Certbot causing apache shutdown on debian 9 stretch (SIGTERM)

Sofianio · February 10, 2019, 9:23am

My domain is: api.greengy.fr

I ran this command: sudo certbot --apatch

It produced this output: caught SIGTERM, shutting down

My web server is: apache 2.4.25

The operating system my web server runs on is: Debian 9 stretch

My hosting provider, if applicable, is: LWS

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

The version of my client is: 0.28.0

Hello,
I’m having an issue where my apache server stops automatically everyday at around 2am with last error log being caught SIGTERM, shutting down

This happened to me on 2 servers after installing certbot, after some digging / googling I found many similar issues but none of them describe a clear solution, so I came to the pros for help

error.log

[Sat Feb 09 11:12:10.004622 2019] [mpm_worker:notice] [pid 18958:tid 140271036855488] AH00292: Apache/2.4.25 (Debian) mod_fcgid/2.3.9 Phusion_Passenger/5.0.30 mod_python/3.3.1 Python/2.7.13 OpenSSL/1.0.2q configured -- resuming normal operations
[Sat Feb 09 11:12:10.004654 2019] [core:notice] [pid 18958:tid 140271036855488] AH00094: Command line: '/usr/sbin/apache2'
[Sun Feb 10 02:05:42.571375 2019] [mpm_worker:notice] [pid 18958:tid 140271036855488] AH00295: caught SIGTERM, shutting down

[ 2019-02-10 02:05:42.5848 18964/7f4145ac8700 age/Cor/CoreMain.cpp:532 ]: Signal received. Gracefully shutting down... (send signal 2 more time(s) to force shutdown)

[ 2019-02-10 02:05:42.5848 18971/7fb4ca6e5700 age/Ust/UstRouterMain.cpp:422 ]: Signal received. Gracefully shutting down... (send signal 2 more time(s) to force shutdown)
[ 2019-02-10 02:05:42.5849 18971/7fb4d0d2c780 age/Ust/UstRouterMain.cpp:492 ]: Received command to shutdown gracefully. Waiting until all clients have disconnected...
[ 2019-02-10 02:05:42.5849 18971/7fb4c9ce4700 Ser/Server.h:817 ]: [UstRouterApiServer] Freed 0 spare client objects
[ 2019-02-10 02:05:42.5849 18971/7fb4c9ce4700 Ser/Server.h:464 ]: [UstRouterApiServer] Shutdown finished
[ 2019-02-10 02:05:42.5849 18964/7f414c4ea780 age/Cor/CoreMain.cpp:901 ]: Received command to shutdown gracefully. Waiting until all clients have disconnected...
[ 2019-02-10 02:05:42.5850 18964/7f41450c7700 Ser/Server.h:817 ]: [ServerThr.2] Freed 128 spare client objects
[ 2019-02-10 02:05:42.5850 18964/7f41450c7700 Ser/Server.h:464 ]: [ServerThr.2] Shutdown finished
[ 2019-02-10 02:05:42.5854 18964/7f413ffff700 Ser/Server.h:817 ]: [ApiServer] Freed 0 spare client objects
[ 2019-02-10 02:05:42.5854 18964/7f413ffff700 Ser/Server.h:464 ]: [ApiServer] Shutdown finished
[ 2019-02-10 02:05:42.5854 18971/7fb4ca6e5700 Ser/Server.h:464 ]: [UstRouter] Shutdown finished
[ 2019-02-10 02:05:42.5856 18964/7f4145ac8700 Ser/Server.h:817 ]: [ServerThr.1] Freed 128 spare client objects
[ 2019-02-10 02:05:42.5856 18964/7f4145ac8700 Ser/Server.h:464 ]: [ServerThr.1] Shutdown finished
[ 2019-02-10 02:05:42.5858 18971/7fb4d0d2c780 age/Ust/UstRouterMain.cpp:523 ]: Passenger UstRouter shutdown finished
[ 2019-02-10 02:05:42.6190 18964/7f414c4ea780 age/Cor/CoreMain.cpp:967 ]: Passenger core shutdown finished

Thanks in advance.

