Cert renewal writes duplicate blocks in nginx.conf, crashes website

Hi I have Certbot installed as a snap. https://iatse118.com/ is on Ubuntu Bionic for a Laravel website on Vultr, using Nginx as the webserver.

I have things set up now but I want to report my issue anyway because I want to do better at this, or maybe someone else has the same problem.

I got an email about the certificate expiring in a couple of days, so I went and manually ran the certificate renewal from the shell and it crashed the site.

With a little help, I was able to learn that running `certbot renew --quiet` had added additional identical directive blocks in nginx.conf.

The problem was resolved by removing the clone blocks from nginx.conf and installing a root cron for Certbot renewal in /etc/cron.d/certbot instead of trying to execute the renewal as the regular user.

The cron looks like this:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

then it worked, problem solved.

This cron gets installed, I understand, when installing the apt-get Certbot package, but not the snap. Not sure what is going on here.

I realize the issue may be in part due to my knowledge. However I set up a Certbot cert on a DO server some time back and have had no problems with it, renewals run by cron for regular user.

2 Likes

Do you recall what the duplicate directives were? We'd like to fix this if possible.

The snap creates a systemd timer of its own, rather than a cron job.

systemctl status snap.certbot.renew.timer

There's no harm in having a cron job on top of it, but I don't believe that it'd be related to your problem.

4 Likes

Hi, attached is my nginx.conf file from the site. They were duplicate server directives.

iatse118.com-backup-mangled-jul28.nginx.conf.txt (6.1 KB)

systemctl status snap.certbot.renew.timer
● snap.certbot.renew.timer - Timer renew for snap application certbot.renew
Loaded: loaded (/etc/systemd/system/snap.certbot.renew.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Wed 2021-07-28 17:50:34 UTC; 5 days ago
Trigger: Tue 2021-08-03 17:24:00 UTC; 12h left

Jul 28 17:50:34 PBGSWD1 systemd[1]: Started Timer renew for snap application certbot.renew.

2 Likes

Please share the original configuration file as well.

1 Like

Thank you for posting that.

It is hard to say for sure without seeing the original configuration (which might still be available in /var/lib/letsencrypt/backups by the way).

My suspicion is that the nginx configuration already had duplicate port 80 server blocks for server_name iatse118.com. It may well be the case that it was working fine before (by pure coincidence), and then when Certbot made its modifications, things flipped around and it was no longer working.

I am assuming that when you say that "it crashed the site" that nginx was still able to run but your website was broken, not that the nginx itself refused to start.

3 Likes
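As an added check (my own script, not the poster's file or Certbot's code), this finds what the reply above suspects: (port, server_name) pairs claimed by more than one server block. nginx -t only warns about such duplicates ("conflicting server name ... ignored") and keeps the first block, so a renewal that rewrites one of them can change which block answers. The config embedded below is constructed, not the real nginx.conf.

```python
import re
from collections import defaultdict
# Constructed sample (not the poster's file): two port-80 blocks both claim iatse118.com.
SAMPLE_CONF = """
server { listen 80; listen [::]:80; server_name iatse118.com www.iatse118.com;
         return 301 https://$host$request_uri; }  # redirect http -> https
server { listen 80; server_name iatse118.com; root /var/www/html;
         location / { try_files $uri $uri/ =404; } }
server { listen 443 ssl; server_name iatse118.com; }
"""
# comment | quoted string | one of { } ; | bare word
_TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def server_blocks(conf):
    """One {directive: [arg-list, ...]} per server block; nested blocks are skipped."""
    toks = [t for t in _TOKEN.findall(conf) if not t.startswith("#")]
    blocks, i = [], 0
    while i < len(toks):
        if toks[i:i + 2] != ["server", "{"]:
            i += 1
            continue
        depth, i, stmt, block = 1, i + 2, [], defaultdict(list)
        while depth:
            t, i = toks[i], i + 1
            if t == "{":
                depth += 1
            elif t == "}":
                depth -= 1
            elif t != ";":
                stmt.append(t.strip("\"'"))
                continue
            elif depth == 1 and stmt:      # ';' ends a directive of this server block
                block[stmt[0]].append(stmt[1:])
            stmt = []
        blocks.append(block)
    return blocks

def duplicate_servers(conf):
    """(port, server_name) pairs claimed by more than one server block. nginx -t only
    warns ("conflicting server name ... ignored") and keeps the first block."""
    seen = defaultdict(int)
    for block in server_blocks(conf):
        ports = set()
        for args in block.get("listen", [["80"]]):
            port = args[0].rsplit(":", 1)[-1]
            ports.add(port if port.isdigit() else "80")   # bare address: default port
        names = [n for args in block.get("server_name", [[""]]) for n in args]
        for key in ((p, n) for p in ports for n in names):
            seen[key] += 1
    return {k: v for k, v in seen.items() if v > 1}
```

Run it against /etc/nginx/nginx.conf and the files it includes before and after a renewal; any non-empty result is worth resolving before Certbot touches the config again.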

Hi _az,
The site was working fine before but I may have not got it completely right. It's not like I set up servers every day or anything.

Nginx was not displaying, just a Firefox message about too many redirects or something, which I don't have now. Nginx was running, I believe, with a bad config, but it wasn't able to respond to the request properly.

I have 10 backups in /var/lib/letsencrypt/backups

ls /var/lib/letsencrypt/backups/1619902313.7718935
50-mod-http-geoip.conf_0         50-mod-mail.conf_10   70-mod-stream-geoip.conf_3  FILEPATHS       nginx.conf_6
50-mod-http-image-filter.conf_7  50-mod-ssl-ct.conf_8  CHANGES_SINCE               iatse118.com_9  options-ssl-nginx.conf_5
50-mod-http-xslt-filter.conf_11  50-mod-stream.conf_1  default_2                   mime.types_4

Here is the nginx conf from May 1.
nginx.conf_6.txt (1.5 KB)

I don't feel I am doing a bang up job of describing this as best as I can, so thank you for your patience with this one.

2 Likes

Thank you once again.

I think the files that would be useful to upload here are:

  • default_2
  • iatse118.com_9
2 Likes

Hi _az files attached.

iatse118.com_9.txt (5.8 KB)
default_2.txt (5.8 KB)

2 Likes
