SSL renew certificate on apache keeps using old certificate file


Solution 1

Well you figured it out yourself but in case anyone else is in the same situation, here are some of the things you can check.

First up check locally whether this works, by running the following openssl command on the server (a crucial step we skipped!):

openssl s_client -connect localhost:443

This will show the cert presented to the client from Apache. If that's not the right one, then you know Apache config is at fault. If it is the right one then something downstream is a problem.

In your case you terminate SSL at the load balancer and forgot to change the cert there. Another issue could be browser caching the SSL cert (restart it, Ctrl+F5 to force refresh or better yet try another browser or a third party website like ssllabs.com).

Assuming it's a problem with Apache then you need to check the config to check all instances of the cert have been replaced. The below command will show all the vhosts and what config they are configured in:

/usr/local/apache2/bin/apachectl -S

Alternatively just use standard find and grep unix commands to search your Apache config for the old or new cert:

find /usr/local/apache2/conf -name "*.conf" -exec grep olddomain.cer {} \; -print

Both those commands assume apache is installed in /usr/local/apache2 but change the path as appropriate.

If all looks good and you've definitely restarted Apache then you can try a full stop and restart as I have noticed sometimes a graceful restart of Apache doesn't always pick up new config. Before starting the web server back up again, check you can't connect from your browser (to ensure you're connecting to the server you think you're connecting to) and that the process is down with the following command:

ps -ef | grep httpd

and then finally start.

Another thing to check is that the cert you are installing is the one you think it is, using this openssl command to print out the cert details (assuming the cert is in x509 format but there are similar commands for other formats):

openssl x509 -in domain.cer -text

And last but not least check the Apache log files to see if there are any errors in there. Though I would expect that to mean no cert is loaded rather than just the old one.
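
The checks above, automated as an added example (this is my script, not code from the answer or from Apache): it fingerprints the certificate the host actually presents in the TLS handshake (what `openssl s_client` shows), fingerprints the certificate file you installed, and lists every `*.conf` file under the config directory that still names a certificate, flagging the `SSLCertificateFile` entries that do not hash to the new cert. The hostnames, paths, the sample `ssl.conf` text and the `constructed_pem` helper are assumptions for the demo; only the Python standard library is used.

```python
# Added example, not code from the answer: automate the checks above with the
# standard library only. Hostnames, paths and the sample conf are constructed.
import base64
import hashlib
import os
import re
import socket
import ssl
import sys

# Apache directives that name certificate material (case-insensitive, quotes optional).
CERT_DIRECTIVE = re.compile(
    r'^\s*(SSLCertificateFile|SSLCertificateChainFile|SSLCertificateKeyFile)\s+"?([^"\s]+)"?',
    re.IGNORECASE)
# First PEM block only: a file holding leaf + chain must hash the leaf, not the whole blob.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

SAMPLE_CONF = """\
# constructed sample ssl.conf, not a real server's config
<VirtualHost *:443>
    ServerName www.example.com
    SSLCertificateFile /etc/apache2/ssl/domain.cer
    SSLCertificateKeyFile /etc/apache2/ssl/domain.key
</VirtualHost>
<VirtualHost *:443>
    ServerName api.example.com
    SSLCertificateFile "/etc/apache2/ssl/olddomain.cer"
    SSLCertificateKeyFile /etc/apache2/ssl/olddomain.key
</VirtualHost>
"""

def der_fingerprint(der: bytes) -> str:
    """SHA-256 in the colon form `openssl x509 -fingerprint -sha256` prints."""
    hx = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))

def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first certificate in a PEM string (the leaf when a chain follows)."""
    block = PEM_BLOCK.search(pem_text)
    if not block:
        raise ValueError("no PEM certificate block found")
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(block.group(0)))

def constructed_pem(body: bytes) -> str:
    """PEM-armour arbitrary bytes for offline demos/tests. NOT a real certificate."""
    b64 = base64.encodebytes(body).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

def presented_fingerprint(host: str, port: int = 443, server_name: str = None) -> str:
    """Leaf cert the server sends in the handshake (what `openssl s_client` shows).
    Verification is off on purpose: we want the cert even if it is stale or expired."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return der_fingerprint(tls.getpeercert(binary_form=True))

def parse_cert_directives(text: str, path: str) -> list:
    """(path, line_no, directive, value) for every certificate directive in one conf file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = CERT_DIRECTIVE.match(line)
        if m:
            hits.append((path, line_no, m.group(1), m.group(2)))
    return hits

def find_cert_references(conf_dir: str) -> list:
    """Walk conf_dir for *.conf files; the same job as the find/grep command in the answer."""
    hits = []
    for root, _dirs, files in os.walk(conf_dir):
        for name in sorted(files):
            if name.endswith(".conf"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(parse_cert_directives(fh.read(), path))
    return hits

def stale_cert_files(conf_dir: str, expected_fp: str) -> list:
    """SSLCertificateFile entries whose file does not hash to expected_fp or cannot be read.
    Assumes absolute paths; Apache would resolve relative ones against ServerRoot."""
    stale = []
    for path, line_no, directive, value in find_cert_references(conf_dir):
        if directive.lower() != "sslcertificatefile":
            continue
        try:
            with open(value, encoding="ascii", errors="replace") as fh:
                actual = pem_fingerprint(fh.read())
        except (OSError, ValueError) as exc:
            actual = "unreadable: %s" % exc
        if actual != expected_fp:
            stale.append((path, line_no, value, actual))
    return stale

if __name__ == "__main__":  # usage: check_cert.py HOST NEW_CERT CONF_DIR (placeholder names)
    host, new_cert, conf_dir = sys.argv[1:4]
    with open(new_cert, encoding="ascii", errors="replace") as fh:
        expected = pem_fingerprint(fh.read())
    got = presented_fingerprint(host)
    print("installed file :", expected)
    print("server presents:", got, "MATCH" if got == expected else "MISMATCH: stale vhost or LB/proxy in front")
    for hit in stale_cert_files(conf_dir, expected):
        print("stale reference:", hit)
```

Run it once against `localhost` (that is the Apache check) and once against the public hostname (that is what the browser sees): if the first matches and the second does not, the stale copy lives in whatever terminates TLS in front of Apache, exactly the load-balancer case in this thread. Pass `server_name` when one server hosts several HTTPS vhosts, otherwise SNI picks the default vhost and you may be fingerprinting a different certificate than the one you just replaced.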

Solution 2

Good answer from @Barry.

Another aspect is that Apache is not the front-most web server. From this conversation, it is possible that there are other web servers in front of Apache, something like nginx. In our case it was AWS ELB. We had to change the cert in the ELB in order to change it.

Author: Eli

Updated on June 04, 2022

Comments

  • Eli
    Eli almost 2 years

    I'm trying to renew my SSL certificate but there is some problem I'm probably missing. After I've done the following steps the server keeps using the old certificate and I don't know why. Here's what I have done:

    1. Create a new csr file (domain.csr) + key file (domain.key)
    2. openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
    3. Copy the csr file content and paste it to my SSL provider + get approval.
    4. Get 5 files from them and upload them to the server (domain.der, domain.pem, domain.cer, chain.cer, domain.p7b)
    5. Set in the Apache ssl.conf file: SSLCertificateFile (domain.cer), SSLCertificateKeyFile (domain.key).
    6. Restart Apache

    For some reason my server is still using my old certificate.

    Is there something I'm doing wrong?

    • Barry Pollard
      Barry Pollard over 8 years
      Browsers often cache certs. Restart browser or, better yet, use a different one to test. Also check that domain.cer is the new cert by reading the file using OpenSSL.
    • Eli
      Eli over 8 years
      What is the Linux openssl command to check which domain.cer file I'm using?
    • Barry Pollard
      Barry Pollard over 8 years
      Depends on format but try "openssl x509 -in domain.cer -text"
    • Eli
      Eli over 8 years
      Thanks @BazzaDP, I did that and the domain.cer is indeed the new and correct file, but the server is still using the old file. Can the server have its own cache for SSL files??
    • Barry Pollard
      Barry Pollard over 8 years
      Did you try a different browser? Is the cert defined in more than one vhost and you only updated some of them? Also try a full stop and start rather than graceful restart.
    • Eli
      Eli over 8 years
      1. Tried a different browser. 2. Tried a full stop. 3. The only thing I can imagine is that the cert is defined in more than one vhost. Is there any Linux command to see which cert file (path) the system is using?
    • Barry Pollard
      Barry Pollard over 8 years
      '/usr/local/apache2/bin/apachectl -S' will show all the vhosts defined and which conf they are defined in. Or this 'find /usr/local/apache2/conf -name "*.conf" -exec grep olddomain.cer {} \; -print' will grep all your conf files for the old cert file. Both of these assume your apache is located in /usr/local/apache2 so change that as appropriate.
    • Eli
      Eli over 8 years
      Thanks @BazzaDP, I figured it out! I'm using an AWS load balancer, so I had to change it also on the AWS management console!
    • jww
      jww over 8 years
      Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask. Also see Where do I post questions about Dev Ops?.
  • Mr Purple
    Mr Purple about 7 years
    Great troubleshooting advice for this problem. For me the local browser was caching the old certs :P