Auto Renewal System

I'm trying to figure out how I can renew my certificates without any downtime to my Apache2 server and its client connections.

I use root's Crontab, configured with:

0 */4 * * * /root/letsencrypt-auto.sh

the /root/letsencrypt-auto.sh file contains:

#!/bin/bash
# Append a timestamp, then the renewal output, to the log
date >> /root/logs/letsencrypt.log
letsencrypt renew >> /root/logs/letsencrypt.log

and here is what my log file is spammed with:

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/imaginecrafting.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.imaginecrafting.com/fullchain.pem (failure)
  /etc/letsencrypt/live/mail.imaginecrafting.com/fullchain.pem (failure)
Thu Feb 15 16:00:01 UTC 2018
Processing /etc/letsencrypt/renewal/imaginecrafting.com.conf

-------------------------------------------------------------------------------
The program apache2 (process ID 2699) is already listening on TCP port 80. This
will prevent us from binding to that port. Please stop the apache2 program
temporarily and then try again. For automated renewal, you may want to use a
script that stops and starts your webserver. You can find an example at
https://letsencrypt.org/howitworks/#writing-your-own-renewal-script.
Alternatively you can use the webroot plugin to renew without needing to stop
and start your webserver.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.imaginecrafting.com.conf

-------------------------------------------------------------------------------
The program apache2 (process ID 2699) is already listening on TCP port 80. This
will prevent us from binding to that port. Please stop the apache2 program
temporarily and then try again. For automated renewal, you may want to use a
script that stops and starts your webserver. You can find an example at
https://letsencrypt.org/howitworks/#writing-your-own-renewal-script.
Alternatively you can use the webroot plugin to renew without needing to stop
and start your webserver.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.imaginecrafting.com.conf

-------------------------------------------------------------------------------
The program apache2 (process ID 2699) is already listening on TCP port 80. This
will prevent us from binding to that port. Please stop the apache2 program
temporarily and then try again. For automated renewal, you may want to use a
script that stops and starts your webserver. You can find an example at
https://letsencrypt.org/howitworks/#writing-your-own-renewal-script.
Alternatively you can use the webroot plugin to renew without needing to stop
and start your webserver.
-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/imaginecrafting.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.imaginecrafting.com/fullchain.pem (failure)
  /etc/letsencrypt/live/mail.imaginecrafting.com/fullchain.pem (failure)

I don't want to shut down my Apache2 server to renew certs. Is there any way I can configure traffic to route to my Apache2 server, except if the traffic is from the Letsencrypt verification process?

If so, what are the commands for such a thing?

I am using Ubuntu Server 16.04, hosted by DigitalOcean (so I don't have routing/switching capability, but I can do it all in a virtual machine).

Hi @Eliter,

It looks like you originally chose --standalone as your authentication method?

This method is meant for machines that don’t already have a web server running. Would you be able to use --webroot instead, as this message suggests? --standalone works by launching its own web server, while --webroot works by writing static files into a specified directory so that they’ll be served by an existing web server.

Looks like that is what I’m looking for. However, I need to set the webroot path. What do I set it to?

/var/www/html/whatever.staticfile? Is it an absolute path?

It should be an absolute path to your document root (the top level of your web site content).

Certbot will need to be able to create files within .well-known/acme-challenge (which you don’t have to create ahead of time) in that path and have them appear in the corresponding locations in /.well-known/acme-challenge on your site. There are some web server configurations (e.g. with some ways of configuring a CMS or other web application) where this won’t work because static files aren’t served by default, in which case you may need to add an exception to the web application routing so that /.well-known/acme-challenge is served directly out of the filesystem.
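A pre-flight check for the webroot setup described above, as an added example that is not from this thread or from Certbot: it drops a throwaway token under the webroot in the same place the webroot plugin writes its challenge files, fetches it back over HTTP, and reports whether the web server actually serves it. It assumes curl is installed and that the site answers on plain HTTP for the hostname you pass; the fetch command is a variable so the check can run without a live server.

```shell
#!/bin/bash
# Added example (not from the thread). Verifies that files written to
# $WEBROOT/.well-known/acme-challenge/ are reachable at
# http://HOST/.well-known/acme-challenge/ before switching certbot to --webroot.
set -u

# Write a probe file where certbot --webroot would write its challenge and
# print the URL path it must be served at.
place_probe() {
    local webroot="$1" token="$2"
    local dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token" || return 1
    printf '/.well-known/acme-challenge/%s\n' "$token"
}

# Fetch the probe over HTTP and compare with what was written.
# FETCH_CMD defaults to curl (assumption); override it to test offline.
FETCH_CMD="${FETCH_CMD:-curl -fsS}"
probe_served() {
    local host="$1" urlpath="$2" expected="$3"
    local got
    got=$($FETCH_CMD "http://$host$urlpath") || return 1
    [ "$got" = "$expected" ]
}

# Remove the probe so it is not left lying around in the document root.
cleanup_probe() {
    rm -f "$1/.well-known/acme-challenge/$2"
}

# Usage (constructed values; adjust webroot and host to your site):
#   token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
#   path=$(place_probe /var/www/html "$token")
#   if probe_served www.example.com "$path" "$token"; then
#       echo "webroot is served: safe to use --webroot -w /var/www/html"
#   else
#       echo "probe not served: check Apache DocumentRoot/Alias for .well-known"
#   fi
#   cleanup_probe /var/www/html "$token"
```

If the probe is not served, the fix belongs in the Apache configuration (DocumentRoot, or an Alias for /.well-known/acme-challenge that bypasses any application rewrite rules), not in certbot.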
