SSL Certificate is not trusted (certbot/Centos)

My domain is:

I ran this command: Checking SSL certificate via online checkers, or just hitting ""

It produced this output: “The certificate is no signed by a trusted authority”

My web server is (include version): Apache latest

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: Dedicated server

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.35.1

I am also using Virtual Hosts like this:

<VirtualHost *:443>
    DocumentRoot /var/www/
    SSLEngine on
    ErrorLog /var/www/
    CustomLog /var/www/ combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

I followed this instructions. I also tried haproxy, but then reversed that because it didn't help. I'd like to add it once SSL is working.

Thank you!!

Hi @gravitt8460

checking your domain you have created two certificates ( ):

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-08-05 2019-11-03 - 1 entries duplicate nr. 2
Let's Encrypt Authority X3 2019-08-03 2019-11-01 - 1 entries duplicate nr. 1

So that part has worked.

You don't use one of these, instead, there is a self signed certificate:,, 
OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, 
S=SomeState, C=--
expires in 363 days	

Looks like the default vHost is used.

Your server block is wrong.

ServerAlias with the same name as ServerName is duplicated. Looks like that vHost isn't used.

  • Remove the ServerAlias - row, restart your Apache
  • recheck your domain

If that doesn't help: What says

apachectl -S

or (CentOS)

httpd -S 

Thank you for the instruction. I removed ServerAlias since it was a duplicate of ServerName, then I restarted apache. I checked the results again and they were the same (still untrusted).

I ran a grep to make sure I removed all duplicates:

I also ran httpd -S and I got the following results:

-bash-4.2$ httpd -S
VirtualHost configuration:
*:80          (/etc/httpd/sites-enabled/
*:443                  is a NameVirtualHost
         default server (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost (/etc/httpd/sites-available/
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/run/httpd/"
User: name="apache" id=48 not_used
Group: name="apache" id=48 not_used

Finally, this server will primarily be an API server and I hope to put haproxy on to manage traffic. Will that make a difference or is the first step to get the cert working through apache?

Here is the haproxy.cfg file that I think I will need to use (although haproxy is not running currently).

    bind *:80

    # This is our new config that listens on port 443 for SSL connections
    bind *:443 ssl crt /etc/ssl/

    # Test URI to see if its a letsencrypt request
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    default_backend backend-web

# LE Backend
backend letsencrypt-backend
    server letsencrypt

# Normal (default) Backend
# for web servers
backend backend-web
    server self 

thank you!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.