So today, completely out of the blue, one of the vhosts on my webserver started throwing SSL Cert out-of-date errors when I browsed to it. This is Very Odd™ as I have automatic renewals every two months and the certs are each good for three. Not only that, but the vhost in question has been working fine for over a year now with no changes in configuration.
Sooo…. I tried manually updating the ssl cert. Got a new cert, replaced the old cert and… nope still saying it’s out of date. Well okay then… that’s Very Odd™.
So I check to see if the new cert is really the new cert:
wolferz@annapuma ~ $ sudo openssl x509 -in /etc/letsencrypt/live/annapuma.scrapironcity.net/cert.pem -dates
notBefore=Feb 14 16:48:37 2020 GMT
notAfter=May 14 16:48:37 2020 GMT
Yup. That’d be the new one. Very Odd™ indeed.
So I load up another ssh terminal to a different server half-way around the world and query the cert from there to see what cert is actually being sent out.
wolferz@unipuma ~ $ echo | openssl s_client -showcerts -servername annapuma.scrapironcity.net -connect annapuma.scrapironcity.net:443 2>/dev/null | openssl x509 -inform pem -noout -dates
notBefore=Nov 16 13:58:11 2019 GMT
notAfter=Feb 14 13:58:11 2020 GMT
Well now. That’s Positively Passing Strange©. Perhaps I have the wrong cert files configured?
wolferz@annapuma ~ $ grep "SSLCertificate" /etc/apache2/sites-enabled/annapuma.scrapironcity.net.conf
SSLCertificateFile /etc/letsencrypt/live/annapuma.scrapironcity.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/annapuma.scrapironcity.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/annapuma.scrapironcity.net/chain.pem
This is apparently not Sparta.
Restart the httpd? Bupkis. Restart the whole server machine? Bupkis.
Soooo WTF? Cause I’m not sure what else to check.
EDIT: And just as magically as it stopped working, it magically started working again.
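
The disk-versus-wire comparison done by hand above can be scripted so that a monitoring job flags the moment the served certificate stops matching the renewed file. This is an added example, not the author's code; the function names are hypothetical, and it compares SHA-256 fingerprints rather than dates so that two certificates with similar validity windows are still told apart.

```shell
#!/usr/bin/env bash
# Added example: compare the certificate a vhost serves with the one on disk.
# All function names are hypothetical; host, port and path are arguments.

# SHA-256 fingerprint of the first certificate in a PEM file (empty on error).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# notAfter date of the first certificate in a PEM file.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2
}

# Save the leaf certificate served for SNI name $1 on port $2 into file $3.
fetch_served_cert() {
    echo | openssl s_client -servername "$1" -connect "$1:$2" 2>/dev/null \
        | openssl x509 -outform pem > "$3" 2>/dev/null
}

# compare_certs DISK_PEM SERVED_PEM
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
compare_certs() {
    local disk_fp served_fp
    disk_fp=$(cert_fingerprint "$1")
    served_fp=$(cert_fingerprint "$2")
    if [ -z "$disk_fp" ] || [ -z "$served_fp" ]; then
        echo "ERROR: could not parse one of the certificates" >&2
        return 2
    fi
    if [ "$disk_fp" = "$served_fp" ]; then
        echo "MATCH: served cert is the one on disk, expires $(cert_not_after "$1")"
        return 0
    fi
    echo "MISMATCH: disk expires $(cert_not_after "$1"); served expires $(cert_not_after "$2")"
    return 1
}

# check_vhost HOST PORT DISK_PEM: fetch the live cert and compare it.
check_vhost() {
    local tmp rc
    tmp=$(mktemp) || return 2
    fetch_served_cert "$1" "$2" "$tmp"
    compare_certs "$3" "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run only when called with three arguments, e.g. from cron after a renewal.
if [ "$#" -eq 3 ]; then check_vhost "$@"; fi
```

Running it from a second machine, as in the s_client query above, checks what remote clients actually receive rather than what the local resolver or loopback path returns.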