`certbot-auto renew` stopped unexpectedly, no error reported


#1

Hi guys,

I am trying to renew a certificate using the command `./certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"` and I get the following output from command line:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/staging-api.actigage.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Running pre-hook command: service nginx stop
Renewing an existing certificate
```

It stops right there and I immediately got logged out from the docker container. I find no clue as to what happens or if there’s an error that interrupted the process, even upon checking the debug log. Here’s the debug log for reference:

```
2017-03-15 00:38:57,952:DEBUG:certbot.main:Root logging level set at 20
2017-03-15 00:38:57,953:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-03-15 00:38:57,961:DEBUG:certbot.main:certbot version: 0.12.0
2017-03-15 00:38:57,961:DEBUG:certbot.main:Arguments: ['--pre-hook', 'service nginx stop', '--post-hook', 'service nginx start']
2017-03-15 00:38:57,962:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
2017-03-15 00:38:58,017:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-03-15 14:31:00 UTC.
2017-03-15 00:38:58,018:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-03-15 00:38:58,104:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-03-15 00:38:58,710:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f84eeed6a90>
Prep: True
2017-03-15 00:38:58,714:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f84eeed6a90> and installer None
2017-03-15 00:38:58,722:DEBUG:certbot.main:Picked account: <Account(848bff8fceb731d8de9bf09a2b4a050c)>
2017-03-15 00:38:58,728:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-03-15 00:38:58,750:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-03-15 00:38:59,035:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 352
2017-03-15 00:38:59,037:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: 4dIX2xF_WoxCcn07n_rVZc0_9wozomxgIqJE3kT0sB4
Replay-Nonce: ygCRKaNp1bXfeIIYOYhCKO0ZLO0XFy0mt704JG64Q_g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 15 Mar 2017 00:38:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 15 Mar 2017 00:38:59 GMT
Connection: keep-alive

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-03-15 00:38:59,037:INFO:certbot.hooks:Running pre-hook command: service nginx stop
2017-03-15 00:38:59,061:INFO:certbot.main:Renewing an existing certificate
2017-03-15 00:38:59,066:DEBUG:acme.client:Requesting fresh nonce
2017-03-15 00:38:59,067:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
```

We are using Ubuntu with Docker and I am executing the command inside the nginx-proxy container (https://github.com/jwilder/nginx-proxy) if that matters. I inherited the job from a previous dev without knowing how he initially created the certificate, so it's just all a smart guess.

Have any of you guys experienced the same issue? Any help would be greatly appreciated, thanks in advance!

James


#2

So, I just found out certbot will not work immediately with Docker - https://certbot.eff.org/docs/install.html#running-with-docker. I still don’t fully get it; an example will greatly help. Anyway, I will update this again in case I find something new.


#3

I suspect the method you’re using is not working because Docker is terminating the container when nginx stops.

The README for that docker proxy thing seems to suggest https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion as a way to obtain Let’s Encrypt certificates to use with it. Did you try that?
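The log in post #1 can be checked for the pattern post #3 describes: the pre-hook runs, no post-hook follows, the last ACME request has no logged response, and no error is recorded. The following is an added example, not code from any poster or from certbot; `parse_records`, `triage` and the sample log are constructed for illustration, and the wording of the post-hook log line is an assumption modelled on the pre-hook line shown in the thread.

```python
import re

# Constructed sample: shortened tail of a debug log in the format posted in #1.
SAMPLE_LOG = """\
2017-03-15 00:38:58,018:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-03-15 00:38:59,037:DEBUG:acme.client:Received response:
HTTP 200
2017-03-15 00:38:59,037:INFO:certbot.hooks:Running pre-hook command: service nginx stop
2017-03-15 00:38:59,061:INFO:certbot.main:Renewing an existing certificate
2017-03-15 00:38:59,066:DEBUG:acme.client:Requesting fresh nonce
2017-03-15 00:38:59,067:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}):(\w+):([\w.]+):(.*)$")
SENT = re.compile(r"Sending (\w+) request to (\S+?)[.:]?$")

def parse_records(text):
    """Split the log into records; untimestamped lines (headers, JSON) join the previous one."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({"ts": m[1], "level": m[2], "logger": m[3], "msg": m[4]})
        elif records:
            records[-1]["msg"] += "\n" + line
    return records

def triage(text):
    """Report whether the run ended between the pre-hook and the post-hook."""
    pre = post = False
    pending = None  # (method, url) of the last request with no logged response
    errors = 0
    for rec in parse_records(text):
        first = rec["msg"].split("\n", 1)[0]
        errors += rec["level"] in ("ERROR", "CRITICAL")
        if rec["logger"] == "certbot.hooks":
            pre = pre or first.startswith("Running pre-hook command")
            # Assumption: the post-hook is logged with the same wording as the pre-hook.
            post = post or first.startswith("Running post-hook command")
        elif rec["logger"] == "acme.client":
            sent = SENT.match(first)
            if sent:
                pending = (sent[1], sent[2])
            elif first.startswith("Received response"):
                pending = None
    return {"pre_hook_ran": pre, "post_hook_ran": post, "pending_request": pending,
            "errors_logged": errors, "killed_mid_run": pre and not post and errors == 0}

print(triage(SAMPLE_LOG))
```

A `killed_mid_run` result with a pending request and zero logged errors points at the process being terminated from outside rather than at a certbot failure, which matches a hook that stops the container's main process.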


#4

I came across it yesterday as I was searching for similar topics from jwilder/nginx-proxy, which also offers several workarounds: https://github.com/jwilder/nginx-proxy/issues/274. Apparently, my PM has decided not to put any more effort into this since the company is buying a wildcard certificate soon (ugh!). Thank you for your help though!

