Cerbot renew fail on Debian


I have a cron job for renewing certificates on my server. I have many vhost on this server.
Here is the script :
certbot renew --pre-hook "/etc/init.d/apache2 stop" --post-hook "/etc/init.d/apache2 start"

Here is the configuration example for all vhost :
“/etc/letsencrypt/renewal/www.mydomain.com.conf” :

authenticator = standalone
installer = apache
account = XXXX

When I run the renew job, first certificate is renewed without any issue, but other following up fails with this error :

2018-09-07 07:21:42,223:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 111, in _solve_challenges
    resp = self.auth.perform(self.achalls)
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 234, in perform
  File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 231, in _verify_ports_are_available
    "At least one of the required ports is already taken.")
MisconfigurationError: At least one of the required ports is already taken.

Any idea on what is wrong here ?
This lead to crash my apache2 has it didn’t start apache2 after that.

certbot version is 0.10.2-1~bpo8+1 on Debian 8.11

Hi @romgo

look there:

standalone: Spin up a temporary webserver

So certbot starts a new webserver that blocks the port.

Is it possible that you use --webroot and the existing webserver? So you don’t need to stop your webserver (but a restart when finished).


yes the temporary webserver start correctly for the first domain to renew, but if there is a second domain to renew, maybe it tries to start a new webserver and the last webserver is still running… is this a bug ?

I don’t want to use webroot mode for now, will look at this setup later.

The apache installer reloads apache in order for the renewed certificate to be picked up, I guess maybe that’s starting apache again before the second cert is renewed? Since you’re already stopping and starting apache in your pre/post hooks you don’t need the apache installer to restart it separately, so you could change it to installer = None

The webroot authenticator is probably a better choice, though, as you wouldn’t have to fully stop apache at all, and you could still use the apache installer with it for new certificates.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.