Certbot hangs on stopping server

My domain is: dongap.ir / dongap.com

I ran this command: sudo kill -9 27915 && sudo certbot certonly --standalone

It produced this output:
It hangs on cleaning challenges.
The last log is: “DEBUG:certbot.plugins.standalone:Stopping server at :::80…”

My web server is (include version): No webserver

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: haio.cloud

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Hi @emran.bm

looks like you have a running webserver with ipv6, Certbot can't stop that webserver.

Check your system and stop that webserver manual.

Do you know whether anything is bound to port 80 at the time when Certbot is hung?

For example, is it listed by:

ss -tlnp | grep ":80"

This would be useful to distinguish whether the standalone server is still actually running, or whether Certbot has moved onto something else (but hasn't logged about it).

One reason that the underlying shutdown() operation of the standalone server may hang is if there is a client connected to it who is not disconnecting. You could confirm this by running the following when it is hung:

ss -tn | grep ":80"

If there is a client connected, it should be listed by the above, and it would explain why Certbot would be hung: it is waiting for the client to disconnect before it stops the standalone server entirely.

Tnx for your reply.
Yes there are bound connections. 3 in STABLISHED state and 4 in CLOSE_WAIT.
What should I do?

Those are connections inbound to the local port 80 server, right?

Where are the connections coming from? You might be able to deduce more information by adding a -p (process) parameter to ss.

Unfortunately I'm 99% sure this is a Certbot bug. It should not wait indefinitely to drain unexpected client connections when shutting down the standalone server. I've reproduced it locally and I'm about to file an issue.

The question is, where are those ESTABLISHED connections coming from? They're causing the problems :frowning: .

Here is the result of ss -tnp | grep ":80":

CLOSE-WAIT 2486   0        ::ffff:                   ::ffff:              
CLOSE-WAIT 6812   0        ::ffff:                  ::ffff:              
ESTAB      0      0        ::ffff:                   ::ffff:              
ESTAB      0      0        ::ffff:                    ::ffff:              
ESTAB      0      0        ::ffff:                   ::ffff:              
CLOSE-WAIT 9729   0        ::ffff:                  ::ffff:              
CLOSE-WAIT 1872   0        ::ffff:                   ::ffff:

Although previous logs say that the challenges failed because they didn’t reach the server!

certbot.errors.FailedChallenges: Failed authorization procedure. dongap.ir (http-01):  urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain  :: Fetching http://dongap.ir/.well-known/acme-challenge/12hUISBU3M2fQRZ1EE_Z1vuR1-7H8wF_ajIwcAehQP8: Timeout during connect (likely firewall problem)

I tried to curl the challenge url (when hung), from my pc; it says:
curl: (56) Recv failure: Connection reset by peer

I’m not quite sure what you should do, other than kill -9 the Certbot process.

If those 3 ESTABLISHED connections stay open, so will Certbot .

I’ve now filed the bug (https://github.com/certbot/certbot/issues/7386) but I can’t really think of a good workaround, other than using a real webserver like nginx or Apache (with --nginx or --apache) and not using --standalone mode.


Killed certbot, and connections are gone…

However thanks a lot for your care.

I’ve no webserver running.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.