Apache sometimes returns an expired certificate for a web page

My domain is: crm.lurity.com
My web server is: Apache/2.4.41
The operating system my web server runs on is: Ubuntu 20.04.1 LTS
I can login to a root shell on my machine: yes
The version of my certbot client is: certbot 0.40.0

Apache sometimes returns an expired certificate for the web page https://crm.lurity.com
Sometimes it returns the old, expired certificate. It seems like Apache has the certificate in a cache, because today, 5.1.2023, I deleted the whole letsencrypt folder with the certificates for this domain and generated a new one, but it still sends me the old one generated on 2.1.2023.

Before this deletion, Apache sometimes sent me a certificate which had expired (generated in October).

Can somebody please tell me how this is possible, or how I can clear the Apache cache for certificates?

1 Like

You should restart Apache (or your server)

Sometimes an Apache worker gets stuck and serves an old cert. That seems to be happening here.

I got an old cert after about 8 requests

6 Likes
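One way to reproduce the "old cert after about 8 requests" observation from the client side, as an added example that is not part of the thread: the script below opens a fresh TLS connection for each attempt and counts the distinct leaf-certificate fingerprints it is handed. The default hostname is the one from the thread, and certificate verification is deliberately disabled so that an expired certificate is recorded rather than rejected.

```python
"""Probe a TLS endpoint over repeated fresh connections and report whether
every connection presented the same leaf certificate. Added example; the
default target is the hostname discussed in the thread."""
import hashlib
import socket
import ssl
from collections import Counter


def fetch_leaf_fingerprint(host, port=443, timeout=5.0):
    """Open a new TCP+TLS connection and return the SHA-256 of the leaf cert.
    Verification is off on purpose: an expired cert must be observed and
    counted, not rejected by the client. A fresh context per call also
    rules out session resumption hiding a stale worker."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def summarize(fingerprints):
    """Return (consistent, counts, majority): consistent is True when a single
    fingerprint was seen, majority is the most frequently served one."""
    counts = Counter(fingerprints)
    if not counts:
        return True, {}, None
    majority, _ = counts.most_common(1)[0]
    return len(counts) == 1, dict(counts), majority


def probe(host, attempts=20, port=443):
    """Run several independent connections so different workers can answer."""
    seen = []
    for _ in range(attempts):
        try:
            seen.append(fetch_leaf_fingerprint(host, port))
        except (OSError, ssl.SSLError) as exc:
            seen.append(f"error:{type(exc).__name__}")
    return summarize(seen)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "crm.lurity.com"
    consistent, counts, majority = probe(target)
    print("consistent" if consistent else "INCONSISTENT: mixed certificates served")
    for fp, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}x {fp}{'' if fp == majority else '  <- stale worker?'}")
```

Two or more fingerprints for the same hostname is the symptom described in the thread; after an Apache restart the probe should report a single one.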

You can't fix an Apache problem by removing certbot nor replacing valid certs.

You probably just need to restart Apache or reboot the server.
We should be able to see multiple Apache service PIDs with:
netstat -pant | grep -Ei 'apache|http' | grep -i listen
ps -ef | grep -Ei 'apache|http'

7 Likes

I did run systemctl apache2 reload. Isn't it enough? Is it necessary to restart Apache?

1 Like

Yes, a restart is needed in this case, not just a reload. If that doesn't work, reboot the server.

Normally a reload is enough, but sometimes a single Apache worker gets stuck and a restart / reboot is needed.

5 Likes

Possibly.
Show:

5 Likes

Sometimes even an Apache restart can't address "lost workers" [that are owned by previous runs of Apache].

5 Likes

Agree which is why I said

5 Likes

netstat -pant | grep -Ei 'apache|http' | grep -i listen
returns

tcp6       0      0 :::80                   :::*                    LISTEN      1076/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      1076/apache2
1 Like

Sorry, we need to see:
ps -ef | grep -Ei 'apache|http'

5 Likes

ps -ef | grep -Ei 'apache|http'

returns

root        1076       1  0  2022 ?        00:04:45 /usr/sbin/apache2 -k start
www-data 1820617    1076  0  2022 ?        00:40:45 /usr/sbin/apache2 -k start
www-data 2619721    1076  0 04:56 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 2674008    1076  0 09:55 ?        00:00:38 /usr/sbin/apache2 -k start
www-data 2685949    1076  0 10:57 ?        00:00:21 /usr/sbin/apache2 -k start
www-data 2696213    1076  0 11:53 ?        00:00:17 /usr/sbin/apache2 -k start
root     2745507 2736486  0 16:07 pts/10   00:00:00 grep --color=auto -Ei apache|http
2 Likes

Sounds like an Apache issue, not directly a Let's Encrypt or ACME Client issue.

You could check some Apache forums for additional potential solutions, here are a couple.
https://httpd.apache.org/support.html
https://www.apachelounge.com/

5 Likes

You are right, it is obviously related to Apache. I asked there.
I also restarted Apache. Now it seems to be working. I hope it will also be OK tomorrow.

Thank you.

8 Likes

SSL Labs on this got the right cert: SSL Server Test: crm.lurity.com (Powered by Qualys SSL Labs)

5 Likes

Sometimes it is right, sometimes not. Now it should be OK. There is a new certificate and Apache has been restarted.

2 Likes

It does seem OK now :)

4 Likes