Introduction

Certificate renewal can complete successfully and still leave users seeing the old certificate. That usually means the new certificate exists on disk or in the control panel, but one active listener in the request path still references the previous file or old secret. The fastest fix is to trace where TLS actually terminates and update every layer that can present a certificate to the client.

Symptoms

  • The certificate provider shows renewal succeeded, but browsers still report the old expiration date
  • Some regions, nodes, or hostnames present the new cert while others do not
  • SSL testing tools show inconsistent results across endpoints
  • The issue started after automated renewal or a load balancer change
  • Restarting one service helped briefly or only fixed part of the traffic

Common Causes

  • The web server was not reloaded after renewal and still uses the old certificate in memory
  • A load balancer, CDN, or reverse proxy is terminating TLS with a separate outdated certificate
  • One virtual host or listener still points at the previous certificate path
  • The renewed cert was written to disk, but the deployment process did not sync it to all nodes
  • SNI hostnames map to different cert sources than expected

Step-by-Step Fix

  1. Determine exactly where client TLS terminates for the affected hostname: web server, proxy, CDN, or load balancer.
  2. Inspect the live certificate served at each termination layer rather than trusting the renewal log alone.
  3. Compare the configured certificate path or secret reference on every active listener handling the hostname.
  4. Reload or restart the relevant service only after confirming it points at the renewed certificate and key.
  5. If the site runs behind a load balancer or CDN, update that layer too, because origin renewal does not change edge termination automatically.
  6. Check multi-node or container deployments for instances still mounting an old certificate bundle.
  7. Retest with SNI-aware SSL tools and verify the serial number or expiration date now matches the renewed certificate everywhere.
  8. Confirm intermediate chains are also current so the new certificate is not paired with stale supporting files.
  9. Keep renewal, deployment, and service reload steps tied together so future certificate rotation finishes at the live serving layer.
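An added example that is not part of the original article: a POSIX shell script covering steps 2, 3 and 7 above. It computes the SHA-256 fingerprint of the renewed file on disk, then asks each layer that can terminate TLS (edge, load balancer, every origin node) what it actually serves for the public hostname with SNI, and flags any mismatch. Hostnames, addresses, ports and the certificate path are placeholders; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Compare what each TLS termination layer serves against the renewed
# certificate on disk. Endpoints and paths below are placeholders.

# SHA-256 fingerprint of the first certificate in a PEM file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Expiry of a PEM certificate, useful for the "old expiration date" symptom.
file_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Fingerprint of the leaf certificate a live endpoint presents for an SNI
# name. Connecting by address while sending the public hostname as SNI hits
# the same virtual host the browser does. Usage: served_fingerprint ADDR PORT SNI
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Print a verdict for one layer; returns 0 on match, 1 otherwise, so the
# result can gate a reload step in a deployment pipeline.
check_layer() {
    layer=$1; served=$2; expected=$3
    if [ -n "$served" ] && [ "$served" = "$expected" ]; then
        echo "OK       $layer serves the renewed certificate"
        return 0
    fi
    echo "MISMATCH $layer serves '${served:-nothing}', expected $expected"
    return 1
}

# Walk every termination layer for a hostname. Reads "label address port"
# lines on stdin; returns 1 if any layer still presents a different cert.
audit_hostname() {
    host=$1; renewed=$2; expected=$(file_fingerprint "$renewed"); rc=0
    echo "expected: $expected (notAfter $(file_not_after "$renewed"))"
    while read -r label addr port; do
        [ -z "$label" ] && continue
        check_layer "$label" "$(served_fingerprint "$addr" "$port" "$host")" "$expected" || rc=1
    done
    return $rc
}

# Example run with placeholder endpoints (uncomment to use):
# audit_hostname www.example.test /etc/ssl/renewed/fullchain.pem <<'EOF'
# cdn-edge      www.example.test 443
# lb-vip        10.0.0.10        443
# origin-node-1 10.0.1.11        8443
# EOF
```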