Hello, we have a problem on one of the Ubuntu 16.04 servers with the certbot apache plugin. If there is a certificate to renew, certbot successfully stops apache, successfully renews the certificate and successfully starts apache again. The problem is that afterwards it stops apache again and leaves it stopped. But there is nothing in the logs saying why.
Here is an example of the apache error log:
[Mon Oct 01 08:35:44.819289 2018] [mpm_prefork:notice] [pid 13437] AH00169: caught SIGTERM, shutting down
[Mon Oct 01 08:35:52.966333 2018] [mpm_prefork:notice] [pid 4574] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Mon Oct 01 08:35:52.966398 2018] [core:notice] [pid 4574] AH00094: Command line: '/usr/sbin/apache2'
[Mon Oct 01 08:35:53.310150 2018] [mpm_prefork:notice] [pid 4574] AH00169: caught SIGTERM, shutting down
The last line is important - why is it stopped?
The corresponding letsencrypt log is, in short:
2018-10-01 08:35:41,171:INFO:certbot.hooks:Running pre-hook command: service apache2 stop
… certificate renewal…
2018-10-01 08:35:52,905:INFO:certbot.hooks:Running post-hook command: service apache2 start
The last line is actually the very last line in the log - there is nothing else. But apache was stopped a second later.
I checked all cron tables and there is only one cron job:
root@mtm:/var/log/letsencrypt# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Hmm, you’re using the apache authenticator and installer, but also stopping apache before renewal and starting it again afterwards. That won’t work (though I’d have expected it to break in a different way). Apache needs to be running for the apache authenticator to work.
Maybe you switched to the standalone authenticator and added the pre- and post-hooks to avoid the tls-sni-01 issue, then switched back to the apache authenticator but left the hooks in place? If so, remove them. (I’m not sure if it will solve your problem but it’s worth doing anyway).
Thank you, you are both correct. We used standalone before and switched to apache. I removed the hooks and now it works. I tried to force renew all certificates, they renewed successfully and the apache service was still running afterwards.
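A way to audit for the leftover-hook situation resolved above, as an added example that is not part of the original thread: it scans certbot renewal configuration text for lineages that authenticate with the apache plugin while a pre- or post-hook still stops or starts Apache. It assumes the hooks are stored as `pre_hook` / `post_hook` under `[renewalparams]` in `/etc/letsencrypt/renewal/*.conf`; the function name, the service-name list and both sample configurations are constructed for illustration.

```python
import configparser
import glob

# Assumption: names under which a hook might address the Apache service.
APACHE_NAMES = ("apache2", "httpd", "apachectl")
ACTIONS = ("stop", "start", "restart")

def find_hook_conflicts(conf_text):
    """Return [(hook_key, command)] for hooks that stop/start Apache while
    the lineage authenticates through the apache plugin."""
    # Renewal files put keys before the first [section]; configparser
    # needs a header, so prepend a dummy one.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string("[top]\n" + conf_text)
    if not parser.has_section("renewalparams"):
        return []
    params = parser["renewalparams"]
    if params.get("authenticator", "").strip() != "apache":
        return []  # e.g. standalone, where stopping Apache is intended
    findings = []
    for key in ("pre_hook", "post_hook"):
        command = params.get(key, "")
        touches_apache = any(name in command for name in APACHE_NAMES)
        changes_state = any(word in ACTIONS for word in command.split())
        if touches_apache and changes_state:
            findings.append((key, command))
    return findings

# Constructed sample: hooks left over from standalone, plugin now apache.
LEFTOVER = """\
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = apache
installer = apache
pre_hook = service apache2 stop
post_hook = service apache2 start
"""
# Constructed sample: the same hooks with the standalone authenticator.
STANDALONE = LEFTOVER.replace("authenticator = apache", "authenticator = standalone")

if __name__ == "__main__":
    for path in sorted(glob.glob("/etc/letsencrypt/renewal/*.conf")):
        with open(path) as handle:
            for key, command in find_hook_conflicts(handle.read()):
                print(f"{path}: {key} = {command!r} conflicts with authenticator = apache")
```

Run as root on the server, it prints one line per conflicting hook and nothing when the renewal configurations are consistent.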