SSL certificate is invalid after renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: sudo certbot renew --no-self-upgrade

It produced this output: congratulations all renewals succeeded : /etc/letsencrypt/live/

My web server is (include version): httpd

The operating system my web server runs on is (include version): amazon linux2

My hosting provider, if applicable, is: route53

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

Please describe your situation with more information. For example, what is the exact error message? In what situation? With what software? Et cetera et cetera.

Hi @srikanth, welcome to the LE community forum.

Is there a reason for using "--no-self-upgrade"?
Please show the output of:
certbot certificates

As far as I know, that option was used by the now discontinued certbot-auto wrapper script. Probably a leftover from that.


@srikanth I think you have mixed up your certs for the apex domain and your

See your certificates here: |

The apex domain cert is from Amazon. The www domain cert is from Let's Encrypt.

The cert returned by your server is the www cert:

openssl s_client -connect -servername -trusted_first
Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

You might want to combine both names in one LE cert and use that.

Please tell me the exact solution.

@srikanth I could give more exact advice if you give more info. Please post the results of the nginx -T command I described. Also, show the Certbot command you used to create (not renew) the cert.

@srikanth Sorry, I was mixing up your thread with another that is similar.

Please run sudo nginx -T and post the results. Use three backticks before and after the output to have it nicely formatted. Or, save the output to a file and upload it.

Yes, see the openssl request is for but the cert returned is for I now provided the sample nginx command above

sudo nginx -T
nginx:command not found

Yes, very sorry. I was confused again with yours and another. I see you are using Apache. Can you upload your Apache config which defines your servers?

Could you please give me the command?
I do not find any Apache config file in /etc.

@srikanth I am sorry but I must be away for a while. Perhaps someone else can continue and review the info from my post #5 earlier:

Please show the output of:
sudo apachectl -t -D DUMP_VHOSTS


VirtualHost configuration:
*:80 is a NameVirtualHost
default server (/etc/httpd/conf/httpd.conf:44)
port 80 namevhost (/etc/httpd/conf/httpd.conf:44)
port 80 namevhost (/etc/httpd/conf.d/vhost.conf:1)
*:443 is a NameVirtualHost
default server (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost (/etc/httpd/conf/httpd-le-ssl.conf:2)

That part looks good.
Please show the output of:
certbot certificates

EDIT: name:port conflict found
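
The name:port conflict noted in the last post can be spotted mechanically in `apachectl -t -D DUMP_VHOSTS` output. The following is an added example, not code from the thread or from Certbot: the hostnames are constructed placeholders (the thread's real names are not shown), the file paths are the ones in the dump above, and it relies on Apache serving the first vhost it lists for a given name and port.

```shell
#!/bin/sh
# Added example (not from the thread): list every name:port pair that
# `apachectl -t -D DUMP_VHOSTS` reports more than once. Apache answers
# with the first match, so a later vhost (for example the one Certbot
# wrote) is never used and its certificate is never served.
find_vhost_conflicts() {
    awk '
    # Matches lines such as: port 443 namevhost NAME (FILE:LINE)
    $1 == "port" && $3 == "namevhost" {
        key = $4 ":" $2
        loc = $5
        gsub(/[()]/, "", loc)
        if (key in first) {
            printf "%s served_from=%s shadowed=%s\n", key, first[key], loc
        } else {
            first[key] = loc
        }
    }'
}

# Constructed sample input: same layout and file paths as the dump in the
# thread, with placeholder hostnames filled in.
sample_dump() {
    cat <<'EOF'
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server example.com (/etc/httpd/conf/httpd.conf:44)
         port 80 namevhost example.com (/etc/httpd/conf/httpd.conf:44)
         port 80 namevhost www.example.com (/etc/httpd/conf.d/vhost.conf:1)
*:443                  is a NameVirtualHost
         default server example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
EOF
}

# On a live server, replace the sample with the real dump:
#   sudo apachectl -t -D DUMP_VHOSTS 2>&1 | find_vhost_conflicts
sample_dump | find_vhost_conflicts
```

A reported line means the `shadowed` vhost's `SSLCertificateFile` is never presented to clients, which is how a successful renewal can still leave the old or wrong certificate on the wire.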