The command “% certbot renew --dry-run” fails on CentOS 7 due to problems running apachectl.
First, I noticed that certbot is attempting to use apachectl -k start (and later stop), which produce errors (“Passing arguments to httpd using apachectl is no longer supported. …”). Changing pre_hook and post_hook in /etc/letsencrypt/renewal/{domain name}.conf to use systemctl (apparently the CentOS 7 way of managing Apache httpd) helps:
```
#pre_hook = apachectl -k stop
pre_hook = systemctl stop httpd
#post_hook = apachectl -k start
post_hook = systemctl start httpd
```
However, additional references to apachectl are buried inside the certbot code, which invokes “apachectl graceful” during the renew procedure as seen in the command’s output:
```
% certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/{domain name}.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer apache
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Running pre-hook command: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for {domain name}
Waiting for verification...
Cleaning up challenges
Error while running apachectl graceful.
Job for httpd.service invalid.
Attempting to renew cert ({domain name}) from /etc/letsencrypt/renewal/{domain name}.conf produced an unexpected error: Error while running apachectl graceful.
Job for httpd.service invalid.
. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/{domain name}/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/{domain name}.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
Running post-hook command: systemctl start httpd
1 renew failure(s), 0 parse failure(s)
```
OK. I patched this by editing the certbot code (/usr/lib/python2.7/site-packages/certbot_apache/override_centos.py):
```python
# restart_cmd=['apachectl', 'graceful'],
restart_cmd=['systemctl', 'restart', 'httpd'],
```
This change appears to fix certbot (renew --dry-run finishes successfully), but potentially at the expense of graceful shutdown of existing connections.
I don’t know if my changes are correct and I worry that a certbot update will override the modified code, but I do know that something is wrong with the way the installation process and the current code interact with systemctl managed apache httpd.
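As an added example (not code from the post above or from certbot itself), the hook edits described earlier and the apachectl-to-systemctl mapping can be applied to a renewal conf mechanically instead of by hand, which makes it easy to re-check the files after a certbot upgrade. It assumes the unit is named httpd.service and that its reload action performs a graceful restart, as the stock CentOS 7 unit does; the sample conf is constructed.

```python
import re

# apachectl invocations certbot writes on CentOS 7 and the systemd equivalents.
# Assumption: unit is httpd.service and "reload" is a graceful restart.
APACHECTL_TO_SYSTEMCTL = {
    ("-k", "stop"): "systemctl stop httpd",
    ("-k", "start"): "systemctl start httpd",
    ("-k", "restart"): "systemctl restart httpd",
    ("-k", "graceful"): "systemctl reload httpd",
    ("graceful",): "systemctl reload httpd",
}

HOOK_KEYS = ("pre_hook", "post_hook", "renew_hook", "deploy_hook")


def translate_command(cmd):
    """Return the systemctl equivalent of an apachectl command, else None."""
    parts = cmd.strip().split()
    if not parts or not parts[0].endswith("apachectl"):
        return None
    return APACHECTL_TO_SYSTEMCTL.get(tuple(parts[1:]))


def rewrite_hooks(conf_text):
    """Rewrite apachectl hook lines in a certbot renewal conf.

    Returns (new_text, changes); changes lists (key, old_cmd, new_cmd).
    The original line is kept as a comment above its replacement and all
    other lines (including the [renewalparams] header) pass through as-is.
    """
    out, changes = [], []
    for line in conf_text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m and m.group(1) in HOOK_KEYS:
            new_cmd = translate_command(m.group(2))
            if new_cmd:
                out.append("#" + line)
                out.append("%s = %s" % (m.group(1), new_cmd))
                changes.append((m.group(1), m.group(2), new_cmd))
                continue
        out.append(line)
    return "\n".join(out) + "\n", changes


# Constructed sample resembling /etc/letsencrypt/renewal/{domain name}.conf
SAMPLE_CONF = """\
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.org
[renewalparams]
authenticator = standalone
installer = apache
pre_hook = apachectl -k stop
post_hook = apachectl -k start
"""
```

Run it on a copy of the renewal conf and diff the output against the original before replacing the file, so a hook you wrote by hand is never silently changed.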