CA Bundle is not updated after reinstalling Print

  • 0

This is the final essential article for your SSL Installation Errors category. It addresses a specific frustration: when a customer does everything right, but the browser still says the certificate is "Expired" or "Untrusted."


CA Bundle is not updated after reinstalling certificate

You have successfully reinstalled or renewed your SSL certificate in cPanel, and the status shows "Active," but your browser still shows the old expiration date or a "Certificate Not Trusted" warning. This is a common issue usually caused by the servers CA Bundle (Certificate Authority Bundle) being stuck in the cache.

The CA Bundle is a file that contains the "Intermediate" certificates. These act as a bridge between your specific domain certificate and the trusted Root Certificate (like Sectigo). If this bridge isn't updated, browsers can't verify your new SSL.

Common Causes at Nixzoehost

  • cPanel SSL Cache: cPanel often caches SSL data to improve performance. Even if you paste a new CA Bundle, the server may still be serving the old one from its memory.

  • Apache Vhost Stuck: The web server (Apache) might be holding onto the previous configuration for your websites VirtualHost.

  • Incomplete Bundle Paste: During manual installation, the "Certificate Authority Bundle (CABUNDLE)" field was left empty or filled with the old data.


How to Fix the Error

Method 1: The "Uninstall and Start Fresh" (Best for cPanel)

The most effective way to clear a stuck CA Bundle in cPanel is to completely remove the old installation:

  1. Log in to cPanel and go to SSL/TLS > Manage SSL Sites.

  2. Find your domain and click Uninstall. (Don't worry, your certificate files are still saved in your account).

  3. Refresh the page.

  4. Select your domain from the dropdown and click Autofill by Domain.

  5. Ensure the CABUNDLE field is populated with the new data.

  6. Click Install Certificate. This forces cPanel to rewrite the configuration from scratch.

Method 2: Verify the Chain (For Manual Installs)

If you are managing your own server, you can verify if the bundle is correct by looking at the "Chain of Trust." Each certificate should lead to the next.

Method 3: Clear the Server Cache (VPS/Dedicated Users)

If you have root access to your server, you can force Apache to drop its old cache and reload the new files:

  • For Apache: Run service httpd graceful or apachectl graceful.

  • For Nginx: Run nginx -s reload.


How to Check if it Worked

Do not trust your own browser immediately, as it has its own cache. Use an external tool to see what the rest of the world sees:

  1. Go to SSL Shopper's SSL Checker.

  2. Type in your domain name.

  3. Look for the "Certificate Chain" section. If you see broken red lines or an "Extra/Old" certificate, the CA Bundle is still not updated correctly.


Summary Table: Troubleshooting the Bundle

Problem Likely Cause Solution
Browser shows old date Local Browser Cache Clear browser history or use Incognito mode.
"Insecure" but SSL is active Missing Intermediate Cert Reinstall using Method 1 (Uninstall/Install).
Broken Chain error Incorrect CABUNDLE Paste the new CA Bundle provided in your Nixzoehost email.

Nixzoehost Tip: If you've tried Method 1 and Method 3 and the error persists, please open a support ticket. Our technical team can manually clear the server-side SSL cache for you in under 5 minutes!


Was this answer helpful?

« Back