bug: Updating the ssl certificate does not take effect #4067

@oldthreefeng

Issue description

Environment

  • apisix version (cmd: apisix version): 1.5
  • OS (cmd: uname -a): centos 7.9,
  • OpenResty / Nginx version (cmd: nginx -V or openresty -V):
openresty -V
Tengine version: Tengine/2.3.2
nginx version: nginx/1.17.3
built by gcc 6.4.0 (Alpine 6.4.0) 
built with OpenSSL 1.1.1b Tassl 1.4  23 Aug 2020
TLS SNI support enabled

  • etcd version, if have (cmd: run curl http://127.0.0.1:9090/v1/server_info to get the info from server-info API):
/ # etcdctl --version
etcdctl version: 3.3.25
API version: 2
/ # exit

  • apisix-dashboard version, if have:

Minimal test code / Steps to reproduce the issue

Update the SSL cert by curl PATCH.

I get the cert from the cluster:

curl  -H "X-API-KEY: $X_API_KEY"  -sSfL http://*:9180/apisix/admin/ssl/00000000000000000638  | jq .
{
  "node": {
    "value": {
      "cert": "-----BEGIN CERTIFICATE-----\nMIIFPTCCBCWgAwIBAgISA7TkxJvohgY6TqWAE2cu6zzMMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTAzMjkxNTU2MDNaFw0yMTA2MjcxNTU2MDNaMBwxGjAYBgNVBAMT\nEWJldGEuaWxlYXJudGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEA0rR7j1z3GH/M9RVioXCQ4yVBSixcHf9oK7LVumNhmgDYMdoUNpovRsDJXB0n\ntjxC3viXVybd3KJHpZ2eI6pfbvRB98gsyNBDYXs3JSxfWUnlf4gX3Y+kS2BTtkzp\nu00OilNjwGwyfbqkVy2OyAlbLufNbKmab3QWSzzxjidLRmp5BkYF8eyRbWxYlyQb\ng7VzEBz9/kMf3WFEfn1dPRwrej/9pDhXdz6BF0ivW1nmcSTerCeW1ujosgSYwX1X\nRcYFNqPfBfOMS9ENIDNLvJXjcowOwWXy5M5vUAdGgb63tonlCJZ0mPoGXQ/jXaf0\nQBfLazDdchhMxoAxg52iOiWXRQIDAQABo4ICYTCCAl0wDgYDVR0PAQH/BAQDAgWg\nMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G\nA1UdDgQWBBT04ICFySd41oCrvh47oJDlsaaN6jAfBgNVHSMEGDAWgBQULrMXt1hW\ny65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6\nLy9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu\nb3JnLzAxBgNVHREEKjAoghMqLmJldGEuaWxlYXJudGEuY29tghFiZXRhLmlsZWFy\nbnRhLmNvbTBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYG\nCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB\n1nkCBAIEgfUEgfIA8AB2AESUZS6w7s6vxEAH2Kj+KMDa5oK+2MsxtT/TM5a1toGo\nAAABeH7p7lEAAAQDAEcwRQIhAJZiwSi9tcne0xRjKr64J8jrwQbLx1GTWuXBtjGc\naEx4AiAlVQIW3lzS6ba3IXOOQvhX6zZ08Yip/XXy/zyIvmDCmAB2APZclC/RdzAi\nFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTjAAABeH7p7m8AAAQDAEcwRQIgMpy//pVZ\nw06hmEOguTD7BE2GXkMjpB1UkGl2N7GaN3ICIQCELylK5JPdcETLneL32ueL7aiy\ni/MFN41Ie94MeA5J2zANBgkqhkiG9w0BAQsFAAOCAQEAK3+q6k5uvmvrO3Ua0UB5\nG97zU+EGJXy6QxS+6o9uaAAFO/jw4ABnGi4ykGZjOejHHB2nfWRskB9SLNvft8fa\nXsrDt2NDTNM4z3ygJfEUAO4XzAqaor0DAJnoSOQXj5uAHPR/D+IpdhdppWzl4+/s\nJL8UtrLi9xD4ruMT6rXWYRpm33FH8c3bURn4zojO9hJZ9Fg1HzHg9rNQiJj7npw2\n77sEprgRBpnw08JeGiFS2wrujM9+GWP2ghcTOaVjQ6jRUOzomyyxsqdi6LJj0qXE\nrk1hBRpWHB3+MXweJcXIh8Q3jiVHx4LuyG7RWsewHH2uHkvBNbUb5qaXBeqUNk60\nMg==\n-----END CERTIFICATE-----\n\n-----BEGIN 
CERTIFICATE-----\nMIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow\nMjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT\nAlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs\njVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp\nTm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB\nU840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7\ngcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel\n/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R\noYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E\nBAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p\nZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE\np7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE\nAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu\nY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0\nLmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf\nr52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B\nAQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH\nejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8\nS8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL\nqjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p\nO5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw\nUdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==\n-----END CERTIFICATE-----",
      "id": "00000000000000000638",
      "sni": "*.beta.ilearnta.com",
      "status": 1
    },
    "createdIndex": 764,
    "key": "/apisix/ssl/00000000000000000638",
    "modifiedIndex": 764
  },
  "action": "get"
}

I get the right SSL cert from the admin ssl.

$ curl  -H "X-API-KEY: $X_API_KEY"  -sSfL http://*:9180/apisix/admin/ssl/00000000000000000638  | jq -r .node.value.cert  > a.cer
$ openssl x509 -noout -text -in  a.cer| grep Not 
            Not Before: Mar 29 15:56:03 2021 GMT
            Not After : Jun 27 15:56:03 2021 GMT

But from the HTTP server side:

$ echo -n \
        | openssl s_client -host www.beta.ilearnta.com -port 443 -showcerts 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > a.cer

$ openssl x509 -noout -text -in a.cer | grep Not                                       
            Not Before: Jan 29 11:56:02 2021 GMT
            Not After : Apr 29 11:56:02 2021 GMT

This really confused me.

Is there any cache or other thing stopping me from getting the right SSL cert?
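
The check performed by hand in the report above (stored certificate versus served certificate), as an added example that is not part of the original issue or of APISIX's own code. It compares SHA-256 fingerprints of the leaf certificate instead of reading the validity dates; the function names and the `admin_url`, `ssl_id` and `api_key` parameters are assumptions, and the demo input is constructed placeholder data.

```python
import hashlib
import json
import re
import socket
import ssl
import urllib.request

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_bundle):
    """SHA-256 of the first (leaf) certificate in a PEM bundle such as .node.value.cert."""
    m = PEM_RE.search(pem_bundle)
    if m is None:
        raise ValueError("no certificate in bundle")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(m.group(0))).hexdigest()

def stored_bundle(admin_url, ssl_id, api_key):
    """Fetch the PEM bundle stored under /apisix/admin/ssl/<id> (path as used in the report)."""
    req = urllib.request.Request(f"{admin_url}/apisix/admin/ssl/{ssl_id}",
                                 headers={"X-API-KEY": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["node"]["value"]["cert"]

def served_fingerprint(host, port=443, sni=None):
    """SHA-256 of the leaf the listener presents for the given SNI."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic fetch: we want the served leaf
    ctx.verify_mode = ssl.CERT_NONE  # even when it is expired or mismatched
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def compare(stored_pem, served_fp):
    """Report whether the gateway serves the leaf that the Admin API stores."""
    stored_fp = leaf_fingerprint(stored_pem)
    return {"stored": stored_fp, "served": served_fp, "match": stored_fp == served_fp}

if __name__ == "__main__":
    # Constructed placeholder bytes, not real certificates: only the hashing is exercised.
    new_leaf = ssl.DER_cert_to_PEM_cert(b"constructed-new-leaf")
    old_leaf = ssl.DER_cert_to_PEM_cert(b"constructed-old-leaf")
    issuer = ssl.DER_cert_to_PEM_cert(b"constructed-intermediate")
    print(compare(new_leaf + "\n" + issuer, leaf_fingerprint(old_leaf)))  # stale leaf served
    # Live use: compare(stored_bundle(url, ssl_id, key), served_fingerprint(host))
```

A `match` of `False` reproduces the symptom in the report: the listener presents a different leaf than the one stored under that ssl id.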
