Discover Centmin Mod today
Register Now

Letsencrypt New domain ssl issued not trust problem

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jinbo, Dec 1, 2020.

  1. Jinbo

    Jinbo New Member

    Dec 1, 2020
    Local Time:
    7:16 AM
    centmin menu choose option 2 add new domain.
    It's new domain nginx vhost site setup for first time!

    letsencrypt option below choose 4
    3. issue live cert with HTTP + HTTPS
    4. issue live cert with HTTPS default

    Result in NET::ERR_CERT_INVALID (domain untrust)

    If letsencrypt option below choose 3
    3. issue live cert with HTTP + HTTPS
    4. issue live cert with HTTPS default

    Then domain works fine.

    Maybe done letsencrypt ssl first then redirect www to non www domain will work.
  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Local Time:
    8:16 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    First try running your intended SSL certificate domain through the online testing tool to check for potential errors with HTTP-01 validation. If you created Centmin Mod 123.09beta01 or higher Nginx site with Letsencrypt via menu option 2, 22 or nv command line, you now also have an automatic API check log saved at /root/centminlogs/${DT}.log where is domain specified during nginx vhost creation and DT is date/timestamp. Inspecting the /root/centminlogs/${DT}.log log will also give you clues as to why letsencrypt SSL certificate issuance failed.

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing a Centmin Mod's self-signed untrusted ssl certificate instead of letsencrypt ssl certificate, then that's and centminmod's fallback if letsencrypt verification fails to obtain letsencrypt ssl cert, it falls back to centmin mod self-signed ssl certificate on https port 443 side so to preserve the https nginx vhost


    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post contents of log to or and share link in this thread. To find the log list the logs in ascending date order
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate or post.
    • Enable debug mode. In persistent config file at /etc/centminmod/ (create it if doesn't exist) add and enable debug mode which gives much more verbose letsencrypt issuance process information when you re-run or menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
    If auto renewals didn't happen, check output for the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/ checkdates

    Code (Text):
    "/root/"/ --cron --home "/root/"

    Code (Text):
    echo | openssl s_client -connect

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs) if it says untrusted SSL cert and prompts to continue the test, continue the test.