[solved] Server's certificates are not trusted


So I’ve spent about four or five hours looking through various forums attempting everything mentioned to get this fixed. In short I’m running openSUSE Leap 42.3 with Apache 2.4.23. I utilized the certbot tool to create the certificates for my domain, which seemingly went fine. However I can’t seem to get the actual certificates to become trusted. Below is my SSL virtual host config (the only vhost file I have). Ive checked through other various config files for any possible overwrite I maybe overlooked, but I can’t find anything.

<IfDefine SSL>
<IfDefine !NOSSL>

## SSL Virtual Host Context
Listen 443
<VirtualHost *:443>

        #  General setup for the virtual host
        DocumentRoot "/srv/www/htdocs"
        ServerName domain.com
        ServerAdmin email@email.com
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   You can use per vhost certificates if SNI is supported.
        SSLCertificateFile /etc/certbot/live/domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/certbot/live/domain.com/privkey.pem
        #SSLCertificateChainFile /etc/certbot/live/domain.com/fullchain.pem

        #   Per-Server Logging:
        #   The home of a custom SSL log file. Use this when you want a
        #   compact non-error SSL logfile on a virtual host basis.
        CustomLog /var/log/apache2/ssl_request_log ssl_combined

        ServerAlias domain.com


Thanks in advance for the help everyone! Also, I understand this isn’t exactly an uncommon post. I promise I searched through this specific forum and tried various posts in an attempt to fix the problem. Posting is always the last thing I do as I try and not bother busy devs/people when I can try and fix a problem myself. Anyways, let me know if you need any more information from me.


certbot certificates

Yes, I changed it and took out ‘personal’ information before posting. It’s a placeholder for my actual domain. Same with the email

we don’t need your email.
but without the actual domain name (which is public information in the issued cert), it is very difficult to assist.

Found the following certs:
  Certificate Name: domain.com
    Domains: domain.com
    Expiry Date: 2018-01-02 00:48:12+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/certbot/live/domain.com/fullchain.pem
    Private Key Path: /etc/certbot/live/domain.com/privkey.pem

that is the output of the command, unedited.

Please explain this statement more thoroughly.

Anytime I load the page it acts simlar to when I had a self-issued certificate, for basic SSL. When checking information on the SSL labs site, it points out that its simply not trusted. I read through the various options they listed and searched around to see what I could do about each one, but didn’t have much luck.

the cert in use is from the staging/test system
not from the production system

show the command you ran to get the cert

sudo certbot --apache -d domain.com

because it is…

I apologize for my ignorance. How should I go about removing what’s currently there and generating proper certificates then?

There is a file that saves the certbot parameters…
looking for that now.

did you happen to use the “–staging” flag at any point?

No I did not. I only executed the command I sent and the one you requested.

look in the
folder for the cert name folder
show those contents (you can exclude the account #)

# renew_before_expiry = 30 days
version = 0.15.0
archive_dir = /etc/certbot/archive/domain.com
cert = /etc/certbot/live/domain.com/cert.pem
privkey = /etc/certbot/live/domain.com/privkey.pem
chain = /etc/certbot/live/domain.com/chain.pem
fullchain = /etc/certbot/live/domain.com/fullchain.pem

# Options used in the renewal process
authenticator = apache
installer = apache
rsa_key_size = 4096
account = --
server = https://acme-staging.api.letsencrypt.org/directory

Ill remove it later, just in case someone else pops in. Didn’t think it was needed at first. I don’t mind having it up for a while.

change that to:
server = https://acme-v01.api.letsencrypt.org/directory

Alright I switched it over. And also the domain is still up in your picture :stuck_out_tongue:

rerun the
sudo certbot --apache -d domain.com

Should I renew & replace, or just reinstall existing certificates? I’m guessing the first option

What would you like to do?
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: domain.com). We will not do that unless you use the --break-my-certs flag!

Should I go ahead with that?

try 1 first
restart apache if needed