I used the LetsEncrypt wildcard to install my certificates, and it appears to have worked. When I run the certbot-auto certificates command I get:
Found the following certs:
Certificate Name: hubsadmin.com
Domains: hubsadmin.com *.hubsadmin.com
Expiry Date: 2018-06-16 20:15:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/hubsadmin.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/hubsadmin.com/privkey.pem
The root domain, hubsadmin.com, works fine. However, when I try to access one of the subdomains, hosted on the same server, I receive an error:
This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.
I was researching some threads on this site. If I only have one certificate as per the above, do I need to have SSLCACertificateFile declared in ssl.conf? It is currently commented out.
The subdomains use the same code as the root. The application uses the URL to present different views. I have another server with an identical application working, and I did not modify the conf files, if that helps.
Unfortunately, your host seems to be down or I am not able to connect to the IP address from my location. Therefore, I'm not able to debug it from this end.
Could you paste the relevant configuration files? I.e., that ssl.conf you mentioned, but also any configuration file for the virtual hosts we're discussing here.
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
For what it's worth - on the server that is working (completely different domain), there is NO ssl.conf file in the conf.d folder.
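
Added example, not part of the original thread: a small Python check that lists the uncommented SSLCertificate*File directives in Apache configuration text and reports any whose path differs from the paths certbot printed above. The sample config is constructed from the active lines of the quoted ssl.conf; the `<VirtualHost _default_:443>` wrapper and the function names are assumptions.

```python
import re

# Paths certbot reported on the page for the hubsadmin.com certificate.
EXPECTED = {
    "sslcertificatefile": "/etc/letsencrypt/live/hubsadmin.com/fullchain.pem",
    "sslcertificatekeyfile": "/etc/letsencrypt/live/hubsadmin.com/privkey.pem",
}

# Constructed sample: the active lines of the ssl.conf excerpt quoted above,
# wrapped in a <VirtualHost> block (the wrapper is an assumption).
SAMPLE_CONF = """\
<VirtualHost _default_:443>
# Point SSLCertificateFile at a PEM encoded certificate.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
</VirtualHost>
"""

def active_ssl_directives(conf_text):
    """Return (vhost, directive, value) for each uncommented SSLCertificate*File line."""
    found, vhost = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost = opened.group(1).strip()
        elif re.match(r"</VirtualHost>", line, re.I):
            vhost = None
        else:
            # Apache directive names are case-insensitive.
            m = re.match(r"(SSLCertificate\w*File)\s+(\S+)", line, re.I)
            if m:
                found.append((vhost, m.group(1), m.group(2).strip('"')))
    return found

def mismatches(conf_text, expected=EXPECTED):
    """Active directives whose path differs from the one certbot reported."""
    return [(v, d, p) for v, d, p in active_ssl_directives(conf_text)
            if d.lower() in expected and p != expected[d.lower()]]

if __name__ == "__main__":
    for vhost, directive, path in mismatches(SAMPLE_CONF):
        print(f"{vhost}: {directive} -> {path} "
              f"(certbot reported {EXPECTED[directive.lower()]})")
```

To run it against a real server, pass the contents of each file under conf.d (and any virtual host files) to `mismatches` instead of `SAMPLE_CONF`.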