Auto renew editing vhost

So a few days ago, a site went down because Apache had shut down. Odd, so I started up Apache again and a few hours later the same happened again. Digging into the logs I was seeing an error message relating to Apache being unable to listen on port 80. Now this server has a setup with haproxy listening on ports 80 and 443 to terminate the SSL, then the request is passed back to Varnish on port 8888 and finally to Apache on port 8080. So Apache shouldn’t even be trying to listen on port 80.

Looking at the vhost config, Apache was indeed configured to listen on port 80, but this same setup had been running untouched and without issue for a couple of months already. Eventually I thought about certbot as being a potential cause of the issue and looked at the certificate, and the issues had started exactly 30 days before the certificate was due for renewal - which is the time certbot will renew a certificate.

So I can only really conclude that certbot auto renew has edited the Apache vhost config and in turn broken the site. Editing the vhost config was something I selected to happen on initial certificate generation, and this was before using haproxy and Varnish in front of Apache, but why is the vhost edited on auto renew and how can I stop it?

How did you set up the renewal? Was it with an option or did you manually set up the cron job? I would confirm that the renewal cron job is not set with the --apache option.

Ah yes, I think it's the renew config, /etc/letsencrypt/renewal/ has the line:

installer = apache

which I have now commented to:

#installer = apache

and now a:

sudo certbot renew --dry-run


Plugins selected: Authenticator apache, Installer None

rather than:

Plugins selected: Authenticator apache, Installer apache

After running a renew (it actually failed automatically because I needed to define port 8080 with --http-01-port 8080 on certbot renew for the cron job) but running it from the command line certs were updated and the vhost looks to be unaffected, so hopefully that's sorted it. I’ll find out in 60 days I guess!

Actually it turns out just setting the port for the renew command was enough and you don’t need to comment the installer plugin. This looks to make certbot work with the port you define and so even with the installer plugin doesn’t break the apache config.
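
As an added example (not part of the thread and not certbot's own code), a shell audit of the renewal files under /etc/letsencrypt/renewal/ that flags lineages where the HTTP-01 port is not pinned, with or without an installer plugin. It assumes `http01_port` is the renewal-file key that corresponds to `--http-01-port`, that the backend port is 8080 as in the thread, and it runs on constructed sample files; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit certbot renewal files on a host
# where Apache sits behind a proxy and must keep its backend port.

# renewal_value FILE KEY: print the value of the first uncommented "KEY = value" line.
renewal_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# audit_renewal_dir DIR PORT: one line per lineage with a verdict.
audit_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        installer=$(renewal_value "$conf" installer)
        port=$(renewal_value "$conf" http01_port)
        if [ "$port" = "$2" ]; then
            verdict=OK                  # port pinned: the fix the thread settled on
        elif [ -n "$installer" ] && [ "$installer" != "None" ]; then
            verdict=REVIEW-installer    # installer active and port not pinned
        else
            verdict=REVIEW-port         # no installer, but port not pinned
        fi
        printf '%s installer=%s http01_port=%s %s\n' \
            "$(basename "$conf" .conf)" "${installer:-none}" "${port:-unset}" "$verdict"
    done
}

# make_sample_dir: write constructed renewal files to a temp dir and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = apache\ninstaller = apache\n' > "$d/a.example.conf"
    printf '[renewalparams]\nauthenticator = apache\n#installer = apache\n' > "$d/b.example.conf"
    printf '[renewalparams]\nauthenticator = apache\ninstaller = apache\nhttp01_port = 8080\n' > "$d/c.example.conf"
    echo "$d"
}

# Demo on constructed data; on a real host: audit_renewal_dir /etc/letsencrypt/renewal 8080
sample=$(make_sample_dir)
audit_renewal_dir "$sample" 8080
rm -rf "$sample"
```

A REVIEW line only marks a lineage to inspect; follow it with `sudo certbot renew --dry-run` as in the thread and check the "Plugins selected" line.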
