Inconsistent SSL Issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mbaglue.com

I ran this command: certbot certificates

It produced this output:

 Found the following certs:
  Certificate Name: mbaglue.com
    Domains: mbaglue.com www.mbaglue.com
    Expiry Date: 2021-06-25 02:59:14+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/mbaglue.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mbaglue.com/privkey.pem

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Certbot 0.40.0

Issue:

If you visit my site via Chrome or a few browsers, on certain visits it shows that the certificate is invalid. This is further reconfirmed through third-party sites like digicert.com/help.

However, if I run certbot certificates on my server, it says that my cert is not up for renewal. It seems like there are two certificates and the browser picks up one of these at a time. How do I sort this?

The browser will use the certificate presented by the webserver, which is the expired certificate.

The fact certbot shows a valid certificate does not always mean this is also used by the webserver. It depends on how you installed the certificate in the first place (which "installer" plugin was used, if any, or how the certificate was installed in the webserver if not done by an "installer" plugin and/or the use of a --deploy-hook to reload the webserver, if necessary) what needs to be done.

To the best of my memory, I didn't use any installer plugin.

What's the best way for me to locate the expired certificate on the server and delete it?

If you manually installed the certificate into your webserver, it depends on how you did that. Did you link directly to the files in the /etc/letsencrypt/live/ directory in your configuration file? If so, it would be enough to just reload your webserver so it picks up the current and valid one. If not, then it depends on how you did link to the certificate in your configuration file.

That's not the correct method of fixing this issue. Deleting the expired certificate would mean your webserver's configuration becomes invalid.

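The check described in the reply above (does each vhost point into /etc/letsencrypt/live/ or at some other file, and has that file expired?), as an added example that is not part of the original thread. The function name `audit_cert_paths` is hypothetical, and the default directory /etc/apache2/sites-enabled is an assumption for Apache on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the thread). audit_cert_paths is a hypothetical helper.
# Usage: audit_cert_paths [APACHE_CONF_DIR] [LETSENCRYPT_LIVE_DIR]
# Prints one tab-separated row per SSLCertificateFile directive:
#   origin (live|copy)  state (valid|expired|missing)  cert path  config file
audit_cert_paths() (
    # Assumed defaults: Apache on Ubuntu and certbot's standard layout.
    conf_dir="${1:-/etc/apache2/sites-enabled}"
    live_dir="${2:-/etc/letsencrypt/live}"

    # -R follows the sites-enabled symlinks; the pattern skips commented lines.
    grep -RHiE '^[[:space:]]*SSLCertificateFile[[:space:]]+' "$conf_dir" 2>/dev/null |
    sort |
    while IFS= read -r hit; do
        file="${hit%%:*}"
        path="$(printf '%s\n' "${hit#*:}" | awk '{print $2}' | tr -d '"')"

        # Paths under live/ are symlinks certbot repoints on every renewal.
        case "$path" in
            "$live_dir"/*) origin="live" ;;
            *)             origin="copy" ;;
        esac

        if [ ! -r "$path" ]; then
            state="missing"
        # -checkend 0 exits 0 only if the certificate has not yet expired.
        elif openssl x509 -checkend 0 -noout -in "$path" >/dev/null 2>&1; then
            state="valid"
        else
            state="expired"   # also reached if the file is not a PEM certificate
        fi
        printf '%s\t%s\t%s\t%s\n' "$origin" "$state" "$path" "$file"
    done
)
```

Rows marked `copy` point outside certbot's live directory, so a renewal does not update those files. More than one row for the same site means more than one vhost is serving a certificate for it.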
