The certificate is not trusted because it is self-signed

My domain is:

I ran this command:
Tried to connect to from browser

It produced this output: uses an invalid security certificate.

The certificate is not trusted because it is self-signed.


My web server is (include version):
nginx version: nginx/1.18.0

The operating system my web server runs on is (include version):
Ubuntu 20

My hosting provider, if applicable, is:
google domains

I can login to a root shell on my machine (yes or no, or I don't know):
Yes, I use AWS EC2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.10.1

Google Domains detects my certificates and so do other certificate checking sites.
Apparently *.app sites have some extra protection from Google HSTS, but I don't really know how to fix the error.
I thought using Let's Encrypt to generate a certificate would fix it but maybe I need to also register the certificate somehow?

Thanks for any help!

1 Like

Hello @arashout,

I see no problem, well, there is a nginx bad gateway error but nginx is serving the right (and valid) certificate for your domain.

Maybe it is a browser's cache issue.



Which port are you getting that error from?
Also, I don't see a "www" DNS A record - was that on purpose?

1 Like

omg you are right!
It's working now!

I used incognito and no longer getting the cert error. Maybe it just took some time.

What do I need a "www" DNS A record for?

I only have an A Record for to my ec2 ip


Some people will type www in front of any URL, just because they're not used to URLs without it.


Imagine how much time and effort could be saved if the useless www subdomain custom were eliminated.

http://apex -> https://apex -> https://www.apex

Eliminating the www subdomain eliminates 100% of redirects for sites using HSTS and 50% of redirects for sites not using HSTS. No need for a www serveralias or CNAME/A record. Never need to remember to include www in certificate. Greatly simplifies address canonicalization.


too late it is already an ingrained custom (for too many)


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.