Apache cached old ssl certificate


Solution 1

Run this function as root on your linux server:

apachectl graceful

Works for me on Debian. If that is not working you can try the parameter -k:

apachectl -k graceful

Error message in Dutch Chrome: Fout met SSL-verbinding

Error message in English Chrome: Error with SSL connection

Solution 2

I've been struggling with this for hours; the problem for me was that there were multiple Apache instances running and "service apache restart" didn't stop them, and they were serving the old certificate.

The solution was:

service apache2 stop
pkill apache2
service apache2 start
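Both answers restart Apache, and the asker's own test (connecting from a different machine and looking at which certificate comes back) is the right way to confirm the restart actually took effect. The following Python is an added example, not code from either answer: it fetches the leaf certificate a host:port presents, computes its SHA-256 fingerprint with the standard library only, and compares it with the fingerprint of the file named in SSLCertificateFile. The host, port, file path and optional SNI name are command-line arguments (assumed usage, not from the page); the `openssl s_client`-style output at the bottom is a constructed sample, not a real certificate, so the parsing part can be exercised offline.

```python
"""Compare the certificate a TLS endpoint actually presents with the certificate
file Apache is configured to use (stdlib only, no openssl binary needed)."""
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first CERTIFICATE block in pem_text. Works on a .crt file
    and on pasted `openssl s_client -showcerts` output (first block = leaf)."""
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the format browsers and openssl show."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_fingerprint(pem_text: str) -> str:
    return sha256_fingerprint(pem_to_der(pem_text))


def file_fingerprint(path: str) -> str:
    with open(path, encoding="ascii") as fh:
        return pem_fingerprint(fh.read())


def served_cert_der(host: str, port: int, server_name: str = None, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate the server presents. Verification is disabled
    on purpose: the point is to see the certificate even when it is the old
    self-signed one that a verifying client would reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname sets SNI; pass the site name so a name-based vhost can match
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            return tls.getpeercert(binary_form=True)


def served_matches_file(host: str, port: int, cert_path: str, server_name: str = None):
    """(match?, served fingerprint, on-disk fingerprint) for host:port vs cert_path."""
    served = sha256_fingerprint(served_cert_der(host, port, server_name))
    on_disk = file_fingerprint(cert_path)
    return served == on_disk, served, on_disk


# Constructed sample resembling `openssl s_client -showcerts` output. The body is
# NOT a real certificate, just bytes for exercising the parser offline.
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_SHOWCERTS = (
    "depth=0 CN = *.mysite.net\nverify error:num=18:self signed certificate\n"
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # assumed usage: python check_cert.py HOST PORT /etc/ssl/crt/STAR_mysite_net.crt [SNI-NAME]
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    sni = sys.argv[4] if len(sys.argv) > 4 else None
    ok, served, on_disk = served_matches_file(host, port, path, sni)
    print("served :", served)
    print("on disk:", on_disk)
    print("MATCH" if ok else "MISMATCH: the running Apache is not using this file")
```

Run it from a second machine, as the asker did, and again after each restart. A MISMATCH after `apachectl graceful` is the symptom of Solution 2: the process answering the port is not the one you restarted, and the SNI argument matters because Apache may pick a different virtual host (and certificate) depending on the name the client sends.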
Author: Sbx

Updated on September 18, 2022

Comments

  • Sbx
    Sbx almost 2 years

    About 2 weeks ago I bought a new wildcard SSL certificate for all of my servers, and immediately tried to set it up on a server by replacing the old self-signed certificate settings. So, I put in the new details, restarted apache, and refreshed my browser, and it's still complaining about having a self-signed SSL certificate. So I investigated further, and confirmed it's not my browser or local cache by testing it from a remote Windows server, but it is still serving the old self-signed certificate (but the chainfile has updated successfully). I even tried rebooting the server to attempt to clear apache's SSL cache or whatever is going on, but no luck there either.
    And for some crazy reason, it works fine on port 444; if I edit that site and change it to port 443, it goes back to the old certificate .... :( what's going on? It's not just port 443 that doesn't work by the way, I've tested ports 92XX (as that's what my services run on) and it gets the same errors, even after creating a new site on a new port. I also tried copying one of the sites to another (new, never had SSL before) server and it works fine there :/
    How do I clear apache's "SSL cache" or whatever is going on here (running Ubuntu 12.10 Server)?

    Configuration of one of the sites:

    <IfModule mod_ssl.c>
    <VirtualHost *:9207>
            DocumentRoot /var/www/ssl/
            <Directory />
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
            <Directory /var/www/ssl/>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride None
                    Order allow,deny
                    allow from all
            </Directory>
            ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
            <Directory "/usr/lib/cgi-bin">
                    AllowOverride None
                    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                    Order allow,deny
                    Allow from all
            </Directory>
            ErrorLog /var/log/apache2/error.log
            LogLevel warn
            CustomLog /var/log/apache2/ssl_access.log combined
            Alias /doc/ "/usr/share/doc/"
            <Directory "/usr/share/doc/">
                    Options Indexes MultiViews FollowSymLinks
                    AllowOverride None
                    Order deny,allow
                    Deny from all
                    Allow from 127.0.0.0/255.0.0.0 ::1/128
            </Directory>
            ProxyPass /tr http://localhost:9107/tr
            ProxyPassReverse /tr http://localhost:9107/tr
            SSLEngine on
            SSLCertificateFile    /etc/ssl/crt/STAR_mysite_net.crt
            SSLCertificateKeyFile /etc/ssl/crt/server.key
            SSLCertificateChainFile /etc/ssl/crt/STAR_mysite_net.ca-bundle
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                    SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                    SSLOptions +StdEnvVars
            </Directory>
            BrowserMatch ".*MSIE.*" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
    </VirtualHost>
    </IfModule>
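Apache reads certificate files only when it starts, so a certificate that changes with the port points at the virtual-host layout rather than a cache: when several SSL VirtualHosts bind the same address:port, Apache uses the first one declared for any request whose SNI name matches no ServerName or ServerAlias, so a leftover default vhost on *:443 keeps winning while a lone vhost on another port serves the new certificate. The following Python is an added example, not the asker's configuration or Apache's own tooling; it lists the SSL vhosts per address:port in declaration order and reports which certificate is the default on each. SAMPLE_CONFIG is constructed, loosely modelled on the posted vhost, and the ssl-cert-snakeoil paths are Ubuntu's default self-signed certificate and key.

```python
"""Audit an Apache configuration for TLS virtual hosts that share an
address:port: Apache serves the FIRST declared vhost's certificate on that
port whenever the client's SNI name matches no ServerName/ServerAlias."""
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)


def _strip_comments(text: str) -> str:
    """Drop '#' comment lines so commented-out directives are not picked up."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def _directive(body: str, name: str):
    """Argument of the first `name` directive in a vhost body, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.I | re.M)
    return m.group(1).strip('"') if m else None


def parse_ssl_vhosts(config_text: str) -> list:
    """Every <VirtualHost> with 'SSLEngine on', one entry per address:port it
    binds, in the order Apache reads them (declaration order decides defaults)."""
    vhosts = []
    for m in VHOST_RE.finditer(_strip_comments(config_text)):
        addr_spec, body = m.group(1), m.group(2)
        if (_directive(body, "SSLEngine") or "").lower() != "on":
            continue
        for addr in addr_spec.split():
            host, sep, port = addr.rpartition(":")
            vhosts.append({
                "address": host if sep else addr,
                "port": port if sep else "*",  # bare address means every Listen port
                "server_name": _directive(body, "ServerName"),
                "cert": _directive(body, "SSLCertificateFile"),
                "chain": _directive(body, "SSLCertificateChainFile"),
            })
    return vhosts


def default_cert_per_port(vhosts: list) -> dict:
    """Group by (address, port); the first vhost of each group is Apache's default."""
    groups = {}
    for v in vhosts:
        groups.setdefault((v["address"], v["port"]), []).append(v)
    report = {}
    for key, group in groups.items():
        report[key] = {
            "default_cert": group[0]["cert"],
            "default_server_name": group[0]["server_name"],
            "vhost_count": len(group),
            "certs_in_use": sorted({v["cert"] for v in group if v["cert"]}),
        }
    return report


# Constructed sample, loosely modelled on the vhost posted in the question. The
# first *:443 block stands for a leftover Ubuntu default-ssl site (snakeoil cert).
SAMPLE_CONFIG = """
# comment lines are ignored by the parser
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
<VirtualHost *:443>
    ServerName www.mysite.net
    DocumentRoot /var/www/ssl/
    SSLEngine on
    SSLCertificateFile    /etc/ssl/crt/STAR_mysite_net.crt
    SSLCertificateKeyFile /etc/ssl/crt/server.key
    SSLCertificateChainFile /etc/ssl/crt/STAR_mysite_net.ca-bundle
</VirtualHost>
<VirtualHost *:9207>
    DocumentRoot /var/www/ssl/
    ProxyPass /tr http://localhost:9107/tr
    SSLEngine on
    SSLCertificateFile    /etc/ssl/crt/STAR_mysite_net.crt
    SSLCertificateKeyFile /etc/ssl/crt/server.key
</VirtualHost>
</IfModule>
"""

if __name__ == "__main__":
    import sys
    # assumed usage: python vhost_audit.py /path/to/merged-config (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for (addr, port), info in default_cert_per_port(parse_ssl_vhosts(text)).items():
        flag = "  <-- several vhosts; the first one wins for unmatched names" if info["vhost_count"] > 1 else ""
        print(f"{addr}:{port}: default cert {info['default_cert']} ({info['vhost_count']} vhost(s)){flag}")
```

Feed it the concatenation of every file that is actually enabled (on Debian and Ubuntu, the sites-enabled directory in the order Apache includes them) and cross-check with `apachectl -S`, which prints the parsed virtual-host list in the same order. In the sample, *:443 reports the snakeoil certificate as the default, which is exactly the "old self-signed certificate on 443, new one on the other port" pattern the question describes.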
    
    • Andrew B
      Andrew B over 11 years
      Could you post your configuration? Edit your post, hit enter twice, paste the configuration, and then highlight all of it and choose "block quote". (the double enter is important)
    • Mike B
      Mike B over 11 years
      Do you have any web proxies or transparent internet filters in the mix? Are you pointing directly to the server or going through a load-balancer?
    • Sbx
      Sbx over 11 years
      Okay, I've added the configuration of one of the sites, @MikeB, as you can now see it does use ProxyPass, could that be a problem? If so, what do I need to do to update the SSL cert? (the site on port 444 doesn't use ProxyPass)
    • Patrick Mevzek
      Patrick Mevzek almost 6 years
      Your configuration does not match your text. You have it for ports 9207 and 9107 while you speak in your text about ports 443 and 444. What remains is that Apache will read your certificates at the time it starts. There is no other cache than that at Apache. And if you gave the website name people could have tried to see which certificate they get.
  • Patrick Mevzek
    Patrick Mevzek almost 6 years
    The user already said he restarted Apache.
  • 6006604
    6006604 almost 4 years
    This did not fix the issue but it did give some additional information about an apache configuration issue.