Root certificate not trusted

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: certbot certificates

It produced this output:
Found the following certs:
Certificate Name:
Serial Number: 4cb137e1bbeee630c3a416137ac5cef57cb
Expiry Date: 2021-02-07 16:04:38+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
Certificate Name:
Serial Number: 4b8d5ecd742b29da3b22e6b53b4e83aa51c
Expiry Date: 2021-02-07 16:12:31+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

My web server is (include version): Apache

The operating system my web server runs on is (include version):
CentOS 8

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9

<VirtualHost *:433>
Redirect 301 /

<VirtualHost *:443>
    DocumentRoot /var/www/
    ErrorLog /var/www/
    CustomLog /var/www/ combined

    <Directory /var/www/>
        AllowOverride All

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

When I check the www certificate it works fine, but when I try to use the non-www certificate it says not trusted.

Probably because you haven't got any certificate configured in your www VirtualHost.

Hm, weird, I'm getting a self-signed certificate for both hostnames..

What's the output of apachectl -S?


I tried it and get nothing back:

[root@EIUF ~]# apachectl -S
[root@EIUF ~]#

That's very weird.. Could be a CentOS thing.. Could you try /sbin/httpd -S?


That did work:

[Mon Nov 09 18:16:37.090671 2020] [so:warn] [pid 150349:tid 140239128443200] AH01574: module wsgi_module is already loaded, skipping
VirtualHost configuration:
*:433 (/etc/httpd/sites-enabled/
*:443 is a NameVirtualHost
default server (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost (/etc/httpd/sites-enabled/
*:80 is a NameVirtualHost
default server (/etc/httpd/sites-enabled/
port 80 namevhost (/etc/httpd/sites-enabled/
port 80 namevhost (/etc/httpd/sites-enabled/
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
PidFile: "/etc/httpd/run/"
User: name="apache" id=48
Group: name="apache" id=48

Here's (part) of your problem: your hostname is configured in two configuration files. The ssl.conf probably has preference, but without the correct certificates used.

The other part which I already pointed out in a previous post is the lack of certificate configuration for your www subdomain to base domain redirect on port 443.
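
The duplicate-hostname condition described in the reply above can be read mechanically from the httpd -S listing. The following is an added example, not part of the original thread: it parses the "port N namevhost" lines and reports any hostname defined more than once on the same port. The hostname example.com and the sites-enabled file name are placeholders, and the sample listing is constructed. It relies on Apache serving the first matching vhost in configuration order.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `httpd -S`; example.com and the
# sites-enabled file name are placeholders, not values from the thread.
SAMPLE = """\
VirtualHost configuration:
*:443                    is a NameVirtualHost
         default server example.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost example.com (/etc/httpd/sites-enabled/example.com.conf:12)
*:80                     is a NameVirtualHost
         default server example.com (/etc/httpd/sites-enabled/example.com.conf:1)
         port 80 namevhost example.com (/etc/httpd/sites-enabled/example.com.conf:1)
         port 80 namevhost www.example.com (/etc/httpd/sites-enabled/example.com.conf:6)
"""

NAMEVHOST = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+):(\d+)\)\s*$")

def parse_namevhosts(text):
    """Map (port, hostname) -> [(file, line), ...] in the order Apache lists them."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = NAMEVHOST.match(line)
        if m:
            port, host, path, lineno = m.groups()
            seen[(int(port), host.lower())].append((path, int(lineno)))
    return dict(seen)

def find_shadowed(text):
    """Return findings for hostnames defined more than once on a port.

    Apache serves the first matching vhost in configuration order, so every
    later definition (and its SSLCertificateFile) is never used.
    """
    findings = []
    for (port, host), defs in parse_namevhosts(text).items():
        if len(defs) > 1:
            findings.append({"port": port, "host": host,
                             "served_from": defs[0], "shadowed": defs[1:]})
    return findings

if __name__ == "__main__":
    for f in find_shadowed(SAMPLE):
        print(f"{f['host']}:{f['port']} is served from "
              f"{f['served_from'][0]}:{f['served_from'][1]}")
        for path, lineno in f["shadowed"]:
            print(f"  ignored duplicate: {path}:{lineno}")
```

To check a live server, pass the captured output of /sbin/httpd -S to find_shadowed instead of SAMPLE.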


Thanks, I just removed the ssl.conf and now everything is working fine.

