This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store

I used the LetsEncrypt wildcard to install my certificates, and it appears to have worked. When I run the certbot-auto certificates command I get:
Found the following certs:
Certificate Name: hubsadmin.com
Domains: hubsadmin.com *.hubsadmin.com
Expiry Date: 2018-06-16 20:15:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/hubsadmin.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/hubsadmin.com/privkey.pem

The root domain, hubsadmin.com works fine. However, when I try to access one of the subdomains, hosted on the same server, I receive an error:

This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

I was researching some threads on this site. If I only have one certificate as per the above, do I need to have SSLCACertificateFile declared in ssl.conf? It is currently commented out.

What else could be causing this?

Hi,

Can you share the subdomain conf file and the subdomains you’re having trouble with?

Thank you

calendar.hubsadmin.com is the subdomain. Where would the subdomain conf files be?

The subdomains use the same code as the root. The application uses the url to present different views. I have another server with an identical application working, and I did not modify the conf files if that helps.

That shouldn't be necessary.

Unfortunately, your host seems to be down or I am not able to connect to the IP address from my location. Therefore, I'm not able to debug it from this end.

Could you paste the relevant configuration files? I.e., that ssl.conf you mentioned, but also any configuration file for the virtual hosts we're discussing here.

I believe hubsadmin.com should work. I believe the subdomain does not work due to this issue.

This is file /etc/httpd/conf/httpd-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    ServerName "hubsadmin.com"
    ServerAlias "www.hubsadmin.com"
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/hubsadmin.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hubsadmin.com/privkey.pem
</VirtualHost>
</IfModule>

Inside of /etc/httpd/conf.d/ssl.conf is:

#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that restarting httpd will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

For what it's worth, on the server that is working (completely different domain), there is NO ssl.conf file in the conf.d folder.

Thanks!

You need to include "calendar.hubsadmin.com" or "*.hubsadmin.com"

Thank you, that worked! Interesting that I did not need to do that on the other server.
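
Why the missing alias produced an untrusted certificate, as an added example that is not part of the original thread: a simplified Python model of Apache's name-based virtual host selection run over the two :443 configurations posted above. It assumes the ssl.conf directives sit in a `_default_:443` virtual host that Apache loads first (the thread does not show this, but it matches the symptom); the function names are illustrative.

```python
import fnmatch
import re

# Constructed sample: the two :443 vhosts from the thread, in ASSUMED load order
# (ssl.conf's default vhost first, then the certbot-generated vhost).
SAMPLE_CONF = """
<VirtualHost _default_:443>
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName "hubsadmin.com"
    ServerAlias "www.hubsadmin.com"
    SSLCertificateFile /etc/letsencrypt/live/hubsadmin.com/fullchain.pem
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: its names/aliases and certificate."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        vh = {"names": [], "cert": None}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].replace('"', "").split()
            if not parts:
                continue
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                vh["names"] += [p.lower() for p in parts[1:]]
            elif key == "sslcertificatefile":
                vh["cert"] = parts[1]
        vhosts.append(vh)
    return vhosts

def cert_for(host, vhosts):
    """Simplified selection: first vhost whose name or alias matches, else the first vhost."""
    host = host.lower().rstrip(".")
    for vh in vhosts:
        if any(fnmatch.fnmatchcase(host, name) for name in vh["names"]):
            return vh["cert"]
    return vhosts[0]["cert"]  # no name matched: the first-listed vhost answers

def with_alias(conf, alias):
    """Append a name to the existing ServerAlias line, as the fix in the thread does."""
    return re.sub(r'(?m)^([ \t]*ServerAlias\b.*)$', rf'\1 "{alias}"', conf, count=1)

if __name__ == "__main__":
    for conf in (SAMPLE_CONF, with_alias(SAMPLE_CONF, "*.hubsadmin.com")):
        vhosts = parse_vhosts(conf)
        for host in ("hubsadmin.com", "calendar.hubsadmin.com"):
            print(host, "->", cert_for(host, vhosts))
```

Before the alias is added, calendar.hubsadmin.com matches no ServerName or ServerAlias and is answered with localhost.crt, which no client trusts; with `*.hubsadmin.com` in ServerAlias it is answered with the Let's Encrypt chain.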
