I have set up autorenewal for my security certificates. However, this caused my site to go down when the autorenewal occurred. I was able to fix this with
sudo systemctl restart nginx
but I do not want this problem to occur again. This is what I see when I run
sudo certbot renew --dry-run
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Encountered exception during recovery
nginx restart failed:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/error_handler.py", line 99, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 284, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 824, in cleanup
    self.restart()
  File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 590, in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/lib/python2.7/dist-packages/certbot_nginx/configurator.py", line 853, in nginx_restart
    "nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
MisconfigurationError: nginx restart failed:
Attempting to renew cert (ultimaterehabestimator.com) from /etc/letsencrypt/renewal/ultimaterehabestimator.com.conf produced an unexpected error: nginx restart failed:
. Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ultimaterehabestimator.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
Perform a test run of the client, obtaining test (invalid) certificates but not saving them to disk. This can currently only be used with the 'certonly' and 'renew' subcommands. Note: Although --dry-run tries to avoid making any persistent changes on a system, it is not completely side-effect free: if used with webserver authenticator plugins like apache and nginx, it makes and then reverts temporary config changes in order to obtain test certificates, and reloads webservers to deploy and then roll back those changes. It also calls --pre-hook and --post-hook commands if they are defined because they may be necessary to accurately simulate renewal. --deploy-hook commands are not called. (default: False)
What command did you use to create the first certificate? Share your config file (/etc/letsencrypt/renewal).
Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/ultimaterehabestimator.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for backend.ultimaterehabestimator.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ultimaterehabestimator.com/fullchain.pem (failure)
The -w parameter is the path to your webroot, the "root" value of your nginx server.
You have new certificates created 2018-10-04; --dry-run has some limitations.
So update your certbot and check whether the renewal on 2018-12-04 works.
Please read that:
Note: Although --dry-run tries to avoid making any persistent changes on a system, it is not completely side-effect free: if used with webserver authenticator plugins like apache and nginx, it makes and then reverts temporary config changes in order to obtain test certificates, and reloads webservers to deploy and then roll back those changes.
You have such a "recovery error":
--dry-run may produce errors when used with special configurations (or with your too-old certbot), so you should ignore such a problem if you have active and valid certificates.
--webroot may have fewer side effects than --nginx.
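An added example, not part of the thread and not certbot's own code: a pre-flight check that reads a renewal file and reports the two conditions seen above, an nginx authenticator (which changes config and restarts the server on renewal) and a webroot authenticator with no webroot recorded for a domain. It assumes the usual layout of files under /etc/letsencrypt/renewal/ ([renewalparams] with a nested [[webroot_map]]) and that a webroot_path entry covers unmapped domains; the sample file, the example.com names and the function names are constructed.

```python
import re

# Constructed sample renewal file; names and paths are placeholders.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = webroot
installer = None
[[webroot_map]]
example.com = /var/www/example
"""

def parse_renewal_conf(text):
    """Return (renewalparams, webroot_map) dicts from renewal-file text."""
    params, webroot_map, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[+\s*([^\[\]]+?)\s*\]+", line)
        if header:                      # [section] or nested [[section]]
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip().rstrip(",")
        if section == "renewalparams":
            params[key] = value
        elif section == "webroot_map":
            webroot_map[key] = value
    return params, webroot_map

def check_renewal_conf(text, domains):
    """List conditions likely to break or disrupt an unattended renewal."""
    params, webroot_map = parse_renewal_conf(text)
    findings = []
    auth = params.get("authenticator", "")
    if auth == "nginx":
        findings.append("authenticator=nginx: renewal changes nginx config and restarts it")
    elif auth == "webroot":
        fallback = params.get("webroot_path", "")  # assumed to cover unmapped domains
        for domain in domains:
            if domain not in webroot_map and not fallback:
                findings.append("no webroot for %s" % domain)
    return findings

if __name__ == "__main__":
    for finding in check_renewal_conf(SAMPLE_CONF, ["example.com", "backend.example.com"]):
        print(finding)
```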