Certbot renew fails on Debian


#1

Hello,

I have a cron job for renewing certificates on my server. I have many vhosts on this server.
Here is the script:
certbot renew --pre-hook "/etc/init.d/apache2 stop" --post-hook "/etc/init.d/apache2 start"

Here is the configuration example for all vhosts:
“/etc/letsencrypt/renewal/www.mydomain.com.conf”:

[renewalparams]
authenticator = standalone
installer = apache
account = XXXX

When I run the renew job, the first certificate is renewed without any issue, but the following ones fail with this error:

2018-09-07 07:21:42,223:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 111, in _solve_challenges
    resp = self.auth.perform(self.achalls)
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 234, in perform
    self._verify_ports_are_available(achalls)
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 231, in _verify_ports_are_available
    "At least one of the required ports is already taken.")
MisconfigurationError: At least one of the required ports is already taken.

Any idea what is wrong here?
This led to my apache2 crashing, as it didn’t start apache2 after that.

Certbot version is 0.10.2-1~bpo8+1 on Debian 8.11.


#2

Hi @romgo

look there:

standalone: Spin up a temporary webserver

So certbot starts a new webserver that blocks the port.

Is it possible for you to use --webroot and the existing webserver? Then you wouldn’t need to stop your webserver (just a restart when finished).


#3

Hi,

Yes, the temporary webserver starts correctly for the first domain to renew, but if there is a second domain to renew, maybe it tries to start a new webserver while the last webserver is still running… is this a bug?

I don’t want to use webroot mode for now, will look at this setup later.


#4

The apache installer reloads apache in order for the renewed certificate to be picked up; I guess maybe that’s starting apache again before the second cert is renewed? Since you’re already stopping and starting apache in your pre/post hooks, you don’t need the apache installer to restart it separately, so you could change it to installer = None.

The webroot authenticator is probably a better choice, though, as you wouldn’t have to fully stop apache at all, and you could still use the apache installer with it for new certificates.
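Added example (not code from the thread or from certbot): a small Python audit that reads renewal files, flags the standalone authenticator + apache installer combination this reply identifies as the likely cause, and applies the installer = None change. The domains and file contents below are constructed samples, and real renewal files may carry section-less keys above [renewalparams], which the parser tolerates.

```python
import configparser
import re

# Constructed sample renewal files for hypothetical vhosts (not real data).
# The first mirrors the original poster's config and the top-level "version"
# key that real certbot renewal files carry above the section header.
SAMPLE_CONFIGS = {
    "www.mydomain.com.conf": (
        "version = 0.10.2\n[renewalparams]\n"
        "authenticator = standalone\ninstaller = apache\naccount = XXXX\n"
    ),
    "blog.mydomain.com.conf": (
        "[renewalparams]\nauthenticator = standalone\ninstaller = None\naccount = XXXX\n"
    ),
    "shop.mydomain.com.conf": (
        "[renewalparams]\nauthenticator = webroot\ninstaller = apache\naccount = XXXX\n"
    ),
}


def parse_renewal_conf(text):
    """Parse one renewal file; section-less keys land in a synthetic [global]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[global]\n" + text)
    return parser


def audit_renewal_configs(configs):
    """Return (filename, reason) for each config that combines the standalone
    authenticator with the apache installer. With a stop/start pre/post hook,
    the installer brings apache back after the first renewal, so the port the
    standalone server needs is taken for every later renewal in the same run."""
    findings = []
    for name, text in configs.items():
        parser = parse_renewal_conf(text)
        if "renewalparams" not in parser:
            continue  # malformed file; nothing to check
        params = parser["renewalparams"]
        auth = params.get("authenticator", "").strip().lower()
        inst = params.get("installer", "").strip().lower()
        if auth == "standalone" and inst == "apache":
            findings.append((name, "standalone authenticator with apache installer"))
    return findings


def fixed_config(text):
    """Rewrite 'installer = apache' to 'installer = None', as suggested above."""
    return re.sub(r"(?m)^\s*installer\s*=\s*apache\s*$", "installer = None", text)


if __name__ == "__main__":
    for name, reason in audit_renewal_configs(SAMPLE_CONFIGS):
        print(f"{name}: {reason}")
```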

