An error occurred and we failed to restore your config and restart your server

Hello,
I am trying to make my web infonova.cz run on HTTPS. I guess I did it, but it ends with the error message below. It's all a little bit messed up because the systemctl status nginx command returns:
systemctl status nginx

× nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Tue 2023-05-09 14:38:49 UTC; 12min ago
       Docs: man:nginx(8)
        CPU: 12ms

May 09 14:38:47 vps1789 nginx[12459]: nginx: [emerg] bind() to [::]:80 failed (98: Unknown error)
May 09 14:38:48 vps1789 nginx[12459]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)
May 09 14:38:48 vps1789 nginx[12459]: nginx: [emerg] bind() to [::]:80 failed (98: Unknown error)
May 09 14:38:48 vps1789 nginx[12459]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)
May 09 14:38:48 vps1789 nginx[12459]: nginx: [emerg] bind() to [::]:80 failed (98: Unknown error)
May 09 14:38:49 vps1789 nginx[12459]: nginx: [emerg] still could not bind()
May 09 14:38:49 vps1789 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
May 09 14:38:49 vps1789 systemd[1]: nginx.service: Failed with result 'exit-code'.
May 09 14:38:49 vps1789 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
May 09 14:39:22 vps1789 systemd[1]: nginx.service: Unit cannot be reloaded because it is inactive.

My domain is: infonova.cz

I ran this command: sudo certbot --nginx -d infonova.cz www.infonova.cz

It produced this output: You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.infonova.cz.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Deploying certificate
Successfully deployed certificate for infonova.cz to /etc/nginx/sites-enabled/infonova.conf
Successfully deployed certificate for www.infonova.cz to /etc/nginx/sites-enabled/infonova.conf
An error occurred and we failed to restore your config and restart your server. Please post to Help - Let's Encrypt Community Support with details about your configuration and this error you received.
Encountered exception during recovery: certbot.errors.MisconfigurationError: nginx restart failed:
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)
nginx: [emerg] bind() to [::]:80 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)
nginx: [emerg] bind() to [::]:80 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)
nginx: [emerg] bind() to [::]:80 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)
nginx: [emerg] bind() to [::]:80 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)
nginx: [emerg] bind() to [::]:80 failed (98: Unknown error)
nginx: [emerg] still could not bind()

NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
    certbot install --cert-name www.infonova.cz

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS jammy

My hosting provider, if applicable, is: czechia.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Hi @r8w9a5k, and welcome to the LE community forum :slight_smile:

Please show this file:

4 Likes

Hi, thank you for kind greetings.

Here's the file.

# renew_before_expiry = 30 days
version = 2.5.0
archive_dir = /etc/letsencrypt/archive/www.infonova.cz
cert = /etc/letsencrypt/live/www.infonova.cz/cert.pem
privkey = /etc/letsencrypt/live/www.infonova.cz/privkey.pem
chain = /etc/letsencrypt/live/www.infonova.cz/chain.pem
fullchain = /etc/letsencrypt/live/www.infonova.cz/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxx i deleted account id because i am not sure if it's ok to make it public
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

Hi @r8w9a5k, do you have something else listening on port 80?

You could try

sudo ss -tlpn

to check.

3 Likes

This should use the nginx plugin [and web server]:

but this tells certbot to use itself as the web server:

You might try removing that line from the renewal.conf file first.
OR use:
authenticator = nginx

4 Likes

Hello, thank you for taking your time to help me :slight_smile:

Here is the sudo ss -tlpn command.

State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("docker-proxy",pid=11356,fd=4))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=622,fd=14))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=807,fd=3))
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("docker-proxy",pid=11338,fd=4))
LISTEN 0 4096 [::]:80 [::]:* users:(("docker-proxy",pid=11361,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=807,fd=4))
LISTEN 0 4096 [::]:443 [::]:* users:(("docker-proxy",pid=11343,fd=4))

1 Like

Perhaps you have nginx running inside a Docker container, but you ran Certbot outside of that container, and it's trying to start (or even configure) a different copy of nginx?

5 Likes
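
As an added illustration (not part of any post in this thread, and not certbot's own code), the shell sketch below cross-checks `ss -tlpn` output against a certbot renewal config to explain the bind() failure on port 80. The function names are hypothetical and the sample input is constructed from the output posted above.

```shell
#!/usr/bin/env bash
# Added example: explain a port-80 bind() failure from `ss -tlpn` output and a
# certbot renewal config. Function names are illustrative assumptions.

# port_owners PORT: reads `ss -tlpn` output on stdin and prints each distinct
# process name listening on PORT (IPv4 or IPv6), one per line.
port_owners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":")          # local address; the port is the last piece
      if (a[n] != port) next
      if (match($0, /users:\(\("[^"]+"/)) {
        name = substr($0, RSTART + 9, RLENGTH - 10)
        if (!seen[name]++) print name
      }
    }'
}

# conf_value KEY: reads a renewal config on stdin and prints the value of the
# first "KEY = value" line; comment lines never match because of the leading "#".
conf_value() {
  awk -F' *= *' -v key="$1" '$1 == key { print $2; exit }'
}

# diagnose SS_TEXT CONF_TEXT: one-line verdict for port 80.
diagnose() {
  local owners auth
  owners=$(printf '%s\n' "$1" | port_owners 80 | paste -sd, -)
  auth=$(printf '%s\n' "$2" | conf_value authenticator)
  case "$owners" in
    "")    echo "free: port 80 is unused; authenticator=${auth:-unset}" ;;
    nginx) echo "ok: host nginx owns port 80; authenticator=${auth:-unset}" ;;
    *)     echo "conflict: port 80 held by $owners; host nginx cannot bind; authenticator=${auth:-unset}" ;;
  esac
}

# Constructed sample input, shortened from the output posted in this thread.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("docker-proxy",pid=11356,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=807,fd=3))
LISTEN 0 4096 [::]:80 [::]:* users:(("docker-proxy",pid=11361,fd=4))'
SAMPLE_CONF='# Options used in the renewal process
[renewalparams]
authenticator = standalone
key_type = rsa'

diagnose "$SAMPLE_SS" "$SAMPLE_CONF"
```

On a live host the same functions can be fed directly, for example `sudo ss -tlpn | port_owners 80`.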

If outside docker, then you have installed nginx and it would fail with certbot and with the docker container. I don't think you made these multiple mistakes.

So, while inside docker, it can no longer run certbot [in standalone mode]; Since you have installed nginx and bound it to port 80. Which is likely why you are trying to run certbot --nginx...
But that has failed to do as you asked it.
hmm...
It should have, but it didn't.
I still recommend removing the "standalone" line from the renewal config file.

4 Likes

Well how can I check it out? :slight_smile: Sorry that I'm not experienced :frowning:

I guess I'm not needed here
Cheers from Miami :beers:

4 Likes

I removed authenticator line but nothing changes.

Sorry, I don't really know anything about Docker myself. Did you follow some kind of tutorial to set up your system this way?

3 Likes

Show the new config.
Show the command ran.
Show the LE log file.

4 Likes

Oh, to be honest I didn't set it up. It was somebody else and I cannot ask him.

I just saw that my web infonova.cz couldn't load due to NET:ERR_CERT_DATE_INVALID, so I thought I would just install a certificate and everything would be fine.

I think I did it and the web now loads OK (at least for me), but I want it to be perfect without any error messages.

Ye for sure.

sudo nano /etc/letsencrypt/renewal/www.infonova.cz.conf

# renew_before_expiry = 30 days
version = 2.5.0
archive_dir = /etc/letsencrypt/archive/www.infonova.cz
cert = /etc/letsencrypt/live/www.infonova.cz/cert.pem
privkey = /etc/letsencrypt/live/www.infonova.cz/privkey.pem
chain = /etc/letsencrypt/live/www.infonova.cz/chain.pem
fullchain = /etc/letsencrypt/live/www.infonova.cz/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxx i deleted this :)
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

There are currently four valid/active issued certs that cover that name:

What shows?:
certbot certificates

4 Likes

certbot certificates gave me this.

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: www.infonova.cz
Serial Number: xxx i deleted this
Key Type: RSA
Domains: www.infonova.cz infonova.cz
Expiry Date: 2023-08-07 13:14:27+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.infonova.cz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.infonova.cz/privkey.pem


You have a valid cert.
And the web site is using that new cert.

4 Likes

Okay, so should I ignore those error messages? I think I can live with that :slight_smile:

What error messages?
I asked for three things:

And only got one:

I see no error message.

4 Likes