I'm hosting a webpage with Apache on a Raspberry Pi (Debian), and can't seem to get the server to issue the current certificate. I generated a self-signed SSL certificate in /home/pi/ssl/ with:

openssl req -new -sha256 -x509 -nodes -days 365 -out example.com.pem -keyout example.com.key

Apache looks up the .pem and .key file pair from file /etc/apache2/sites-enabled/owncloud.conf, which contains:

SSLCertificateFile    /home/pi/ssl/example.com.pem
SSLCertificateKeyFile /home/pi/ssl/example.com.key

When I delete these files and restart Apache I get error [FAIL] Reloading web server config: apache2 failed!. This error doesn't happen when restarting after a new certificate file pair has been generated, so Apache does seem to be calling the certificate.

However the certificate that comes through in browsers (Chrome Incognito or FF/Safari private windows, and even a browser on a computer that surely never requested the domain before) is an old certificate I generated a month ago - see below:

[Image: old certificate details]

Any ideas why this is happening?

  • 1
    Just to be very very sure: can you run openssl x509 -in /home/pi/ssl/example.com.pem -text -noout to see which common name it shows?
    – Arjan
    Commented May 21, 2015 at 13:30
  • 1
    And just to be sure: there is no other certificate configured anywhere in your apache config, i.e. no other certificate on any virtual host? Commented May 21, 2015 at 14:03
  • @Arjan example.com - see gist
    – geotheory
    Commented May 21, 2015 at 14:10
  • Solved! grep -i -r "SSLCertificateChainFile" /etc/apache2/ showed /etc/apache2/sites-available/default-ssl still had references to the default 'snakeoil' certificate. Commenting these out and the browser returns the customised certificate.
    – geotheory
    Commented May 21, 2015 at 14:33
  • Nice, but weird: sites-available should not be used, unless linked into sites-enabled... Still then: please post it as answer. :-)
    – Arjan
    Commented May 21, 2015 at 17:14

2 Answers


It turns out the certificate being issued was for some reason the default Apache "snakeoil" certificate. I established this by:

grep -i -r "SSLCertificateChainFile" /etc/apache2/

.. which returned 2 lines from file /etc/apache2/sites-available/default-ssl that referenced the snakeoil certificate. I commented these lines out and the browser now returns the customised certificate.

  • 1
    "the default Apache "snakeoil" certificate..." - haha, yes. Delete that certificate and its private key... It's one of those things that once you know about it, you actively hunt it.
    – jww
    Commented May 24, 2015 at 23:16
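
The search from the answer above, generalized as an added example (not part of the original post): it reports every active SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directive, skips commented lines, and follows symlinks so a file linked into sites-enabled shows up under both paths. The function names, the constructed demo tree and the expected-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# list_cert_directives CONF_DIR
# Print "file:line:Directive path" for every active (uncommented)
# SSLCertificateFile / KeyFile / ChainFile directive below CONF_DIR.
# find -L follows symlinks, so a vhost linked into sites-enabled is reported
# under both its sites-available and sites-enabled paths.
list_cert_directives() {
    find -L "$1" -type f -exec awk '
        tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
            gsub(/"/, "", $2)           # Apache allows quoted paths
            printf "%s:%d:%s %s\n", FILENAME, FNR, $1, $2
        }' {} +
}

# unexpected_cert_directives CONF_DIR EXPECTED_PREFIX
# Keep only directives whose path does not start with EXPECTED_PREFIX.
unexpected_cert_directives() {
    list_cert_directives "$1" | awk -v want="$2" 'index($NF, want) != 1'
}

# demo_tree DIR: build a constructed sample config tree (not real data).
demo_tree() {
    mkdir -p "$1/sites-available" "$1/sites-enabled"
    cat > "$1/sites-enabled/owncloud.conf" <<'EOF'
<VirtualHost *:443>
    SSLCertificateFile    /home/pi/ssl/example.com.pem
    SSLCertificateKeyFile /home/pi/ssl/example.com.key
</VirtualHost>
EOF
    cat > "$1/sites-available/default-ssl" <<'EOF'
<VirtualHost _default_:443>
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    sslcertificatekeyfile "/etc/ssl/private/ssl-cert-snakeoil.key"
    #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
</VirtualHost>
EOF
    ln -s ../sites-available/default-ssl "$1/sites-enabled/000-default-ssl"
}

# Usage: sh script.sh /etc/apache2 /home/pi/ssl/
if [ "$#" -eq 2 ]; then unexpected_cert_directives "$1" "$2"; fi
```

A hit that appears only under sites-available is not loaded by Apache; one that also appears under sites-enabled is, and is the one to fix.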

A common source of such problems is multiple running instances of Apache. The config changes are picked up by a process that you (re)start but the request is served by an old process which is running with old configuration.

Stop the service:

service apache2 stop

Check if the site is still accessible. If yes, then you have identified the cause.

Now run

ps aux | grep apache

It will give you a list of running apache2 processes and their PIDs. Kill them all. (Note: this command may also return unrelated processes with Apache in their name/user etc., like Apache Tomcat; you might not want to kill them.)

kill <pid>

Run ps aux again and ensure that processes are no longer running.

Check again if the site is accessible. It shouldn't be.

Now start the Apache service:

service apache2 start

Verify that the new certificate is being served.

If you don't want to kill processes, you may reboot the system. It will have the same effect.

