Let's Encrypt renews but browsers still seeing old/expired SSL certificate

This morning was frustrating. I recently upgraded my VPS from the deprecated letsencrypt client to the newer cerbot client and generated new certificates for all my personal domains. I thought everything was fine — until I kept seeing intermittent SSL errors.

I figured I did something wrong, so I triple checked my Apache configs, made sure each website was pointing to the correct certificate, and restarted Apache...things seemed to work in Chrome, but not Firefox.

Ok, obviously Firefox was caching the certificate, right? I cleared everything. Same error. I reinstalled Firefox. Same error. Then I noticed that, when I refreshed Chrome, I would occasionally see images blocked, then a moment later they would load.

I ran some SSL tests with mixed results. They were seeing both certs intermittently too. 🤔

So I disabled the server with sudo service apache2 stop. To my surprise, my websites were online, but this time the SSL was consistently invalid.

It turns out, when I upgraded to certbot, I somehow launched a second instance Apache that wasn't responding to reloads, so there were two instances handling HTTPS traffic — one serving up the cached certificate from memory.

To solve the problem, I ran:

sudo killall apache2
sudo service apache2 start

Evidently, Chrome is more resilient to this than Firefox. Perhaps when Chrome sees a valid certificate from at least one HTTPS request, it retries any that fail until it gets a valid one.

Either way, mystery solved. 🕵🏻‍♂️