Apache seems to be using old expired certificate even though new one is installed

Solution 1:

Something's in front of Apache. Check out that config:

Listen 127.0.0.1:443
....
<VirtualHost 127.0.0.1:443>

It's listening on localhost only, so internet clients aren't hitting this service directly - they're likely getting proxied.

For the sanity check that Apache's loading the right cert, hit the service directly on Apache's listener:

openssl s_client -connect 127.0.0.1:443 -showcerts

Not sure about the Andromeda header, so let's find the process:

lsof -i

Apache will have 127.0.0.1:443, while some other service has 0.0.0.0:443 (or the VPS's public address :443) - that's the one that needs the new cert.
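As an added example (not code from this answer), a small POSIX shell script that does the two checks above in one place: it parses `ss -ltnp` output to show which process owns each :443 listener, and summarizes the certificate an endpoint actually serves so the loopback listener can be compared with the public one. The `ss` output embedded below is constructed sample data, and the `haproxy` entry is just a stand-in for whatever is sitting in front of Apache; `example.com` is a placeholder hostname.

```sh
#!/bin/sh
# Added example, not from the original answer. Assumes `ss` (iproute2)
# and `openssl` are installed. Run as root so `ss -ltnp` can name the
# process behind every socket (lsof -i :443 works too).

# Constructed sample of `ss -ltnp` output: Apache bound to loopback only,
# a stand-in proxy ("haproxy") on the wildcard address, and sshd.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:443       0.0.0.0:*         users:(("apache2",pid=1234,fd=4))
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("haproxy",pid=987,fd=6))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))'

# Print "local_address:port process" for every listener on the given port.
# Reads ss-style output on stdin; works for 0.0.0.0, *, and [::] forms
# because only the text after the last ':' is compared with the port.
listeners_on_port() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            if (p == port) {
                proc = "unknown"
                # users:(("apache2",pid=1234,fd=4)) -> apache2
                if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
                print $4, proc
            }
        }'
}

# Summarize the certificate a TLS endpoint really serves: subject, expiry
# and SHA-256 fingerprint. $1 = host:port to connect to, $2 = SNI name.
cert_summary() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Live check (only when invoked with --live): list :443 owners, then show
# what Apache's loopback listener and the public endpoint each hand out.
# If the fingerprints differ, the front-end service has the stale cert.
if [ "${1:-}" = "--live" ]; then
    HOST="${2:-example.com}"   # placeholder; pass your real hostname
    echo "--- listeners on :443"
    ss -ltnp | listeners_on_port 443
    echo "--- Apache directly (127.0.0.1:443)"
    cert_summary 127.0.0.1:443 "$HOST"
    echo "--- public endpoint ($HOST:443)"
    cert_summary "$HOST:443" "$HOST"
fi
```

Invoke it as `sh check443.sh --live yourhost.example` on the VPS. When the second `cert_summary` block prints an older `notAfter` or a different fingerprint than the first, Apache is fine and the process named next to `0.0.0.0:443` is the one whose certificate configuration needs updating and reloading.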

Solution 2:

A common source of this problem is multiple running instances of Apache. The config changes are picked up by a process that you (re)start but the request is served by an old process which is running with old configuration.

Stop the service:

service apache2 stop

Check if the site is still accessible. If yes, then you have identified the cause.

Now run

ps aux | grep apache

It will give you a list of running apache2 processes and their PIDs. Kill them all. (Note: this command may also return unrelated processes with Apache in their name/user etc., like Apache Tomcat, which you might not want to kill.)

kill <pid>

Run ps aux again and ensure that the processes are no longer running.

Check again if the site is accessible. It shouldn't be.

Now start the apache service:

service apache2 start

Verify that the new certificate is being served.

If you don't want to kill processes, you may reboot the system. It will have the same effect.
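As an added example (not code from this answer), a POSIX shell script that carries out the stop / check for survivors / start procedure above, but identifies Apache processes by their exact command name from `ps -eo pid,user,comm` rather than `ps aux | grep apache`, so a Tomcat JVM that merely runs as user "apache" does not show up. The `ps` output embedded below is constructed sample data; the script assumes the binary is named apache2 or httpd.

```sh
#!/bin/sh
# Added example, not from the original answer. Assumes the Apache binary is
# named apache2 or httpd and that `service apache2 stop/start` is the way
# the service is managed on this host.

# Constructed sample of `ps -eo pid,user,comm` output: two apache2
# processes, a Tomcat JVM running as user "apache", and an unrelated shell.
SAMPLE_PS='  PID USER     COMMAND
 1234 root     apache2
 1235 www-data apache2
 2001 apache   java
 3000 root     bash'

# Print the PIDs whose command name is exactly apache2 or httpd.
# Reads ps-style output on stdin; matches neither user names nor argv,
# so "apache" the user and Tomcat's java process are ignored.
apache_pids() {
    awk 'NR > 1 && ($3 == "apache2" || $3 == "httpd") { print $1 }'
}

# Return 0 when no apache2/httpd process remains on this host, 1 otherwise.
no_apache_running() {
    [ -z "$(ps -eo pid,user,comm | apache_pids)" ]
}

# Live procedure (only when invoked with --live): stop the service, report
# any process the init script did not own, and start again only once the
# host is clean, so the freshly started instance is the one serving :443.
if [ "${1:-}" = "--live" ]; then
    service apache2 stop
    survivors="$(ps -eo pid,user,comm | apache_pids)"
    if [ -n "$survivors" ]; then
        echo "apache2/httpd still running after 'service apache2 stop'; PIDs:"
        echo "$survivors"
        echo "These are serving the old configuration. Terminate them with"
        echo "kill <pid>, re-run this script, then start the service."
        exit 1
    fi
    echo "No stray Apache processes; starting service"
    service apache2 start
fi
```

Run it as root with `sh restart-check.sh --live`. A non-zero exit with a PID list is the signature of the situation described in this answer: the init script stopped the instance it knew about while another instance, started some other way, kept the old certificate in memory.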