The certificate chain in the configuration details of the certificate is invalid

I see. There are 2 blocks in chain.pem and 3 blocks in fullchain.pem. Let me remove the last block in chain.pem and try.

1 Like

If that works, then you only need to renew the cert and request the "short chain".

That said, you really need to work on a way to automate the renewals.

4 Likes

Sorry, it didn't work, I removed the second/last block in chain.pem, still the same error:
The certificate chain in the configuration details of the certificate is invalid.

Once it works, I will think about automation, but right now it is a little overwhelming.

here is the chain.pem (before I removed the last block)
chain.pem (3.7 KB)

One thing I need to mention:
2.5 months ago, I issued:
-d welooop.com,*.welooop.com
to get the certificate, and it actually worked on my site.
As mentioned in the previous thread: Not Secure after certificate was issued - #10 by Osiris
I was told I don't need the wildcard, so I just let it expire. Yesterday I just issued the command with:
-d welooop.com
Does this make any difference?

That is the "long chain".

Did you remove and retry?

Not much.
But it won't cover the "www" name:

Name:    welooop.com
Address: 129.80.187.95

Name:    www.welooop.com
Address: 129.80.187.95

If you also need to cover that name, use:
-d welooop.com -d www.welooop.com

3 Likes

Please show:
ls -l /etc/letsencrypt/live/welooop.com/
ls -l /home/ubuntu/*.pem

3 Likes

root@certbot-20230406:/etc/letsencrypt/accounts# ls -l /etc/letsencrypt/live/welooop.com/
total 4
-rw-r--r-- 1 root root 692 Apr 6 16:22 README
lrwxrwxrwx 1 root root 35 Apr 6 16:22 cert.pem -> ../../archive/welooop.com/cert1.pem
lrwxrwxrwx 1 root root 36 Apr 6 16:22 chain.pem -> ../../archive/welooop.com/chain1.pem
lrwxrwxrwx 1 root root 40 Apr 6 16:22 fullchain.pem -> ../../archive/welooop.com/fullchain1.pem
lrwxrwxrwx 1 root root 38 Apr 6 16:22 privkey.pem -> ../../archive/welooop.com/privkey1.pem

I removed the ones in /home/ubuntu after downloading them using WinSCP.

I tried the "short" one, same error, didn't work.

Maybe the WinSCP garbled the contents???
Try copying them over again.

From where?

2 Likes

In OCI, it allows copying the content of the .pem file directly; let me try that now, to skip the possible WinSCP issue.

Show these outputs:

openssl x509 -in cert1.pem -noout -pubkey
openssl rsa -in privkey1.pem -pubout

[if it asks for a passphrase, just enter anything]

2 Likes
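The two openssl commands above check that the private key really belongs to the certificate, and the earlier exchange hinged on how many certificates chain.pem and fullchain.pem contain. The script below is an added example (not code from the thread or from certbot) that wraps both checks: it assumes certbot's standard `live/<name>/` layout with the symlink names `cert.pem`, `chain.pem`, `fullchain.pem` and `privkey.pem` (not the `cert1.pem` archive names, which is why the commands failed when run inside `live/`), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a certbot lineage before
# pasting it into a load balancer. Assumes the standard live/<name>/ layout.
set -eu
# Number of certificates in a PEM file. certbot's chain.pem holds only the
# intermediate(s); fullchain.pem is cert.pem followed by chain.pem.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# SHA-256 of the public key embedded in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key (RSA or ECDSA alike).
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Succeeds when the certificate and the private key belong together.
cert_matches_key() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Succeeds when fullchain.pem is exactly cert.pem followed by chain.pem.
fullchain_consistent() {
    cat "$1" "$2" | cmp -s - "$3"
}

# Run every check against a live directory and print one verdict per check.
check_lineage() {
    d=$1
    printf 'cert.pem: %s block(s)  chain.pem: %s  fullchain.pem: %s\n' \
        "$(count_certs "$d/cert.pem")" "$(count_certs "$d/chain.pem")" \
        "$(count_certs "$d/fullchain.pem")"
    if cert_matches_key "$d/cert.pem" "$d/privkey.pem"; then
        echo "OK: privkey.pem matches cert.pem"
    else
        echo "MISMATCH: privkey.pem does not belong to cert.pem"
    fi
    if fullchain_consistent "$d/cert.pem" "$d/chain.pem" "$d/fullchain.pem"; then
        echo "OK: fullchain.pem = cert.pem + chain.pem"
    else
        echo "WARNING: fullchain.pem is not cert.pem + chain.pem (edited by hand?)"
    fi
}
# Usage: sh check_lineage.sh /etc/letsencrypt/live/welooop.com
if [ $# -gt 0 ]; then check_lineage "$1"; fi
```

A MISMATCH verdict means the key and certificate come from different certbot runs (for example the old machine's key with the new machine's certificate), which a load balancer will reject no matter which chain file is uploaded.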

root@certbot-20230406:/etc/letsencrypt/live/welooop.com# openssl x509 -in cert1.pem -noout -pubkey
Could not open file or uri for loading certificate from cert1.pem
20A0A6B0FFFF0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
20A0A6B0FFFF0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(cert1.pem)
Unable to load certificate
root@certbot-20230406:/etc/letsencrypt/live/welooop.com# openssl rsa -in privkey1.pem -pubout
Could not open file or uri for loading private key from privkey1.pem
20300C9BFFFF0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
20300C9BFFFF0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(privkey1.pem)

Also, I copied and pasted the .pem content directly into the OCI setup screen, still the same error, and I got this:

2.5 months ago I got my first certificate on an Ubuntu machine. After that, that machine was no longer available, so I had to "renew" or get a "new certificate" on a brand new Ubuntu machine. I don't know if that matters.

If there is an easy way to "re-generate the certificate"/"start from scratch", I would love to try that. Please let me know what command I can use.

Right now, in my Google Domains, there are 2 TXT records for _acme-challenge.welooop.com:
one is the previous one, the second one is the one I got yesterday. Is that OK? Should I delete the first/old one?

Does Let's Encrypt have a sample/demo/trial certificate that I can use to test?

My certificate doesn't work on my website, so either (1) the certificate has a problem or (2) my website has a problem. If I can eliminate one, then the rest is much easier. Any thoughts?

No, there is no trial cert and private key for testing :slight_smile:

It looks to me like your Apache server is misconfigured for the domain weloop.com. It is using a cert that expired 2 years ago. It is a wildcard for *.sites.myregisteredsite.com

I haven't read through this whole thread, but this is pretty definitive.

I don't see any mention of Apache in your first post but the server response header says it is.

3 Likes