Apache2 does not come back up, certbot finishes abnormally

Why is certbot trying to run this command?

What are your hook configurations?

Look in

  • /etc/letsencrypt/renewal/
  • /etc/letsencrypt/renewal-hooks/
  • /etc/letsencrypt/cli.ini

and tell us.


If you really want to use --standalone you don't need to stop apache. You can just reverse proxy certbot's server through it:

<Location "/.well-known/acme-challenge">
   ProxyPass "http://localhost:23782/.well-known/acme-challenge"
   # 23782 == CERTB, you can choose another free port.
</Location>

and then tell certbot to use that port:

certbot --standalone --http-01-port 23782
pi@emonpi:~$ ls -lh /etc/letsencrypt/renewal/
total 40K
-rw-r--r-- 1 root root 574 May 15 18:15 baldockery.com.conf
-rw-r--r-- 1 root root 619 May 16 04:35 dakboard.baldockery.com.conf
-rw-r--r-- 1 root root 649 May 27 12:00 emoncmsnodered.baldockery.com.conf
-rw-r--r-- 1 root root 609 May 27 12:01 emonpi.baldockery.com.conf
-rw-r--r-- 1 root root 599 May 16 04:36 home.baldockery.com.conf
-rw-r--r-- 1 root root 599 May 27 12:01 mypi.baldockery.com.conf
-rw-r--r-- 1 root root 614 May 16 04:36 nodered.baldockery.com.conf
-rw-r--r-- 1 root root 649 May 27 12:01 noderedemoncms.baldockery.com.conf
-rw-r--r-- 1 root root 614 May 16 04:37 openhab.baldockery.com.conf
-rw-r--r-- 1 root root 599 May 16 04:37 test.baldockery.com.conf
pi@emonpi:~$ cat /etc/letsencrypt/renewal/*.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/baldockery.com
cert = /etc/letsencrypt/live/baldockery.com/cert.pem
privkey = /etc/letsencrypt/live/baldockery.com/privkey.pem
chain = /etc/letsencrypt/live/baldockery.com/chain.pem
fullchain = /etc/letsencrypt/live/baldockery.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fba61c080ee8d787595e4fdf81b6560c
pre_hook = apachectl -k stop
post_hook = apachectl -k start
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/dakboard.baldockery.com
cert = /etc/letsencrypt/live/dakboard.baldockery.com/cert.pem
privkey = /etc/letsencrypt/live/dakboard.baldockery.com/privkey.pem
chain = /etc/letsencrypt/live/dakboard.baldockery.com/chain.pem
fullchain = /etc/letsencrypt/live/dakboard.baldockery.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fba61c080ee8d787595e4fdf81b6560c
pre_hook = apachectl -k stop
post_hook = apachectl -k start
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/emoncmsnodered.baldockery.com
cert = /etc/letsencrypt/live/emoncmsnodered.baldockery.com/cert.pem
privkey = /etc/letsencrypt/live/emoncmsnodered.baldockery.com/privkey.pem
chain = /etc/letsencrypt/live/emoncmsnodered.baldockery.com/chain.pem
fullchain = /etc/letsencrypt/live/emoncmsnodered.baldockery.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fba61c080ee8d787595e4fdf81b6560c
pre_hook = apachectl -k stop
post_hook = apachectl -k start
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/emonpi.baldockery.com
cert = /etc/letsencrypt/live/emonpi.baldockery.com/cert.pem
privkey = /etc/letsencrypt/live/emonpi.baldockery.com/privkey.pem
chain = /etc/letsencrypt/live/emonpi.baldockery.com/chain.pem
fullchain = /etc/letsencrypt/live/emonpi.baldockery.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fba61c080ee8d787595e4fdf81b6560c
pre_hook = apachectl -k stop
post_hook = apachectl -k start
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/home.baldockery.com
cert = /etc/letsencrypt/live/home.baldockery.com/cert.pem
privkey = /etc/letsencrypt/live/home.baldockery.com/privkey.pem
chain = /etc/letsencrypt/live/home.baldockery.com/chain.pem
fullchain = /etc/letsencrypt/live/home.baldockery.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fba61c080ee8d787595e4fdf81b6560c
pre_hook = apachectl -k stop
post_hook = apachectl -k start
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/mypi.baldockery.com
cert = /etc/letsencrypt/live/mypi.baldockery.com/cert.pem
privkey = /etc/letsencrypt/live/mypi.baldockery.com/privkey.pem
chain = /etc/letsencrypt/live/mypi.baldockery.com/chain.pem
fullchain = /etc/letsencrypt/live/mypi.baldockery.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fba61c080ee8d787595e4fdf81b6560c
pre_hook = apachectl -k stop
post_hook = apachectl -k start
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/nodered.baldockery.com
cert = /etc/letsencrypt/live/nodered.baldockery.com/cert.pem
privkey = /etc/letsencrypt/live/nodered.baldockery.com/privkey.pem
chain = /etc/letsencrypt/live/nodered.baldockery.com/chain.pem
fullchain = /etc/letsencrypt/live/nodered.baldockery.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fba61c080ee8d787595e4fdf81b6560c
pre_hook = apachectl -k stop
post_hook = apachectl -k start
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/noderedemoncms.baldockery.com
cert = /etc/letsencrypt/live/noderedemoncms.baldockery.com/cert.pem
privkey = /etc/letsencrypt/live/noderedemoncms.baldockery.com/privkey.pem
chain = /etc/letsencrypt/live/noderedemoncms.baldockery.com/chain.pem
fullchain = /etc/letsencrypt/live/noderedemoncms.baldockery.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fba61c080ee8d787595e4fdf81b6560c
pre_hook = apachectl -k stop
post_hook = apachectl -k start
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/openhab.baldockery.com
cert = /etc/letsencrypt/live/openhab.baldockery.com/cert.pem
privkey = /etc/letsencrypt/live/openhab.baldockery.com/privkey.pem
chain = /etc/letsencrypt/live/openhab.baldockery.com/chain.pem
fullchain = /etc/letsencrypt/live/openhab.baldockery.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fba61c080ee8d787595e4fdf81b6560c
pre_hook = apachectl -k stop
post_hook = apachectl -k start
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/test.baldockery.com
cert = /etc/letsencrypt/live/test.baldockery.com/cert.pem
privkey = /etc/letsencrypt/live/test.baldockery.com/privkey.pem
chain = /etc/letsencrypt/live/test.baldockery.com/chain.pem
fullchain = /etc/letsencrypt/live/test.baldockery.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fba61c080ee8d787595e4fdf81b6560c
pre_hook = apachectl -k stop
post_hook = apachectl -k start
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

Three empty directories:

pi@emonpi:~$ ls -lh /etc/letsencrypt/renewal-hooks
total 12K
drwxr-xr-x 2 root root 4.0K Nov 17  2019 deploy
drwxr-xr-x 2 root root 4.0K Nov 17  2019 post
drwxr-xr-x 2 root root 4.0K Nov 17  2019 pre
pi@emonpi:~$ cat /etc/letsencrypt/cli.ini
# Because we are using logrotate for greater flexibility, disable the
# internal certbot logrotation.
max-log-backups = 0

I have no specific attachment to using --standalone. This is just the command I learned from the blogs and posts I read when I first installed certbot way back when. I confess I don't even know what it does, only that it was working for me back when I was using cron to run an older certbot version. But this is good to know. My favorite idea is to figure out why the newer systems-based service is not working for me.


Then don't use it. It's not very useful when you already have a webserver running.

It spins up a temporary webserver to perform an http validation. But you can do that perfectly well using the apache webserver you already have, using --apache or --webroot.

Is this the command you're trying?

Try using certbot renew --apache --pre-hook "" --post-hook "" for the next ~100 days.

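An added example, not posted by anyone in the thread: a small audit of certbot renewal files that flags lineages which, like the ones quoted above, use the standalone authenticator with a pre_hook that stops the web server. The function names, the `STOP_RE` pattern and both sample configs (using example.org) are constructed for illustration.

```python
import re

# Constructed sample inputs modelled on the renewal files quoted in the thread.
STANDALONE_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
cert = /etc/letsencrypt/live/example.org/cert.pem

[renewalparams]
pre_hook = apachectl -k stop
post_hook = apachectl -k start
authenticator = standalone
"""
APACHE_CONF = """\
version = 0.31.0
[renewalparams]
authenticator = apache
installer = apache
"""

# Hypothetical heuristic: a service-control command followed by "stop".
STOP_RE = re.compile(r"\b(apachectl|apache2ctl|systemctl|service)\b.*\bstop\b")


def parse_renewal_conf(text):
    """Return {section: {key: value}}; keys before any header go under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out defaults
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def audit(text):
    """List reasons this lineage takes the web server down on renewal."""
    params = parse_renewal_conf(text).get("renewalparams", {})
    findings = []
    if params.get("authenticator") == "standalone":
        findings.append("standalone authenticator starts its own listener")
    pre, post = params.get("pre_hook", ""), params.get("post_hook", "")
    if STOP_RE.search(pre):
        findings.append(f"pre_hook stops the web server: {pre!r}")
        if "start" not in post:
            findings.append("no post_hook restarts it")
    return findings
```

To check a real host, call `audit()` on the contents of each file under /etc/letsencrypt/renewal/.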