Expired SSL certificates make websites insecure. And, it can even result in a website attack.
Therefore, replacing website SSL with a valid one is really critical. But, in certain cases, websites throw up errors and still show the old SSL certificate even after renewal.
At Bobcares, we often see customers reporting problems with website showing old certificate as part of our Outsourced Technical Services for web hosts.
Today, we’ll see the top causes for Apache serving old SSL certificate and how our Support Engineers fix them.
Problems with old SSL certificate
It is really frustrating to see websites failing even after website SSL renewal. Here, the data transfer from Apache web server will not be secure. This further risks the website for an attack. Also, it will affect your online sales as users tend to abandon shopping carts.
Moreover, websites will throw up security errors in the browser.
What causes Apache to serve old SSL certificates?
From our experience in managing Apache servers, our Dedicated Engineers often see websites showing old SSL certificates. We’ll now see the typical reasons that can cause Apache to serve old SSL certificates.
1. Browser cache
Browsers often cache website SSL certs. We often see this as a common reason for showing up the old certificates. When the new certificate is not updated in the browser, visitors will see the old expired certificate.
With expired SSL, certain browsers even stop further communication with the Apache web server.
2. Reference to wrong certificate files
Again, SSL problems can appear when there is a reference to the old expired SSL certificates. Here, the SSL files will be included in the Apache configuration files which points to old SSL certificates. As a result, the website can show old certificates in certain browsers.
3. Reverse proxy setup
Similarly, we frequently see SSL certificate errors in Apache servers where Nginx is set up as a reverse proxy. Here, this proxy server speedup the website by forwarding website requests to Apache. And, if the SSL certificate is not set correctly in the Nginx configuration, website will show up SSL errors too.
4. IP address assignment
In certain Apache servers, even the IP address assignment of websites can create SSL problems. This happens mainly when multiple domains are associated with a single dedicated IP address. When the website is not assigned to IP address with valid SSL certificate, it can show errors or old expired certificate. Our Support Engineers often see such errors in mis-configured DirectAdmin servers.
Also, when the website DNS point to the wrong IP address, it can result in certificate errors too.
How we fix website SSL?
Till now, we saw the various reasons that would cause Apache to serve old SSL certificates. Let’s now see how our Dedicated Engineers diagnose and fix the website showing old SSL certificate.
As the first step, we check the secure website link from our side. This helps to isolate problems with customer’s browser cache. A simple browser restart can fix the problem of showing old SSL certificate.
Further, we confirm that the website resolves to the correct server and IP address. When there are no DNS issues, we check and confirm the service that listens on web server port. This helps to understand if there is Nginx or any other reverse proxy setup in the server.
Then, we further check the SSL cerificate files in the Apache server. Our Support Engineers run the following openssl command on the server to verify the cert presented to the client from Apache:
openssl s_client -connect domain.com:443
If that’s not the right one, we finalize that the Apache config is at fault. Here, we look for all the references of SSL files in Apache installation folder using the command:
grep -i -r "SSLCertificateChainFile" /etc/apache2/
This helps us to correct any reference to the wrong SSL certificate.
Recently, a customer reported problems with SSL certificate in DirectAdmin server after website IP address change.
Here, we checked and found problems with the IP assignment of the website. Then, we fixed the issue by changing the IP address binding to the new one in Apache configuration file.
[Is your website still showing old SSL certificate even after renewal? We can fix it for you.]
In short, Apache serving old SSL certificate can happen due to browser cache, wrong reference to SSL files, bad reverse proxy configuration and so on. Today, we’ve seen the top reasons for the error and how our Support Engineers make the website use the correct SSL certificate.