Website no longer secure, certificate created 5/3/2021, renewal due 8/1/2021

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this

It produced this output: No longer secure site. Certificate in the key chain is valid. Renewal due Aug 1st.

My web server is (include version): Server 5.6.1

The operating system my web server runs on is (include version): Mac OS High Sierra 10.13.6

My hosting provider, if applicable, is: Network Solutions

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.33.0

2 Likes

redirects to, but your certificate only covers You need to fix either your redirect or your certificate.


Thanks so much. Working now. I had looked at that but thought the certificate was for


Welcome to the Let's Encrypt Community, Jeffrey :slightly_smiling_face:

Still not fixed...

In addition to the current certificate not covering, no intermediate certificates are being served for either or


Thank you very much. I redirect the other sites to for which the certificate has been authorized. Now it works.

1 Like

I don't think you understand, my friend.

The certificate being served for does not include When many people visit, they will be shown a warning about the website being unsecure before being redirected. Depending upon your visitors' browsers, the lack of intermediate certificates being served by and can result in both addresses being considered unsecure due to presenting incomplete certificate chains. Additionally, none of the cipher suites being used support forward secrecy.

I highly recommend using the Intermediate ciphers shown here:

1 Like

First of all, I really appreciate the time you are taking to help me out. This is my first foray into certificates. When I first initiated the request I listed and a domains. I see now that the certificate only applies to because that is the domain established with my internet provider. I see the cipher suite. Two questions. My webserver is Apache. I assume that the cipher suite needs to be placed into the httpd-vhosts.conf file, correct? The other question is that I have another domain listed at the same IP address. Will adding that cipher suite cause this other domain to be redirected to the secure site? I do not have a certificate for that site. Thank you in advance for your help.

1 Like

You are quite welcome, my friend. :slightly_smiling_face:

Hopefully we haven't come across too demandingly. We want you to truly succeed in your certificate endeavors.

When you registered with your domain registrar (Network Solutions), all of its subdomains came included. You have A records in your DNS for both and that point to a live webserver, so you need a certificate to cover both names.

I see no such certificate ever issued:

Certbot should have set these for you in its own include file if you used the apache installer.

sudo certbot --cert-name --apache -d ","

Not if the directives (from the aforementioned include) are inside the VirtualHost for

What are the outputs of:

sudo certbot certificates
sudo ls -lRa /etc/letsencrypt
sudo apachectl -S
sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled

Please put 3 backticks above and below each output, like this:


@tialaramex is too modest about the post below and actually outlines fixes that I should have.

Ah, @griffin beat me to it. No need to read this unless you want to as it mostly duplicates his advice.

Last first, let's talk about that Mozilla configuration recommendation:

The section about rewriting (all the lines that start with Rewrite, such as RewriteCond and RewriteRule, and their enclosing VirtualHost condition) is the part of Mozilla's recommendation that upgrades people to HTTPS. So you should not apply this for the site for which you don't have a certificate; if unsure, leave all those lines out altogether for now. The part nearer the bottom, from the line starting SSLProtocol, is the part that would improve the security of the site for visitors by using more modern ciphers, and so that's the change which is more important to integrate.

While you're in the Apache configuration (and before telling Apache to reload the configuration) look for SSLCertificateFile and see if it's currently set to a path ending in fullchain.pem. If it isn't, this may be why your site fails that "Chain" check somebody else mentioned. This may not have any apparent effect for you, but it can cause problems on some browsers, so better fix it if possible by using the fullchain.pem file.

You might look at whether you can just ask Certbot to expand your certificate to include the name as well. It sounds like these are essentially the same web site, on the same machine, in which case it could be as simple as:

certbot --expand -d -d

This tells Certbot that you'd like the existing certificate "expanded" by adding to it, and you can prove you control this name too.

1 Like
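The SSLCertificateFile check described in the post above can be scripted. The following is an added example, not code from the thread or from Certbot: the function names are hypothetical, and the sample vhost file with its example.com names and paths is constructed for the demonstration.

```shell
#!/bin/sh
# Added example; function names and example.com are placeholders, not from the thread.

# For each <VirtualHost> in the given Apache config files, print
# "<ServerName> <path>" when SSLCertificateFile is set but is not fullchain.pem.
find_leaf_only_certs() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip commented-out directives
        tolower($1) ~ /^<virtualhost/ { name = "(no ServerName)"; cert = "" }
        tolower($1) == "servername" { name = $2 }
        tolower($1) == "sslcertificatefile" { cert = $2; gsub(/"/, "", cert) }
        tolower($1) ~ /^<\/virtualhost/ {
            if (cert != "" && cert !~ /(^|\/)fullchain\.pem$/)
                print name, cert
        }
    ' "$@"
}

# Count the certificates in a PEM file: 1 is a bare leaf, 2 or more includes a chain.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Constructed sample vhost file: the first host serves only the leaf certificate,
# the second serves the full chain and has an old directive commented out.
demo_dir=$(mktemp -d)
cat > "$demo_dir/vhosts.conf" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    SSLCertificateFile "/etc/letsencrypt/live/example.com/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    # SSLCertificateFile /old/path/server.crt
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
EOF

# Reports only the first virtual host.
find_leaf_only_certs "$demo_dir/vhosts.conf"
```

On a real server, pass the vhost files that `apachectl -S` lists, and run `count_pem_certs` on the file each SSLCertificateFile points to; a count of 1 means no intermediate certificate is being sent from that file.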

Good recommendations, @tialaramex. :slightly_smiling_face:

I'd do this like so:

sudo certbot --cert-name --apache -d ","

This ensures that it's the certificate that gets expanded.

1 Like

I personally despise using rewrites when there's a much better way.

Avoid them:

A common use for RewriteRule is to redirect an entire class of URLs. For example, all URLs in the /one directory must be redirected to, or perhaps all http requests must be redirected to https.

These situations are better handled by the Redirect directive.


That is the command that I used to create the certificate but I only received it for I assume in retrospect that I did not get a certificate for because it was listed as a domain. I had set the path to where the fullchain.pem file was but got an error saying it was missing or empty. You are correct, the only reason I have as a site is to redirect users to Thanks for responding.

1 Like

I'll give that a try. I originally used the command recommended by tialaramex and it gave me an option to expand but then I got an error stating that the http-01 challenge for could not be found.

1 Like

That looks like a very simple solution. I will try that. Thanks again.

1 Like
