I'm using certbot to generate SSL certs for my website. I had an issue (because of cron script error and out of date python2, now resolved) where auto-update didn't work. I now have up to date license files on my server.
The license files are in an archive under letsencrypt, the number seems to increment each update (fullchain3 is latest):
root@mysite /etc/letsencrypt/live/mysite.com # ls -l ../../archive/mysite.com/
total 48K
-rw-r--r-- 1 root root 3.4K Sep 8 2017 fullchain1.pem
-rw-r--r-- 1 root root 3.5K May 8 17:02 fullchain2.pem
-rw-r--r-- 1 root root 3.5K Jul 7 21:19 fullchain3.pem
a symlink points to the latest, and lighty is set up to follow the link:
root@mysite /etc/letsencrypt/live/mysite.com # ls -l ../../live/mysite.com/fullchain.pem
lrwxrwxrwx 1 root root 39 Jul 7 21:19 ../../live/mysite.com/fullchain.pem -> ../../archive/mysite.com/fullchain3.pem
However, SSLLabs tell me my cert is out of date, and when I check serial numbers of license files, it turns out they are getting fullchain2.pem.
Lighty has been restarted. mod-compress is running though, can that be caching the old cert file, even through a restart? and if so how do I tell it not to? if not, what's the cause?
UPDATE : I tried stopping lighty, clearing the cache directory and restarting. Same result, same file seems to be served ...