Letsencrypt obsolete "Ghost" certificate online

Hi everybody. I created an account to ask my question because I have no more ideas. I don't know if I'm in the right place; excuse me in advance. This is my first message.

My domain is OK: madeinmarseille.net
The cert is OK, but I have a "ghost" certificate online, serial "04775b4497e4362a2c807c5dc410103c0c6e", which expired April 9.

I say "ghost" because it isn't referenced by Certbot, which knows only
my 2 official, functional current certificates:
Serial Number: 468e7.....e0f4e0
and the valid current certificate for madeinmarseille.net:
Serial Number: 4e67ae882401e5d829023dd6a053fc32ffb
Expiry Date: 2022-08-07 06:31:14+00:00 (VALID: 88 days)

90% of certificate checks return OK with the new cert. 10% come back obsolete with the ghost cert!
Tested with 3 OSes, 4 machines and 4 web browsers (Chrome, FF, Opera, Edge). Same results.
The ghost cert comes back after a random number of clicks and page views.

I tried to "renew" it; impossible, because it doesn't exist.
I tried to "delete" the new cert with the same name... but unfortunately, https://www.ssllabs.com/ still sees the old cert, which sends the "obsolete" message.

Can I delete a cert by serial number? (I see of course "--cert-name", but I don't see "--cert-[id]" in the man page.)
What's the secret!?

certbot --version ----> certbot 1.27.0
Debian Lenny with root access

Thanks in advance

Well, you're not crazy, I can see that happening too:

$ openssl s_client -connect madeinmarseille.net:443 -showcerts 2>/dev/null | openssl x509 -noout -subject -serial
subject= /CN=madeinmarseille.net
serial=0375D757472577FDC1EE5445019E3FC50FA1

$ openssl s_client -connect madeinmarseille.net:443 -showcerts 2>/dev/null | openssl x509 -noout -subject -serial
subject= /CN=madeinmarseille.net
serial=04775B4497E4362A2C807C5DC410103C0C6E

$ openssl s_client -connect madeinmarseille.net:443 -showcerts 2>/dev/null | openssl x509 -noout -subject -serial
subject= /CN=madeinmarseille.net
serial=0375D757472577FDC1EE5445019E3FC50FA1

We've had a couple of users report the same issue over the years.

My theory is that something (rarely) goes wrong with Apache reloading, after certificate renewal. Your server ends up with orphaned Apache processes which are still holding onto the old certificate "in memory", even though the certificate has since been deleted from the file system.

Solving this can most simply be done by rebooting your server.

To do so without a reboot, you will want to stop Apache, then kill off any orphaned Apache processes, and then start Apache:

service apache2 stop
killall -9 apache2
service apache2 restart

I sure hope not :laughing:.

5 Likes
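The two checks the reply above relies on, repeated sampling of the served certificate and a look for Apache workers that have lost their control process, as a small added script (not from the thread or from Certbot). Host, port and sample count are assumptions passed in by the caller; the `ps` layout it parses and the root-control-process / non-root-worker split it uses to spot orphans are assumptions about a standard Debian Apache install.

```sh
#!/bin/sh
# Added example, not from the thread. Two checks for the symptom described above:
#  1. sample the leaf certificate serial a server presents across many connections
#     and report whether more than one distinct serial shows up;
#  2. list apache2 worker processes that look orphaned (re-parented to PID 1 while
#     running as the unprivileged worker user), which are the processes the reply
#     suggests are still serving the deleted certificate from memory.

# Print the serial of the leaf certificate served for host $1 on port $2.
# -servername sends SNI so a name-based vhost returns the certificate for that name.
sample_serial() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -serial 2>/dev/null \
        | sed 's/^serial=//'
}

# Sample $3 times (default 20) and print one serial per line.
collect_serials() {
    host=$1; port=${2:-443}; n=${3:-20}; i=0
    while [ "$i" -lt "$n" ]; do
        sample_serial "$host" "$port"
        i=$((i + 1))
    done
}

# Read serials on stdin; print "count serial" for each distinct value, then
# return 0 when exactly one serial was seen and 1 when the server is flapping.
check_serials() {
    summary=$(grep -v '^$' | sort | uniq -c | sort -rn)
    printf '%s\n' "$summary"
    [ "$(printf '%s\n' "$summary" | grep -c .)" -eq 1 ]
}

# Read `ps -eo pid,ppid,user,comm` output on stdin and print the PIDs of
# apache2/httpd processes whose parent is PID 1 but which do not run as root.
# The root-owned control process legitimately has PID 1 as its parent; an
# unprivileged worker re-parented to PID 1 has lost its control process and is
# a stale worker. Heuristic: assumes the usual root control / www-data worker split.
orphaned_apache_pids() {
    awk 'NR > 1 && $2 == 1 && $3 != "root" && ($4 == "apache2" || $4 == "httpd") { print $1 }'
}

# Live check against the running system.
find_orphans() {
    ps -eo pid,ppid,user,comm | orphaned_apache_pids
}

# Usage (live; nothing runs unless asked for):
#   sh cert-flap.sh check HOST [PORT] [N]   -> samples the served serial N times
#   sh cert-flap.sh orphans                 -> lists suspect apache2 workers
case "${1:-}" in
    check)   collect_serials "$2" "${3:-443}" "${4:-20}" | check_serials ;;
    orphans) find_orphans ;;
esac
```

Run the `check` mode before and after the stop/kill/start sequence from the reply: if it still reports two serials after Apache is back up, the stale copy is not an orphaned worker. The `orphans` mode shows which processes `killall -9 apache2` would hit; after `service apache2 stop`, anything `pgrep -x apache2` still lists is by definition a straggler, so killing only those PIDs is a narrower alternative to `killall`.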

I suppose there is a bug with the certbot conf...
That's my third or fourth reboot...
Thanks

1 Like

You still see the certificate randomly changing after a server reboot?

If so, I'd be interested to see the output of:

apachectl -t -D DUMP_VHOSTS

6 Likes