Cannot automate the multi-domain renewal of certificates with cron

My domain is: eigenval.ml

I ran this command:

I have been trying for a long time to automate the renewal procedure. So far I have the following line in my cron file:

43 6 * * * cd /var/www/letsencrypt/ && ./certbot-auto renew --allow-subset-of-names && systemctl restart nginx

but it seems that it doesn't renew the certificate.

Within the cron logs I can see the following but nothing weird IMO

Jul 20 06:43:01 WEB CRON[31433]: (root) CMD (cd /var/www/letsencrypt/ && ./certbot-auto renew --allow-subset-of-names && systemctl restart nginx)

Any ideas on what I migh

My web server is (include version): nginx 1.14.x

The operating system my web server runs on is (include version): Debian 8

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.9.0

Try merging the first two commands:

/var/www/letsencrypt/certbot-auto renew --allow-subset-of-names

And also including the third command:
/var/www/letsencrypt/certbot-auto renew --allow-subset-of-names \
--deploy-hook /path/to/deploy-hook-script

[you just need to make the script that contains "systemctl restart nginx"]
[OR put that last command on another cron line by itself - and run that once a week]

I turned it into something like that, but it seems that it doesn't work either.

*/5 * * * * /var/www/letsencrypt/certbot-auto renew --allow-subset-of-names --deploy-hook /var/www/letsencrypt/deploy-hook-script.sh

Also within the letsencrypt logs I found this:

2021-07-21 08:20:02,680:DEBUG:certbot._internal.main:certbot version: 1.9.0
2021-07-21 08:20:02,680:DEBUG:certbot._internal.main:Arguments: ['--allow-subset-of-names', '--deploy-hook', '/var/www/letsencrypt/deploy-hook-script.sh']
2021-07-21 08:20:02,680:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-07-21 08:20:02,717:DEBUG:certbot._internal.log:Root logging level set at 20
2021-07-21 08:20:02,719:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-07-21 08:20:02,784:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7fe0a5827290> and installer <certbot._internal.cli.cli_utils._Default object at 0x7fe0a5827290>
2021-07-21 08:20:02,784:DEBUG:certbot._internal.cli:Var allow_subset_of_names=True (set by user).
2021-07-21 08:20:02,848:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2021-07-21 08:20:02,910:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2021-07-21 08:20:02,913:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/eigenval.ml/cert12.pem is signed by the certificate's issuer.
2021-07-21 08:20:02,919:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/eigenval.ml/cert12.pem is: OCSPCertStatus.GOOD
2021-07-21 08:20:02,924:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2021-07-22 10:49:06 UTC.
2021-07-21 08:20:02,925:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing...
2021-07-21 08:20:02,925:INFO:certbot._internal.renewal:Non-interactive renewal: random delay of 120.184096693 seconds
2021-07-21 08:22:03,202:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer None
2021-07-21 08:22:03,214:DEBUG:certbot._internal.plugins.disco:No installation (PluginEntryPoint#nginx): Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 157, in prepare
    self._initialized.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/_internal/configurator.py", line 185, in prepare
    "Could not find a usable 'nginx' binary. Ensure nginx exists, "
NoInstallationError: Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.
2021-07-21 08:22:03,215:DEBUG:certbot._internal.plugins.selection:No candidate plugin
2021-07-21 08:22:03,215:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer None
2021-07-21 08:22:03,215:INFO:certbot._internal.main:Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)
2021-07-21 08:22:03,216:WARNING:certbot._internal.renewal:Attempting to renew cert (eigenval.ml) from /etc/letsencrypt/renewal/eigenval.ml.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",). Skipping.
2021-07-21 08:22:03,218:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 472, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1178, in renew_cert
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 235, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/selection.py", line 339, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
PluginSelectionError: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.",)

2021-07-21 08:22:03,218:ERROR:certbot._internal.renewal:All renewal attempts failed. The following certs could not be renewed:
2021-07-21 08:22:03,218:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/eigenval.ml/fullchain.pem (failure)
2021-07-21 08:22:03,219:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1362, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1267, in renew
    renewal.handle_renewal_request(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 497, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
2021-07-21 08:22:03,219:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

nginx needs to be in your (cron user's) path or you need to specify the full path to the nginx binary.

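The "Could not find a usable 'nginx' binary" failure can be reproduced without waiting for cron by resolving the commands under the PATH cron hands to its jobs. This is an added example, not part of the original thread: the script name cron-path-check.sh and the function names are hypothetical, and the default of /usr/bin:/bin is an assumption (the PATH Debian's cron gives to jobs in a user crontab).

```shell
#!/bin/sh
# Added example (not from the thread): find out which commands a cron job
# can resolve under cron's reduced PATH before the scheduled run fails.

# Assumption: PATH given to user-crontab jobs by Debian's cron.
CRON_PATH="${CRON_PATH:-/usr/bin:/bin}"

# resolve_under PATH_VALUE NAME
# Print where NAME resolves when PATH is PATH_VALUE; return non-zero if it
# does not resolve. The environment is emptied first because cron does not
# inherit the interactive shell's environment.
resolve_under() {
    env -i PATH="$1" /bin/sh -c 'command -v "$1"' sh "$2"
}

# missing_under PATH_VALUE NAME...
# Print every NAME that would not be found; return 1 if any is missing.
missing_under() {
    _path="$1"; shift
    _rc=0
    for _name in "$@"; do
        if ! resolve_under "$_path" "$_name" >/dev/null; then
            printf '%s\n' "$_name"
            _rc=1
        fi
    done
    return "$_rc"
}

# Usage: sh cron-path-check.sh --check
# Checks the two commands the renewal job in this thread depends on.
if [ "${1:-}" = "--check" ]; then
    missing_under "$CRON_PATH" nginx systemctl ||
        echo "not in cron's PATH: use absolute paths or set PATH= in the crontab" >&2
fi
```

Any name it prints has to be called by absolute path (as with --nginx-ctl /usr/sbin/nginx) or made reachable with a PATH= line at the top of the crontab.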

So what I did was to change the cron line into this:

*/5 * * * * /var/www/letsencrypt/certbot-auto renew --nginx --nginx-ctl /usr/sbin/nginx --nginx-server-root /etc/nginx --allow-subset-of-names --deploy-hook /var/www/letsencrypt/deploy-hook-script.sh

I also changed the first line of the nginx.conf into: user nobody nogroup;

The renewal succeeded, but then it couldn't restart nginx.

Here are the errors from the letsencrypt log file:

2021-07-21 08:53:03,848:ERROR:certbot.compat.misc:deploy-hook command "/var/www/letsencrypt/deploy-hook-script.sh" returned error code 1
2021-07-21 08:53:03,849:ERROR:certbot.compat.misc:Error output from deploy-hook command deploy-hook-script.sh:
Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.

2021-07-21 08:53:03,877:DEBUG:certbot_nginx._internal.configurator:nginx reload failed:
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)

2021-07-21 08:53:06,404:WARNING:certbot._internal.renewal:Attempting to renew cert (eigenval.ml) from /etc/letsencrypt/renewal/eigenval.ml.conf produced an unexpected error: nginx restart failed:
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] still could not bind()
. Skipping.
2021-07-21 08:53:06,406:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 472, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1196, in renew_cert
    installer.restart()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/_internal/configurator.py", line 918, in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf, self.conf('sleep-seconds'))
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/_internal/configurator.py", line 1200, in nginx_restart
    "nginx restart failed:\n%s" % out.read().decode("utf-8"))
MisconfigurationError: nginx restart failed:
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
nginx: [emerg] still could not bind()


2021-07-21 08:53:06,407:ERROR:certbot._internal.renewal:All renewal attempts failed. The following certs could not be renewed:
2021-07-21 08:53:06,407:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/eigenval.ml/fullchain.pem (failure)
2021-07-21 08:53:06,411:INFO:certbot.compat.misc:Running post-hook command: systemctl start nginx
2021-07-21 08:53:09,012:ERROR:certbot.compat.misc:post-hook command "systemctl start nginx" returned error code 1
2021-07-21 08:53:09,013:ERROR:certbot.compat.misc:Error output from post-hook command systemctl:
Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.

2021-07-21 08:53:09,013:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1362, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1267, in renew
    renewal.handle_renewal_request(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 497, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
2021-07-21 08:53:09,014:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

Then I stopped the nginx, I removed the user nobody nogroup; and turned it into user www-data; and started it again. Everything was fine. But is there any way to avoid this with the nginx user?

  1. How did you install nginx?
  2. Try using --webroot with certonly instead of --nginx