SSL renewal: renewed but not activated. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate

My domain is: https://qa-ui.juvlon.in

I ran this command: ./letsencrypt-auto --force-renewal -nvv certonly --standalone -d qa-ui.juvlon.in -d qa-ui.juvlon.in

It produced this output:- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/qa-ui.juvlon.in/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/qa-ui.juvlon.in/privkey.pem
Your cert will expire on 2020-02-09. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew all of your
certificates, run “letsencrypt-auto renew”

My web server is (include version): nginx

The operating system my web server runs on is (include version): linux

The certificate is not getting renewed; it shows this:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

You used --certonly - this doesn’t update the use of the cert [it only gets a cert].
But you also used --standalone which means you had to stop the server to get the new cert [which you did - Congrats!] and then had to restart the server.
Not sure why you had to use --force-renewal - probably an attempt to force the use of the new cert [but that is NOT what that parameter does]

So… how can you have a new cert and have restarted the server while still using an old cert?
Let’s find out.
Please show the following information:
ls -l /etc/letsencrypt/live/qa-ui.juvlon.in/
ls -l /etc/letsencrypt/archive/qa-ui.juvlon.in/
./letsencrypt-auto certificates
./letsencrypt-auto version

lrwxrwxrwx 1 root root 39 Nov 20 15:59 cert.pem -> ../../archive/qa-ui.juvlon.in/cert8.pem
lrwxrwxrwx 1 root root 40 Nov 20 15:59 chain.pem -> ../../archive/qa-ui.juvlon.in/chain8.pem
lrwxrwxrwx 1 root root 44 Nov 20 15:59 fullchain.pem -> ../../archive/qa-ui.juvlon.in/fullchain8.pem
lrwxrwxrwx 1 root root 42 Nov 20 15:59 privkey.pem -> ../../archive/qa-ui.juvlon.in/privkey8.pem

-rw-r--r-- 1 root root 1797 Feb 11 2016 cert1.pem
-rw-r--r-- 1 root root 1911 Aug 8 11:47 cert2.pem
-rw-r--r-- 1 root root 1911 Nov 11 12:30 cert3.pem
-rw-r--r-- 1 root root 1911 Nov 11 13:58 cert4.pem
-rw-r--r-- 1 root root 1911 Nov 11 15:03 cert5.pem
-rw-r--r-- 1 root root 1911 Nov 11 15:04 cert6.pem
-rw-r--r-- 1 root root 1911 Nov 11 15:46 cert7.pem
-rw-r--r-- 1 root root 1915 Nov 20 15:59 cert8.pem
-rw-r--r-- 1 root root 1675 Feb 11 2016 chain1.pem
-rw-r--r-- 1 root root 1647 Aug 8 11:47 chain2.pem
-rw-r--r-- 1 root root 1647 Nov 11 12:30 chain3.pem
-rw-r--r-- 1 root root 1647 Nov 11 13:58 chain4.pem
-rw-r--r-- 1 root root 1647 Nov 11 15:03 chain5.pem
-rw-r--r-- 1 root root 1647 Nov 11 15:04 chain6.pem
-rw-r--r-- 1 root root 1647 Nov 11 15:46 chain7.pem
-rw-r--r-- 1 root root 1647 Nov 20 15:59 chain8.pem
-rw-r--r-- 1 root root 3472 Feb 11 2016 fullchain1.pem
-rw-r--r-- 1 root root 3558 Aug 8 11:47 fullchain2.pem
-rw-r--r-- 1 root root 3558 Nov 11 12:30 fullchain3.pem
-rw-r--r-- 1 root root 3558 Nov 11 13:58 fullchain4.pem
-rw-r--r-- 1 root root 3558 Nov 11 15:03 fullchain5.pem
-rw-r--r-- 1 root root 3558 Nov 11 15:04 fullchain6.pem
-rw-r--r-- 1 root root 3558 Nov 11 15:46 fullchain7.pem
-rw-r--r-- 1 root root 3562 Nov 20 15:59 fullchain8.pem
-rw-r--r-- 1 root root 1704 Feb 11 2016 privkey1.pem
-rw-r--r-- 1 root root 1704 Aug 8 11:47 privkey2.pem
-rw-r--r-- 1 root root 1704 Nov 11 12:30 privkey3.pem
-rw-r--r-- 1 root root 1708 Nov 11 13:58 privkey4.pem
-rw-r--r-- 1 root root 1704 Nov 11 15:03 privkey5.pem
-rw-r--r-- 1 root root 1708 Nov 11 15:04 privkey6.pem
-rw-r--r-- 1 root root 1704 Nov 11 15:46 privkey7.pem
-rw-r--r-- 1 root root 1704 Nov 20 15:59 privkey8.pem

Also:
./letsencrypt-auto certificates
./letsencrypt-auto --version

Found the following certs:
Certificate Name: qa-ui.juvlon.in-0001
Domains: qa-ui.juvlon.in
Expiry Date: 2016-05-29 17:34:00+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/qa-ui.juvlon.in-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/qa-ui.juvlon.in-0001/privkey.pem
Certificate Name: qa-ui.juvlon.in
Domains: qa-ui.juvlon.in
Expiry Date: 2020-02-18 09:29:55+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/qa-ui.juvlon.in/fullchain.pem
Private Key Path: /etc/letsencrypt/live/qa-ui.juvlon.in/privkey.pem


./letsencrypt-auto --version
certbot 0.40.1

Delete this cert:

./letsencrypt-auto delete --cert-name qa-ui.juvlon.in-0001

Well, at least you don’t need to renew and issue any more certificates. You have at least one, it’s just not being used for some reason.

This is odd:

https://www.ssllabs.com/ssltest/analyze.html?d=qa-ui.juvlon.in&hideResults=on

SSL Labs sees multiple configurations when accessing your site. One with an expired certificate and missing certificate chain, and one with a valid certificate from September and a correctly configured chain.

Do you have multiple servers behind a load balancer or something?

What does “ps aux | grep nginx” show?

Also show:
grep -Ri ssl_cert /etc/nginx/

If any files are found to be using this path:
/etc/letsencrypt/live/qa-ui.juvlon.in-0001/
replace that entry with the valid cert path:
/etc/letsencrypt/live/qa-ui.juvlon.in/

/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
/etc/nginx/sites-enabled/qa-hsbcmf-dm.juvlon.in: # ssl_certificate;
/etc/nginx/sites-enabled/qa-hsbcmf-dm.juvlon.in: # ssl_certificate_key;
/etc/nginx/sites-enabled/app7.e-juvlon.com: # ssl_certificate;
/etc/nginx/sites-enabled/app7.e-juvlon.com: # ssl_certificate_key;
/etc/nginx/sites-enabled/qa-ui.juvlon.in: #ssl_certificate /etc/nginx/ssl/qa-ui.juvlon.in/147195/server.crt;
/etc/nginx/sites-enabled/qa-ui.juvlon.in: #ssl_certificate_key /etc/nginx/ssl/qa-ui.juvlon.in/147195/server.key;
/etc/nginx/sites-enabled/qa-ui.juvlon.in: ssl_certificate /etc/letsencrypt/archive/qa-ui.juvlon.in/cert2.pem;
/etc/nginx/sites-enabled/qa-ui.juvlon.in: ssl_certificate_key /etc/letsencrypt/archive/qa-ui.juvlon.in/privkey2.pem;
/etc/nginx/sites-available/qa-hsbcmf-dm.juvlon.in: # ssl_certificate;
/etc/nginx/sites-available/qa-hsbcmf-dm.juvlon.in: # ssl_certificate_key;
/etc/nginx/sites-available/qa-ui.juvlon.in_bkp_1: ssl_certificate /etc/nginx/ssl/qa-ui.juvlon.in/59536/server.crt;
/etc/nginx/sites-available/qa-ui.juvlon.in_bkp_1: ssl_certificate_key /etc/nginx/ssl/qa-ui.juvlon.in/59536/server.key;
/etc/nginx/sites-available/app7.e-juvlon.com: # ssl_certificate;
/etc/nginx/sites-available/app7.e-juvlon.com: # ssl_certificate_key;
/etc/nginx/sites-available/qa-ui.juvlon.in: #ssl_certificate /etc/nginx/ssl/qa-ui.juvlon.in/147195/server.crt;
/etc/nginx/sites-available/qa-ui.juvlon.in: #ssl_certificate_key /etc/nginx/ssl/qa-ui.juvlon.in/147195/server.key;
/etc/nginx/sites-available/qa-ui.juvlon.in: ssl_certificate /etc/letsencrypt/archive/qa-ui.juvlon.in/cert2.pem;
/etc/nginx/sites-available/qa-ui.juvlon.in: ssl_certificate_key /etc/letsencrypt/archive/qa-ui.juvlon.in/privkey2.pem;
/etc/nginx/forge-conf/qa-ui.juvlon.in/before/ssl_redirect.conf: ssl_certificate /etc/nginx/ssl/qa-ui.juvlon.in/147195/server.crt;
/etc/nginx/forge-conf/qa-ui.juvlon.in/before/ssl_redirect.conf: ssl_certificate_key /etc/nginx/ssl/qa-ui.juvlon.in/147195/server.key;

qa-ui.juvlon.in/ qa-ui.juvlon.in-0001/

./letsencrypt-auto delete --cert-name qa-ui.juvlon.in-0001
Do I need to delete this certificate? From which location?

If any files are found to be using this path:
/etc/letsencrypt/live/qa-ui.juvlon.in-0001/
replace that entry with the valid cert path:
/etc/letsencrypt/live/qa-ui.juvlon.in/

Both certificates are available on this path: /etc/letsencrypt/live

Edit file:
/etc/nginx/sites-enabled/qa-ui.juvlon.in
Replace:
ssl_certificate /etc/letsencrypt/archive/qa-ui.juvlon.in/cert2.pem;
ssl_certificate_key /etc/letsencrypt/archive/qa-ui.juvlon.in/privkey2.pem;
with:
ssl_certificate /etc/letsencrypt/live/qa-ui.juvlon.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/qa-ui.juvlon.in/privkey.pem;

That command will delete it from ever being renewed again [the files will remain in the /archive/ folder].
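
The nginx edit described above swaps a numbered file under archive/ for the live/ symlinks and cert.pem for fullchain.pem. As an added example (not part of the original thread), this audit finds both problems in any nginx config tree; the function name audit_nginx_certs and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Flags active nginx TLS directives that
# will not pick up a Let's Encrypt renewal or that omit the intermediate chain.

audit_nginx_certs() {
    # $1: nginx config root. -L follows the sites-enabled symlinks.
    find -L "$1" -type f -exec awk '
        # Commented-out lines have "#" or "#ssl_certificate" as $1 and are skipped.
        $1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
            path = $2; sub(/;$/, "", path)
            # archive/ holds numbered snapshots; only the live/ symlinks move on renewal.
            if (path ~ /^\/etc\/letsencrypt\/archive\//)
                printf "%s:%d: PINNED %s\n", FILENAME, FNR, path
            # cert.pem or certN.pem is the leaf alone; fullchain.pem adds the intermediate.
            if ($1 == "ssl_certificate" && path ~ /\/cert[0-9]*\.pem$/)
                printf "%s:%d: NOCHAIN %s\n", FILENAME, FNR, path
        }' {} +
}

# Constructed sample: the "before" and "after" of the edit described in the thread.
sample=$(mktemp -d)
cat > "$sample/before.conf" <<'EOF'
server {
    listen 443 ssl;
    #ssl_certificate /etc/nginx/ssl/qa-ui.juvlon.in/147195/server.crt;
    ssl_certificate /etc/letsencrypt/archive/qa-ui.juvlon.in/cert2.pem;
    ssl_certificate_key /etc/letsencrypt/archive/qa-ui.juvlon.in/privkey2.pem;
}
EOF
cat > "$sample/after.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/qa-ui.juvlon.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/qa-ui.juvlon.in/privkey.pem;
}
EOF

audit_nginx_certs "$sample"
```

On a real host, pass /etc/nginx as the argument; after correcting any flagged lines, nginx must be reloaded before it serves the new files.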

Can I run the command below?

./letsencrypt-auto delete --cert-name qa-ui.juvlon.in-0001

Please help me and let me know, step by step, what the process is.

START HERE: