Certbot Autorenew causing issues


#1

I have set up autorenewal for my security certificates. However this caused my site to go down when the autorenewal occurred. I was able to fix this with

sudo systemctl restart nginx

but I do not want this problem to occur again. This is what I see when I run

sudo certbot renew --dry-run

nginx: [error] invalid PID number "" in "/run/nginx.pid"
Encountered exception during recovery
nginx restart failed:

Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/certbot/error_handler.py", line 99, in _call_registered
self.funcs[-1]()
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 284, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 824, in cleanup
self.restart()
File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 590, in restart
nginx_restart(self.conf('ctl'), self.nginx_conf)
File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 853, in nginx_restart
"nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
MisconfigurationError: nginx restart failed:

Attempting to renew cert (ultimaterehabestimator.com) from /etc/letsencrypt/renewal/ultimaterehabestimator.com.conf produced an unexpected error: nginx restart failed:

. Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ultimaterehabestimator.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)


#2

Hi @RobinReborn

you have new certificates created 2018-10-04:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:ultimaterehabestimator.com&lu=cert_search

So it looks ok.

--dry-run has some limitations.

Perform a test run of the client, obtaining test (invalid) certificates but not saving them to disk. This can currently only be used with the ‘certonly’ and ‘renew’ subcommands. Note: Although --dry-run tries to avoid making any persistent changes on a system, it is not completely side-effect free: if used with webserver authenticator plugins like apache and nginx, it makes and then reverts temporary config changes in order to obtain test certificates, and reloads webservers to deploy and then roll back those changes. It also calls --pre-hook and --post-hook commands if they are defined because they may be necessary to accurately simulate renewal. --deploy-hook commands are not called. (default: False)

What command did you use to create the first certificate? Share your config file (/etc/letsencrypt/renewal).


#3

Here’s my .conf file:

renew_before_expiry = 30 days

cert = /etc/letsencrypt/live/ultimaterehabestimator.com/cert.pem
privkey = /etc/letsencrypt/live/ultimaterehabestimator.com/privkey.pem
chain = /etc/letsencrypt/live/ultimaterehabestimator.com/chain.pem
fullchain = /etc/letsencrypt/live/ultimaterehabestimator.com/fullchain.pem
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/ultimaterehabestimator.com

# Options and defaults used in the renewal process

[renewalparams]
installer = nginx
authenticator = nginx
account = aa6e30c1172b7d6dbfdd3e9b7c2ad224


#4

Your certbot looks old. There is a version 0.27.1. The documentation has 0.26 (title-element).

You may change your configuration from

authenticator = nginx

to

authenticator = webroot

Then you need a running webserver. After that, a reload is enough.

nginx -s reload

#5

Am I supposed to run

nginx -s reload

as a post-hook?

currently getting this error:

Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/ultimaterehabestimator.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for backend.ultimaterehabestimator.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ultimaterehabestimator.com/fullchain.pem (failure)


#6

Please read your error message:

You have to add your webroot as parameter -w yourwebroot.

Use it as --deploy-hook - this is executed only one time, this is enough.


#7

Sorry, I’m still confused, I do not understand what webroot is supposed to point to.

I am trying to have my certificates autorenew and not cause nginx errors, should I add a post hook .sh file and point to it in my .conf file?

I do not understand how the --deploy-hook will work, or how the certificates are automatically renewed.


#8

The -w parameter is the path to your webroot, the "root" value of your nginx server.

You have new certificates created 2018-10-04, --dry-run has some limitations.

So update your certbot and check, if the renew 2018-12-04 works.

Please read that:

Note: Although --dry-run tries to avoid making any persistent changes on a system, it is not completely side-effect free: if used with webserver authenticator plugins like apache and nginx, it makes and then reverts temporary config changes in order to obtain test certificates, and reloads webservers to deploy and then roll back those changes.

You have such a “recovery error”:

--dry-run may produce errors used with special configurations (or with your too old certbot), so you should ignore such a problem if you have active and valid certificates.

--webroot may have less side effects than --nginx.
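The two pieces of advice in this thread (switch the authenticator to webroot with -w, and reload nginx from a --deploy-hook instead of letting the nginx plugin restart it) can be combined in one hook script. The script below is an added example written for this thread; it is not certbot's code and not something the posters shared. It assumes the Debian/Ubuntu PID file path /run/nginx.pid, a systemd-managed nginx, and a webroot of /var/www/html; adjust all three. The point the #1 error makes is that an empty or stale PID file breaks "nginx -s reload", so the hook first checks that the PID file names a live process, reloads only when it does, and otherwise starts nginx rather than failing. It also refuses to reload when "nginx -t" rejects the configuration, which is the failure mode you want to surface rather than hide.

```shell
#!/bin/sh
# Added example for this thread: a certbot --deploy-hook that reloads nginx safely.
# Assumptions (not from the thread): PID file at /run/nginx.pid, systemd unit "nginx",
# webroot /var/www/html. Install e.g. as /usr/local/sbin/nginx-reload-hook.sh (chmod 755).
set -eu

NGINX_PIDFILE="${NGINX_PIDFILE:-/run/nginx.pid}"

# pidfile_valid FILE: return 0 only if FILE is non-empty, contains nothing but digits,
# and that PID belongs to a process that is currently alive. This is exactly the check
# that "nginx -s reload" skips before failing with: invalid PID number "" in "/run/nginx.pid".
pidfile_valid() {
  pidfile="$1"
  [ -s "$pidfile" ] || return 1
  pid=$(tr -d '[:space:]' < "$pidfile")
  case "$pid" in
    ''|*[!0-9]*) return 1 ;;
  esac
  kill -0 "$pid" 2>/dev/null
}

# reload_or_start_nginx: validate the config first; a reload with a broken config would
# be reported by certbot as a hook failure, which is the desired outcome. If nginx is not
# actually running (empty/stale PID file), start it instead of reloading.
reload_or_start_nginx() {
  nginx -t || return 1
  if pidfile_valid "$NGINX_PIDFILE"; then
    nginx -s reload
  else
    systemctl start nginx
  fi
}

# certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it runs a deploy hook, so the
# hook only acts when invoked by certbot; sourcing or running it by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  echo "deploy-hook: certificate renewed for ${RENEWED_DOMAINS:-?} in ${RENEWED_LINEAGE}"
  reload_or_start_nginx
fi

# Usage (one-time; certbot stores the hook and webroot in the renewal .conf, so the
# later "certbot renew" runs from cron/systemd need no extra flags):
#   sudo certbot certonly --webroot -w /var/www/html \
#       -d ultimaterehabestimator.com -d backend.ultimaterehabestimator.com \
#       --deploy-hook /usr/local/sbin/nginx-reload-hook.sh
```

With a recent certbot the same script can instead be dropped into /etc/letsencrypt/renewal-hooks/deploy/, where it runs after every successful renewal without being named on the command line; the 0.17.0 release shown in the posted .conf predates that directory, which is one more reason to follow the advice above and update first. The webroot authenticator only needs nginx to serve /.well-known/acme-challenge/ from the -w directory during renewal, so it never has to touch the nginx configuration or restart the server, and the hook runs once per renewal rather than on every cron invocation.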


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.