Automatic Renewal not working

Hello,

I've received an email about the expiration of my certificates.
I thought I had auto-renewal configured, but it seems like it's not working.

When I run certbot renew manually I have an error: "Could not bind TCP port 80.."
Which makes sense to me as on that port nginx is running.
(During the weekend I will stop server and try the process again)

My question is: what do I need to change so that renewals work automatically?
I'd also like not to stop my nginx server.

DETAILS:

When running systemctl list-timers I can see snap.certbot.renew.timer there:

Thu 2023-11-23 16:32:00 UTC  6h left       Thu 2023-11-23 00:03:01 UTC  10h ago     snap.certbot.renew.timer     snap.certbot.renew.service

My sd.tsbph.cz.conf file:

# Options used in the renewal process
[renewalparams]
account = <not_sure_if_safe_to_share>
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

nginx config:

server {
    listen 80;
    server_name www2.tsbph.cz;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}
...
server {
    listen 80;
    server_name sd.tsbph.cz;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

My domain is:

sd.tsbph.cz

and

www2.tsbph.cz

I ran this command:

sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sd.tsbph.cz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for sd.tsbph.cz and www2.tsbph.cz
Failed to renew certificate sd.tsbph.cz with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/sd.tsbph.cz/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx/1.14.2

The operating system my web server runs on is (include version):
Debian GNU/Linux 10 (buster)

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.7.4

Is there a specific reason why you chose the standalone authenticator when you first set things up?


No, I just didn't understand the implications of this option.

You could try:

sudo certbot renew --nginx

For this once.

If that succeeds, Certbot should be able to renew without an issue in the future (with the current systemd timer).

You can test renewal, after the above command has been successful with renewing, with:

sudo certbot renew --dry-run

Thank you, this worked like a charm.

So the issue was with my original configurations?
I can see --nginx flag changed my sd.tsbph.cz.conf file:

# Options used in the renewal process
[renewalparams]
account = <????>
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
installer = nginx

Yes.
You originally used certbot with --standalone.
So, the automatic renewal process tried to do the same.
But you now have nginx using port 80.
So, the renewal process fails without full access to port 80.
The solution was to use nginx instead [of certbot --standalone].

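A small preflight check for the situation explained above, added here as an example and not part of Certbot or of this thread: it reads each renewal conf, reports any that still use authenticator = standalone, and flags those when something (nginx here) is already listening on TCP port 80, which is exactly the combination the timer-driven renewal cannot handle. The renewal directory path and the ss-based port check are assumptions about a typical Debian install.

```shell
#!/bin/sh
# Preflight check for Certbot renewal configs (added example, not Certbot's own code).
# "standalone" means Certbot must bind port 80 itself, which fails while nginx holds it;
# "nginx" lets Certbot answer the challenge through the running web server instead.

# Print the authenticator set in one renewal conf (e.g. "standalone" or "nginx").
renewal_authenticator() {
    # $1 = path to a /etc/letsencrypt/renewal/<name>.conf file
    sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 when some process already listens on TCP port 80 (assumes ss is available).
port80_in_use() {
    ss -ltn 2>/dev/null | awk '{print $4}' | grep -Eq '(^|:)80$'
}

# Check one conf; prints an OK/WARN line and returns 1 when renewal would fail.
check_renewal_conf() {
    conf="$1"; port_busy="$2"   # port_busy is "yes" or "no", passed in so this is testable
    auth=$(renewal_authenticator "$conf")
    if [ "$auth" = "standalone" ] && [ "$port_busy" = "yes" ]; then
        echo "WARN $conf: authenticator=standalone but port 80 is busy; run 'certbot renew --nginx' once"
        return 1
    fi
    echo "OK   $conf: authenticator=${auth:-<unset>}"
    return 0
}

# Walk every renewal conf the systemd timer would process; non-zero exit if any would fail.
main() {
    if port80_in_use; then busy=yes; else busy=no; fi
    rc=0
    for f in /etc/letsencrypt/renewal/*.conf; do
        [ -e "$f" ] || continue
        check_renewal_conf "$f" "$busy" || rc=1
    done
    return $rc
}

# Run the full check only when invoked with --run, so the functions can be sourced alone.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh check-renewal.sh --run` after the `--nginx` renewal to confirm every conf now reports OK, and again with `certbot renew --dry-run` for the real end-to-end test.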
