Security certificate not trusted by your computer's operating system

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: (www.)robinboardman.me.uk

I ran this command: certbot --apache

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: robinboardman.me.uk
2: www.robinboardman.me.uk


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.robinboardman.me.uk.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Deploying certificate
Successfully deployed certificate for robinboardman.me.uk to /etc/apache2/sites-enabled/000-default.conf
Successfully deployed certificate for www.robinboardman.me.uk to /etc/apache2/sites-enabled/default-ssl.conf
Failed redirect for www.robinboardman.me.uk
Unable to set the redirect enhancement for www.robinboardman.me.uk.

My web server is (include version): apache 2?

The operating system my web server runs on is (include version): Raspberry Pi

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 4.0.0


The above output seems to be saying a certificate is in place for my site but I cannot access it with https://, the browser saying that the security certificate is not trusted by your computer's operating system. I wonder if the problem is apache configuration?

These are two different files, that's suspect.

Do you remember how you configured Apache?

2 Likes

HTTPS requests are seeing a certificate with a common name of !!NOT_SET!!.icotera

A response header says your server is mini_httpd/1.19 19dec2003

Do you recognize those?

Because the --apache option is intended for standard installs of Apache. The system that replies is something else. Possibly even running in a firewall. Or, maybe your local port forwarding (NAT) is going to the wrong server?

See: SSL Checker

5 Likes
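The check made in the post above (which certificate and which `Server` header answer on port 443), as an added example that is not part of the original thread. The function names, the `Apache` prefix argument and the sample text are assumptions constructed for illustration; only the CN and `Server` values come from the thread.

```shell
#!/bin/sh
# Added example: classify who answered on port 443, from text collected with
#   openssl s_client -connect "$h:443" -servername "$h" </dev/null 2>/dev/null \
#     | openssl x509 -noout -subject -issuer -ext subjectAltName
#   curl -skI "https://$h/"

# Subject common name (handles both "CN = x" and "/CN=x" layouts).
cert_cn() {
    printf '%s\n' "$1" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p'
}

# Value of the Server response header (first one, CR stripped).
server_header() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]: *//p' | head -n 1
}

# "yes" when subject and issuer DNs are identical (self-issued heuristic).
self_issued() {
    s=$(printf '%s\n' "$1" | sed -n 's/^subject= *//p')
    i=$(printf '%s\n' "$1" | sed -n 's/^issuer= *//p')
    if [ -n "$s" ] && [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

# "yes" when HOST is the CN or an exact DNS: SAN entry (no wildcard logic).
covers_host() {
    if [ "$(cert_cn "$2")" = "$1" ] ||
       printf '%s\n' "$2" | tr ', ' '\n\n' | grep -Fqx "DNS:$1"
    then echo yes; else echo no; fi
}

# diagnose HOST CERT_TEXT HEADER_TEXT EXPECTED_SERVER_PREFIX
diagnose() {
    if [ "$(covers_host "$1" "$2")" != yes ] || [ "$(self_issued "$2")" = yes ]; then
        echo other-device          # not the certificate issued for HOST
        return
    fi
    case "$(server_header "$3")" in
        "$4"*) echo expected-server ;;
        *)     echo unexpected-software ;;
    esac
}

# Constructed sample (not captured output); CN and Server are the values quoted above.
ROUTER_CERT='subject=CN = !!NOT_SET!!.icotera
issuer=CN = !!NOT_SET!!.icotera'
ROUTER_HDRS='HTTP/1.1 200 OK
Server: mini_httpd/1.19 19dec2003'
diagnose www.robinboardman.me.uk "$ROUTER_CERT" "$ROUTER_HDRS" Apache   # prints other-device
```

A result of `unexpected-software` means the certificate covers the host but the `Server` header does not start with the expected prefix, which is worth a second look rather than proof of a problem.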

Thank you for answering. I do not recognise either the certificate name or server. I have run SSL checker whose main response is that the end-certificate is self-signed. Do you think it would help to re-install apache? After Google searches, I have made amendments to config files which may not be correct.

Thank you for answering. No, I do not remember how I configured apache. I have made amendments to config files after making Google searches. Do you think a re-install of apache would help?

If you're clear on what you need, check ssl-config.mozilla.org

1 Like

Do you have Icotera as your ISP? Because my guess is that "mini_httpd" is running in a router. And, the router has an admin panel accessed using HTTPS. So, it does not pass through HTTPS requests from the public internet to your intended Apache server.

2 Likes

My ISP is not Icotera (it is brsk.co.uk) but they have supplied me with an Icotera i4850-31 router. Is there a way round this?

Well, you'd need to refer to your Icotera router user guide. Or ask your ISP how to do what you want.

Generally, some brands of routers allow you to assign their admin panel to use a different port. Or to disable HTTPS access for it altogether which frees port 443 for other uses (like the one you want it for). There is not one single way for all.

You then likely need to set up NAT or port forwarding in your router so incoming requests on port 443 reach your Apache server.

You should also check that your ISP allows inbound connections to you on port 80 and 443. Some residential ISPs do not.

2 Likes

I don't fully understand your description of the workings of the admin panel (my lack of knowledge, not your explanation). I will need to explore this further and probably have to contact my ISP for their input, although I am paying for a static IP address which they must have assumed was to host a website.
Thanks again for your feedback. If https://www.robinboardman.me.uk ever works, I will post here!!

2 Likes

When anything contacts your IP address the first thing it encounters is your router. The router then decides which ports (http is TCP port 80, https is TCP port 443) will do what. If you are hosting a web server on a home machine you would set up "port forwarding" (under the "Services" menu of your router according to Icotera i4850 Router Port Forwarding Instructions). You then say port 80 forwards to .

Do not run a public website from the home machine that you work from that has all your files on it. Occasionally there are ways to break security and get to the other files on the machine. In general, self hosting at home is not recommended because automated systems will attack it for profit.

4 Likes

Thank you. I understand your advice and will follow.

3 Likes

Before this thread closes, I would like to ask a question. Is it possible to host a secure (https) website on a self-hosted computer, a Raspberry Pi Zero 2W computer sat on my desk at home? I ask because for several years I have hosted my personal website in that way but as an http site. As documented above, coinciding with a change of broadband provider, I decided the time had come to update to an https site but it is not proving possible. With the new broadband provider came a new Icotera router so whether it is a certificate issue or a hardware issue, I am not sure. I have contacted my broadband provider of course who have tried to help but with no effect. I am now beginning to think that I am over reaching myself in the goal of a self-hosted secure site, an oft read error message that the certificate is self-signed being one reason. Can anyone tell me if it is possible? If it is, then I am happy to soldier on but if not, I may need a plan B.

Sure, lots of people do it. But, whether it can work with your particular router and/or ISP is a different question.

HTTPS requests to your domain are being intercepted by your router. Since you can't figure out how to pass HTTPS on port 443 to your Apache server you could use an alternate port.

You probably already have a VirtualHost in Apache for port 443. Copy that and make an identical one but for, say, port 8443.

After restarting Apache you then need to specify this alternate port for EVERY request to your domain. Like:

https://robinboardman.me.uk:8443

HTTP port 80 requests reach your Apache just fine so you will be able to maintain your certs. It is only this problem with your local gear and the way your router handles port 443. It is too bad you could not find a way to modify your router to pass through port 443 requests to Apache. Most routers do have a way but maybe it really is not possible with yours.

4 Likes

Thank you for your reply. Your advice is useful and encouraging and lets me know that there is light at the end of the tunnel. Again, if I get my website running, I will post back.

2 Likes