My domain is: thevegcat.com
Command: service nginx stop; certbot renew; service nginx start
Output: Another instance of Certbot is already running
Web server: nginx/1.18.0 (Ubuntu)
OS: Ubuntu 22.04.2 LTS
I can login to a root shell on my machine: yes
The version of my client is (output of certbot --version): certbot 1.21.0
When I run commands mentioned above (three in a row separated with semicolon), I get an error message. When I run one by one, everything is fine.
The idea to run all three in a row is to reduce downtime of my web server.
Is there a way to do it properly without getting an error message?
The normal way with nginx is to use the --nginx plug-in or the --webroot method. Probably switching to --webroot is easiest since your HTTPS server block is already working.
Using either of those does not require nginx to be stopped at all.
What does your renewal conf look like? Show us the conf file for this cert in the /etc/letsencrypt/renewal folder.
If you used --nginx to get and install your certificate, then just certbot renew should work (without manually stopping and starting nginx, because certbot --nginx can normally do that for you).
If you use --webroot, then you usually want to specify a --deploy-hook script to reload nginx, unless you used a combination like -a webroot -i nginx; reloading or restarting nginx after a successful renewal is necessary for nginx to notice the presence of the new certificate and start using it.
For automated renewals, these options are usually preferable to the service nginx stop; certbot renew; service nginx start method because certbot renew will usually not need to attempt any renewals, and therefore won't cause frequent downtime for the nginx service.
The error message you got suggests that you have automated renewal and are getting unlucky about trying to renew manually when the automated renewal process is already running (which is very unlikely unless you have a very large number of domains hosted on the same server). But you're saying the error message is repeatable on various occasions? In that case, do you have a --deploy-hook that recursively calls certbot for some reason, or something?
Yes, @schoen generally good further explanation but ...
A key advantage with the --nginx plug-in is that it does not "do the stop/start nginx for you" but instead does a reload after getting a new cert. The reload is far less disruptive.
Similarly, using --webroot would only require a reload either done with the --deploy-hook or even just a scheduled daily cron or timer.
There is another method to use the nginx authenticator without any installer with something like -a nginx -i null that gives a similar benefit.
So, there are options.
The usual reason people stop/start their webserver is they have mistakenly used the --standalone authenticator.
We can advise better if you show us your existing renewal config file (as I noted).
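A deploy hook of the kind the two replies above describe (reload nginx after a --webroot renewal instead of stopping and starting it), as an added example that is not from this thread; it assumes the RENEWED_LINEAGE and RENEWED_DOMAINS variables certbot exports to deploy hooks and an nginx managed by systemd.

```shell
#!/bin/sh
# Added example (not from this thread): a certbot --deploy-hook for --webroot
# renewals that reloads nginx instead of stopping/starting it. Certbot runs
# deploy hooks only after a certificate was actually renewed and exports
# RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS to the hook.
set -u

# Return 0 when the lineage directory holds the files nginx is pointed at.
lineage_complete() {
    dir="$1"
    for f in fullchain.pem privkey.pem; do
        [ -r "$dir/$f" ] || return 1
    done
    return 0
}

# Return 0 when privkey.pem is not readable by "others" (a local policy
# check added here, not something certbot enforces).
privkey_private() {
    perms=$(ls -l "$1/privkey.pem" | cut -c1-10)   # e.g. -rw-------
    case "$perms" in
        *r??) return 1 ;;   # 8th character is the "others" read bit
    esac
    return 0
}

# Validate the config, then reload (not restart) so open connections survive.
deploy() {
    lineage="$1"
    lineage_complete "$lineage" || { echo "incomplete lineage: $lineage" >&2; return 1; }
    privkey_private "$lineage" || echo "warning: $lineage/privkey.pem is world-readable" >&2
    nginx -t || { echo "nginx -t failed; not reloading" >&2; return 1; }
    systemctl reload nginx || return 1
    logger -t certbot-deploy "reloaded nginx after renewing ${RENEWED_DOMAINS:-?}"
}

# Only act when certbot invoked us; sourcing the file elsewhere does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Installed as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ it runs for every lineage certbot renews, so the timer's twice-daily certbot renew needs no nginx stop/start at all.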
Thank you all for your time! It was standalone - now I see. I'm not an expert on certificates so I searched the internet and found a page with "how to".
root@server:/etc/letsencrypt/renewal # cat thevegcat.com.conf
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/thevegcat.com
cert = /etc/letsencrypt/live/thevegcat.com/cert.pem
privkey = /etc/letsencrypt/live/thevegcat.com/privkey.pem
chain = /etc/letsencrypt/live/thevegcat.com/chain.pem
fullchain = /etc/letsencrypt/live/thevegcat.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = ***
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
I am open to the option of removing the existing installation of certbot and doing a fresh install from scratch. It would be nice if it could renew itself automatically via a cron job, with only an nginx restart, without stopping it.
Is there a manual or how-to page that I should know about to make the process smooth and easy?
Manual renewal is tricky because I never do it at the time when I get a warning email, and of course, sometimes I forget and get an expired certificate.
Thank you!!
I guess I'll have to install nginx plugin:
$ certbot renew --cert-name thevegcat.com -a nginx -i null --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/thevegcat.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate thevegcat.com with error: The requested nginx plugin does not appear to be installed
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/thevegcat.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
$ ls -al
total 88
drwxr-xr-x 3 root root 4096 Aug 3 2022 .
drwxr-xr-x 8 root root 4096 Aug 3 2022 ..
drwxr-xr-x 2 root root 4096 Aug 3 2022 __pycache__
-rw-r--r-- 1 root root 15904 Nov 2 2021 common.py
-rw-r--r-- 1 root root 5658 Nov 2 2021 dns_common_lexicon.py
-rw-r--r-- 1 root root 12677 Nov 2 2021 dns_common.py
-rw-r--r-- 1 root root 7335 Nov 2 2021 dns_test_common_lexicon.py
-rw-r--r-- 1 root root 2523 Nov 2 2021 dns_test_common.py
-rw-r--r-- 1 root root 6036 Nov 2 2021 enhancements.py
-rw-r--r-- 1 root root 23 Nov 2 2021 __init__.py
-rw-r--r-- 1 root root 4162 Nov 2 2021 storage.py
-rw-r--r-- 1 root root 1745 Nov 2 2021 util.py
$ systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Sat 2023-04-29 16:42:52 UTC; 2 days ago
Trigger: Mon 2023-05-01 21:05:22 UTC; 30min left
Triggers: ● certbot.service
Apr 29 16:42:52 ubuntu-8gb-nbg1-1 systemd[1]: Started Run certbot twice daily.
Thanks! It's good advice. And yes, it did some changes to my site configurations, but it went well.
It used 4 spaces instead of one tab, but I can live with it.
Is that all, or do I have to configure it to renew itself?
Ok, now that I have already asked 100 questions, one more can't make it worse. Certbot added an if block into the server config and now I'm not sure whether it makes my old configuration obsolete or not.
Does it mean that the if block does the same job as my listen command and everything else below the if block? Should I remove the rest?
Here it is:
# go away from "http" - subdomain "veganskivodic.thevegcat.com"
server {
    if ($host = veganskivodic.thevegcat.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name veganskivodic.thevegcat.com;
    server_tokens off;
    client_max_body_size 20M;
    return 301 https://veganskivodic.thevegcat.com$request_uri;
}
This one died after the install; I guess you all know how to bring it back to life. And if I manage to bring it back, does it mean it will run automatically and then I could send manual updates into retirement?
$ systemctl status certbot.timer
○ certbot.timer
Loaded: masked (Reason: Unit certbot.timer is masked.)
Active: inactive (dead) since Mon 2023-05-01 21:07:19 UTC; 31min ago
Trigger: n/a
Apr 29 16:42:52 ubuntu-8gb-nbg1-1 systemd[1]: Started Run certbot twice daily.
May 01 21:07:19 ubuntu-8gb-nbg1-1 systemd[1]: certbot.timer: Deactivated successfully.
May 01 21:07:19 ubuntu-8gb-nbg1-1 systemd[1]: Stopped Run certbot twice daily.