Old certificate still verified after setting up Let's Encrypt


First of all I would like to thank you for the Let's Encrypt project. I was using a Comodo SSL certificate; five days ago I decided to change to Let's Encrypt. To set up SSL I use Webmin/Virtualmin as it is installed on my VPS server (Ubuntu 15, 64 bit).
On the Webmin panel I can see the private key file (/etc/webmin/letsencrypt-key.pem), the certificate file (/etc/webmin/letsencrypt-cert.pem) and also the additional certificate file (/etc/webmin/letsencrypt-ca.pem).

Everything looks okay, but when I open my website in Mozilla Firefox I can still see "verified by Comodo CA".

Did you restart your web server (Apache or nginx probably)? Webmin might not have done it for you, but it should have a button for doing so.

Yes I did (it is Apache), and I also restarted the VPS.

Hi, I have the exact same problem. Chrome is still saying “Comodo delivered certificate” even though in my Apache vhost configuration files everything is Let's Encrypt related, and I did a reload of the Apache configuration.

Does anyone know what we have to do so that the old certificate is not still active? Is it a matter of a browser-local certificate cache per domain?

No, there is absolutely no such thing as that. :slight_smile: In the TLS technology, every single connection is a new cryptographic session, with a fresh presentation of certificates and a fresh use of cryptographic keys. (except for something called TLS session resumption, which shouldn't be relevant here)

I would suggest doing

grep -r SSLCert /etc/apache2

to see if you can find certificate-related directives that you weren't aware of. (Or, is it possible that you have a reverse proxy or CDN or something that you weren't aware of, so that your Apache program isn't what's actually directly speaking HTTPS to site visitors?)


You don’t use CloudFlare do you?

If you use CloudFlare’s CDN service, they intercept your SSL connections, so you would see a Comodo certificate from them when visiting your site, and your Let’s Encrypt certificate would only be used to secure the connection between CloudFlare and your origin server. CloudFlare obtains this certificate for you; it would be unrelated to any Comodo certificate you might have obtained.

You could turn off the orange cloud in the DNS tab of their admin panel if you wanted to reveal your origin server and the certificate on it. Or on their Security tab, make sure SSL is set to “Full SSL (Strict)” and you’ll then get a CloudFlare error page when visiting your site if your Let’s Encrypt certificate is not properly configured.

Hi schoen,
I was able to figure it out. You were right. My setup is CentOS 7 + Apache 2.4, and there is a /etc/httpd/conf.d/ssl.conf file which defines a <VirtualHost _default_:443> block, and inside of it there was a certificate declaration like the one in the vhost files.

As I'm not sure what this _default_:443 is for, I decided to leave this certificate definition in place and change the certificate details to one of the domains that point to the server. Despite this default configuration, I get the right Let's Encrypt certificate (I can tell which one it is with the help of the exact registration time) for each of my domains.

I will keep in mind that every connection is a fresh start in the TLS layer :slight_smile:

Thank you for your help!
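As an added example (not code from this thread), a small POSIX shell helper that does what schoen's grep suggestion does more systematically: it walks an Apache config tree, records which <VirtualHost> each SSLCertificate*File directive sits in, and lists the vhosts whose SSLCertificateFile is not the expected Let's Encrypt certificate. That is exactly how a leftover certificate in a _default_:443 block in ssl.conf, as found above, would show up. The config directory and expected certificate path are arguments; the paths in the usage comment are assumptions.

```sh
#!/bin/sh
# List every SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile
# directive under an Apache config tree, tagged with the <VirtualHost> it lives in.
# Output: one tab-separated line per directive: file, vhost, directive, path.
# Assumption: the tree consists of plain *.conf files (Include lines are not followed).
list_ssl_certs() {
  conf_dir="$1"
  find "$conf_dir" -type f -name '*.conf' | sort | while read -r f; do
    awk -v file="$f" '
      { low = tolower($0) }
      # Entering a <VirtualHost ...> block: remember its address (e.g. _default_:443)
      low ~ /^[[:space:]]*<virtualhost[[:space:]]/ {
        vh = $0
        sub(/^[[:space:]]*<[Vv]irtual[Hh]ost[[:space:]]+/, "", vh)
        sub(/[[:space:]]*>.*$/, "", vh)
      }
      # Leaving the block: directives after this are global again
      low ~ /^[[:space:]]*<\/virtualhost>/ { vh = "" }
      # Any certificate-related directive, with optional quotes stripped from the path
      low ~ /^[[:space:]]*sslcertificate(key|chain)?file[[:space:]]/ {
        path = $2; gsub(/"/, "", path)
        printf "%s\t%s\t%s\t%s\n", file, (vh == "" ? "(global)" : vh), $1, path
      }
    ' "$f"
  done
}

# Print every vhost whose SSLCertificateFile is NOT the certificate you expect to serve.
# Usage (assumed paths): vhosts_not_using /etc/apache2 /etc/webmin/letsencrypt-cert.pem
vhosts_not_using() {
  conf_dir="$1"; expected="$2"
  list_ssl_certs "$conf_dir" | awk -F'\t' -v want="$expected" '
    $3 == "SSLCertificateFile" && $4 != want { print $2 " in " $1 " -> " $4 }'
}
```

An empty result from vhosts_not_using means every SSL vhost in the tree points at the expected certificate; anything it prints is a block Apache may still serve the old certificate from.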
