Apache sometimes return expired certificate for web page

camohub · January 5, 2023, 2:24pm

My domain is: crm.lurity.com
My web server is: Apache/2.4.41
The operating system my web server runs on is: Ubuntu 20.04.1 LTS
I can login to a root shell on my machine: yes
The version of my certbot client is: certbot 0.40.0

Apache sometimes return expired certificate for web page https://crm.lurity.com
Sometimes it returns old expired certificate. It seems like Apache have certificate in cache cause today 5.1.2023 I delete whole letencript folder with certificates for this domain and generate new one, but it still send me an old one generated on 2.1.2023.

Before this delete Apache sometimes send me a certificate which was expired (generated on october).

Can somebody tell me please how is it possible or how can I clean Apache cache for certificates?

MikeMcQ · January 5, 2023, 2:30pm

You should restart Apache (or your server)

Sometimes an Apache worker gets stuck and serves an old cert. That seems to be happening here.

I got an old cert after about 8 requests

rg305 · January 5, 2023, 2:30pm

You can't fix an Apache problem by removing certbot nor replacing valid certs.

camohub · January 5, 2023, 2:40pm

I did run systemctl apache2 reload. Isnt it enough? Is it necessary to restart Apache?

MikeMcQ · January 5, 2023, 2:43pm

Yes, restart is needed not just reload in this case. If that doesn't work reboot the server

Normally reload is enough but sometimes a single Apache worker gets stuck and restart / reboot is needed

rg305 · January 5, 2023, 2:44pm

Possibly.
Show:

rg305 · January 5, 2023, 2:45pm

Sometimes even an Apache restart can't address "lost workers" [that are owned by previous runs of Apache].

MikeMcQ · January 5, 2023, 2:52pm

Agree which is why I said

camohub · January 5, 2023, 2:55pm

netstat -pant | grep -Ei 'apache|http' | grep -i listen
returns

tcp6       0      0 :::80                   :::*                    LISTEN      1076/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      1076/apache2

rg305 · January 5, 2023, 2:57pm

Sorry, we need to see:
ps -ef | grep -Ei 'apache|http'

camohub · January 5, 2023, 3:08pm

ps -ef | grep -Ei 'apache|http'

returns

root        1076       1  0  2022 ?        00:04:45 /usr/sbin/apache2 -k start
www-data 1820617    1076  0  2022 ?        00:40:45 /usr/sbin/apache2 -k start
www-data 2619721    1076  0 04:56 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 2674008    1076  0 09:55 ?        00:00:38 /usr/sbin/apache2 -k start
www-data 2685949    1076  0 10:57 ?        00:00:21 /usr/sbin/apache2 -k start
www-data 2696213    1076  0 11:53 ?        00:00:17 /usr/sbin/apache2 -k start
root     2745507 2736486  0 16:07 pts/10   00:00:00 grep --color=auto -Ei apache|http

barf7709 · January 5, 2023, 3:34pm

Sounds like an Apache issue, not directly a Let's Encrypt or ACME Client issue.

You could check some Apache forums for additional potential solutions, here are a couple.
https://httpd.apache.org/support.html
https://www.apachelounge.com/

camohub · January 5, 2023, 3:46pm

You are right, it is obviously related to Apache. I asked there.
Also I restart Apache. Now it seems it is working. Hope it will be ok also tomorrow.

Thank you.

barf7709 · January 5, 2023, 4:21pm

SSL Labs on this got the right cert SSL Server Test: crm.lurity.com (Powered by Qualys SSL Labs)

camohub · January 9, 2023, 8:24am

Sometimes it is right sometimes not. Now it should be ok. There is a new certificate and Apache has been restarted.

rg305 · January 9, 2023, 8:28am

It does seem OK now

system · February 8, 2023, 8:28am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.