I had four websites configured on an Ubuntu 22.04 server using Nginx.
There was a technical problem with the database connection that required me to move the four websites to a new server.
I moved three of them to one server, and the fourth to a different server. This is the problem domain.
I created new Let's Encrypt certificates for all four sites.
The fourth site, now on a separate server from the other three, is showing an error "This website is not secure" when I visit it.
When I look at the certificate details, the certificate is for one of the other three websites, on a different server, with a different domain name.
I did two things:
- logged in to the old server and did `certbot delete` for all the certificates
- logged in to the new server which is NOT hosting the problem site and did `certbot delete` for the incorrect certificate that was being shown in the browser error page
Now, the deleted certificate for the wrong domain name is still being shown in the browser (Safari & Chrome/Mac).
From what I understand, SSL certificates are not cached, but are supplied by the server with each request.
- in Terminal on the Mac, I tried `curl -vvI https://example.com`, and got the correct, new certificate.
- in Terminal I tried `echo | openssl s_client -showcerts -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text` and got the certificate from the other server
- I re-did the first command and this time I got the wrong certificate
A friend roughly 15,000km away also gets the wrong certificate.
I don't understand how it is possible:
- the certificate being shown was on a separate server from the beginning
- it was for a different domain name from the beginning
- it has been deleted
- the new, correct certificate was available from the beginning (and I tried re-installing it)
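
Added example, not part of the original post: because the same hostname returned different certificates on different attempts, one check is to connect to each address the name resolves to separately, send the hostname as SNI, and compare the certificate each address serves. It assumes Python 3 and that every server presents a chain the system trust store accepts; all function names are hypothetical.

```python
import socket
import ssl
import sys

def dns_name_matches(pattern, hostname):
    """Compare one certificate DNS name with a hostname; '*.' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname

def cert_covers(san_names, hostname):
    """True if any DNS subjectAltName on the certificate is valid for hostname."""
    return any(dns_name_matches(name, hostname) for name in san_names)

def resolve_all(hostname, port=443):
    """Every IPv4 and IPv6 address the local resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def san_names_from(address, hostname, port=443, timeout=5):
    """Connect to one specific address, send hostname as SNI, return the DNS SANs served."""
    ctx = ssl.create_default_context()
    # Keep chain validation but skip the name check, so a certificate issued
    # for a different domain can still be read instead of aborting the handshake.
    ctx.check_hostname = False
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def audit(hostname):
    """Map each resolved address to (status, names) for the certificate it serves."""
    report = {}
    for address in resolve_all(hostname):
        try:
            names = san_names_from(address, hostname)
            status = "ok" if cert_covers(names, hostname) else "WRONG CERT"
            report[address] = (status, names)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            report[address] = ("error", [str(exc)])
    return report

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder from the post
    for address, (status, names) in audit(host).items():
        print(f"{address:40} {status:10} {', '.join(names)}")
```

An address reported as `WRONG CERT` identifies which machine is answering for the name with another site's certificate; comparing that address with the intended server's IPv4 and IPv6 addresses shows whether a stale DNS record is involved.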