Automated renewal of cert fails

Hello

I am unable to renew my cert which was created the way beneath:

sudo certbot certonly --quiet --pre-hook "service nginx stop" --post-hook "service nginx start" --standalone -n --rsa-key-size 4096 --agree-tos -m me@provider.com -d sub.domain.tld --standalone-supported-challenges tls-sni-01

To renew the cert I added the following line to crontab -e (for root user):

0 4 * * * certbot renew --standalone --pre-hook "service nginx stop" --post-hook "service nginx start" >> /var/log/letsencrypt/letsencrypt.log

It fails. Here is the error log:

Error Log
2017-02-19 11:00:06,351:DEBUG:certbot.main:Root logging level set at 30
2017-02-19 11:00:06,354:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-02-19 11:00:06,357:DEBUG:certbot.main:certbot version: 0.9.3
2017-02-19 11:00:06,357:DEBUG:certbot.main:Arguments: ['-q']
2017-02-19 11:00:06,360:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-02-19 11:00:06,396:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2017-02-19 11:00:06,433:DEBUG:parsedatetime:CRE_UNITS matched
2017-02-19 11:00:06,435:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2017-02-19 11:00:06,435:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2017-02-19 11:00:06,435:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2017-02-19 11:00:06,436:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2017, tm_mon=2, tm_mday=19, tm_hour=11, tm_min=0, tm_sec=6, tm_wday=6, tm_yday=50, tm_isdst=0))
2017-02-19 11:00:06,436:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2017-02-19 11:00:06,436:DEBUG:parsedatetime:units days --> realunit days
2017-02-19 11:00:06,437:DEBUG:parsedatetime:return
2017-02-19 11:00:06,437:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-03-10 11:07:00 UTC.
2017-02-19 11:00:06,437:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-02-19 11:00:06,497:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-02-19 11:00:08,221:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x73d6c8b0>
Prep: True
2017-02-19 11:00:08,224:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x73d6c8b0> and installer None
2017-02-19 11:00:08,426:DEBUG:certbot.main:Picked account: <Account(598fb1ab50ec1020df31fab909093113)>
2017-02-19 11:00:08,443:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2017-02-19 11:00:08,454:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-02-19 11:00:09,756:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 352
2017-02-19 11:00:09,759:DEBUG:root:Received <Response [200]>. Headers: {'content-length': '352', 'expires': 'Sun, 19 Feb 2017 11:00:09 GMT', 'boulder-request-id': 'XTDbNCg0wmMdEgVGfhD_DqCDNsr2KCTyAN387AGy6Ds', 'strict-transport-security': 'max-age=604800', 'server': 'nginx', 'connection': 'keep-alive', 'pragma': 'no-cache', 'cache-control': 'max-age=0, no-cache, no-store', 'date': 'Sun, 19 Feb 2017 11:00:09 GMT', 'x-frame-options': 'DENY', 'content-type': 'application/json', 'replay-nonce': 'rGsIehPFOKdDtsllARQtvQcqNfd-3Ww4AutHzp7GM-k'}. Content: '{\n  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",\n  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2017-02-19 11:00:09,759:DEBUG:acme.client:Received response <Response [200]> (headers: {'content-length': '352', 'expires': 'Sun, 19 Feb 2017 11:00:09 GMT', 'boulder-request-id': 'XTDbNCg0wmMdEgVGfhD_DqCDNsr2KCTyAN387AGy6Ds', 'strict-transport-security': 'max-age=604800', 'server': 'nginx', 'connection': 'keep-alive', 'pragma': 'no-cache', 'cache-control': 'max-age=0, no-cache, no-store', 'date': 'Sun, 19 Feb 2017 11:00:09 GMT', 'x-frame-options': 'DENY', 'content-type': 'application/json', 'replay-nonce': 'rGsIehPFOKdDtsllARQtvQcqNfd-3Ww4AutHzp7GM-k'}): '{\n  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",\n  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2017-02-19 11:00:09,761:INFO:certbot.main:Renewing an existing certificate
2017-02-19 11:00:09,762:DEBUG:root:Requesting fresh nonce
2017-02-19 11:00:09,763:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2017-02-19 11:00:10,789:DEBUG:urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-02-19 11:00:10,791:DEBUG:root:Received <Response [405]>. Headers: {'content-length': '91', 'pragma': 'no-cache', 'boulder-request-id': 'O3KKirL6c8Oiw0alqUPKsCIm2gxZp8ub5KGOqxp7m3M', 'expires': 'Sun, 19 Feb 2017 11:00:10 GMT', 'server': 'nginx', 'connection': 'keep-alive', 'allow': 'POST', 'cache-control': 'max-age=0, no-cache, no-store', 'date': 'Sun, 19 Feb 2017 11:00:10 GMT', 'content-type': 'application/problem+json', 'replay-nonce': 'Go0Ax8T7N4pS4y-dxIUe7afrLKn3gSccMx1dxQ3KZec'}. Content: ''
2017-02-19 11:00:10,791:DEBUG:acme.client:Storing nonce: "\x1a\x8d\x00\xc7\xc4\xfb7\x8aR\xe3/\x9d\xc4\x85\x1e\xed\xa7\xeb,\xa9\xf7\x81'\x1c3\x1d]\xc5\r\xcae\xe7"
2017-02-19 11:00:10,795:DEBUG:acme.jose.json_util:Omitted empty fields: combinations=None, expires=None, status=None, challenges=None
2017-02-19 11:00:10,795:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "sub.domain.tld"}, "resource": "new-authz"}
2017-02-19 11:00:10,811:DEBUG:acme.jose.json_util:Omitted empty fields: x5u=None, x5c=(), crit=(), cty=None, x5tS256=None, jku=None, alg=None, jwk=None, kid=None, typ=None, x5t=None
2017-02-19 11:00:10,987:DEBUG:acme.jose.json_util:Omitted empty fields: x5u=None, x5c=(), crit=(), cty=None, x5tS256=None, jku=None, nonce=None, typ=None, kid=None, x5t=None
2017-02-19 11:00:10,988:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "yoPFSvedZxOnC3X4va54z5BephMKXha1XW611KHqUMV9V5KtOtJ2x2ADW1TDEbjwp7U0e4F0BHk5mHeZfifBXzN8sz0rMeQhLxU22wVRTib8MOxu8gp1oPWCzDLXOYOipv2u3xPEqgBLfdd5cXNKTgnOAraMIsdT12WE03kXmqFLpac3y9zr8cLJStgtua2zp79pVTUU_PryXGAaHOrk-ig4tiybvhP4mnBiltzB1_p_OLYEdWx3dQK4gV_aUeO4aIcq65ECs8UHdSvNn25TlT7GU3rD6fttHX5G2Bjf6on3g4zcbMRfvd5h42oxmUTPOagTp7meo4m4aCgcop4KiaIUzEHOtwXGq5FBSZShggdSlqj2hdWt2FtLWBiyiDzMhnNfrKEveOjiVGAFpf6zmNspXc9qlEB_yZDAHM_NgBaCrNCYFLjVEuonmegCy4NoQ3hgNHMZqdIkpdjW12lDey9QCNstn7MiDpelEaIYo1JGh57m3g95RoHfgJTQKzsPUXqK-ms-FvkQ-AeSpxwsAMBSRFjet9EG4iSMOmtE2g_8xW8Tm_QwelEbleq5-_1-Er271g5hQagj7cxqYBTOU3XdFeu_IWSSHOtK2F9IYawcQZF7wVQA4o-_PVo-DtxO9MPjrsFdsKwrLf8kusytItO5Cql2k-jOO51uRNdAkQ0"}}, "protected": "eyJub25jZSI6ICJHbzBBeDhUN040cFM0eS1keElVZTdhZnJMS24zZ1NjY014MWR4UTNLWmVjIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJ3aW50ZXIucGMtZmVlLmNvbSJ9LCAicmVzb3VyY2UiOiAibmV3LWF1dGh6In0", "signature": "UFZ_ZlG8sCUmv1zvA08id3fl8E1oE98hW0C7wTper2Lo75w9Rjds02GE5-GJQfZfsYQn5Z6MwnXfLJ5h-qKuy7AZY-P2x2YDe43QeVhSmse1mAVKInW39VsYxOo-F_qEQNlibp5gwpesREB31kQL-x5KiY26da-eI47NAnn1v6iVgtgwhBFgmb8884piumJyMFX_D50P4YkWLSobO8ave-myUEtsf_C-jvnkWg1UkpjZ5iBB7azJvnmO1Kw4bGQ1WRyAPAHYq0BaIjOinRBMx5Pun_PI0VmY_LM9q_K2kMmeCPwjP0xLNiNWNpx-aBk1N3DFM34f1VpnyOcyWyt-DmhC1spi2nsvgfjctiwk5Z-yGwnsUGbKFUj2EK_6bENWYCpC336fgun65N_20KpIy1CKpLuZf7j2mmGJE5RxOGGxpmGiRuCXKSOq6TKMIrh4cL3uiH-LfR-FTlwnCcIJmjW91MiSe80FXYcYQLNAgpxDCMUUfEkvX9j6Hr5I6JykqpWcTqqa1vDR3Ue4pPG9MhOq7j51scdAW4YZN6RoRurNXguSZXGVysRe--5i4F3ydgIfvoTEXGcg6xTzCkW8RTfSu5UdWs386Nc4jNPK00Mhyb7BoCF4O2ImUg8z09wGA4Rtof-QxKIObD4YKDF4p9QGA7e1U1AUCyE1I_sfO1Y"}'}
2017-02-19 11:00:11,908:DEBUG:urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1002
2017-02-19 11:00:11,910:DEBUG:root:Received <Response [201]>. Headers: {'content-length': '1002', 'expires': 'Sun, 19 Feb 2017 11:00:11 GMT', 'boulder-request-id': 'Qh9TFNLoK4NwHdPcBbR-eokeY1u71pNs7OQSWEC4lSI', 'strict-transport-security': 'max-age=604800', 'server': 'nginx', 'cache-control': 'max-age=0, no-cache, no-store', 'connection': 'keep-alive', 'link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'location': 'https://acme-v01.api.letsencrypt.org/acme/authz/tbR6dWXjZoO6_DE_9DLjFP2e5053Ho-eUYyBqI2STqs', 'pragma': 'no-cache', 'boulder-requester': '7119559', 'date': 'Sun, 19 Feb 2017 11:00:11 GMT', 'x-frame-options': 'DENY', 'content-type': 'application/json', 'replay-nonce': 'kScoyF6PTHSezdb5l7PgGY5Zpfdgglfx0tVSKNVkFmQ'}. Content: '{\n  "identifier": {\n    "type": "dns",\n    "value": "sub.domain.tld"\n  },\n  "status": "pending",\n  "expires": "2017-02-26T11:00:11.783058401Z",\n  "challenges": [\n    {\n      "type": "dns-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/tbR6dWXjZoO6_DE_9DLjFP2e5053Ho-eUYyBqI2STqs/673557697",\n      "token": "EDLFhKZPjK4lbnqeLhxhhdyFV_tiLBrHPrdQxOyS3sM"\n    },\n    {\n      "type": "tls-sni-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/tbR6dWXjZoO6_DE_9DLjFP2e5053Ho-eUYyBqI2STqs/673557698",\n      "token": "NRlCcdcMrfjv9eBExLZ9GNMkKeULiobHQOXvDdEfXHQ"\n    },\n    {\n      "type": "http-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/tbR6dWXjZoO6_DE_9DLjFP2e5053Ho-eUYyBqI2STqs/673557699",\n      "token": "Ctt6IE7EvupL0fhuqZounIAqYV0948blanTP8AQEc7s"\n    }\n  ],\n  "combinations": [\n    [\n      1\n    ],\n    [\n      0\n    ],\n    [\n      2\n    ]\n  ]\n}'
2017-02-19 11:00:11,911:DEBUG:acme.client:Storing nonce: "\x91'(\xc8^\x8fLt\x9e\xcd\xd6\xf9\x97\xb3\xe0\x19\x8eY\xa5\xf7`\x82W\xf1\xd2\xd5R(\xd5d\x16d"
2017-02-19 11:00:11,912:DEBUG:acme.client:Received response <Response [201]> (headers: {'content-length': '1002', 'expires': 'Sun, 19 Feb 2017 11:00:11 GMT', 'boulder-request-id': 'Qh9TFNLoK4NwHdPcBbR-eokeY1u71pNs7OQSWEC4lSI', 'strict-transport-security': 'max-age=604800', 'server': 'nginx', 'cache-control': 'max-age=0, no-cache, no-store', 'connection': 'keep-alive', 'link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'location': 'https://acme-v01.api.letsencrypt.org/acme/authz/tbR6dWXjZoO6_DE_9DLjFP2e5053Ho-eUYyBqI2STqs', 'pragma': 'no-cache', 'boulder-requester': '7119559', 'date': 'Sun, 19 Feb 2017 11:00:11 GMT', 'x-frame-options': 'DENY', 'content-type': 'application/json', 'replay-nonce': 'kScoyF6PTHSezdb5l7PgGY5Zpfdgglfx0tVSKNVkFmQ'}): '{\n  "identifier": {\n    "type": "dns",\n    "value": "sub.domain.com"\n  },\n  "status": "pending",\n  "expires": "2017-02-26T11:00:11.783058401Z",\n  "challenges": [\n    {\n      "type": "dns-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/tbR6dWXjZoO6_DE_9DLjFP2e5053Ho-eUYyBqI2STqs/673557697",\n      "token": "EDLFhKZPjK4lbnqeLhxhhdyFV_tiLBrHPrdQxOyS3sM"\n    },\n    {\n      "type": "tls-sni-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/tbR6dWXjZoO6_DE_9DLjFP2e5053Ho-eUYyBqI2STqs/673557698",\n      "token": "NRlCcdcMrfjv9eBExLZ9GNMkKeULiobHQOXvDdEfXHQ"\n    },\n    {\n      "type": "http-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/tbR6dWXjZoO6_DE_9DLjFP2e5053Ho-eUYyBqI2STqs/673557699",\n      "token": "Ctt6IE7EvupL0fhuqZounIAqYV0948blanTP8AQEc7s"\n    }\n  ],\n  "combinations": [\n    [\n      1\n    ],\n    [\n      0\n    ],\n    [\n      2\n    ]\n  ]\n}'
2017-02-19 11:00:11,915:INFO:certbot.auth_handler:Performing the following challenges:
2017-02-19 11:00:11,915:INFO:certbot.auth_handler:tls-sni-01 challenge for sub.domain.com
2017-02-19 11:00:11,956:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 112, in _solve_challenges
    resp = self.auth.perform(self.achalls)
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 234, in perform
    self._verify_ports_are_available(achalls)
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 231, in _verify_ports_are_available
    "At least one of the required ports is already taken.")
MisconfigurationError: At least one of the required ports is already taken.

2017-02-19 11:00:11,957:DEBUG:certbot.error_handler:Calling registered functions
2017-02-19 11:00:11,957:INFO:certbot.auth_handler:Cleaning up challenges
2017-02-19 11:00:11,958:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/sub.domain.com.conf produced an unexpected error: At least one of the required ports is already taken.. Skipping.
2017-02-19 11:00:11,967:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 348, in renew_all_lineages
    main.obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 563, in obtain_cert
    action, _ = _auth_from_domains(le_client, config, domains, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 96, in _auth_from_domains
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 238, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 253, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 74, in get_authorizations
    resp = self._solve_challenges()
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 112, in _solve_challenges
    resp = self.auth.perform(self.achalls)
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 234, in perform
    self._verify_ports_are_available(achalls)
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 231, in _verify_ports_are_available
    "At least one of the required ports is already taken.")
MisconfigurationError: At least one of the required ports is already taken.

2017-02-19 11:00:11,978:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.9.3', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 592, in renew
    renewal.renew_all_lineages(config)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 365, in renew_all_lineages
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

As I am new I am not able to understand the error log yet. So I kindly ask for your assistance. What is going wrong? What did I miss to do? Any idea to get this fixed?

I followed this guide.

Kind regards
//neph

The error message says “At least one of the required ports is already taken”.

The standalone mode of Certbot works like this: Certbot becomes a tiny web server listening for connections, and then when Let’s Encrypt wants to validate that you really control your names it can connect over the Internet to your web server (which is Certbot) and get confidence it’s talking to the same software which asked for the certificate.

You asked for tls-sni-01 challenge, which is done by answering on port 443 (the default HTTPS port). So Certbot wants to listen for connections to this port. But, according to this error, something else was still listening on port 443.

The hooks you set, to start and stop nginx, should have ensured nginx was not listening. So, my first thoughts are:

  • Do you actually have another HTTP(S) server, such as Apache or a proxy server, or anything like that which might be still running?

  • Does the nginx properly stop when asked, or does it give back control immediately, then stop gradually a few seconds later (which would be too slow for Certbot)?

You might be able to run the following command, which asks for a list of servers listening on any port.

sudo lsof -iTCP -sTCP:LISTEN
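
An added example, not part of the thread or of Certbot: the log in the question records Arguments: ['-q'] for a run starting at 11:00:06, while the crontab line shown carries the hooks and is scheduled for 04:00, so it is worth checking per run whether the hooks were on the command line at all. The function names and the second sample run are constructed; hooks configured anywhere other than the command line are not visible to this check.

```shell
#!/bin/sh
# Added example, not from the thread: one summary line per certbot run in a
# debug log: start time, whether hooks were on the command line, outcome.

# certbot_runs [FILE...]: reads letsencrypt.log-style text (stdin if no FILE).
certbot_runs() {
    awk '
    function emit() {
        if (start != "")
            printf "%s|hooks=%s|%s\n", start, hooks, (err == "" ? "ok" : err)
    }
    # Each run logs its options once, on the certbot.main "Arguments:" line.
    /:DEBUG:certbot\.main:Arguments: / {
        emit()
        start = substr($0, 1, 19)               # "YYYY-MM-DD HH:MM:SS"
        hooks = ($0 ~ /--pre-hook/ && $0 ~ /--post-hook/) ? "yes" : "no"
        err = ""
    }
    # The last line of a traceback names the exception; keep the first one.
    /^[A-Za-z_.]+Error: / && err == "" { err = $0 }
    END { emit() }
    ' "$@"
}

# Sample input. The first run repeats lines from the log in the question;
# the second run is constructed to show a run started with both hooks.
sample_log() {
    cat <<'EOF'
2017-02-19 11:00:06,357:DEBUG:certbot.main:certbot version: 0.9.3
2017-02-19 11:00:06,357:DEBUG:certbot.main:Arguments: ['-q']
2017-02-19 11:00:11,915:INFO:certbot.auth_handler:tls-sni-01 challenge for sub.domain.com
MisconfigurationError: At least one of the required ports is already taken.
2017-02-19 11:00:11,978:DEBUG:certbot.main:Exiting abnormally:
Error: 1 renew failure(s), 0 parse failure(s)
2017-02-26 04:00:02,101:DEBUG:certbot.main:certbot version: 0.9.3
2017-02-26 04:00:02,101:DEBUG:certbot.main:Arguments: ['--standalone', '--pre-hook', 'service nginx stop', '--post-hook', 'service nginx start']
2017-02-26 04:00:09,440:INFO:certbot.auth_handler:Cleaning up challenges
EOF
}

sample_log | certbot_runs
```

On a real system the same function can be pointed at /var/log/letsencrypt/letsencrypt.log to see which scheduled job produced each failing run.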

Thank you so much for your kind explanation! :+1:

This is the result:

pi@winter-pi:~ $ sudo lsof -iTCP -sTCP:LISTEN
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
spreed-we  518     root    3u  IPv4  12529      0t0  TCP localhost:http-alt (LISTEN)
sshd       534     root    3u  IPv4  12464      0t0  TCP *:ssh (LISTEN)
sshd       534     root    4u  IPv6  12466      0t0  TCP *:ssh (LISTEN)
memcached  542 memcache   26u  IPv4  12493      0t0  TCP localhost:11211 (LISTEN)
nginx      720     root    6u  IPv4  11584      0t0  TCP *:https (LISTEN)
nginx      720     root    7u  IPv6  11585      0t0  TCP *:https (LISTEN)
nginx      722 www-data    6u  IPv4  11584      0t0  TCP *:https (LISTEN)
nginx      722 www-data    7u  IPv6  11585      0t0  TCP *:https (LISTEN)
nginx      723 www-data    6u  IPv4  11584      0t0  TCP *:https (LISTEN)
nginx      723 www-data    7u  IPv6  11585      0t0  TCP *:https (LISTEN)
nginx      724 www-data    6u  IPv4  11584      0t0  TCP *:https (LISTEN)
nginx      724 www-data    7u  IPv6  11585      0t0  TCP *:https (LISTEN)
nginx      725 www-data    6u  IPv4  11584      0t0  TCP *:https (LISTEN)
nginx      725 www-data    7u  IPv6  11585      0t0  TCP *:https (LISTEN)
mysqld    1233    mysql   10u  IPv4   9842      0t0  TCP localhost:mysql (LISTEN)
php5-fpm  1257     root    8u  IPv4  10747      0t0  TCP localhost:9000 (LISTEN)
php5-fpm  3036 www-data    0u  IPv4  10747      0t0  TCP localhost:9000 (LISTEN)
php5-fpm  8509 www-data    0u  IPv4  10747      0t0  TCP localhost:9000 (LISTEN)
php5-fpm  8511 www-data    0u  IPv4  10747      0t0  TCP localhost:9000 (LISTEN)

Seems to be just nginx which is listening on HTTP(S) port.

I will handle it via a script (le_renew.sh) as of now:

#!/bin/bash
# Renews the Let's Encrypt certificate

service nginx stop
certbot renew --standalone
service nginx start

Then I have added this to root’s crontab:

45 3 * * 1 /path/to/script/le_renew.sh >> /var/log/letsencrypt/letsencrypt.log

Should work now.

Thank you so much.

Kind regards
//neph
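
An added example, not from the thread: a parser for the lsof listing above that names the processes holding a port, plus a wait loop for the case raised earlier where nginx returns control before it has released the port. The function names, LIST_CMD and the sample listing are constructed for illustration; -n and -P make lsof print numeric addresses and ports.

```shell
#!/bin/sh
# Added example, not from the thread: report which processes hold a TCP port
# and wait, pre-hook style, until the port has been released.

# Command that lists listening TCP sockets; override it for offline tests.
# If the command is missing, the listing is empty and the port counts as free.
LIST_CMD=${LIST_CMD:-"lsof -nP -iTCP -sTCP:LISTEN"}

# port_holders PORT [NAME]: read an lsof listing on stdin and print
# "command pid user" once per process listening on PORT or service NAME.
port_holders() {
    awk -v port="$1" -v name="${2:-$1}" '
    $2 ~ /^[0-9]+$/ {                    # skip the header row
        p = $(NF - 1)                    # "*:https", "127.0.0.1:443", "[::1]:443"
        sub(/^.*:/, "", p)               # keep what follows the last colon
        if ((p == port || p == name) && !seen[$2]++) print $1, $2, $3
    }'
}

# wait_port_free PORT NAME TRIES: poll once per second, fail after TRIES polls.
wait_port_free() {
    tries=0
    while [ -n "$($LIST_CMD 2>/dev/null | port_holders "$1" "$2")" ]; do
        tries=$((tries + 1))
        [ "$tries" -ge "$3" ] && return 1
        sleep 1
    done
    return 0
}

# Constructed sample in the layout of the listing posted above.
sample_listing() {
    cat <<'EOF'
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       534     root    3u  IPv4  12464      0t0  TCP *:ssh (LISTEN)
nginx      720     root    6u  IPv4  11584      0t0  TCP *:https (LISTEN)
nginx      720     root    7u  IPv6  11585      0t0  TCP *:https (LISTEN)
nginx      722 www-data    6u  IPv4  11584      0t0  TCP *:https (LISTEN)
mysqld    1233    mysql   10u  IPv4   9842      0t0  TCP localhost:mysql (LISTEN)
EOF
}

sample_listing | port_holders 443 https
```

Called as wait_port_free 443 https 10 right after the nginx stop command, it returns non-zero if something still listens after ten polls, so the renewal can be skipped instead of failing on the port check.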


But this stops nginx every day - instead of stop nginx only when renewal is required.

You’re right. This is too much. Cron now checks twice per month. That should be enough. Solution is updated.

It is okay to check certificate expiration every day - but you don't have to stop nginx every time. Try to solve the problem using pre- and post-hook - then nginx is stopped when needed only.

Twice per month can cause problems - for example expiration on 31st:
on 1st - nothing to do, cert valid more than 30 days.
on 15th - maybe issuing fails… next try on 1st of the next month is too late…

As you’re running a webserver, you might prefer to use the webroot plugin.

As you can see in my initial post, pre- and post-hook did not work for me. This caused the error I provided in same post. Anyhow, I updated solution again and check now every week for expiration.

Is it possible to do the domain validation via port 443 using this plugin? I found the text beneath in:

https://certbot.eff.org/docs/using.html#webroot

(...)Then the Let’s Encrypt validation server makes HTTP requests to validate that the DNS for each requested domain resolves to the server running certbot.(...)

I don't want to open port 80 in my network and I couldn't find any comment referring to HTTPS in this part. So this means to me, that webroot does not support the domain validation via TCP443. Am I right?

Kind regards
//neph

Webroot uses port 80 exclusively for the initial connection, yes, but subsequently can be redirected to (other) HTTPS destinations.

But for my information: if you don't want to have port 80 open.. How will people access your site? Your visitors will have to manually enter https:// in front of your web address?

Does this mean I can get the cert the way I did (initial post) and renew it using webroot?

This is not an official one. Just a small service at home for private use only.
