Cert renewed but apache still pulling old one, even after restart

Hi,

For some reason I cannot get my renewed cert to work. Basically, I am using Ubuntu 16.04 with Let's Encrypt, and I have renewed before. I ran the renewal this last weekend, and if I run certbot certificates my certificates are listed and show valid 88 days. I have restarted apache2 and the whole server now, and when I go to the site it shows the site still pulling the old cert. I think this may be somewhere in the Apache 2 config (i.e. pull cert here) to get it to show the new cert, but I am just not sure where.

Any help would be appreciated.

Hi @daneseelen

please answer the following questions:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

My domain is: direct-fulfillment.com

I ran this command: certbot certificates

It produced this output:
Found the following certs:
  Certificate Name: direct-fulfillment.com-0001
    Domains: direct-fulfillment.com www.direct-fulfillment.com
    Expiry Date: 2019-11-08 23:57:17+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/direct-fulfillment.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/direct-fulfillment.com-0001/privkey.pem
  Certificate Name: direct-fulfillment.com
    Domains: direct-fulfillment.com xg.direct-fulfillment.com
    Expiry Date: 2019-11-08 23:44:33+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/direct-fulfillment.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/direct-fulfillment.com/privkey.pem
  Certificate Name: www.direct-fulfillment.com
    Domains: direct-fulfillment.com www.direct-fulfillment.com xg.direct-fulfillment.com
    Expiry Date: 2019-11-08 23:53:06+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/www.direct-fulfillment.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.direct-fulfillment.com/privkey.pem

My web server is apache2:

The operating system my web server runs on is (include version): ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Checking your domain, there are only timeouts - https://check-your-website.server-daten.de/?q=direct-fulfillment.com

But you have three new certificates, so that part works:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-08-10 | 2019-11-08 | direct-fulfillment.com, www.direct-fulfillment.com - 2 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2019-08-10 | 2019-11-08 | direct-fulfillment.com, www.direct-fulfillment.com, xg.direct-fulfillment.com - 3 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2019-08-10 | 2019-11-08 | direct-fulfillment.com, xg.direct-fulfillment.com - 2 entries | duplicate nr. 1 | |

What does this say:

apachectl -S

If you have duplicated combinations of port + vHost, Certbot may not be able to install the certificate.

Check all of the SSLCertificateFile, SSLCertificateKeyFile and (deprecated) SSLCertificateChainFile settings in your Apache configuration.

They should point to files in /etc/letsencrypt/live/, not /etc/letsencrypt/archive/ or other files.

On the other hand, sometimes browsers may show an older certificate when displaying cached pages. It’s possible the web server is actually serving the new certificate.
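
The check described in the post above, as an added example that is not part of the original thread: a shell function that lists every SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directive in the given files and marks whether its path is under /etc/letsencrypt/live/. The function names, status labels and sample vhost are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Apache certificate directives by where they point.
#   OK     - under /etc/letsencrypt/live/ (symlinks that follow each renewal)
#   PINNED - under /etc/letsencrypt/archive/ (one fixed issued version)
#   OTHER  - any other file, not managed by Certbot

# audit_cert_paths FILE...  prints: STATUS file:line directive path
audit_cert_paths() {
    awk '
        {
            # Directive names are case-insensitive in Apache. A commented-out
            # line never matches because its first field starts with "#".
            d = tolower($1)
            if (d != "sslcertificatefile" && d != "sslcertificatekeyfile" &&
                d != "sslcertificatechainfile") next
            path = $2
            gsub(/"/, "", path)          # Apache allows quoted paths
            if (path ~ /^\/etc\/letsencrypt\/live\//)         status = "OK"
            else if (path ~ /^\/etc\/letsencrypt\/archive\//) status = "PINNED"
            else                                              status = "OTHER"
            printf "%s %s:%d %s %s\n", status, FILENAME, FNR, $1, path
        }
    ' "$@"
}

# Constructed sample vhost (not the poster's real configuration).
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/archive/example.com/cert1.pem
    SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
    # SSLCertificateChainFile /etc/ssl/old-chain.pem
    sslcertificatechainfile /etc/ssl/certs/chain.pem
</VirtualHost>
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_cert_paths "$conf"
rm -f "$conf"
```

On Ubuntu's default Apache layout the same function can be run over the enabled sites, for example audit_cert_paths /etc/apache2/sites-enabled/*.conf. Any PINNED or OTHER line is a directive that will keep serving the old file after a renewal.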

My bad lol, I knew something was weird. I forgot I had added the server to the firewall for webserver protection and in turn have to add the most current certificate to the firewall as well. Basically, internally, which bypasses the protection of the firewall, it was showing the new cert, which made me realize it was only externally, and in that case the only difference there is the firewall rules, so it is now working.

Thanks for the help!
