 

SSL renew certificate on Apache keeps using old certificate file

I'm trying to renew my SSL certificate but there is some problem I'm probably missing. After I've done the following steps the server keeps using the old certificate and I don't know why. Here's what I have done:

  1. Create a new CSR file (domain.csr) + key file (domain.key):
     openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
  2. Copy the CSR file content and paste it to my SSL provider + get approval.
  3. Get 5 files from them and upload them to the server (domain.der, domain.pem, domain.cer, chain.cer, domain.p7b).
  4. Set in the Apache ssl.conf file SSLCertificateFile (domain.cer) and SSLCertificateKeyFile (domain.key).
  5. Restart Apache.

For some reason my server is still using my old certificate.

Is there something I'm doing wrong?

asked Dec 15 '22 09:12 by Eli


2 Answers

Well, you figured it out yourself, but in case anyone else is in the same situation, here are some of the things you can check.

First up, check locally whether this works by running the following openssl command on the server (a crucial step we skipped!):

openssl s_client -connect localhost:443

This will show the cert presented to the client from Apache. If that's not the right one, then you know the Apache config is at fault. If it is the right one, then something downstream is the problem.

In your case you terminate SSL at the load balancer and forgot to change the cert there. Another issue could be the browser caching the SSL cert (restart it, Ctrl+F5 to force a refresh, or better yet try another browser or a third-party website like ssllabs.com).

Assuming it's a problem with Apache, then you need to check the config to check that all instances of the cert have been replaced. The below command will show all the vhosts and what config they are configured in:

/usr/local/apache2/bin/apachectl -S

Alternatively, just use the standard find and grep Unix commands to search your Apache config for the old or new cert:

find /usr/local/apache2/conf -name "*.conf" -exec grep olddomain.cer {} \; -print

Both those commands assume Apache is installed in /usr/local/apache2, but change the path as appropriate.

If all looks good and you've definitely restarted Apache, then you can try a full stop and restart, as I have noticed sometimes a graceful restart of Apache doesn't always pick up new config. Before starting the web server back up again, check you can't connect from your browser (to ensure you're connecting to the server you think you're connecting to) and that the process is down with the following command:

ps -ef | grep httpd

and then finally start it.

Another thing to check is that the cert you are installing is the one you think it is, using this openssl command to print out the cert details (assuming the cert is in X.509 format, but there are similar commands for other formats):

openssl x509 -in domain.cer -text

And last but not least, check the Apache log files to see if there are any errors in there. Though I would expect that to mean no cert is loaded rather than just the old one.

answered Dec 16 '22 22:12 by Barry Pollard
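One way to script the checks from this answer, added here as an example that is not part of the original answer: it compares the SHA-256 fingerprint of the certificate file on disk with the fingerprint a live endpoint presents (sending SNI, because a load balancer or name-based vhost may otherwise hand back a different certificate than a browser would see), and checks that the private key file actually belongs to the certificate file. It needs only the openssl CLI. The host name example.test, the file paths and the two throwaway self-signed certificates in the demo are constructed for illustration; the served_fingerprint check needs a listening server, so the demo only exercises the file-based checks and shows the live comparison in a comment.

```sh
#!/bin/sh
# Added example, not from the original answer. Assumes the openssl CLI is on PATH.

# SHA-256 fingerprint of a certificate file (PEM or DER), lowercase hex, no colons.
cert_fingerprint() {
    _f="$1"
    # Try PEM first, then DER, so the same helper works for domain.cer and domain.der.
    { openssl x509 -in "$_f" -noout -fingerprint -sha256 2>/dev/null \
      || openssl x509 -in "$_f" -inform DER -noout -fingerprint -sha256; } \
      | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate a live server presents. -servername sends
# SNI so that name-based vhosts and load balancers pick the same cert a browser gets.
served_fingerprint() {
    _host="$1"; _port="${2:-443}"
    openssl s_client -connect "$_host:$_port" -servername "$_host" </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha256 \
      | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Exit 0 if both certificate files carry the same certificate, 1 otherwise.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Exit 0 if the private key in $2 is the key of the certificate in $1. A mismatch
# is a common reason Apache refuses to load the new cert and keeps serving the old one.
key_matches_cert() {
    _c="$(openssl x509 -in "$1" -noout -pubkey)"
    _k="$(openssl pkey -in "$2" -pubout)"
    [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# --- demo with constructed data: two throwaway self-signed certs stand in for the
# old and the renewed certificate (example.test is an assumed name) ---
DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT
for name in old new; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$DEMO_DIR/$name.key" -out "$DEMO_DIR/$name.cer" 2>/dev/null
done

echo "on-disk old: $(cert_fingerprint "$DEMO_DIR/old.cer")"
echo "on-disk new: $(cert_fingerprint "$DEMO_DIR/new.cer")"
if key_matches_cert "$DEMO_DIR/new.cer" "$DEMO_DIR/new.key"; then
    echo "new.key belongs to new.cer"
fi
if ! same_cert "$DEMO_DIR/old.cer" "$DEMO_DIR/new.cer"; then
    echo "old and new differ, as expected after a renewal"
fi

# Against a real host, compare what is served with what you installed, e.g.:
#   if [ "$(served_fingerprint www.example.test)" = "$(cert_fingerprint /path/to/domain.cer)" ]; then
#       echo "endpoint presents the new cert"
#   else
#       echo "endpoint still presents another cert: check the LB, vhosts, and the restart"
#   fi
```

Run served_fingerprint against localhost on the Apache box and against the public host name separately: if the first matches the file on disk and the second does not, the stale certificate is on whatever terminates TLS in front of Apache, not in the Apache config.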


Good answer from @Barry.

Another aspect is that Apache is not the front-most web server. From this conversation, it is possible that there are other web servers in front of Apache, something like nginx. In our case it was AWS ELB. We had to change the cert in the ELB in order to change it.

answered Dec 17 '22 00:12 by Akshay