Apache cached old SSL certificate


A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile, and a server stack is one type of solution stack: an ordered selection of software that makes it possible to complete a particular task. The thread below, about Apache continuing to serve an old SSL certificate after a new one was installed, is one such server-stack problem together with the fixes people found for it. Tags: linux, apache-2.2, ubuntu, ssl, cache.

About 2 weeks ago I bought a new wildcard SSL certificate for all of my servers, and immediately tried to set it up on a server by replacing the old self-signed certificate settings. So, I put in the new details, restarted apache, and refreshed my browser, and it's still complaining about having a self-signed SSL certificate. So I investigated further, and confirmed it's not my browser or local cache by testing it from a remote Windows server, but it is still serving the old self-signed certificate (though the chainfile has updated successfully). I even tried rebooting the server to attempt to clear apache's SSL cache or whatever is going on, but no luck there either.
And for some crazy reason, it works fine on port 444; if I edit that site and change it to port 443, it goes back to the old certificate ... 🙁 what's going on?
It's not just port 443 that doesn't work, by the way; I've tested ports 92XX (as that's what my services run on) and it gets the same errors, even after creating a new site on a new port.
I also tried copying one of the sites to another (new, never had SSL before) server and it works fine there :/
How do I clear apache's "SSL cache" or whatever is going on here (running Ubuntu 12.10 Server)?

Configuration of one of the sites:

<IfModule mod_ssl.c>
<VirtualHost *:9207>
        DocumentRoot /var/www/ssl/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/ssl/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
        ErrorLog /var/log/apache2/error.log
        LogLevel warn
        CustomLog /var/log/apache2/ssl_access.log combined
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from ::1/128
        </Directory>
        ProxyPass /tr http://localhost:9107/tr
        ProxyPassReverse /tr http://localhost:9107/tr
        # TLS settings for this vhost: leaf certificate, private key and CA bundle
        SSLEngine on
        SSLCertificateFile    /etc/ssl/crt/STAR_mysite_net.crt
        SSLCertificateKeyFile /etc/ssl/crt/server.key
        SSLCertificateChainFile /etc/ssl/crt/STAR_mysite_net.ca-bundle
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
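Before clearing any "cache", it is worth confirming what certificate each listener actually presents and whether it matches the file named in SSLCertificateFile. The script below is an added example, not part of the original question or any of the answers: it uses openssl(1) to fingerprint both the leaf certificate served on a host:port (sending SNI, so name-based vhosts answer correctly) and the configured PEM file, then reports MATCH or MISMATCH per port. The hostname, ports and the /etc/ssl/crt path in the usage line are placeholders taken from the vhost configuration above.

```shell
#!/bin/sh
# Added example (not from the original post): compare the certificate a TLS
# listener really presents with the one Apache is configured to load.
# Assumes openssl(1) is installed; host, ports and paths are placeholders.

# SHA-256 fingerprint of the first certificate in a PEM file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate presented by host:port.
# -servername sends SNI so a name-based vhost returns its own certificate.
served_fingerprint() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Compare served ($1) and configured ($2) fingerprints.
# Prints a verdict; returns 0 on match, 1 on mismatch or when nothing was served.
compare_fingerprints() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo "MATCH    served=$1"
        return 0
    fi
    echo "MISMATCH served=${1:-<none>} configured=$2"
    return 1
}

# Check one port against the SSLCertificateFile of the vhost bound to it.
check_port() {
    host=$1; port=$2; certfile=$3
    printf '%s:%s  ' "$host" "$port"
    compare_fingerprints "$(served_fingerprint "$host" "$port")" "$(file_fingerprint "$certfile")"
}

# Usage (placeholders from the vhost above; run on the server itself):
#   for p in 443 9207; do check_port localhost "$p" /etc/ssl/crt/STAR_mysite_net.crt; done
```

A MISMATCH while the file fingerprint is that of the new certificate means the running process never loaded the file you edited: either another configuration is in effect for that port or the process serving it was not the one you restarted. A served fingerprint of `<none>` means nothing completed a TLS handshake on that port at all.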

Run this command as root on your Linux server:

apachectl graceful

Works for me on Debian. If that is not working, you can try the -k parameter:

apachectl -k graceful

Error message in Dutch Chrome: Fout met SSL-verbinding

Error message in English Chrome: Error with SSL connection

I've been struggling with this for hours; the problem for me was that there were multiple apache instances running and "service apache restart" didn't stop them, so they were serving the old certificate.

The solution was:

service apache2 stop
pkill apache2
service apache2 start
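The situation this answer describes, a stale apache2 process that the init script does not manage but that still holds the port, is easy to confirm before resorting to a blanket pkill. The following is an added example and not the answerer's code: it parses `ss -tlnp` output to list the command and PID of every process listening on a given port, and lists apache2 processes left alive after `service apache2 stop`. The ss output in SAMPLE_SS is constructed for illustration; `port_owners` and `leftover_apache_pids` need ss(8) and pgrep(1) on the server.

```shell
#!/bin/sh
# Added example (not from the original answer): find out which processes hold a
# TLS port before killing anything. Live checks need ss(8) and pgrep(1).

# Constructed sample of `ss -tlnp` output, for offline illustration only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    *:443               *:*               users:(("apache2",pid=1234,fd=4),("apache2",pid=1230,fd=4))
LISTEN 0      128    0.0.0.0:444         0.0.0.0:*         users:(("apache2",pid=2001,fd=5))
LISTEN 0      128    [::]:9207           [::]:*            users:(("apache2",pid=1230,fd=6))
LISTEN 0      128    127.0.0.1:9107      0.0.0.0:*         users:(("java",pid=900,fd=12))'

# Read `ss -tlnp` output on stdin and print "command pid" for every process
# listening on port $1, one per line, de-duplicated.
owners_of_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")          # field 4 is Local Address:Port; port follows the last colon
            if (a[n] != port) next
            rest = $0
            while (match(rest, /\("[^"]+",pid=[0-9]+/)) {
                tok = substr(rest, RSTART + 2, RLENGTH - 2)   # name",pid=N
                sub(/",pid=/, " ", tok)                        # -> name N
                print tok
                rest = substr(rest, RSTART + RLENGTH)
            }
        }' | sort -u
}

# Live check: which processes hold port $1 right now?
port_owners() {
    ss -tlnp | owners_of_port "$1"
}

# After `service apache2 stop`, any apache2 PID still alive is an instance the
# init script does not know about (the case described in the answer above).
leftover_apache_pids() {
    pgrep -x apache2 || true
}

# Usage (on the server, as root): stop the managed instance, see what survived
# and what still owns 443, then kill only those PIDs and start cleanly.
#   service apache2 stop
#   leftover_apache_pids
#   port_owners 443
#   kill $(leftover_apache_pids); service apache2 start
```

If `port_owners 443` still shows a PID after the service is stopped, that process is the one presenting the old certificate; killing it by PID is more targeted than `pkill apache2`, which would also take down any unrelated instance that happens to share the name.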

apachectl graceful didn't work for me. Adding -k didn't work either.

I had to simply move the old certificate out of the certs directory, restart apache, and it finally worked.

mv /etc/ssl/certs/STAR_site.crt ~/bkp/
apachectl restart

I think this was the solution for me; I was also messing around with Cloudflare and disabled Universal SSL, then re-enabled it for a different domain. Universal SSL was re-established just as I removed the old cert. So I'm not 100% certain the above is what did the trick, or toggling Cloudflare's Universal SSL.

“rcapache2 graceful” + “rcapache2 restart” on Opensuse.
