A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack: an ordered selection of software that makes it possible to complete a particular task. The post below describes one server-stack problem that needed a solution: Apache kept serving an old, cached SSL certificate after a new one had been configured. The tips that follow may help when you manage your Linux server and run into problems involving linux, apache-2.2, ubuntu, ssl and cache.
About 2 weeks ago I bought a new wildcard SSL certificate for all of my servers, and immediately tried to set it up on a server by replacing the old self-signed certificate settings. So, I put in the new details, restarted Apache, and refreshed my browser, and it’s still complaining about having a self-signed SSL certificate. So I investigated further, and confirmed it’s not my browser or local cache by testing it from a remote Windows server, but it is still serving the old self-signed certificate (but the chain file has updated successfully). I even tried rebooting the server to attempt to clear Apache’s SSL cache or whatever is going on, but no luck there either.
And for some crazy reason, it works fine on port 444; if I edit that site and change it to port 443, it goes back to the old certificate …. 🙁 What’s going on?
It’s not just port 443 that doesn’t work, by the way; I’ve tested ports 92XX (as that’s what my services run on) and it gets the same errors, even after creating a new site on a new port.
I also tried copying one of the sites to another (new, never had ssl before) server and it works fine there :/
How do I clear Apache’s “SSL cache” or whatever is going on here (running Ubuntu 12.10 Server)?
Configuration of one of the sites:

```apache
<IfModule mod_ssl.c>
<VirtualHost *:9207>
    DocumentRoot /var/www/ssl/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/ssl/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    ProxyPass /tr http://localhost:9107/tr
    ProxyPassReverse /tr http://localhost:9107/tr

    # TLS settings: the new wildcard certificate, its private key and the CA bundle
    SSLEngine on
    SSLCertificateFile /etc/ssl/crt/STAR_mysite_net.crt
    SSLCertificateKeyFile /etc/ssl/crt/server.key
    SSLCertificateChainFile /etc/ssl/crt/STAR_mysite_net.ca-bundle

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
```
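The question above boils down to "which certificate is this port really serving, and is it the one in SSLCertificateFile?" The following script is an added example, not code from the original question or any of the answers: it connects to a host:port with SNI, takes the leaf certificate the server actually presents (certificate verification is disabled on purpose so an old self-signed certificate is still reported rather than rejected), and compares its SHA-256 fingerprint with the certificate in the configured PEM file. Host, port and file path are assumed command-line arguments; SAMPLE_PEM is a constructed placeholder, not a real certificate, used only for the offline self-check.

```python
"""Compare the certificate Apache presents on a port with the configured PEM file."""
import hashlib
import socket
import ssl
import sys

# Constructed placeholder for offline self-checks only; its body decodes to b"\x01\x02\x03".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nAQID\n-----END CERTIFICATE-----\n"
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def pem_fingerprint(pem_text):
    """SHA-256 hex fingerprint of the DER encoding of one PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    return hashlib.sha256(der).hexdigest()


def file_fingerprint(path):
    """Fingerprint of the first certificate in a PEM file (e.g. the SSLCertificateFile path)."""
    with open(path, encoding="ascii") as fh:
        text = fh.read()
    start = text.index(BEGIN)
    end = text.index(END, start) + len(END)
    return pem_fingerprint(text[start:end])


def served_fingerprint(host, port, sni=None, timeout=5.0):
    """Fingerprint of the leaf certificate the server presents on host:port.
    Verification is deliberately off: the goal is to see what is served, not to trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def certificate_matches(served_fp, configured_fp):
    """True when the served certificate is byte-for-byte the configured one."""
    return served_fp == configured_fp


if __name__ == "__main__":
    # usage: check_cert.py HOST PORT /etc/ssl/crt/STAR_mysite_net.crt [SNI]
    host, port, cert_path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    sni = sys.argv[4] if len(sys.argv) > 4 else None
    served, configured = served_fingerprint(host, port, sni), file_fingerprint(cert_path)
    print("served:    ", served)
    print("configured:", configured)
    print("MATCH" if certificate_matches(served, configured) else "MISMATCH: stale certificate still being served")
```

Run it once per port Apache listens on (443, 444, 92XX); a MISMATCH on some ports but not others points at a different vhost or a stale process answering that port, not at browser caching.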
Run this function as root on your Linux server:

```sh
apachectl graceful
```

Works for me on Debian. If that is not working you can try the parameter -k:

```sh
apachectl -k graceful
```
Error message in Dutch Chrome: Fout met SSL-verbinding
Error message in English Chrome: Error with SSL connection
I’ve been struggling with this for hours. The problem for me was that there were multiple Apache instances running and “service apache restart” didn’t stop them, and they were serving the old certificate.
The solution was:

```sh
service apache2 stop
pkill apache2
service apache2 start
```
apachectl graceful didn’t work for me. Adding -k didn’t work either.
I had to simply move the old certificate out from the certs directory, restarted Apache and it finally worked.

```sh
mv /etc/ssl/certs/STAR_site.crt ~/bkp/
apachectl restart
```
I think this was the solution for me. I was also messing around with Cloudflare and disabled Universal SSL, and re-enabled it for a different domain. Universal SSL was re-established just as I removed the old cert. So, I’m not 100% certain the above is what did the trick, or toggling Cloudflare’s Universal SSL.
“rcapache2 graceful” + “rcapache2 restart” on openSUSE.