Why is my Let's Encrypt cert considered a self-signed cert by browsers

My domain is: kaltura.shisu.edu.cn

I ran this command: certbot certonly

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): CentOS 7

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Chrome says: NET::ERR_CERT_AUTHORITY_INVALID
Press F12, under the security tab, I can see the certificate IS self-signed. I cannot understand at all.

FYI: I requested a kaltura.shisu.edu.cn cert on an Ubuntu 16.04 box 4-5 days ago, and it worked wonderfully. But today I cannot get it working, even by copying the pem files from the Ubuntu box.

With certonly you, as the name says, only get a certificate. You have to install it manually yourself that way. How did you install the certificate you acquired with certbot certonly?

Your system is not using the LE cert files.
It is still using a self-signed cert:

You need to find the vhost config file and update it to use the LE cert files.

My VHOST config:
<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>

SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
<IfVersion < 2.4>
SSLMutex default
</IfVersion>
<IfVersion >= 2.4>
Mutex sysvsem default
</IfVersion>
SSLCryptoDevice builtin

SSLCertificateFile /etc/letsencrypt/live/kaltura.shisu.edu.cn/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kaltura.shisu.edu.cn/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/kaltura.shisu.edu.cn/chain.pem

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    ErrorLog "/opt/kaltura/log/kaltura_apache_errors_ssl.log"
    CustomLog /opt/kaltura/log/kaltura_apache_access_ssl.log vhost_kalt

    Include "/opt/kaltura/app/configurations/apache/conf.d/enabled.*.conf"

My request method:

[root@kaltura log]# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c’
to cancel): kaltura.shisu.edu.cn
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/kaltura.shisu.edu.cn.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kaltura.shisu.edu.cn

Select the webroot for kaltura.shisu.edu.cn:

1: Enter a new webroot

Press 1 [enter] to confirm the selection (press ‘c’ to cancel): 1
Input the webroot for kaltura.shisu.edu.cn: (Enter ‘c’ to cancel): /root
Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: kaltura.shisu.edu.cn
Please see the logfiles in /var/log/letsencrypt for more details.

The error didn’t occur last time, for the rate limit had not been reached.

Getting more and more certificates while none of them is being used isn't going to be of much help. Forget the rate limit, just get your most recent certificate working. :slight_smile:

Did you reload your Apache after you added the SSL directives? Do you have other SSL directives that might override the Let's Encrypt ones?

Surely I restarted httpd, and even rebooted the box. Nothing works. :disappointed:

It looks like you resolved the main problem:

Now it seems that there is a redirect that (uses HTTP) to:
http://kaltura.shisu.edu.cn/start/index.php
which should be via HTTPS:
https://kaltura.shisu.edu.cn/start/index.php
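
An added example (not part of the thread, and not code from certbot or Apache): a small Python scan for the "other SSL directives that might override the Let's Encrypt ones" question asked above. It lists every active SSLCertificate*File directive per VirtualHost and flags those that point outside /etc/letsencrypt/live/. The file names, vhost addresses and the ssl.conf contents in SAMPLE_CONFIGS are constructed for illustration.

```python
import re

# Constructed sample: a distribution-style ssl.conf that still points at a
# locally generated certificate, next to a vhost using the Let's Encrypt files.
# File names and vhost addresses are assumptions, not taken from the thread.
SAMPLE_CONFIGS = {
    "/etc/httpd/conf.d/ssl.conf": """\
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    # SSLCertificateFile /etc/pki/tls/certs/old.crt
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
""",
    "/etc/httpd/conf.d/zzzkaltura.ssl.conf": """\
<VirtualHost *:443>
    ServerName kaltura.shisu.edu.cn
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/kaltura.shisu.edu.cn/cert.pem"
    SSLCertificateKeyFile /etc/letsencrypt/live/kaltura.shisu.edu.cn/privkey.pem
</VirtualHost>
""",
}

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.I)
CERT_DIRECTIVE = re.compile(r"(SSLCertificate(?:Key|Chain)?File)\s+(\S.*)", re.I)

def cert_directives(configs):
    """Return (file, vhost, directive, path) for each active SSLCertificate*File line."""
    found = []
    for name in sorted(configs):  # wildcard includes are read in alphabetical order
        vhost = "(global)"
        for raw in configs[name].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):  # skip blanks and commented-out lines
                continue
            if m := VHOST_OPEN.match(line):
                vhost = m.group(1).strip()
            elif VHOST_CLOSE.match(line):
                vhost = "(global)"
            elif m := CERT_DIRECTIVE.match(line):
                found.append((name, vhost, m.group(1), m.group(2).strip().strip('"')))
    return found

def not_from_letsencrypt(configs, live_dir="/etc/letsencrypt/live/"):
    """Directives whose path lies outside live_dir: candidates for the cert being served."""
    return [d for d in cert_directives(configs) if not d[3].startswith(live_dir)]

if __name__ == "__main__":
    for name, vhost, directive, path in not_from_letsencrypt(SAMPLE_CONFIGS):
        print(f"{name}: <VirtualHost {vhost}> {directive} {path}")
```

To run it against a real server, build the dictionary from the contents of the files in the Apache configuration directory instead of SAMPLE_CONFIGS.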
