UntrustedRoot: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:7oo8.icu

I ran this command:certbot --apache --noninteractive --agree-tos --register-unsafely-without-email --expand -d 7oo8.icu -d 7oo9.icu

It produced this output:Account registered.
Requesting a certificate for 7oo8.icu and 7oo9.icu

Congratulations! You have successfully enabled https://7oo8.icu and


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2021-04-06. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

$Error:Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Performing the following challenges:
http-01 challenge for 7oo8.icu
http-01 challenge for 7oo9.icu
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/sites-available/7oo8.icu-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/7oo8.icu-le-ssl.conf
Enabling site /etc/httpd/sites-available/7oo8.icu-le-ssl.conf by adding Include to root configuration
Created an SSL vhost at /etc/httpd/sites-available/7oo9.icu-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/7oo9.icu-le-ssl.conf
Enabling site /etc/httpd/sites-available/7oo9.icu-le-ssl.conf by adding Include to root configuration
Redirecting vhost in /etc/httpd/sites-enabled/7oo8.icu.conf to ssl vhost in /etc/httpd/sites-available/7oo8.icu-le-ssl.conf
Redirecting vhost in /etc/httpd/sites-enabled/7oo9.icu.conf to ssl vhost in /etc/httpd/sites-available/7oo9.icu-le-ssl.conf

My web server is (include version):Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): Operating System: CentOS Linux 7 (Core)
Kernel: Linux 5.8.6-1.el7.elrepo.x86_64

My hosting provider, if applicable, is:ServerPoint

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.10.1

Hi @olek

your second domain has the correct certificate with two domain names.

So certificate creation and installation of the second https vHost had worked.

What says

apachectl -S
httpd -S

second row, if the first row doesn't work.

Looks like your vHost configuration is a little bit buggy.

Thanks Juergen :slight_smile:
here is the apachectl -S result:
VirtualHost configuration:
*:80 is a NameVirtualHost
default server www.7oo8.icu (/etc/httpd/sites-enabled/7oo8.icu.conf:1)
port 80 namevhost www.7oo8.icu (/etc/httpd/sites-enabled/7oo8.icu.conf:1)
alias 7oo8.icu
port 80 namevhost www.7oo9.icu (/etc/httpd/sites-enabled/7oo9.icu.conf:1)
alias 7oo9.icu
*:443 is a NameVirtualHost
default server mail.7oo8.icu (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost mail.7oo8.icu (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.7oo8.icu (/etc/httpd/sites-available/7oo8.icu-le-ssl.conf:2)
alias 7oo8.icu
port 443 namevhost www.7oo9.icu (/etc/httpd/sites-available/7oo9.icu-le-ssl.conf:2)
alias 7oo9.icu
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
PidFile: "/run/httpd/httpd.pid"
User: name="apache" id=48
Group: name="apache" id=48

Most looks ok.


these two vHosts, the first may have the wrong certificate. Use the lines of the second.

PS: No, bad idea: Your certificate doesn't have the www domain names.

May be create two certificates, one per domain, every certificate with non-www and www.

Can you show the contents of /etc/httpd/sites-available/7oo8.icu-le-ssl.conf? It's a little bit weird that certbot said it succesfully enabled it in that configuration file, but it doesn't seem to work?

Also, you didn't include the www subdomains in your certificate, but you do have www subdomains configured in Apache. If you're using the -d command line option, you need to explicitely add the www subdomains yourself.


i dont need or use www dont know why i put it there...probably copied the config from somewhere....

here is the file content:

<VirtualHost *:443>
ServerName www.7oo8.icu
ServerAlias 7oo8.icu

SSLCertificateFile /etc/letsencrypt/live/7oo8.icu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/7oo8.icu/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/7oo8.icu/chain.pem


<Location "/frontend/assets/gallery">
ProxyPass "!"

<Location "/frontend/assets/files">
ProxyPass "!"

<Location "/frontend/assets/img">
ProxyPass "!"


Are the SSL commands (and most notably the paths) exactly the same as the 7oo9.icu-le-ssl.conf file? It looks like it should have to work.. Perhaps another Apache reload fixes it?

this solved it:

May be create two certificates, one per domain, every certificate with non-www and www.

Thanks again juergen :slight_smile:

1 Like

I'd rather call it a work-around. Your previous certificate should work fine, if Apache is properly configured and reloaded.

The failure was the site uses apex and www.

While the cert was only for the apex:

^^^ no www was included in the certs.