_az · February 10, 2019, 10:08am

Can you find the related logfile from the same time, in /var/log/letsencrypt/ ?

It would illuminate what’s happening to your Apache server.

Osiris · February 10, 2019, 10:20am

Also please provide:

/etc/letsencrypt/cli.ini (if it exists)
the contents of the files in /etc/letsencrypt/renewal/

Sofianio · February 10, 2019, 1:19pm

Thanks for the reply @Osiris @_az
Here are the requested files:
cli.ini

# Because we are using logrotate for greater flexibility, disable the
# internal certbot logrotation.
max-log-backups = 0

/etc/letsencrypt/renewal/api.greengy.fr.conf

# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/api.greengy.fr
cert = /etc/letsencrypt/live/api.greengy.fr/cert.pem
privkey = /etc/letsencrypt/live/api.greengy.fr/privkey.pem
chain = /etc/letsencrypt/live/api.greengy.fr/chain.pem
fullchain = /etc/letsencrypt/live/api.greengy.fr/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ccc0ba2a40d4afdfedfb2647072adafe
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = apache

/var/log/letsencrypt for the day of the crash

2019-02-10 02:55:38,498:DEBUG:certbot.main:certbot version: 0.28.0
2019-02-10 02:55:38,499:DEBUG:certbot.main:Arguments: ['-q']
2019-02-10 02:55:38,500:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-10 02:55:38,516:DEBUG:certbot.log:Root logging level set at 30
2019-02-10 02:55:38,517:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-10 02:55:38,533:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f28a09d7b00> and installer <certbot.cli._Default object at 0x7f28a09d7b00>
2019-02-10 02:55:38,542:INFO:certbot.renewal:Cert not yet due for renewal
2019-02-10 02:55:38,543:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-02-10 02:55:38,543:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f28a09da6a0>
2019-02-10 02:55:38,545:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no values loaded
2019-02-10 02:55:38,545:DEBUG:certbot.renewal:no renewal failures
2019-02-10 04:00:56,413:DEBUG:certbot.main:certbot version: 0.28.0
2019-02-10 04:00:56,422:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
2019-02-10 04:00:56,423:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-10 04:00:56,461:DEBUG:certbot.log:Root logging level set at 20
2019-02-10 04:00:56,462:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-10 04:00:56,506:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fcf94b2b4a8> and installer <certbot.cli._Default object at 0x7fcf94b2b4a8>
2019-02-10 04:00:56,538:INFO:certbot.renewal:Cert not yet due for renewal
2019-02-10 04:00:56,539:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-02-10 04:00:56,540:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7fcf94b82fd0>
2019-02-10 04:00:56,541:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no values loaded
2019-02-10 04:00:56,561:DEBUG:certbot.renewal:no renewal failures

I hope this helps

Osiris · February 10, 2019, 4:21pm

This line intrigues me: apparently, your system uses the ispconfig control panel. And apparently, something added that 'post-hook' to certbot.

However, the post-hook shouldn't have ran, as there were no renewal attempts.

But perhaps you can see what the contents of /usr/local/ispconfig/server/le.restart is? I assume if it's set to "1", some other component on your server will restart Apache.

Sofianio · February 10, 2019, 4:26pm

@Osiris I didn't find the file

Osiris · February 10, 2019, 4:58pm

I noticed the times don't really add up. Certbot runs at 02:55:38 and at 04:00:56 (which, by the way, is strange, so soon after each other). And Apache stops at 02:05:42, which is 50 minutes before certbot runs.

So my guess is there isn't actually a relationship between certbot and Apache.

rg305 · February 10, 2019, 11:19pm

Is that a TYPO?
[please confirm actual command]

Please check that you are not running more than one daily renewal job:
crontab -l
sudo crontan -l
systemctl list-timers

Sofianio · February 11, 2019, 8:44am

Yes that was a typo,
I checked and found no certbot cronjob and 1 certbot.timer

system · March 13, 2019, 8:44am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.