Root domain not trusted

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sundru.net

I ran this command: certbot certificates

It produced this output:

Found the following certs:
Certificate Name: sundru.net
Key Type: ECDSA
Domains: sundru.net app.sundru.net blog.sundru.net www.sundru.net
Expiry Date: 2025-04-18 07:39:25+00:00 (VALID: 71 days)

My web server is (include version): Apache

The operating system my web server runs on is (include version): Red Hat Enterprise Linux release 9.5

My hosting provider, if applicable, is: No

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

The root certificate shows as not trusted, aka vendor signed, but https://blog.sundru.net loads fine. Can anyone point me in the right direction to fix the root domain https://sundru.net?

Hello @sight01, welcome to the Let's Encrypt community. 🙂

Please show the output of sudo apachectl -t -D DUMP_VHOSTS and sudo certbot certificates.

I find all 4 domain names are supplying this certificate crt.sh | 16299832170

  1. https://decoder.link/sslchecker/sundru.net/443
  2. https://decoder.link/sslchecker/www.sundru.net/443
  3. https://decoder.link/sslchecker/blog.sundru.net/443
  4. https://decoder.link/sslchecker/app.sundru.net/443
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.50.66. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server app.sundru.net (/etc/httpd/conf.d/app.sundru.net.conf:1)
         port 80 namevhost app.sundru.net (/etc/httpd/conf.d/app.sundru.net.conf:1)
         port 80 namevhost blog.sundru.net (/etc/httpd/conf.d/blog.sundru.net.conf:1)
         port 80 namevhost sundru.net (/etc/httpd/conf.d/sundru.net.conf:1)
                 alias www.sundru.net
*:443                  is a NameVirtualHost
         default server app.sundru.net (/etc/httpd/conf.d/app.sundru.net.ssl.conf:2)
         port 443 namevhost app.sundru.net (/etc/httpd/conf.d/app.sundru.net.ssl.conf:2)
                 alias app.sundru.net
         port 443 namevhost blog.sundru.net (/etc/httpd/conf.d/blog.sundru.net.ssl.conf:1)
                 alias blog.sundru.net
         port 443 namevhost sundru.net (/etc/httpd/conf.d/sundru.net.ssl.conf:1)
                 alias www.sundru.net
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex dav_fs-lockdb: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: sundru.net
Key Type: ECDSA
Domains: sundru.net app.sundru.net blog.sundru.net www.sundru.net
Expiry Date: 2025-04-18 07:39:25+00:00 (VALID: 71 days)
Certificate Path: /etc/letsencrypt/live/sundru.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sundru.net/privkey.pem


That all looks fine. Where do you see the "Root domain not trusted" error?

Would you explain that in more detail?

Because, as Bruce's post shows, an SSL Checker site says your domains are working properly. The SSL Labs test site says it is working well too. SSL Server Test: sundru.net (Powered by Qualys SSL Labs)


Thanks for the help!

My problem ended up being something real simple / dumb.

My Edge browser had secure DNS set up, which was set to OpenDNS.
Apparently something is up with OpenDNS using this path https://doh.opendns.com/dns-query{?dns} to resolve my domains. Other secure DNS providers work just fine.

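The resolver comparison that surfaced the cause in the last post, as an added example (not code from the thread): it builds the RFC 8484 GET request behind the `{?dns}` template and flags a DoH resolver whose answer differs from the others. The helper names, resolver labels and sample responses are assumptions; the demo data is constructed, not captured traffic.

```python
import base64, struct, urllib.request
from collections import Counter

def build_query(name, qtype=1):   # wire-format A query; ID 0 as RFC 8484 advises
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!2H", qtype, 1)

def doh_url(endpoint, query):     # expand {?dns}: base64url with padding removed
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def _skip_name(msg, off):
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:    # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a(msg):
    """Return (rcode, tuple of sorted IPv4 answers) from a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(map(str, msg[off + 10:off + 14])))
        off += 10 + rdlen
    return flags & 0xF, tuple(sorted(addrs))

def resolve(endpoint, name):      # live DoH GET lookup; needs network, unused by the demo
    req = urllib.request.Request(doh_url(endpoint, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a(resp.read())

def outliers(results):            # resolvers whose answer differs from the most common one
    majority = Counter(results.values()).most_common(1)[0][0]
    return sorted(r for r, ans in results.items() if ans != majority)

def sample_response(name, ip=None, rcode=0):
    """Constructed response bytes for the offline demo (TEST-NET address, not real data)."""
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))) if ip else b""
    return struct.pack("!6H", 0, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0) + build_query(name)[12:] + rr

if __name__ == "__main__":        # offline demo; resolver labels are constructed
    ok, bad = sample_response("example.com", "192.0.2.10"), sample_response("example.com", rcode=3)
    print(outliers({"doh-a": parse_a(ok), "doh-b": parse_a(ok), "doh-c": parse_a(bad)}))
```

Passing `https://doh.opendns.com/dns-query` and a second provider's endpoint to `resolve` gives the live results to feed into `outliers`. Differing addresses can be legitimate for geo-balanced names, so a differing rcode or an empty answer is the stronger signal.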
