt/live/www.dimsum.dk/cert.pem
#SSLCertificateChainFile /etc/letsencrypt/live/www.dimsum.dk/chain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/www.dimsum.dk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

@JianDk
Did you restart the service?
Is there any load-balancer or proxy involved in this equation?

I restarted by running the below bash script

(env) **jianwu@django-hdserver** : **~/HD_website/website** $ cat start_modwsgi.sh

#!/bin/sh

#Configuration on how to start the server

python manage.py runmodwsgi \

--server-root /etc/wsgi-port-80 \

--user www-data --group www-data \

--port 80 --setup-only \

--https-only \

--https-port 443 \

--ssl-certificate-file "/etc/letsencrypt/live/www.dimsum.dk/cert.pem" \

--ssl-certificate-key-file "/etc/letsencrypt/live/www.dimsum.dk/privkey.pem" \

--server-name 'www.dimsum.dk'

#Starting the server

sudo /etc/wsgi-port-80/apachectl restart

I do not know if there is a load-balancer or proxy involved

I found your problem:

The script has betrayed you! - LOL

[that needs to be "fullchain.pem"]