Certbot failed to restart apache

Hello,

I'm running a webserver apache2 version 2.4.10-10+deb8u12
certbot 0.10.2-1~bpo8+1
OS Debian 8.11

The certificate was renewed without issue, but the post script wasn't able to restart the apache server, which caused a serious outage.

The logs show the following:

2018-12-09 11:04:27,577:ERROR:certbot.hooks:Hook command "apachectl -k start" returned error code 1
2018-12-09 11:04:27,577:ERROR:certbot.hooks:Error output from apachectl:
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Generally, when apache can't bind, it is because certbot is still running somehow.

Do you have any information about that kind of bug?

Hi @romgo

Please share your renew configuration, located in

/etc/letsencrypt/renewal

Perhaps you have used standalone with tls-sni-01 - validation. This validation is deprecated, support ends 2019-02-13.

If certbot switches to http validation, perhaps you must change your configuration.

Hi,

Options used in the renewal process

[renewalparams]
authenticator = standalone
post_hook = apachectl -k start
account = *****
pre_hook = apachectl -k stop
installer = apache

As the renew worked, I guess the config is right, no?

I think that this type of configuration is known to be a problem.

I would suggest changing the authenticator to apache, and removing the hooks:

Then try a certbot renew --dry-run.

If you use standalone, Certbot creates a temporary webserver. So you must stop and start your own server -> you have a timeout.

So try to switch to apache as authenticator. Or (my preferred version) use webroot.

Hi,

authenticator = apache should not be used in my case:

Yes, that's the issue: certbot's temporary webserver didn't stop on time.
The issue here is that certbot tries to restart my apache server when its webserver wasn't stopped successfully. So I guess there is something wrong with standalone mode.

If you can use webroot, you won't have to stop, nor restart, your apache server.
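
An added example, not part of the thread: a Python check that reads the text of a renewal file and flags the pattern discussed above, the standalone authenticator combined with hooks that stop and start the web server. The sample file is constructed around the posted [renewalparams]; the finding codes and the list of server command names are assumptions of this example.

```python
import configparser

# Constructed sample: [renewalparams] as posted in the thread; the top-level
# keys, path and account value are placeholders.
SAMPLE = """\
version = 0.10.2
cert = /etc/letsencrypt/live/example.org/cert.pem
[renewalparams]
authenticator = standalone
post_hook = apachectl -k start
account = 0000placeholder
pre_hook = apachectl -k stop
installer = apache
"""

WEB_SERVERS = ("apachectl", "apache2", "httpd", "nginx")  # assumed name list


def touches_server(hook):
    return any(name in hook for name in WEB_SERVERS)


def audit_renewal(text):
    """Return (code, message) findings for the text of one renewal .conf."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    # Renewal files begin with section-less keys; park them in a dummy section.
    cfg.read_string("[toplevel]\n" + text)
    if not cfg.has_section("renewalparams"):
        return [("NO_PARAMS", "no [renewalparams] section")]
    params = cfg["renewalparams"]
    auth = params.get("authenticator", "")
    pre, post = params.get("pre_hook", ""), params.get("post_hook", "")
    stops = touches_server(pre) and "stop" in pre
    findings = []
    if auth == "standalone":
        findings.append(("STANDALONE", "certbot binds its own listener, so the "
                         "web server must release the port for every renewal"))
        if stops:
            findings.append(("DOWNTIME", "pre_hook stops the web server; the "
                             "site is offline until post_hook succeeds"))
        if touches_server(post):
            findings.append(("RESTART_RISK", "a failing post_hook leaves the "
                             "site down; its exit code needs monitoring"))
    elif stops:
        findings.append(("STALE_HOOK", f"authenticator={auth or 'unset'} does "
                         "not need the web server stopped; drop the stop hook"))
    return findings


if __name__ == "__main__":
    for code, message in audit_renewal(SAMPLE):
        print(f"{code}: {message}")
```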

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.