Apache remains shutdown after renewal


#1

Hello, we have trouble on one of our Ubuntu 16.04 servers with the certbot apache plugin. If there is a certificate to renew, certbot successfully stops apache, successfully renews the certificate and successfully starts apache again. The problem is that afterwards it stops apache again and leaves it stopped. But there is nothing in the logs about why.

Here is an example of the apache error log:
[Mon Oct 01 08:35:44.819289 2018] [mpm_prefork:notice] [pid 13437] AH00169: caught SIGTERM, shutting down
[Mon Oct 01 08:35:52.966333 2018] [mpm_prefork:notice] [pid 4574] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured – resuming normal operations
[Mon Oct 01 08:35:52.966398 2018] [core:notice] [pid 4574] AH00094: Command line: ‘/usr/sbin/apache2’
[Mon Oct 01 08:35:53.310150 2018] [mpm_prefork:notice] [pid 4574] AH00169: caught SIGTERM, shutting down

The last line is important - why is it stopped?

The corresponding letsencrypt log, in short:
2018-10-01 08:35:41,171:INFO:certbot.hooks:Running pre-hook command: service apache2 stop
… certificate renewal…
2018-10-01 08:35:52,905:INFO:certbot.hooks:Running post-hook command: service apache2 start

The last line is actually the very last line in the log - there is nothing else. But apache was stopped a second later.

Certbot version is 0.26.1.

Can someone help please?


#2

Hi @petrolej

Check your system jobs. Is there a second job to renew certificates?


#3

Thank you, Juergen,

I checked all cron tables and there is only one cron job:

root@mtm:/var/log/letsencrypt# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

#4

Do you have a

--deploy-hook

command? Check your Letsencrypt configuration files in

/etc/letsencrypt/renewal

#5

Hello, there are two files in the directory. No --deploy-hook. Those files contain this:

# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/reg.cra.censored.com
cert = /etc/letsencrypt/live/reg.cra.censored.com/cert.pem
privkey = /etc/letsencrypt/live/reg.cra.censored.com/privkey.pem
chain = /etc/letsencrypt/live/reg.cra.censored.com/chain.pem
fullchain = /etc/letsencrypt/live/reg.cra.censored.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
installer = apache
authenticator = apache
account = 1e773d076f1ecfc3f26682986446835f
# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/iot-dc-01.cra.censored.com
cert = /etc/letsencrypt/live/iot-dc-01.cra.censored.com/cert.pem
privkey = /etc/letsencrypt/live/iot-dc-01.cra.censored.com/privkey.pem
chain = /etc/letsencrypt/live/iot-dc-01.cra.censored.com/chain.pem
fullchain = /etc/letsencrypt/live/iot-dc-01.cra.censored.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 1e773d076f1ecfc3f26682986446835f
pre_hook = service apache2 stop
post_hook = service apache2 start
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = http-01,

#6

Hmm, you’re using the apache authenticator and installer, but also stopping apache before renewal and starting it again afterwards. That won’t work (though I’d have expected it to break in a different way). Apache needs to be running for the apache authenticator to work.

Maybe you switched to the standalone authenticator and added the pre- and post-hooks to avoid the tls-sni-01 issue, then switched back to the apache authenticator but left the hooks in place? If so, remove them. (I’m not sure if it will solve your problem but it’s worth doing anyway).

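The mismatch jmorahan describes (a web-server authenticator combined with pre/post hooks that stop that same web server) is easy to miss by eye across several renewal files. The following script is an added example, not code from this thread or from certbot; it assumes the /etc/letsencrypt/renewal/*.conf layout shown in post #5 (key = value lines, then a [renewalparams] section), and the plugin-to-service mapping in PLUGIN_SERVICE is this example's own assumption. The two embedded configs are constructed samples modelled on post #5.

```python
"""Flag certbot renewal configs whose hooks stop the service the authenticator needs.

Added example for the thread above, not certbot's own code. Assumes the
/etc/letsencrypt/renewal/*.conf layout from post #5.
"""
import glob
import os
import re

# Service each authenticator plugin needs running during a challenge
# (assumed mapping for this example).
PLUGIN_SERVICE = {"apache": "apache2", "nginx": "nginx"}

# Constructed sample mirroring the second file in post #5, with the
# stop/start hooks left over from an earlier standalone setup.
HOOKED_CONF = """\
# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/iot-dc-01.example.com
cert = /etc/letsencrypt/live/iot-dc-01.example.com/cert.pem
# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
pre_hook = service apache2 stop
post_hook = service apache2 start
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = http-01,
"""

# Constructed sample: the same config after the hooks are removed.
CLEAN_CONF = "\n".join(
    line for line in HOOKED_CONF.splitlines()
    if not line.startswith(("pre_hook", "post_hook"))
) + "\n"


def parse_renewal_conf(text):
    """Parse a renewal file into {section: {key: value}}.

    Keys that appear before the first [section] header (cert paths, version)
    are stored under the "" section.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def _hook_touches(hook, service, verbs):
    """True if the hook command names the service and one of the verbs."""
    return (re.search(rf"\b{re.escape(service)}\b", hook) is not None
            and re.search(rf"\b(?:{'|'.join(verbs)})\b", hook) is not None)


def find_conflicts(conf):
    """Return a list of problems for one parsed config (empty if it is fine)."""
    params = conf.get("renewalparams", {})
    authenticator = params.get("authenticator", "")
    service = PLUGIN_SERVICE.get(authenticator)
    if service is None:
        return []  # standalone/webroot/DNS authenticators may stop whatever they like
    problems = []
    pre = params.get("pre_hook", "")
    if _hook_touches(pre, service, ("stop",)):
        problems.append(f"pre_hook stops {service}, but the {authenticator} "
                        f"authenticator needs it running: {pre!r}")
    post = params.get("post_hook", "")
    if _hook_touches(post, service, ("start", "restart", "reload")):
        problems.append(f"post_hook starts {service}; leftover from a standalone "
                        f"setup, remove it together with pre_hook: {post!r}")
    return problems


def audit_directory(renewal_dir="/etc/letsencrypt/renewal"):
    """Map each *.conf file name in renewal_dir to its list of problems."""
    report = {}
    for path in sorted(glob.glob(os.path.join(renewal_dir, "*.conf"))):
        with open(path) as fh:
            report[os.path.basename(path)] = find_conflicts(parse_renewal_conf(fh.read()))
    return report


if __name__ == "__main__":
    for name, text in (("hooked-sample.conf", HOOKED_CONF), ("clean-sample.conf", CLEAN_CONF)):
        print(name, find_conflicts(parse_renewal_conf(text)) or ["OK"])
    for name, problems in audit_directory().items():
        print(name, problems or ["OK"])
```

Run it as root on the affected host and it lists each renewal file with either "OK" or the offending hook lines; the two embedded samples show what a flagged and a clean file look like before you touch real configs.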

#7

Yep, that may be the problem.

Looks like there was a switch from the tls-sni-01 challenge to http-01.


#8

Hi Juergen and jmorahan,

thank you, you are both correct. We used standalone before and switched to apache. I removed the hooks and now it works. I tried to force renew all certificates; they renewed successfully and the apache service was still running afterwards.

Thank you a lot!

Petr


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.