Cert Expired and Certbot Fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Dextr.Cloud and www.Dextr.Cloud (cert expired today)

I ran this command:
sudo certbot

It produced this output:
bitnami@ip-172-16-2-250 : /usr/sbin $ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
1: dextr.cloud
2: www.dextr.cloud
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dextr.cloud
http-01 challenge for www.dextr.cloud
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Unable to restart apache using ['apache2ctl', 'graceful']
Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2185, in _reload
    util.run_script(self.option("restart_cmd"))
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
    raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2287, in perform
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2175, in restart
    self._reload()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2203, in _reload
    raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2185, in _reload
    util.run_script(self.option("restart_cmd"))
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
    raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 323, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2312, in cleanup
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2175, in restart
    self._reload()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2203, in _reload
    raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

(the site is still up and Apache is still running)

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): YES, I can SSH, no issue

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): AWS CLI only, though I have the Webmin option

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

Hi @DrVoIP!
For starters it looks like a ServerName and ServerAlias may need to be set in your configuration.
Can you share the output from:

  1. apache2ctl -S
  2. apache2ctl -t -D DUMP_VHOSTS

Thanks
Rip

1 Like

bitnami@ip-172-16-2-250 : /opt/bitnami/apache2 $ apache2ctl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 dextr.cloud (/etc/apache2/sites-enabled/dextr.cloud.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used
bitnami@ip-172-16-2-250 : /opt/bitnami/apache2 $ apache2ctl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 dextr.cloud (/etc/apache2/sites-enabled/dextr.cloud.conf:1)
bitnami@ip-172-16-2-250 : /opt/bitnami/apache2 $

1 Like

This is an AWS Linux AMI running a WordPress stack from Bitnami. It has been operational for some time, but I know that Bitnami lays things out a bit differently than a Linux server would otherwise organize files. It does appear to be Apache2, however, not httpd?

1 Like

Take a look at this information and apply it to your vhost configuration:
ServerName - (Give your server an identity)
Might Help
Rip

1 Like

bitnami@ip-172-16-2-250 : /opt/bitnami/apache2 $ sudo hostname dextr.cloud
bitnami@ip-172-16-2-250 : /opt/bitnami/apache2 $ hostname
dextr.cloud
bitnami@ip-172-16-2-250 : /opt/bitnami/apache2 $
bitnami@ip-172-16-2-250 : /opt/bitnami/apache2 $
bitnami@ip-172-16-2-250 : /opt/bitnami/apache2 $ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/dextr.cloud.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dextr.cloud
http-01 challenge for www.dextr.cloud
Cleaning up challenges
Attempting to renew cert (dextr.cloud) from /etc/letsencrypt/renewal/dextr.cloud.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6... Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dextr.cloud/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dextr.cloud/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

I think this is a single-domain apache2 server with no VirtualHost names. Scanning through the httpd.conf I see ServerName dextr.cloud:443, so I am not sure why it is trying to bind to port 80?

1 Like

Hi @DrVoIP

You use --standalone, which starts a new webserver.

So an unused port 80 is required. You have to stop your running webserver so that port 80 is free, or switch to another authenticator.

1 Like

How do I know for sure that this is standalone and does not have VirtualHost files? I can't find them, and this is our server and the only website on it. I understand that you suggest stopping the Apache2 service, then running "sudo certbot renew". Do I have that understood correctly?

Tried to run certbot with apache2 stopped and still get the same error:


Processing /etc/letsencrypt/renewal/dextr.cloud.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dextr.cloud
http-01 challenge for www.dextr.cloud
Cleaning up challenges
Attempting to renew cert (dextr.cloud) from /etc/letsencrypt/renewal/dextr.cloud.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6... Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dextr.cloud/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dextr.cloud/fullchain.pem (failure)

bitnami@ip-172-16-2-250 : /etc/letsencrypt/renewal $ cat dextr.cloud.conf
renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/dextr.cloud
cert = /etc/letsencrypt/live/dextr.cloud/cert.pem
privkey = /etc/letsencrypt/live/dextr.cloud/privkey.pem
chain = /etc/letsencrypt/live/dextr.cloud/chain.pem
fullchain = /etc/letsencrypt/live/dextr.cloud/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = ffb0f39ca8c8eeb6…
server = https://acme-v02.api.letsencrypt.org/directory

Stopping the apache2 service with 'sudo systemctl stop apache2' and then running sudo certbot renew generates the following error:
Processing /etc/letsencrypt/renewal/dextr.cloud.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dextr.cloud
http-01 challenge for www.dextr.cloud
Cleaning up challenges
Attempting to renew cert (dextr.cloud) from /etc/letsencrypt/renewal/dextr.cloud.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6... Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dextr.cloud/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dextr.cloud/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

I also note there is a ctl.sh script, but I do not know how to use it.

Figured out how to make use of ctl.sh, but still get the same error:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dextr.cloud
http-01 challenge for www.dextr.cloud
Cleaning up challenges
Attempting to renew cert (dextr.cloud) from /etc/letsencrypt/renewal/dextr.cloud.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6... Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dextr.cloud/fullchain.pem (failure)

Changing the listen port in httpd.conf seems to have no effect; changing the ServerName also has no effect ('ServerName dextr.cloud:443' or port 80), no effect.

I think it is important to note that the conf files had not changed and were previously running Let's Encrypt SSL with no issue. Just the renew. Is it possible that you cannot renew an SSL cert once it expires? Mine expired today.

So certbot is trying to "bind" to port 80 via IPv4 or IPv6. This has to happen or it won't work.

You have shell access, yes? Look at the output of:

netstat -plunt

and see what is tying up port 80. I'm not experienced with bitnami or its closest relatives, so you'll have to fill in the blanks. What is using port 80 (that wasn't using it before)?

Rip

I was able to resolve this. Quite the learning experience, and I thank those who offered help and guidance. Lessons learned:
1 - don't give up!
2 - Learn the layout of your Apache file system
3 - Learn ctlscript use
4 - Turn off the Apache server before running certbot!
Once I figured all this out, it took about 25 seconds to renew the certs!

2 Likes
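Rip's netstat check and the point that the standalone authenticator needs port 80 free, as an added example that is not code from the thread, Certbot or Bitnami: a pre-flight script that parses `netstat -plunt` output for whatever holds port 80, then runs the renewal with certbot's pre/post hooks so Apache is stopped only while the challenge runs. The ctlscript path `/opt/bitnami/ctlscript.sh` is an assumption (the thread only says "ctlscript"), and the netstat sample is constructed, not captured from the poster's server.

```shell
#!/bin/sh
# Added example, not code from the thread, Certbot or Bitnami. The standalone
# authenticator must bind port 80 itself, so before `certbot renew` we find
# what holds that port (Rip's `netstat -plunt` check) and, for the renewal,
# stop and restart the web server around the challenge via certbot hooks.

# Read `netstat -plunt` output on stdin; print PID/program of every TCP
# socket bound to local port $1, covering IPv4 "0.0.0.0:80" and IPv6 ":::80".
tcp_listeners_on_port() {
    awk -v port="$1" '$1 ~ /^tcp/ && $4 ~ (":" port "$") { print $NF }'
}

# Constructed sample of `netstat -plunt` output (not captured from the
# poster's server): Apache holds port 80 on both address families.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      1234/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           301/dhclient'

# True (exit 0) when nothing in the given netstat output listens on port $1.
port_free_in() {   # usage: port_free_in PORT "<netstat output>"
    [ -z "$(printf '%s\n' "$2" | tcp_listeners_on_port "$1")" ]
}

# Live pre-flight on this host (run as root so PIDs of other users show).
live_check() {
    holder=$(netstat -plunt 2>/dev/null | tcp_listeners_on_port 80 | sort -u)
    if [ -n "$holder" ]; then
        echo "port 80 is held by: $holder" >&2
        echo "stop it first (on Bitnami the ctlscript, not systemctl, did it in the thread)" >&2
        return 1
    fi
    echo "port 80 is free; a standalone renewal can bind it"
}

# Stop Apache only for the duration of the challenge, then start it again.
# --pre-hook/--post-hook are real certbot options; the ctlscript path is an
# assumption, since the thread only says "ctlscript".
renew_with_hooks() {
    ctl=/opt/bitnami/ctlscript.sh
    sudo certbot renew --pre-hook "$ctl stop apache" --post-hook "$ctl start apache"
}

case "${1:-}" in
    check) live_check ;;
    renew) renew_with_hooks ;;
esac
```

Run it as `sh preflight.sh check` to see who holds port 80, and `sh preflight.sh renew` once you are satisfied the hooks point at the right control script.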

Glad to hear you got the cert renewed!
Good Luck!

Cheers
Rip

1 Like

That's the most important thing. standalone -> port 80 must be free -> port 80 is blocked. So you have to find the instance that uses port 80.

Happy to read you have found a solution :+1:

1 Like

Post Script - I ran the command to stop the Apache service, but I noted that the site was still up. The CLI command responded appropriately with no error, but the service apparently was still running or auto-starting, not sure. It was only when I dug down and studied the httpd.conf file that I noted there were some ctlscripts. It was only after I understood that using this script actually stopped the service that I was able to use certbot renew. Again I thank the community and your leadership for all you do. I also make a donation whenever I open a help request and would encourage all that can to do so also. This is a meaningful project and we should all find a way to contribute, even if it is only money! Much thanks.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.