NextCloud sends old SSL Certificate

Hello there, so I made a self-signed certificate, then later on found out that it has wrong info and made a new one, but for some reason, even though I deleted the wrong certificate, the server still sends it to the browser and the browser keeps rejecting it.

How can I properly make Nextcloud send the correct certificate? I updated the default-ssl.conf file to read the mydomain.com.crt and mydomain.com.key files (the .key file is not the root/private .key file), then checked that the apache2 configtest syntax is OK, then reloaded apache2 with no errors, but still that didn’t help either.

Any help or recommendations are much appreciated!

Sounds like you already did everything usually necessary.
One additional thing you can at least try is performing a full reload (CTRL + F5) or even temporarily deactivating the cache in the browser in the developer console under “Network” and then hitting the check box “Disable cache”.
If disabling the cache works, you can delete the cache entirely in the browser’s settings.

I did try that, but I don’t think the issue is with the browser, because I tried it with different browsers and still no luck.

I think the issue is with the Nextcloud server itself. Why does it keep sending the wrong certificate, which is DELETED in the first place? Like, I find that extremely weird and frustrating lol.

But the server can’t send what isn’t there, right? :wink: I thought there might be caching issues on the receiving end then.

Well, some other things I can think of:

  • the certificate still exists on the server and only a link was deleted
  • the wrong config was edited
  • there is a proxy server that is configured with the same old certificate and that is actually providing the cert to the browsers

Those are actually good points:

I’m using WinSCP to search for all .crt files that I have on the server, but only the ones that I created and the built-in ones are showing up, so I don’t know if that would be the cause.

There should be one config file (if I’m not wrong) that tells apache2 which sites are enabled and which ports to listen to.

I don’t know about the last point; maybe that could be the cause. Is there a way to “update” the proxy server with the new certificate somehow?

Thank you so far for the help and advice though! <3

Nextcloud has nothing to do with the certificate. The web server uses it.

Did you try restarting Apache instead of reloading?

Yes, I tried both. I tried disabling and enabling the conf file, enabling headers, env, dir, mime, rewrite, then reload and restart, yet still nothing.

You can directly query the certificate with OpenSSL to determine whether the web server is presenting the new or old one.

openssl s_client -connect server:port | openssl x509 -text
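
The OpenSSL query above can be turned into a yes/no check by comparing the fingerprint of the certificate the server presents with the fingerprint of the file Apache is configured to load. This is an added example, not part of the original posts; the host, port and certificate path are placeholders and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): is the certificate the server presents
# the same one Apache is configured to load from disk?
# Usage: sh check_cert.sh HOST /path/to/cert.crt [PORT]   (values are placeholders)

# SHA-256 fingerprint of the first PEM certificate found on stdin.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of a certificate file on disk.
file_fingerprint() {
    fingerprint < "$1"
}

# Output of the TLS handshake with host:port, including the leaf certificate.
# </dev/null closes stdin so s_client exits after the handshake;
# -servername sends SNI so a name-based virtual host returns its own certificate.
served_pem() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
}

# True only when both fingerprints are non-empty and identical.
same_cert() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Compare served vs. on-disk certificate: 0 = match, 1 = mismatch, 2 = no data.
check_server() {
    host=$1; cert=$2; port=${3:-443}
    pem=$(served_pem "$host" "$port")
    served=$(printf '%s\n' "$pem" | fingerprint)
    ondisk=$(file_fingerprint "$cert")
    if [ -z "$served" ] || [ -z "$ondisk" ]; then
        echo "could not read a certificate (served='$served' disk='$ondisk')"
        return 2
    fi
    if same_cert "$served" "$ondisk"; then
        echo "MATCH: $host:$port presents $cert"
        return 0
    fi
    echo "MISMATCH: $host:$port presents a different certificate than $cert"
    printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -enddate
    echo "Another config file, a leftover copy, or a proxy in front is answering."
    return 1
}

# Run the check only when a host and a certificate path were given.
if [ "$#" -ge 2 ]; then
    check_server "$@"
fi
```

Running it once against the public name and once against the Apache host directly (for example from the server itself) shows whether something in between is the one presenting the old certificate.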

I encountered a similar issue. Connecting to my Nextcloud instance through any browser or device resulted in an expired certificate notification, despite replacing the certificates in /etc/letsencrypt/live/mydomain.com/ and restarting Apache, rebooting the machine, etc.

The solution was in my firewall. I’m running pfSense with HAProxy. The trick for me was turning off SSL Offloading on the HAProxy https frontend, reloading, then turning it on again and reloading.