Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: https://yourtop.news
I ran this command:
It produced this output:
My web server is (include version): apache 2.4
The operating system my web server runs on is (include version):
Let's Encrypt runs on OPNsense with HAProxy
I can login to a root shell on my machine (yes or no, or I don't know): no
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
When I check the certificate it is renewed, but when I browse the page it finds the old one.
Are you restarting haproxy after issuing/renewing the cert?
Yes, I restarted the whole firewall and it is the same.
Do you make a copy of the renewed cert for haproxy? If so, could you have forgotten to update the copy?
I don't understand what's happening here. What do you do when you "browse page", and how does it "find old one"? How is haproxy on your OPNsense box related to what you're seeing when you "browse page"?
You can check it yourself at http://yourtop.news, because I am confused here.
How is it related to OPNsense? On OPNsense, Let's Encrypt is installed with all the certificates for different web pages on different servers. There is only one external IP for multiple sites.
Can we see the output of?:
apachectl -t -D DUMP_VHOSTS
Yes, as I said, the certificate expired, but in OPNsense it is renewed and valid.
This is on the server where the web page is.
*:80 is a NameVirtualHost
default server phpmyadmin.yourtop.news (/etc/httpd/conf.d/phpMyAdmin.conf:7)
port 80 namevhost phpmyadmin.yourtop.news (/etc/httpd/conf.d/phpMyAdmin.conf:7)
port 80 namevhost mail.yourtop.news (/etc/httpd/conf.d/roundcubemail.conf:11)
port 80 namevhost yourtop.news (/etc/httpd/conf.d/yourtopnews.conf:1)
Where does port 443 go?
[ I just noticed that Apache is only serving port 80 ]
Yes, Apache serves only port 80. Below is the Apache config.
Port 80 is redirected in HAProxy to port 443, and it should take the certificate from Let's Encrypt in OPNsense.
Alias /yourtopnews "/var/www/html/yourtop"
CustomLog "logs/yourtop.news.access_log" combined
Allow from all
What I meant was:
If there is a NAT device, where do the inbound port 443 connections go?
[ I see that the port 80 connections go to
What it sounds like OP is describing is that HAProxy is running on his OPNsense box. It's handling TLS termination for (apparently) more than one website and acting as a reverse proxy to those sites.
Yes, and that worked until the certificate expired. Now I am stuck and don't know what can be wrong: HAProxy? ACME? Or something in the firewall or port forward?
Have you checked your haproxy config for the cert location or file name?
I understand HAProxy terminates the SSL connection, so it would need a cert for that. I saw this blog post on the HAProxy site. Perhaps its config is using your older cert?
OK, thank you, I will check this. But I still don't know why this worked before the certificate expired.
Because something in your system is still sending out the expired cert.
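A way to pin down which side is stale, as an added example that is not part of the original thread and not code from OPNsense or HAProxy: a stdlib-only Python script that fetches the leaf certificate the site actually serves for the SNI name and compares its SHA-256 fingerprint and notAfter with the leaf in the PEM file that HAProxy's bind line loads (`crt`). The host name and file path are assumed command-line arguments; the certificates built by `constructed_cert` in the offline demo are fixtures with empty names and a placeholder key, not real certificates.

```python
"""Compare the certificate a TLS endpoint serves with a PEM file on disk.
Added example, not from the original post or from OPNsense/HAProxy.
Host and PEM path are assumed CLI arguments: python3 certcheck.py HOST FILE"""
import base64
import hashlib
import re
import socket
import ssl
import sys
from datetime import datetime, timezone

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_bytes):
    """Every certificate in a PEM file as DER, in file order (a chain file has the leaf first)."""
    return [base64.b64decode(b"".join(body.split())) for body in PEM_CERT.findall(pem_bytes)]


def der_to_pem(der):
    """Wrap one DER certificate in PEM armour (used by the offline demo and tests)."""
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    """SHA-256 fingerprint in the colon form `openssl x509 -noout -fingerprint -sha256` prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def _tlv(buf, pos):
    """Tag, header length and content length of the DER element at pos (no indefinite lengths in DER)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def not_after(der):
    """notAfter of a DER certificate: Certificate > tbsCertificate > validity > notAfter."""
    _, h, _ = _tlv(der, 0)             # Certificate SEQUENCE
    pos = h
    _, h, _ = _tlv(der, pos)           # tbsCertificate SEQUENCE
    pos += h
    tag, h, ln = _tlv(der, pos)
    if tag == 0xA0:                    # optional [0] EXPLICIT version
        pos += h + ln
    for _ in range(3):                 # serialNumber, signature, issuer
        _, h, ln = _tlv(der, pos)
        pos += h + ln
    _, h, _ = _tlv(der, pos)           # validity SEQUENCE
    pos += h
    _, h, ln = _tlv(der, pos)          # notBefore: skip
    pos += h + ln
    tag, h, ln = _tlv(der, pos)        # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    text = der[pos + h:pos + h + ln].decode("ascii")
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def served_leaf(host, port=443, timeout=5):
    """DER of the leaf certificate presented for `host` via SNI; validation is off on purpose
    so an expired or mismatched certificate is returned instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(file_der, served_der, now=None):
    """Is the served leaf byte-identical to the file's leaf, and is the served one expired?"""
    now = now or datetime.now(timezone.utc)
    served_exp = not_after(served_der)
    return {"file_fingerprint": fingerprint(file_der), "served_fingerprint": fingerprint(served_der),
            "file_not_after": not_after(file_der).isoformat(), "served_not_after": served_exp.isoformat(),
            "match": file_der == served_der, "served_expired": served_exp < now}


def _der(tag, body):
    """Minimal DER TLV encoder for the constructed fixture."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def constructed_cert(not_after_utc):
    """Constructed fixture: structurally a Certificate (unsigned, empty names, placeholder key)
    so the walker and fingerprint can be exercised offline. Not a usable certificate."""
    utc = lambda s: _der(0x17, s.encode("ascii"))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                   # [0] version v3
           + _der(0x02, b"\x01")                                              # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
           + _der(0x30, b"")                                                  # issuer (empty Name)
           + _der(0x30, utc("240101000000Z") + utc(not_after_utc))            # validity
           + _der(0x30, b"") + _der(0x30, b""))                               # subject, SPKI placeholder
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    if len(sys.argv) == 3:                      # live check: HOST and the PEM file HAProxy's `crt` names
        with open(sys.argv[2], "rb") as f:
            report = compare(pem_to_ders(f.read())[0], served_leaf(sys.argv[1]))
    else:                                       # offline demo: renewed file, stale served copy
        report = compare(constructed_cert("351231235959Z"), constructed_cert("240301000000Z"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Reading the result: if the file's notAfter is the new date but the served fingerprint differs and is expired, HAProxy is still holding the old certificate, either because it was not reloaded after the file changed or because its `crt` points at a different file than the one the ACME client rewrote (HAProxy reads certificate files at startup and reload, not on every connection). If the file itself still shows the old notAfter, the renewal never reached the file HAProxy loads, and the deploy step on the OPNsense side is the thing to fix. The same served-side data can be read with `openssl s_client -connect yourtop.news:443 -servername yourtop.news` piped into `openssl x509 -noout -fingerprint -sha256 -enddate`.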
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.