UntrustedRoot: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

olek · January 6, 2021, 3:36pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:7oo8.icu

I ran this command:certbot --apache --noninteractive --agree-tos --register-unsafely-without-email --expand -d 7oo8.icu -d 7oo9.icu

It produced this output:Account registered.
Requesting a certificate for 7oo8.icu and 7oo9.icu

Congratulations! You have successfully enabled https://7oo8.icu and
https://7oo9.icu

IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/7oo8.icu/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/7oo8.icu/privkey.pem
Your cert will expire on 2021-04-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew all of
your certificates, run "certbot renew"
If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

$Error:Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Performing the following challenges:
http-01 challenge for 7oo8.icu
http-01 challenge for 7oo9.icu
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/sites-available/7oo8.icu-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/7oo8.icu-le-ssl.conf
Enabling site /etc/httpd/sites-available/7oo8.icu-le-ssl.conf by adding Include to root configuration
Created an SSL vhost at /etc/httpd/sites-available/7oo9.icu-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/7oo9.icu-le-ssl.conf
Enabling site /etc/httpd/sites-available/7oo9.icu-le-ssl.conf by adding Include to root configuration
Redirecting vhost in /etc/httpd/sites-enabled/7oo8.icu.conf to ssl vhost in /etc/httpd/sites-available/7oo8.icu-le-ssl.conf
Redirecting vhost in /etc/httpd/sites-enabled/7oo9.icu.conf to ssl vhost in /etc/httpd/sites-available/7oo9.icu-le-ssl.conf

My web server is (include version):Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): Operating System: CentOS Linux 7 (Core)
Kernel: Linux 5.8.6-1.el7.elrepo.x86_64

My hosting provider, if applicable, is:ServerPoint

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.10.1

JuergenAuer · January 6, 2021, 4:54pm

Hi @olek

your second domain has the correct certificate with two domain names.

So certificate creation and installation of the second https vHost had worked.

What says

apachectl -S
httpd -S

second row, if the first row doesn't work.

Looks like your vHost configuration is a little bit buggy.

olek · January 6, 2021, 4:58pm

Thanks Juergen
here is the apachectl -S result:
VirtualHost configuration:
*:80 is a NameVirtualHost
default server www.7oo8.icu (/etc/httpd/sites-enabled/7oo8.icu.conf:1)
port 80 namevhost www.7oo8.icu (/etc/httpd/sites-enabled/7oo8.icu.conf:1)
alias 7oo8.icu
port 80 namevhost www.7oo9.icu (/etc/httpd/sites-enabled/7oo9.icu.conf:1)
alias 7oo9.icu
*:443 is a NameVirtualHost
default server mail.7oo8.icu (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost mail.7oo8.icu (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.7oo8.icu (/etc/httpd/sites-available/7oo8.icu-le-ssl.conf:2)
alias 7oo8.icu
port 443 namevhost www.7oo9.icu (/etc/httpd/sites-available/7oo9.icu-le-ssl.conf:2)
alias 7oo9.icu
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

JuergenAuer · January 6, 2021, 5:07pm

Most looks ok.

Compare

these two vHosts, the first may have the wrong certificate. Use the lines of the second.

PS: No, bad idea: Your certificate doesn't have the www domain names.

May be create two certificates, one per domain, every certificate with non-www and www.

Osiris · January 6, 2021, 5:06pm

Can you show the contents of /etc/httpd/sites-available/7oo8.icu-le-ssl.conf? It's a little bit weird that certbot said it succesfully enabled it in that configuration file, but it doesn't seem to work?

Also, you didn't include the www subdomains in your certificate, but you do have www subdomains configured in Apache. If you're using the -d command line option, you need to explicitely add the www subdomains yourself.

olek · January 6, 2021, 5:20pm

Hey,

i dont need or use www dont know why i put it there...probably copied the config from somewhere....

here is the file content:

"
<VirtualHost *:443>
ServerName www.7oo8.icu
ServerAlias 7oo8.icu

SSLCertificateFile /etc/letsencrypt/live/7oo8.icu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/7oo8.icu/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/7oo8.icu/chain.pem

ProxyPass http://55.195.102.23/
ProxyPassReverse http://55.195.102.23/

<Location "/frontend/assets/gallery">
ProxyPass "!"

<Location "/frontend/assets/files">
ProxyPass "!"

<Location "/frontend/assets/img">
ProxyPass "!"

"

Osiris · January 6, 2021, 5:35pm

Are the SSL commands (and most notably the paths) exactly the same as the 7oo9.icu-le-ssl.conf file? It looks like it should have to work.. Perhaps another Apache reload fixes it?

olek · January 6, 2021, 5:49pm

this solved it:

May be create two certificates, one per domain, every certificate with non-www and www.

Thanks again juergen

Osiris · January 6, 2021, 5:51pm

I'd rather call it a work-around. Your previous certificate should work fine, if Apache is properly configured and reloaded.

rg305 · January 6, 2021, 10:18pm

The failure was the site uses apex and www.

While the cert was only for the apex:

^^^ no www was included in the certs.