Expired Let's Encrypt certificate being randomly served by Apache

My domain is: https://loyalengine.com

I ran this command: certbot certificates

It produced this output:

Following certs:
Certificate Name: loyalengine.com
Domains: loyalengine.com www.loyalengine.com
Expiry Date: 2022-10-19 01:44:16+00:00 (VALID: 53 days)
Certificate Path: /etc/letsencrypt/live/loyalengine.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/loyalengine.com/privatekey.pem

My web server is (include version): Tomcat 9.0.26

Operating system: Ubuntu 18.04 (LTS) x64

Provider: Digital Ocean

Root login: Yes, I can

Control panel: None. Just using FileZilla.

Output of certbot --version: 0.31.0

Other things: crt.sh | loyalengine.com (The certificate which expired on 2022-08-15 gets served to clients every other time).
If you refresh my domain in Chrome or Safari, sometimes you'll receive the expired certificate with a warning that my site isn't safe.

Important to remember: since 2019 (3 years ago), I haven't had such an issue. It only started appearing last week.

I have gone through other similar posts with no help. Reloading Apache2 didn't help either. Forcing Certificate Renewal doesn't help either.

Thanks in advance


Hi @edward777, and welcome to the LE community forum :)

Please show the output of:
ps -ef | grep -Ei 'apache|http|nginx' | grep -v grep


@rg305 This is the output. Thanks


The output looks good - all Apache processes are being handled by the same PID [30807].

I can't replicate your findings.
I tried combinations of:

  • base domain & www
  • IPv4 & IPv6
  • HTTP & HTTPS

I can:

$ openssl s_client -connect loyalengine.com:443 -showcerts 2>/dev/null | openssl x509 -noout -dates | grep notAfter
notAfter=Oct 19 01:44:16 2022 GMT
^C

$ openssl s_client -connect loyalengine.com:443 -showcerts 2>/dev/null | openssl x509 -noout -dates | grep notAfter
notAfter=Aug 15 21:21:24 2022 GMT

Try:

  1. Stop Apache
  2. Check for any remaining apache2 processes and kill -9 them.
  3. Start Apache

@_az would "sudo service apache2 restart" have the same effect?

This isn't my expertise, that's why I asked :)

Thanks again


The problem is that very rarely, one of the Apache processes gets orphaned, and using service apache2 restart doesn't kill it.

You can try:

  1. systemctl stop apache2
  2. killall -9 apache2
  3. systemctl start apache2
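Two things in this thread are worth scripting: the repeated openssl s_client probe that caught the two different notAfter values, and the stop / kill leftovers / start sequence above. The following is an added example, not code posted by anyone in the thread. It samples the served leaf certificate N times and reports the distinct expiry dates seen (one line means consistent, more than one means some connections are hitting a stale process), and it lists apache2 processes that are not children of the expected master PID, which is how an orphaned worker tree from an earlier instance shows up in `ps -eo pid,ppid,comm`. The hostname, master PID and the constructed ps listing in the comments are assumptions for illustration; `hard_restart_apache` needs root and is only meant to be run on the affected host.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes openssl, awk, pgrep,
# killall and systemctl are available; hostnames and PIDs are illustrative.

# Collapse a stream of "notAfter=..." lines into distinct values with counts.
# A healthy server yields exactly one line; a server with a stale worker
# still holding the old certificate yields two.
distinct_not_after() {
    grep '^notAfter=' | sort | uniq -c | sort -rn
}

# Fetch the served leaf certificate's expiry N times from HOST:PORT.
# -servername sends SNI so a name-based vhost returns its own cert;
# </dev/null makes s_client exit instead of waiting for input.
sample_served_cert() {
    host=$1; port=${2:-443}; n=${3:-20}
    i=0
    while [ "$i" -lt "$n" ]; do
        openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
            | openssl x509 -noout -enddate 2>/dev/null
        i=$((i + 1))
    done | distinct_not_after
}

# Read `ps -eo pid,ppid,comm` output on stdin and print the PIDs of every
# apache2 process that is neither the expected master (MASTER) nor one of
# its direct children. With a single healthy tree this prints nothing; a
# leftover tree from an earlier instance (its own master reparented to
# PID 1, plus its workers) is listed in full.
orphan_apache_workers() {
    master=$1
    awk -v master="$master" '$3 == "apache2" && $1 != master && $2 != master { print $1 }'
}

# The procedure from the thread, with a check between stop and start:
# anything still named apache2 after `systemctl stop` is a leftover that
# the unit did not own, so it is shown and then killed before starting.
hard_restart_apache() {
    systemctl stop apache2
    if pgrep -x apache2 >/dev/null; then
        echo "apache2 processes survived the stop:"
        pgrep -x apache2
        killall -9 apache2
    fi
    systemctl start apache2
}

# Constructed ps listing (assumed, not from the thread) showing a healthy
# master 30807 with two workers and an orphaned tree rooted at 4123:
#   PID  PPID COMMAND
# 30807     1 apache2
# 30810 30807 apache2
# 30811 30807 apache2
#  4123     1 apache2
#  4130  4123 apache2
# `orphan_apache_workers 30807` on that input prints 4123 and 4130.

# Usage on the affected host (assumed hostname):
#   sample_served_cert loyalengine.com 443 30
#   ps -eo pid,ppid,comm | orphan_apache_workers "$(systemctl show -p MainPID --value apache2)"
#   sudo sh -c '. ./thisfile.sh; hard_restart_apache'
```

The probe uses `-enddate`, which prints the same `notAfter=` line as `-dates | grep notAfter`, and sends SNI explicitly; without `-servername` a name-based vhost can hand back a different certificate than a browser would see, which would be a false positive unrelated to the orphaned-process problem.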

@_az thank you very much.
For now all browsers (Chrome and Safari) are picking up the new certificate. I have refreshed them over 30 times (yes, thirty) without any issue.
This issue is resolved.

