LetsEncrypt provides correct certificate, but doesn't work

There’s lots of confusion (and possible mistakes) in the post above.
Forget all the ‘include’ nonsense, and look at the most basic example from the official docs.

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

See how simple that first block of code is? I’d use something like that for the initial test of the web site, with just a plain html holding page, and no redirects and no rewrite rules, then browse to the page and see that the certificate is either right or wrong. Once it’s working, of course you can then go and make it as complicated as you want.

I would echo @gerry666uk at this point. Adding this certificate shouldn’t be this hard and no, you didn’t follow my chain of thought on the ssl.conf file either, so forget that. You don’t want to move the certificates into the contents of the other certificates. That’s going to end up causing problems.

Regroup and go back to the beginning as @gerry666uk is saying and take careful note of your changes. Make sure that whatever you’ve done up to this point is just undone and back to where it was before you began (except for generating the Let’s Encrypt certificates of course.)

Thanks @gerry666uk and @sspencerwire. I was thinking of the same, start with a simple version. But there is one more thing I want to do before that:
@sspencerwire Sorry if you think I didn’t want to follow your suggestion about ssl.conf and moving the text into the certificate files. I was on my way to do that, but became uncertain about exactly which cert files you referred to. See my question to you in my latest post:

Now I just did it (assuming the above is what you meant).
I checked:

  • /etc/hosts to include “192.168.1.221 hartings.se”
  • restarted httpd
  • cleared cache in browser and restarted it

but there is no difference. The server.hartings.se certificate is still there as first certificate:

Funny, as my httpd.conf file is exactly the same (checked with diff) as in my running server (apart from the fact that I added one line at the very end:
SSLCertificateChainFile /etc/letsencrypt/live/hartings.se/fullchain.pem
to get the certificate at least visible, but apparently not fully active).

I will now “regroup” and take a step back and use the installation-default httpd.conf, or the example in the reference given by @gerry666uk.

I really appreciate all the suggestions you guys propose. Without you and this forum, I would be lost on this issue.
I am sorry for not being that quick; I am in the middle of a renovation and can only spend limited time each time I look into this. Not ideal, I know.
I really hope I can count on your help to finish this!

OK. Fresh start:

  1. I reloaded the default httpd.conf, as supplied in the RL 9 distribution. The ONLY modification is that I had to add “ServerName hartings.se:80”. Without specifying this, Apache could not find the domain name and said upon starting:
Oct 23 14:33:10 server.hartings.se httpd[281803]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using server.hartings.se. Set the 'ServerName' directive globally to suppress this message

  2. /etc/httpd/conf/httpd-le-ssl.conf as configured by the system - no manual changes
  3. /etc/letsencrypt/options-ssl-apache.conf as configured by the system - no manual changes
[root@server conf]# more /etc/letsencrypt/options-ssl-apache.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
[root@server conf]#
  4. /etc/hosts:
[root@server conf]# ping -c 5 hartings.se
PING hartings.se (192.168.1.221) 56(84) bytes of data.
64 bytes from hartings.se (192.168.1.221): icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from hartings.se (192.168.1.221): icmp_seq=2 ttl=64 time=0.017 ms
64 bytes from hartings.se (192.168.1.221): icmp_seq=3 ttl=64 time=0.016 ms
64 bytes from hartings.se (192.168.1.221): icmp_seq=4 ttl=64 time=0.016 ms
64 bytes from hartings.se (192.168.1.221): icmp_seq=5 ttl=64 time=0.020 ms

--- hartings.se ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4119ms
rtt min/avg/max/mdev = 0.016/0.022/0.041/0.009 ms
[root@server conf]# more /etc/hosts
127.0.0.1	localhost localhost4 localhost4.localdomain4
::1	localhost server.hartings.se localhost6 localhost6.localdomain6
192.168.1.221	hartings.se
[root@server conf]#

  5. All certificates as installed by the system - no manual changes, not touched:
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Result in browser (after clearing cache and restarting browser):

With these default settings, and the installed LetsEncrypt certificate, it should show the hartings.se certificates, I think.
So I add the two LetsEncrypt SSLCertificate lines at the end of the httpd.conf
(This should NOT be required, as they are in the file /etc/httpd/conf/httpd-le-ssl.conf)

[root@server conf]# more httpd-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName hartings.se
    Redirect / https://hartings.se/
    ServerAlias www.hartings.se
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =www.hartings.se [OR]
# RewriteCond %{SERVER_NAME} =hartings.se
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/hartings.se/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hartings.se/privkey.pem
</VirtualHost>
</IfModule>
[root@server conf]#

Restart httpd, clear cache in browser and restart browser.
Now the browser shows the following:

Why is the certificate “server.hartings.se” still there?
What did I do wrong here? Or could it be a bug in the OS?

As before, any hint on what to check/correct is very welcome!

Problem solved!
OK. After the “fresh start” (see my previous post), I started to re-read all comments and I noticed, I haven’t really done everything that was suggested. My sincere apologies! I was very very busy at the time and not focused enough…

The key thing was to override the lines referring to the certificates in the file /etc/httpd/conf.d/ssl.conf

by the Letsencrypt links:

For some reason it didn’t work to copy the certificates text into the contents of the files (perhaps I made a mistake), but overriding the links did work!
Thanks for this @sspencerwire. You pointed me to this! I just missed this key hint!

It proved not to be required to add the above Letsencrypt links in the httpd.conf, as the proper links are in the Included file /etc/httpd/conf.d/ssl.conf, so I removed them again from httpd.conf. It still works!

Also many thanks to @pajamian for pointing out how to test the certificate on a non-active server by putting the temporary IP address of that server and the domain name in the /etc/hosts file:

Thanks all for your patience.
I learned a lot. Especially, to be focused and to READ carefully what you guys write!
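An added example, not code from the thread: a small Python checker for the situation resolved above, where the distro ssl.conf vhost (still pointing at localhost.crt) is loaded before the certbot vhost, or the certbot vhost file is not Included at all, so the self-signed server.hartings.se certificate keeps being served. The config tree is a constructed in-memory sample (path to file text) so it runs offline; the ServerRoot, the sample file contents and the dict layout are assumptions, not the poster's actual files.

```python
import fnmatch, os, re

SERVER_ROOT = "/etc/httpd"
PLACEHOLDER_CERT = "/etc/pki/tls/certs/localhost.crt"  # distro self-signed cert
# Constructed sample of the thread's "fresh start" (path -> file text):
# default httpd.conf, distro ssl.conf and the certbot-written vhost file.
SAMPLE_FILES = {
    "/etc/httpd/conf/httpd.conf": "ServerName hartings.se:80\nIncludeOptional conf.d/*.conf\n",
    "/etc/httpd/conf.d/ssl.conf": "<VirtualHost _default_:443>\nSSLEngine on\n"
        f"SSLCertificateFile {PLACEHOLDER_CERT}\n</VirtualHost>\n",
    "/etc/httpd/conf/httpd-le-ssl.conf": "<VirtualHost *:443>\nServerName hartings.se\n"
        "SSLCertificateFile /etc/letsencrypt/live/hartings.se/fullchain.pem\n</VirtualHost>\n",
}

def _lines(files, path):
    """Yield directives in load order, expanding Include/IncludeOptional globs."""
    for line in (l.strip() for l in files.get(path, "").splitlines()):
        if not line or line.startswith("#"):  # Apache comments are whole-line only
            continue
        m = re.match(r"(?i)include(?:optional)?\s+(\S+)", line)
        if m:  # relative Include paths resolve against ServerRoot
            for p in sorted(fnmatch.filter(files, os.path.join(SERVER_ROOT, m.group(1)))):
                yield from _lines(files, p)
        else:
            yield line

def audit_ssl_vhosts(files, root="/etc/httpd/conf/httpd.conf"):
    """Return :443 vhosts in load order as {addr, name, cert}; the first one is
    what Apache serves when no ServerName matches the client's SNI. A vhost
    with no SSLCertificateFile of its own inherits the global one."""
    vhosts, cur, global_cert = [], None, None
    for line in _lines(files, root):
        if m := re.match(r"(?i)<virtualhost\s+([^>]+)>", line):
            cur = {"addr": m.group(1).strip(), "name": None, "cert": None}
        elif re.match(r"(?i)</virtualhost>", line):
            if cur["addr"].endswith(":443"):
                vhosts.append(cur)
            cur = None
        elif m := re.match(r"(?i)(servername|sslcertificatefile)\s+(\S+)", line):
            key = "name" if m.group(1).lower() == "servername" else "cert"
            if cur is not None:
                cur[key] = m.group(2)
            elif key == "cert":
                global_cert = m.group(2)
    for v in vhosts:
        v["cert"] = v["cert"] or global_cert
    return vhosts

def placeholder_vhosts(files):
    """Names of :443 vhosts that would still serve the distro placeholder cert."""
    return [v["name"] or v["addr"] for v in audit_ssl_vhosts(files) if v["cert"] == PLACEHOLDER_CERT]
```

Run against a real tree by reading the files from disk into the same dict; an empty result from placeholder_vhosts means no :443 vhost serves localhost.crt any more.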
