SSL not working properly

My domain is redirecting to Apache default page after I installed SSL certificate from LetsEncrypt. When I checked on sslshopper it shows the following error
" The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."

Details are here.

My domain is:

I ran this command: certbot --apache

It produced this output:

Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:

My web server is (include version): Apache/2.4.37 (centos)

The operating system my web server runs on is (include version): CentOS 8

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0

Could you please paste the entire output of certbot?

It seems your server is sending a self signed certificate currently and not the Let's Encrypt certificate.

Also please paste the output of sudo apachectl -S

this is the complete output
[root@hackingguru conf.d]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):

Please read the Terms of Service at You must
agree in order to register with the ACME server. Do you agree?

(Y)es/(N)o: Y

Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for and
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/sites-available/
Deploying Certificate to VirtualHost /etc/httpd/sites-available/
Enabling site /etc/httpd/sites-available/ by adding Include to root configuration
Deploying Certificate to VirtualHost /etc/httpd/sites-available/
Redirecting vhost in /etc/httpd/sites-enabled/ to ssl vhost in /etc/httpd/sites-available/

Congratulations! You have successfully enabled and

Subscribe to the EFF mailing list (email:


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your certificate will expire on 2021-10-21. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again with the "certonly" option. To non-interactively
    renew all of your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Please dont confuse the in this output as I have directory named where my ssl certs are saved for the domain.

output of sudo apachectl -S is empty.

it shows nothing.

I'm not entirely sure I understand this part. The example.coms in the output above are for the Apache virtualhost configuration files, not for directories? How do you mean "directories where your ssl certs are saved"? Because certbot saves the certs to /etc/letsencrypt/live/

That's weird.. Maybe sudo httpd -S?

Sorry I meant the in the /etc/httpd/sites-available/
this should not confuse you as my apache config file is with this name and I did not bothered to replace this "" part with "" thats it.

output for sudo httpd -S:

VirtualHost configuration:
*:80 (/etc/httpd/sites-enabled/
*:443 is a NameVirtualHost
default server (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost (/etc/httpd/sites-enabled/
port 443 namevhost (/etc/httpd/sites-available/
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/etc/httpd/run/"
User: name="apache" id=48
Group: name="apache" id=48

Hmm, I think the difference between your HTTP configuration in, which only seems to contain the www subdomain, but not the apex domain itself and the HTTPS configuration in ssl.conf, which does not include the www subdomain, but only the apex domain, confused certbot: it used the only HTTP virtualhost available from and used it to generate a HTTPS template for both hostnames. But there already was a HTTPS virtualhost in ssl.conf for which probably has the self signed certificate configured.
You can see that has a working HTTPS certificate from Let's Encrypt, but the apex domain does not indeed.

A few things to optimize your configuration:

  • Also add the apex domain name (i.e., your domain without the www subdomain) as a ServerAlias directive in You might need to modify the redirect directive in that configuration file to make the redirect work for both hostnames too;
  • change the ServerName directive in ssl.conf to some kind of placeholder such as localhost or so that it doesn't come into effect for requests for or

After those changes your webserver should be good to go.


Why is the same file listed for /sites-enabled/ and /sites-available/ ?


1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.