Certbot create and renew OK, but browser links to old certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: elearning.dstgroup.pt

I ran this command:

It produced this output:

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): centos 7 - 6.1810.2.e17

My hosting provider, if applicable, is: on premise

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

Initially we added a certificate manually, and it worked, and it is the one the browser is pointing to. This one is now expired.

Meanwhile we used certbot to create a new certificate for the same domain, and to renew it automatically, and it is working fine, but it is not being used by Apache!

ssl.conf

```apache
Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

## SSL Virtual Host Context

<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName elearning.dstgroup.pt

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

# Server Certificate:
SSLCertificateFile /etc/letsencrypt/live/elearning.dstgroup.pt/cert.pem

# Server Private Key:
SSLCertificateKeyFile /etc/letsencrypt/live/elearning.dstgroup.pt/privkey.pem

# Server Certificate Chain:
SSLCertificateChainFile /etc/letsencrypt/live/elearning.dstgroup.pt/chain.pem
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ServerAlias elearning.dstgroup.pt
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```

httpd.conf

```apache
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName elearning.dstgroup.pt
RewriteEngine on
RewriteCond %{SERVER_NAME} =elearning.dstgroup.pt
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf
```

Thanks

1 Like
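A way to see which VirtualHost, and therefore which certificate file, Apache would pick for a given SNI name, as an added example that is not code from Certbot or from this thread. It reads VirtualHost blocks laid out like the posted ssl.conf and httpd.conf; the sample configuration inside it is constructed (the second :443 block for *.dstsgps.com is hypothetical), and it only handles the directives it names, not Include files or Macro expansion.

```python
"""Resolve which <VirtualHost>, and so which certificate file, Apache would use
for a given SNI hostname, from the VirtualHost blocks in its configuration.

Added example for this thread, not code from Certbot or the original poster.
SAMPLE_CONFIG is constructed to mirror the posted ssl.conf/httpd.conf; the
second :443 block for *.dstsgps.com is hypothetical. Only the directives named
in DIRECTIVE are read; Include/Macro expansion is not handled.
"""
import fnmatch
import re

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>", re.IGNORECASE)
DIRECTIVE = re.compile(
    r"^(ServerName|ServerAlias|SSLCertificateFile|SSLCertificateKeyFile)\s+(.+)$",
    re.IGNORECASE,
)

SAMPLE_CONFIG = """
# constructed: mirrors the thread's ssl.conf, plus a hypothetical wildcard site
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ServerName elearning.dstgroup.pt
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/elearning.dstgroup.pt/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/elearning.dstgroup.pt/privkey.pem
    ServerAlias elearning.dstgroup.pt
</VirtualHost>

<VirtualHost *:443>
    ServerName www.dstsgps.com
    ServerAlias *.dstsgps.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/dstsgps.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dstsgps.com/privkey.pem
</VirtualHost>

<VirtualHost *:80>
    ServerName elearning.dstgroup.pt
    RewriteEngine on
</VirtualHost>
"""


def parse_vhosts(config_text):
    """Collect every <VirtualHost> block, in file order, as a dict holding its
    listen port, the names it answers to, and the certificate/key it loads."""
    vhosts, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            addr = opened.group(1).strip()
            # "_default_:443" and "*:443" both mean "any address, port 443".
            tail = addr.rsplit(":", 1)[1] if ":" in addr else ""
            port = int(tail) if tail.isdigit() else None  # None: all ports
            current = {"addr": addr, "port": port, "names": [], "cert": None, "key": None}
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None:
            continue
        hit = DIRECTIVE.match(line)
        if not hit:
            continue
        key, value = hit.group(1).lower(), hit.group(2).strip().strip('"')
        if key == "servername":
            current["names"].append(value)
        elif key == "serveralias":
            current["names"].extend(value.split())
        elif key == "sslcertificatefile":
            current["cert"] = value
        elif key == "sslcertificatekeyfile":
            current["key"] = value
    return vhosts


def select_vhost(vhosts, sni_name, port=443):
    """Apache's name-based selection on one port: the first block whose
    ServerName or ServerAlias matches the SNI name wins; when nothing matches,
    the first block defined for that port is the default and answers anyway."""
    candidates = [v for v in vhosts if v["port"] in (port, None)]
    if not candidates:
        return None
    wanted = sni_name.lower()
    for vhost in candidates:
        if any(fnmatch.fnmatchcase(wanted, name.lower()) for name in vhost["names"]):
            return vhost
    return candidates[0]


if __name__ == "__main__":
    vhosts = parse_vhosts(SAMPLE_CONFIG)
    for name in ("elearning.dstgroup.pt", "portal.dstsgps.com", "other.example.net"):
        chosen = select_vhost(vhosts, name)
        print(f"{name:24} -> {chosen['addr']:14} cert={chosen['cert']}")
```

If the block this resolves for elearning.dstgroup.pt loads cert.pem from the Certbot live directory, and the browser still receives a different certificate after a restart, then the process answering port 443 is not the one reading this configuration: another listener, another machine behind the DNS name, or a TLS terminator in front of Apache.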

Looks like you didn’t use the apache plugin to let certbot install the certificate for you initially, but you manually installed it. After the certbot renewal, did you reload your Apache webserver, so it reads the new certificate files?

1 Like

The first one was created and imported to the server.

Then I used certbot to create a new certificate.

I restarted Apache several times! It seems to ignore the paths to the certificates and points to the old one!

1 Like

What’s the output of certbot certificates and apache2ctl -D?

1 Like

certbot certificates

```text
Found the following certs:
  Certificate Name: dstsgps.com
    Domains: *.dstsgps.com
    Expiry Date: 2020-09-11 22:52:59+00:00 (VALID: 84 days)
    Certificate Path: /etc/letsencrypt/live/dstsgps.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dstsgps.com/privkey.pem
  Certificate Name: elearning.dstgroup.pt
    Domains: elearning.dstgroup.pt
    Expiry Date: 2020-08-02 22:10:04+00:00 (VALID: 44 days)
    Certificate Path: /etc/letsencrypt/live/elearning.dstgroup.pt/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/elearning.dstgroup.pt/privkey.pem
```

httpd -S

```text
VirtualHost configuration:
*:80                   elearning.dstgroup.pt (/etc/httpd/conf/httpd.conf:351)
*:443                  elearning.dstgroup.pt (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
```

1 Like

Something is very wrong, but I can’t get my finger around it.

If I request the hostname elearning.dstgroup.pt, I get the certificate for *.dstgroup.pt. But according to your apache2ctl -D, you don’t even have that VirtualHost configured! According to your information, there isn’t a site where *.dstgroup.pt or the certificate for this hostname is configured.

Also, tiny detail, but the certificate I’m getting is for *.dstgroup.pt, but you only have a certificate for *.dstgroup.com! Different top-level domain! Where did you put the certificate for *.dstgroup.pt? Perhaps a whole different server?

1 Like
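The check the reply above performs by hand, fetching the certificate the server presents for the SNI name and comparing it with what is on disk, written as an added example that is not code from Certbot or from anyone in this thread. It compares SHA-256 fingerprints of the leaf certificate, so a stale certificate left in memory after a renewal, or a certificate served by some other host entirely, shows up as "no match". The /etc/letsencrypt/live/<name>/cert.pem layout is Certbot's; the PEM blobs built at the bottom are constructed test data, not real certificates, and the network fetch only runs when the script is started by hand.

```python
"""Compare the leaf certificate a TLS endpoint actually serves with the
certificates Certbot keeps on disk, by SHA-256 fingerprint.

Added example for this thread, not Certbot's or the poster's code. The
/etc/letsencrypt/live/<name>/cert.pem layout is Certbot's; the PEM blobs
built below are constructed test data, not real certificates.
"""
import base64
import glob
import hashlib
import os
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_from_der(der):
    """Wrap DER bytes in a PEM CERTIFICATE block (64-character lines)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def leaf_der(pem_text):
    """DER of the FIRST certificate in a PEM text. fullchain.pem holds the leaf
    first and then the intermediates, so only the first block is the server's
    own certificate; later blocks are deliberately ignored."""
    start = pem_text.index(PEM_BEGIN) + len(PEM_BEGIN)
    end = pem_text.index(PEM_END, start)
    return base64.b64decode("".join(pem_text[start:end].split()), validate=True)


def fingerprint(pem_text):
    """Hex SHA-256 of the leaf's DER, the same value `openssl x509 -noout
    -fingerprint -sha256` prints, minus the colons."""
    return hashlib.sha256(leaf_der(pem_text)).hexdigest()


def served_leaf_pem(host, port=443, servername=None):
    """Fetch the leaf certificate presented for a given SNI name. Verification
    is disabled on purpose: an expired or wrong-name certificate is exactly
    what we want to inspect, not a handshake failure."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def match_lineage(served_pem, lineages):
    """Name of the Certbot lineage whose certificate matches what the server
    sent, or None when nothing on this host matches (the situation in the
    thread: the served certificate is coming from somewhere else)."""
    served = fingerprint(served_pem)
    for name, pem_text in lineages.items():
        if fingerprint(pem_text) == served:
            return name
    return None


def load_lineages(live_dir="/etc/letsencrypt/live"):
    """Read every lineage's cert.pem from Certbot's live directory."""
    lineages = {}
    for cert_path in glob.glob(os.path.join(live_dir, "*", "cert.pem")):
        with open(cert_path) as fh:
            lineages[os.path.basename(os.path.dirname(cert_path))] = fh.read()
    return lineages


# Constructed test data: not real certificates, just distinct DER-shaped blobs.
FAKE_LEAF = pem_from_der(b"constructed leaf certificate bytes")
FAKE_INTERMEDIATE = pem_from_der(b"constructed intermediate certificate bytes")
FAKE_FULLCHAIN = FAKE_LEAF + FAKE_INTERMEDIATE


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "elearning.dstgroup.pt"
    served = served_leaf_pem(host)
    print("served :", fingerprint(served))
    found = match_lineage(served, load_lineages())
    print("matches:", found or "no cert.pem under /etc/letsencrypt/live")
```

Run on the web server itself, a match against a lineage other than the expected one means the wrong VirtualHost answered; no match at all, as in this thread, means the certificate is not coming from this host's Certbot files, so the next place to look is DNS and whatever else sits between the browser and this Apache.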