Cannot run nginx - certbot on Ubuntu 22.04.1 LTS Jelly

Do not yet run certbot !

4 Likes

No. You have a perfectly fine certificate, Certbot should not be used at this point.

3 Likes

@MikeMcQ I restarted nginx and it is now running fine.

Just a last question: to add a server responding on port 3001, is the best thing just duplicate and rename the default file and adjust it?

Slow down. We have other items to check. Just let me check your running nginx :slight_smile:

4 Likes

Ok. I'll slow down!

Let's test your certbot renewal now.

sudo certbot renew --dry-run

What does that say?

4 Likes

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.pikeen.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for pikeen.it and www.pikeen.it

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/www.pikeen.it/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Terrific! You should make sure the renew is scheduled to run. It was probably set up by certbot already, but you can check with these instructions:
https://eff-certbot.readthedocs.io/en/stable/using.html#automated-renewals
Let us know if you have questions about that.

As for your port 3001, what is that for? The same domain names just a different port? Will you be using https for that?

3 Likes

Doesn't look nice:

SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}'); echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

neo4j@neo4j:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.pikeen.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'pre-hook' reported error code 5
Hook 'pre-hook' ran with error output:
 Failed to stop haproxy.service: Unit haproxy.service not loaded.
Simulating renewal of an existing certificate for pikeen.it and www.pikeen.it

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/www.pikeen.it/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'post-hook' reported error code 5
Hook 'post-hook' ran with error output:
 Failed to start haproxy.service: Unit haproxy.service not found.

The port 3001 is for another site with another domain name (appserver.pikeen.it) running a different application.

@MikeMcQ Have you already checked the nginx installer plugin is being used for this cert?

3 Likes

I remember having used --something-**dns**

I did not double-check the renewal config file used the nginx plug-in - if that's what you meant. We did a dry-run that worked, the server block was touched by the plug-in and other examples used it so I drew conclusions from that.

Would not hurt to double-check but I don't get what's happening with these hooks now.

Do you have time to take over from here?

4 Likes

We can go ahead tomorrow. I'll try to load the new 3001 server with another config file.

The question now is: will those certs be renewed when they expire?

Anyway, thank you for your cooperation and assistance.

Paolo

The dry-run in post #47 worked fine. But, your dry-run in #49 failed with hook failure for haproxy.

Do you know what changed between those two tests?

And, let's look at your renewal config. Please show

/etc/letsencrypt/renewal/www.pikeen.it.conf

4 Likes

I'm afraid not, doing all this on my phone infrequently currently.

3 Likes

I see the instructions I referred you to about auto-renew had an example about stopping and starting haproxy when needed. But, you are not using that and don't need to. You should remove the hook files you created.

/etc/letsencrypt/renewal-hooks/pre/haproxy.sh
/etc/letsencrypt/renewal-hooks/post/haproxy.sh

3 Likes

Yes, they should. Remove those haproxy files I noted a couple posts ago.

And, review the below doc (again). You might have already had the auto-renew set up by certbot, but it looks like you manually created another one. You should remove a duplicate auto-renew command to avoid problems that would occur if they happened to run at the same time.

You can review the various ways certbot auto-renew might work (either cron or systemd timers basically). See item #8 here

Ask if any questions about exactly what you should do.

3 Likes
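The two checks recommended in the last two posts (stale haproxy hook files, and a second renewal scheduler added by hand on top of the one certbot installs) can be audited with a small script. This is an added example, not code from the thread or from certbot; it takes the crontab path, the hooks directory, the list of installed systemd units and whether certbot's own timer is active as parameters (assumptions) so it can run here against constructed sample files, and on a real host you would point it at /etc/crontab and /etc/letsencrypt/renewal-hooks.

```shell
#!/bin/sh
# Added example: audit for duplicate "certbot renew" schedulers and for
# renewal hooks that stop/start a service that is not installed.

# count_renew_schedulers CRONTAB_FILE TIMER_ACTIVE
#   Prints the number of renewal schedulers: every uncommented cron line
#   that runs "certbot renew", plus 1 if certbot's systemd timer is active
#   (TIMER_ACTIVE="yes"; assumed input, on a real host query systemctl).
count_renew_schedulers() {
    n=$(grep -Ec '^[^#]*certbot[[:space:]]+renew' "$1" 2>/dev/null || true)
    [ "$2" = "yes" ] && n=$((n + 1))
    echo "$n"
}

# stale_service_hooks HOOKS_DIR "unit1.service unit2.service ..."
#   Prints "hookfile: unit" for each pre/post hook that runs
#   "systemctl stop|start|restart|reload <unit>" on a unit that is not in the
#   installed list; this is what produced "Unit haproxy.service not loaded".
stale_service_hooks() {
    installed=" $2 "
    for hook in "$1"/pre/* "$1"/post/*; do
        [ -f "$hook" ] || continue
        for unit in $(sed -nE 's/.*systemctl[[:space:]]+(stop|start|restart|reload)[[:space:]]+([A-Za-z0-9@._-]+).*/\2/p' "$hook"); do
            case "$unit" in *.service) ;; *) unit="$unit.service" ;; esac
            case "$installed" in *" $unit "*) ;; *) echo "$hook: $unit" ;; esac
        done
    done
}

# Constructed sample host state (not from the thread): a hand-added cron line
# like the one in the thread, plus haproxy hooks on a host without haproxy.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/hooks/pre" "$demo_dir/hooks/post"
cat > "$demo_dir/crontab" <<'EOF'
# /etc/crontab: system-wide crontab (constructed sample)
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0 0,12 * * * root sleep 1234 && certbot renew -q
EOF
printf '#!/bin/sh\nsystemctl stop haproxy\n' > "$demo_dir/hooks/pre/haproxy.sh"
printf '#!/bin/sh\nsystemctl start haproxy\n' > "$demo_dir/hooks/post/haproxy.sh"
printf '#!/bin/sh\nsystemctl reload nginx\n' > "$demo_dir/hooks/post/nginx.sh"

# Summarise: more than one scheduler, or any stale hook, needs cleanup.
audit_demo() {
    schedulers=$(count_renew_schedulers "$demo_dir/crontab" yes)
    stale=$(stale_service_hooks "$demo_dir/hooks" "nginx.service cron.service" | wc -l | tr -d ' ')
    echo "schedulers=$schedulers stale_hooks=$stale"
}
audit_demo
```

With the sample state the audit reports two schedulers (cron line plus timer) and two stale haproxy hooks, which is exactly the cleanup the posts above ask for.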

Why, if the dry-run in post #47 worked well, did you answer Terrific? It gives the impression of a completely wrong output.

Here is the output of sudo cat /etc/letsencrypt/renewal/www.pikeen.it.conf:

# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/www.pikeen.it
cert = /etc/letsencrypt/live/www.pikeen.it/cert.pem
privkey = /etc/letsencrypt/live/www.pikeen.it/privkey.pem
chain = /etc/letsencrypt/live/www.pikeen.it/chain.pem
fullchain = /etc/letsencrypt/live/www.pikeen.it/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 7f360610fe9e0500486987cff6485eb5
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

The renewal configuration file looks good :slight_smile:

3 Likes