Another instance of Certbot is already running

My domain is: thevegcat.com
Command: service nginx stop; certbot renew; service nginx start
Output: Another instance of Certbot is already running
Web server: nginx/1.18.0 (Ubuntu)
OS: Ubuntu 22.04.2 LTS
I can login to a root shell on my machine: yes
The version of my client is (output of certbot --version): certbot 1.21.0

When I run the commands mentioned above (three in a row, separated by semicolons), I get an error message. When I run them one by one, everything is fine.
The idea behind running all three in a row is to reduce the downtime of my web server.
Is there a way to do it properly without getting an error message?

Hi @H-Lo and Welcome to the forum!
I see a valid cert on your site.
As far as the command though...

Try:

service nginx stop && certbot renew && service nginx start

The semi-colons are getting in the way.

4 Likes
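Added example, not from the thread or from Certbot: the difference between `;` and `&&` is that `a; b; c` runs all three commands no matter what, while `a && b && c` stops at the first failure. With the `&&` form, a failed `certbot renew` (including the "Another instance of Certbot is already running" case, when the systemd timer fires at the same moment) leaves nginx stopped. If the web server really must be stopped around renewal, a wrapper that always restarts it and still reports certbot's exit status is safer. The stop/renew/start commands are passed in as arguments (an assumption for illustration and testing); the real invocation at the bottom assumes systemd and certbot on PATH.

```shell
#!/usr/bin/env bash
# Renewal wrapper for a stop/renew/start cycle (standalone authenticator).
# Always brings the web server back up, and returns certbot's exit status so
# a failed renewal is still visible to cron, systemd, or the caller.
set -u

# renew_with_downtime STOP_CMD RENEW_CMD START_CMD
# Runs STOP_CMD, then RENEW_CMD, then START_CMD. START_CMD runs even when
# RENEW_CMD fails. Returns RENEW_CMD's exit status, or 1 if the web server
# could not be stopped or restarted.
renew_with_downtime() {
  local stop_cmd=$1 renew_cmd=$2 start_cmd=$3
  local renew_rc=0

  $stop_cmd || { echo "could not stop web server; leaving it running" >&2; return 1; }
  # Record certbot's status instead of aborting, so the restart below always runs.
  $renew_cmd || renew_rc=$?
  $start_cmd || { echo "web server failed to restart" >&2; return 1; }
  return "$renew_rc"
}

# Real invocation (requires root; assumes systemd and certbot on PATH):
#   renew-wrapper.sh --run
if [ "${1:-}" = "--run" ]; then
  renew_with_downtime "systemctl stop nginx" "certbot renew" "systemctl start nginx"
fi
```

This only limits the damage of the stop/start approach; it does not remove the downtime, and it does not prevent the collision with the scheduled `certbot.timer` run. The plugin and webroot methods discussed below avoid both.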

The normal way with nginx is to use the --nginx plug-in or the --webroot method. Probably switching to --webroot is easiest since your HTTPS server block is already working.

Using either of those does not require nginx to be stopped at all.

What does your renewal conf look like? Show us the conf file for this cert in the /etc/letsencrypt/renewal folder.

4 Likes

To be a little more explicit,

  • if you used --nginx to get and install your certificate, then just certbot renew should work (without manually stopping and starting nginx, because certbot --nginx can normally do that for you)

  • if you use --webroot, then you usually want to specify a --deploy-hook script to reload nginx, unless you used a combination like -a webroot -i nginx; reloading or restarting nginx after a successful renewal is necessary for nginx to notice the presence of the new certificate and start using it

For automated renewals, these options are usually preferable to the service nginx stop; certbot renew; service nginx start method because certbot renew will usually not need to attempt any renewals, and therefore won't cause frequent downtime for the nginx service.

The error message you got suggests that you have automated renewal and are getting unlucky about trying to renew manually when the automated renewal process is already running (which is very unlikely unless you have a very large number of domains hosted on the same server). But you're saying the error message is repeatable on various occasions? In that case, do you have a --deploy-hook that recursively calls certbot for some reason, or something?

5 Likes

Yes, @schoen generally good further explanation but ...

A key advantage with the --nginx plug-in is that it does not "do the stop/start nginx for you" but instead does a reload after getting a new cert. The reload is far less disruptive.

Similarly, using --webroot would only require a reload either done with the --deploy-hook or even just a scheduled daily cron or timer.

There is another method: use the nginx authenticator without any installer, with something like -a nginx -i null, which gives a similar benefit.

So, there are options.

The usual reason people stop/start their webserver is they have mistakenly used the --standalone authenticator.

We can advise better if you show us your existing renewal config file (as I noted).

5 Likes
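Added example, not from the thread or from Certbot: the deploy hook that the two replies above describe for the --webroot (or -a nginx -i null) setup. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and exports RENEWED_LINEAGE and RENEWED_DOMAINS (space-separated) to it; the same script can also be given with --deploy-hook. It reloads nginx rather than restarting it, and only after `nginx -t` passes, because a reload with a broken config leaves the old workers and the old certificate in place while the hook appears to succeed. The check that a renewed name is actually served by nginx, the use of `nginx -T` to list server_name values, and the injectable test/reload commands are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Deploy hook: install as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx
# (mode 0755). Certbot sets RENEWED_DOMAINS and RENEWED_LINEAGE when it runs it.
set -u

# needs_reload RENEWED SERVED
# Return 0 if at least one renewed domain (space-separated) appears in the
# space-separated list of names nginx serves. A renewal of a lineage that nginx
# does not use (say, a cert for a mail host) then leaves the web server alone.
needs_reload() {
  local renewed=$1 served=$2 d s
  for d in $renewed; do
    for s in $served; do
      [ "$d" = "$s" ] && return 0
    done
  done
  return 1
}

# reload_nginx TEST_CMD RELOAD_CMD
# Validate the configuration before reloading. Returns 2 when the config test
# fails so the failure shows up in certbot's log instead of being silent.
reload_nginx() {
  local test_cmd=$1 reload_cmd=$2
  $test_cmd || { echo "nginx config test failed; not reloading" >&2; return 2; }
  $reload_cmd
}

# Entry point used by certbot. The served names are taken from the running
# configuration dump (nginx -T), one server_name token per line.
main() {
  local served
  served=$(nginx -T 2>/dev/null \
    | awk '/^[[:space:]]*server_name/ { for (i = 2; i <= NF; i++) { sub(/;$/, "", $i); print $i } }' \
    | sort -u | tr '\n' ' ')
  if needs_reload "${RENEWED_DOMAINS:-}" "$served"; then
    echo "renewed ${RENEWED_DOMAINS}: reloading nginx"
    reload_nginx "nginx -t" "systemctl reload nginx"
  else
    echo "renewed '${RENEWED_DOMAINS:-}': not served by nginx, skipping reload"
  fi
}

# Only act when invoked by certbot (RENEWED_DOMAINS is set); sourcing the
# file for testing defines the functions without touching nginx.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
  main
fi
```

Verify the hook end to end with `certbot renew --dry-run` (dry runs do not execute deploy hooks, so also run the script once by hand with RENEWED_DOMAINS set to your names) and confirm with `openssl s_client -connect thevegcat.com:443 -servername thevegcat.com </dev/null | openssl x509 -noout -dates` that the served certificate's dates changed after a real renewal.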

Thank you all for your time! It was standalone - now I see. I'm not an expert on certificates, so I searched the internet and found a page with a "how to". :slight_smile:

root@server:/etc/letsencrypt/renewal  # cat thevegcat.com.conf

# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/thevegcat.com
cert = /etc/letsencrypt/live/thevegcat.com/cert.pem
privkey = /etc/letsencrypt/live/thevegcat.com/privkey.pem
chain = /etc/letsencrypt/live/thevegcat.com/chain.pem
fullchain = /etc/letsencrypt/live/thevegcat.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ***
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

I am open to the option of removing the existing installation of certbot and doing a fresh install from scratch. It would be nice if it could renew itself automatically by adding a cron job, with only an nginx restart, without stopping it.

Is there a manual or how-to page that I should know about to make the process smooth and easy?

Manual renewal is tricky because I never do it at the time when I get a warning email, and of course sometimes I forget and get an expired certificate.

Thanks!

1 Like

First, we'll switch to a better method than standalone. Then we'll check the auto-renew config.

Show result of this command:

certbot renew --cert-name thevegcat.com -a nginx -i null --dry-run

The --dry-run will not affect any existing cert. We are making sure the nginx authenticator works for you before switching to this method.

6 Likes

If you follow the advice given by this forum, it will get there.

6 Likes

Thank you!!
I guess I'll have to install the nginx plugin:

$ certbot renew --cert-name thevegcat.com -a nginx -i null --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/thevegcat.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate thevegcat.com with error: The requested nginx plugin does not appear to be installed

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/thevegcat.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

$ ls -al

total 88
drwxr-xr-x 3 root root  4096 Aug  3  2022 .
drwxr-xr-x 8 root root  4096 Aug  3  2022 ..
drwxr-xr-x 2 root root  4096 Aug  3  2022 __pycache__
-rw-r--r-- 1 root root 15904 Nov  2  2021 common.py
-rw-r--r-- 1 root root  5658 Nov  2  2021 dns_common_lexicon.py
-rw-r--r-- 1 root root 12677 Nov  2  2021 dns_common.py
-rw-r--r-- 1 root root  7335 Nov  2  2021 dns_test_common_lexicon.py
-rw-r--r-- 1 root root  2523 Nov  2  2021 dns_test_common.py
-rw-r--r-- 1 root root  6036 Nov  2  2021 enhancements.py
-rw-r--r-- 1 root root    23 Nov  2  2021 __init__.py
-rw-r--r-- 1 root root  4162 Nov  2  2021 storage.py
-rw-r--r-- 1 root root  1745 Nov  2  2021 util.py


$ systemctl status certbot.timer

● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Sat 2023-04-29 16:42:52 UTC; 2 days ago
    Trigger: Mon 2023-05-01 21:05:22 UTC; 30min left
   Triggers: ● certbot.service

Apr 29 16:42:52 ubuntu-8gb-nbg1-1 systemd[1]: Started Run certbot twice daily.

You should install the snap version of Certbot. Ubuntu 22 easily supports that.

Be sure to follow all the steps carefully

4 Likes

Installed snapd. Previously I had removed the old certbot with apt remove certbot. Next I did this:

$ certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: thevegcat.com
2: matomo.thevegcat.com
3: veganskivodic.thevegcat.com
4: www.thevegcat.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named thevegcat.com already exists. Do you want to update its
key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for thevegcat.com and 3 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/thevegcat.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/thevegcat.com/privkey.pem
This certificate expires on 2023-07-30.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for thevegcat.com to /etc/nginx/sites-enabled/TheVegCat.conf
Successfully deployed certificate for matomo.thevegcat.com to /etc/nginx/sites-enabled/TheVegCat.conf
Successfully deployed certificate for veganskivodic.thevegcat.com to /etc/nginx/sites-enabled/TheVegCat.conf
Successfully deployed certificate for www.thevegcat.com to /etc/nginx/sites-enabled/TheVegCat.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

That's good. You used the --nginx plug-in as both authenticator and installer, so it made changes to your nginx config.

Make sure to review your nginx config to ensure all is still well. Probably fine but worth a check.

5 Likes

certbot 2.5.0

1 Like

Thanks! That's good advice. And yes, it made some changes to my site configurations, but it went well.
It used 4 spaces instead of one tab, but I can live with it. :slight_smile: :rofl:

Is that all, or do I have to configure it to renew itself?

2 Likes

OH DEAR!
Quickly sed that into uniformity!
We will fall into chaos without it - LOL

4 Likes

Ok, now that I've already asked 100 questions, one more can't make it worse. Certbot added an if block into the server config, and now I'm not sure whether it makes my old configuration obsolete or not.

Does it mean that the if block does the same job as my listen command and everything else below the if block? Should I remove the rest?

Here it is:

# go away from "http" - subdomain "veganskivodic.thevegcat.com"
server {
    if ($host = veganskivodic.thevegcat.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen               80;
        listen               [::]:80;
        server_name          veganskivodic.thevegcat.com;
        server_tokens        off;
        client_max_body_size 20M;

        return               301 https://veganskivodic.thevegcat.com$request_uri;


}

I'm already searching for "report bug" form. :rofl: :rofl: :rofl:

2 Likes

They both will do the same...
So, the first will be used.

4 Likes
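Added example, not from the thread or from Certbot: the same port-80 server block with the duplicate redirect removed. Both redirects are equivalent here because Certbot's if block only fires when $host equals the server name; keeping the explicit hostname in the return target (rather than $host) has the small advantage that the Location header can never be built from a client-supplied Host header, which matters if this block ever becomes the default_server. Which of the two to delete is a matter of taste; the version below keeps the original return. Run `nginx -t && systemctl reload nginx` after editing.

```nginx
# go away from "http" - subdomain "veganskivodic.thevegcat.com"
server {
    listen               80;
    listen               [::]:80;
    server_name          veganskivodic.thevegcat.com;
    server_tokens        off;
    client_max_body_size 20M;

    # Single redirect; the Certbot-managed "if ($host = ...)" block did the
    # same job and has been removed.
    return               301 https://veganskivodic.thevegcat.com$request_uri;
}
```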

Nothing like repetitive redundancy!
I backup my backups!
Why do it once? When you can do it twice for double the effort!
LOL

3 Likes

This one died after the install; I guess you all know how to bring it back to life. And if I manage to bring it back, does it mean it will run automatically, and then I could send manual updates into retirement?

$ systemctl status certbot.timer

○ certbot.timer
     Loaded: masked (Reason: Unit certbot.timer is masked.)
     Active: inactive (dead) since Mon 2023-05-01 21:07:19 UTC; 31min ago
    Trigger: n/a

Apr 29 16:42:52 ubuntu-8gb-nbg1-1 systemd[1]: Started Run certbot twice daily.
May 01 21:07:19 ubuntu-8gb-nbg1-1 systemd[1]: certbot.timer: Deactivated successfully.
May 01 21:07:19 ubuntu-8gb-nbg1-1 systemd[1]: Stopped Run certbot twice daily.

1 Like