Can't create a certificate or renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: beiramarimoveis.com.br

I ran this command: sudo certbot --apache -d beiramarimoveis.com.br -d www.beiramarimoveis.com.br

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for beiramarimoveis.com.br
tls-sni-01 challenge for www.beiramarimoveis.com.br
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
(98)Address already in use: AH00072: make_sock: could not bind to address 10.158.0.2:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address 10.158.0.2:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Encountered exception during recovery
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address 10.158.0.2:443
no listening sockets available, shutting down
AH00015: Unable to open logs
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/error_handler.py", line 100, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 284, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1945, in cleanup
    self.restart()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1834, in restart
    self._reload()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1845, in _reload
    raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address 10.158.0.2:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
(98)Address already in use: AH00072: make_sock: could not bind to address 10.158.0.2:443
no listening sockets available, shutting down
AH00015: Unable to open logs

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: .

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Vesta and cannot renew or create any domain on this server and others.

Note: I use this guide and it always works, but now it has stopped: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

Are you sure the server is actually running Apache on port 443? It looks like it may be using Nginx.

Check with, for example, “sudo lsof -ni :443”.

I checked with the command you told me and Nginx appeared.

Look what appeared:

root@painel-vestasp:/home/gabriel_rsm# sudo lsof -ni :443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 22126 root 28u IPv4 22902181 0t0 TCP 10.158.0.2:https (LISTEN)
nginx 22130 www-data 28u IPv4 22902181 0t0 TCP 10.158.0.2:https (LISTEN)

Is that why it’s not working? Could you help me solve it?

Thank you.

Edited: I could resolve it with the following command:
./certbot-auto certonly --webroot -w /home/beiramar/web/beiramarimoveis.com.br/public_html/ -d beiramarimoveis.com.br -d www.beiramarimoveis.com.br

But I think the renew command in cron will not work. Can you help me?

Thanks!

Since you are using nginx rather than apache, instead of using

you should be using

sudo certbot --nginx

Serverco, this command works too, but when I use this: sudo certbot renew --dry-run

This error occurs:

Processing /etc/letsencrypt/renewal/beiramarimoveis.com.br-0001.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for beiramarimoveis.com.br
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (beiramarimoveis.com.br-0001) from /etc/letsencrypt/renewal/beiramarimoveis.com.br-0001.conf produced an unexpected error: Failed authorization procedure. beiramarimoveis.com.br (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://beiramarimoveis.com.br/.well-known/acme-challenge/KKApWz40hgxOpuGqKVTlRca11Fq1DeeSTmyIxgqm3T4: "

<meta name="viewport" content="wi". Skipping.

Processing /etc/letsencrypt/renewal/beiramarimoveis.com.br.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for beiramarimoveis.com.br
tls-sni-01 challenge for www.beiramarimoveis.com.br
Waiting for verification…
Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address 172.31.16.169:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Attempting to renew cert (beiramarimoveis.com.br) from /etc/letsencrypt/renewal/beiramarimoveis.com.br.conf produced an unexpected error: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address 172.31.16.169:443
no listening sockets available, shutting down
AH00015: Unable to open logs
. Skipping.


Processing /etc/letsencrypt/renewal/sintrajufe.org.br.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http://beiramarimoveis.com.br/.well-known/acme-challenge/KKApWz40hgxOpuGqKVTlRca11Fq1DeeSTmyIxgqm3T4:
"

<meta name="viewport" content="wi"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: www.beiramarimoveis.com.br
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    b90c51b9db24750c8b2069a6a13e0215.79620579e3b04278b5b3b4fa417c0861.acme.invalid
    from 35.198.1.7:443. Received 3 certificate(s), first certificate
    had names "beiramarimoveis.com.br, www.beiramarimoveis.com.br"
    Domain: beiramarimoveis.com.br
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    3fe75e931c188d55f094de3d477f79e2.07ba7eae5848d09556cd4dbe6695329c.acme.invalid
    from 35.198.1.7:443. Received 3 certificate(s), first certificate
    had names “beiramarimoveis.com.br, www.beiramarimoveis.com.br

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

And worse, the web server stops and I have to start Apache again.

Any solutions?

Thanks

Can you describe fully what your setup is please ? Are you using Apache as well as nginx ?

Yes, I’m using both.

When installing Vesta CP (https://vestacp.com/install/), I usually install both, but this kind of problem never occurred before.

certbot is probably getting confused with both Apache and Nginx running, since this isn’t a common setup.

You probably want to use this VestaCP/Let’s Encrypt integration project, as it appears to have code to deal with VestaCP having both servers running:

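Added example, not part of the thread and not certbot's own code: the mismatch diagnosed above, a renewal config that selects the apache plugin while nginx holds port 443, checked in Python. The renewal file contents are constructed, and the mapping from plugin name to process name is an assumption.

```python
# Added example: flag certbot renewal configs whose authenticator plugin
# does not match the web server actually listening on port 443.
# Assumption: the process names each plugin's web server runs under.
PLUGIN_PROCESSES = {"apache": {"apache2", "httpd"}, "nginx": {"nginx"}}
# `lsof -ni :443` output as posted in the thread.
LSOF_SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 22126 root 28u IPv4 22902181 0t0 TCP 10.158.0.2:https (LISTEN)
nginx 22130 www-data 28u IPv4 22902181 0t0 TCP 10.158.0.2:https (LISTEN)
"""
# Constructed renewal files; only the plugin selection is shown.
SAMPLE_CONFS = {
    "beiramarimoveis.com.br.conf":
        "[renewalparams]\nauthenticator = apache\ninstaller = apache\n",
    "beiramarimoveis.com.br-0001.conf":
        "[renewalparams]\nauthenticator = webroot\ninstaller = None\n",
}

def listeners(lsof_output):
    """Command names in LISTEN state; the header row has no (LISTEN)."""
    return {f[0] for f in map(str.split, lsof_output.splitlines())
            if len(f) >= 2 and f[-1] == "(LISTEN)"}

def renewal_plugins(conf_text):
    """Read authenticator/installer from the [renewalparams] section."""
    params, in_section = {}, False
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("["):
            in_section = line == "[renewalparams]"
        elif in_section and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ("authenticator", "installer"):
                params[key] = value
    return params

def mismatches(confs, lsof_output):
    """(file, plugin, listeners) for plugins whose server does not hold 443."""
    active = listeners(lsof_output)
    problems = []
    for name, text in sorted(confs.items()):
        plugin = renewal_plugins(text).get("authenticator")
        expected = PLUGIN_PROCESSES.get(plugin)
        if expected and active and not expected & active:
            problems.append((name, plugin, sorted(active)))
    return problems

if __name__ == "__main__":
    for name, plugin, active in mismatches(SAMPLE_CONFS, LSOF_SAMPLE):
        print(f"{name}: authenticator={plugin}, but :443 is held by {active}")
```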