Certificate renewed but Apache still serving the expired certificate to browser

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: choclairs.com

I ran this command: sudo certbot --force-renewal -d choclairs.com && sudo certbot certificates

It produced this output:


Found the following certs:
Certificate Name: choclairs.com
Domains: choclairs.com
Expiry Date: 2022-08-28 13:35:57+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/choclairs.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/choclairs.com/privkey.pem


My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 20.04.3 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Please don't use that option, especially if you don't know what it does or if you don't know when to use it.

Now you've issued 5 certificates yesterday and you're rate limited. You've managed to waste Let's Encrypt resources in doing so. Please don't do that.

Have you reloaded your webserver?


Thank you, I will not use that option in the future.

I didn't use --force-renewal initially; I used this option only at the end.

I ran this command in my first renewal attempt: sudo certbot renew --apache -d choclairs.com

Yes, I reloaded the webserver, but no luck in loading the renewed certificate.

That was unnecessary, as the certbot certificates output would have already proven successful renewal. To force that again and again wouldn't change anything, so why do it?

Could you please share the output of the following command:

sudo apachectl -t -D DUMP_VHOSTS

Also, unless you have managed to also delete those five certs, you should still have them (or, at least, still have the last one issued).

Please also show the output of:
certbot certificates


ubuntu@ip-XX-XX-XX-XXX:~$ sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  choclairs.com (/etc/apache2/sites-enabled/choclairs-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server ip-XX-XX-XX-XXX.ap-south-1.compute.internal (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost ip-XX-XX-XX-XXX.ap-south-1.compute.internal (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost choclairs.com (/etc/apache2/sites-enabled/choclairs.conf:1)
                 alias www.choclairs.com

No, I didn't delete the newly issued certificates.

ubuntu@ip-XX-XX-XX-XX:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: choclairs.com
Domains: choclairs.com
Expiry Date: 2022-08-28 13:35:57+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/choclairs.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/choclairs.com/privkey.pem


Just noticed:

Two names:

One name:

Also, one name:

Do you need to cover both names?


Also noticed four different IPs:

Name:      choclairs.com
Addresses: 13.248.193.178
           76.223.8.95

Name:      www.choclairs.com
Addresses: 2a05:d018:642:4300::a
           54.154.35.170

No. Initially we thought of covering both www & non-www.

Certs only cover non-www and were generated for: choclairs.com

www.choclairs.com is mentioned as ServerAlias in apache conf.

OK, even for the single/base name, I see two IPs:

Are both IPs reaching the same server?


Yes, both reach the same server.

Please show:
ps -ef | grep -i apache | grep -v grep


ubuntu@ip-XX-XX-XX-XX:~$ ps -ef | grep -i apache | grep -v grep
root 565248 1 0 17:02 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 565249 565248 0 17:02 ? 00:00:09 /usr/sbin/apache2 -k start
www-data 565250 565248 0 17:02 ? 00:00:07 /usr/sbin/apache2 -k start

That output looks correct.

Please show this file:
  • /etc/apache2/sites-enabled/choclairs-le-ssl.conf

<VirtualHost *:443>
    ServerName choclairs.com
    ServerAlias www.choclairs.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/choclairs.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/choclairs.com/privkey.pem
</VirtualHost>

What command did you use to reload Apache? And what was the output?


Hey guys,
Thank you for the time and effort you have all dedicated to understanding the root cause of the issue and providing a suitable solution.

I have found the issue. Our architecture is deployed in AWS and designed as: Web Traffic -> Global Accelerator -> Load Balancer -> Web Server

The previously issued SSL certificate (which had expired) was imported into AWS ACM, and traffic is routed through the load balancer's HTTPS listener using the imported ACM certificate.
We assumed that we had changed the architecture and deactivated SSL termination at the load balancer & ACM, but unfortunately we hadn't, which created total confusion.

Now we have reimported the updated (renewed) certificate, and the browser has started loading the new certificate with the updated validity.

Apologies for the inconvenience.

Thank you.
Cheers!

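The root cause above (a TLS terminator in front of Apache serving its own copy of the certificate) can be spotted in a minute by comparing the certificate the public address actually serves with the file Certbot wrote, before reloading or re-issuing anything. The script below is an added example and was not posted in the thread; it assumes openssl is installed on the host you run it from, uses the two addresses nslookup reported for choclairs.com earlier in the thread, and connects to each IP separately because a name that resolves to several addresses may be fronted by different listeners.

```shell
#!/bin/sh
# Added example (not from the thread): compare the leaf certificate a public
# endpoint serves with the leaf in the local fullchain.pem. A mismatch means
# something other than this Apache (load balancer, CDN, accelerator) is
# terminating TLS, and reloading Apache cannot fix what the browser sees.
set -eu

DOMAIN="${DOMAIN:-choclairs.com}"
LOCAL_CHAIN="${LOCAL_CHAIN:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf served at <ip>:443 when the client sends
# SNI for $DOMAIN. Connecting to an explicit IP instead of the name lets you
# test each address behind the name on its own.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$DOMAIN" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# notAfter of the served leaf, to see the expiry the browser complains about.
served_notafter() {
    openssl s_client -connect "$1:443" -servername "$DOMAIN" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2
}

# Pure comparison, kept network-free so it can be checked on its own.
# Prints "same" or "DIFFERENT"; returns 0 only when the fingerprints match.
compare_fingerprints() {
    if [ "$1" = "$2" ]; then echo same; return 0; fi
    echo DIFFERENT; return 1
}

check_endpoint() {
    want=$(file_fingerprint "$LOCAL_CHAIN")
    got=$(served_fingerprint "$1")
    printf '%s: local=%s served=%s (expires %s) -> ' "$1" "$want" "$got" "$(served_notafter "$1")"
    compare_fingerprints "$want" "$got" || true
}

# Usage: CHECK_IPS="13.248.193.178 76.223.8.95" sh check-served-cert.sh
# (those are the addresses nslookup returned for choclairs.com in the thread)
if [ -n "${CHECK_IPS:-}" ]; then
    for ip in $CHECK_IPS; do check_endpoint "$ip"; done
fi
```

If every address prints "same", the problem really is local to Apache (wrong vhost, no reload, a second apache2 instance); if any prints "DIFFERENT", go looking for whatever owns that address, which in this thread was the load balancer listener with an ACM-imported copy of the old certificate.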

Can you perhaps script that update process? If so, you could have that script run as a --deploy-hook in Certbot.

sudo systemctl reload apache2
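One way to script the re-import suggested above, as an added example that is not from the thread: a Certbot deploy hook that pushes the renewed files into the existing ACM certificate so the load balancer listener that references it starts serving the new one. It assumes the AWS CLI is installed on the web server with credentials allowed acm:ImportCertificate; ACM_CERT_ARN is a placeholder you must replace with the ARN of the certificate the listener uses, and AWS_REGION must be the region of the load balancer's ACM certificate (ap-south-1 is assumed here from the hostnames in the thread). Certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS to deploy hooks, which is what the script reads.

```shell
#!/bin/sh
# Added example (not from the thread): Certbot --deploy-hook that re-imports
# a renewed Let's Encrypt certificate into an existing AWS ACM certificate.
# Re-importing with --certificate-arn replaces the certificate in place, so
# every listener already bound to that ARN picks up the renewal.
set -eu

# Placeholders: set these for your account before installing the hook.
ACM_CERT_ARN="${ACM_CERT_ARN:-arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER}"
AWS_REGION="${AWS_REGION:-ap-south-1}"
AWS="${AWS:-aws}"   # overridable so the import command can be dry-run

# ACM wants the leaf, the unencrypted private key and the intermediates
# (chain.pem, not fullchain.pem, which repeats the leaf). Refuse to run for a
# lineage that does not have all three readable.
lineage_complete() {
    for f in cert.pem privkey.pem chain.pem; do
        [ -r "$1/$f" ] || return 1
    done
    return 0
}

# Import one lineage directory into the ACM certificate identified by the ARN.
import_renewed() {
    lineage="$1"
    if ! lineage_complete "$lineage"; then
        echo "deploy-hook: $lineage is missing cert.pem/privkey.pem/chain.pem" >&2
        return 1
    fi
    "$AWS" acm import-certificate \
        --region "$AWS_REGION" \
        --certificate-arn "$ACM_CERT_ARN" \
        --certificate "fileb://$lineage/cert.pem" \
        --private-key "fileb://$lineage/privkey.pem" \
        --certificate-chain "fileb://$lineage/chain.pem"
}

# Certbot only runs deploy hooks after a successful renewal and sets
# RENEWED_LINEAGE then; with it unset (manual run) nothing is imported.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    echo "deploy-hook: renewed ${RENEWED_DOMAINS:-?}, importing $RENEWED_LINEAGE into ACM"
    import_renewed "$RENEWED_LINEAGE"
fi
```

Install it executable under /etc/letsencrypt/renewal-hooks/deploy/ and certbot renew will run it after each successful renewal without further flags; alternatively pass it explicitly with --deploy-hook. A dry run is possible by setting AWS=echo, which prints the exact import command instead of executing it. The listener keeps serving the ACM copy, so Apache's own reload only matters for direct connections that bypass the load balancer.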