Auto renew editing vhost

husseycoding · March 3, 2020, 11:25am

So a few days ago, a site went down because Apache had shut down. Odd, so started up Apache again and a few hours later the same happened again. Digging into the logs I was seeing an error message relating to Apache being unable to listen on port 80. Now this server has a setup with haproxy listening on ports 80 and 443 to terminate the SSL, then the request is passed back to Varnish on port 8888 and finally to Apache on port 8080. So Apache shouldn’t even be trying to listen on port 80.

Looking at the vhost config, Apache was indeed configured to listen on port 80, but this same setup had been running untouched and without issue for a couple of months already. Eventually I thought about cerbot as being a potential cause of the issue and looked at the certficate, and the issues had started exactly 30 days before the certificate was due for renewal - which is the time certbot will renew a certificate.

So I can only really conclude that certbot auto renew has edited the Apache vhost config and in turn broken the site. Editing the vhost config was something I selected to happen on initial certificate generation, and this was before using haproxy and Varnish in front of Apache, but why is the vhost edited on auto renew and how can I stop it?

ZetaRevan · March 3, 2020, 1:15pm

How did you setup the renewal? Was it with an option or did you manually set up the cron job? I would confirm that the renewal cron job is not set with the --apache option.

husseycoding · March 3, 2020, 4:51pm

Ah yes, I think its the renew config, /etc/letsencrypt/renewal/domain.com.conf has the line:

installer = apache

which I have now commented to:

#installer = apache

and now a:

sudo certbot renew --dry-run

shows:

Plugins selected: Authenticator apache, Installer None

rather than:

Plugins selected: Authenticator apache, Installer apache

After running a renew (it actually failed automatically because I needed to define port 8080 with --http-01-port 8080 on certbot renew for the cron job) but running it from the command line certs were updated and the vhost looks to be unaffected, so hopefully thats sorted it. I’ll find out in 60 days I guess!

husseycoding · March 3, 2020, 6:46pm

Actually it turns out just setting the port for the renew command was enough and you don’t need to comment the installer plugin. This looks to make certbot work with the port you define and so even with the installer plugin doesn’t break the apache config.

system · April 2, 2020, 6:46pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cerbot-Auto Renewing Not Working on Apache Due to VHOST Configs Server	9	1860	April 26, 2017
Renewing fails when no vhost runs on port 80, but new certs are issued just fine Help	17	1381	March 16, 2019
Unable to auto renew certificates Help	8	5034	January 17, 2019
2 sites configured identically, one will autorenew, one won't Help	6	2054	March 18, 2018
Missed Vhost on Port 80 (after Apache update), but it is there Help	19	1181	June 5, 2022

Auto renew editing vhost

Related topics