SSL invalid cert in some cases and valid in others

Hey there, first at all thanks for reading. I have a problem with letsencrypt generate cert and validation from Postman and severals webhooks externals to my domain... the error es the same

"failed: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed."

My domain is: mispichos.com

I ran this command: certbot certificate is OK and server block too
"sudo certbot certonly --webroot -w /var/www/html -d www.mispichos.com -d mispichos.com"

It produced this output:

My web server is (include version):
Server: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
ubuntu 18

My hosting provider, if applicable, is:
aws

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
ssh private server

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.20.0
i use snap to install certbot

My config server blocks:

Expires map

map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
font max;
}

server {
server_name www.mispichos.com;
return 301 $scheme://mispichos.com$request_uri;

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.mispichos.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.mispichos.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
server_name mispichos.com;
root "/var/www/html/new_repo/adssdadas";
if ($ssl_protocol = "") {
rewrite ^/(.*) https://$server_name/$1 permanent;
}

index index.html index.htm index.php;

charset utf-8;

expires $expires;

location / {
try_files $uri $uri/ /index.php?$query_string;
}

location /mp {
    try_files $uri $uri/ /mp/index.php?$query_string;
}

location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt  { access_log off; log_not_found off; }


sendfile off;

client_max_body_size 100m;

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    fastcgi_intercept_errors off;
    fastcgi_buffer_size 16k;
    fastcgi_buffers 4 16k;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
}

location ~ /\.ht {
    deny all;
}

# Necessary for Let's Encrypt Domain Name ownership validation
location ~ /.well-known {
   allow all;
}


location ~* \.(ico|woff|ttf|otf|svg|woff2|eot)$ {
    expires max;
    add_header Pragma public;
    add_header Cache-Control "public";
}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.mispichos.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.mispichos.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
if ($host = mispichos.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

server_name mispichos.com;
listen 80;
return 404; # managed by Certbot

}

server {
if ($host = www.mispichos.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

server_name www.mispichos.com;
listen 80;
return 404; # managed by Certbot

}

Hi @gdedieu92, and welcome to the LE community forum :slight_smile:

Try switching to the alternate/shorter trust root path, with:

sudo certbot certonly \
--webroot -w /var/www/html \
-d www.mispichos.com -d mispichos.com \
--preferred-chain "ISRG Root X1" \
--force-renewal

[only do this ONCE - do not include forced renewal in any script]