Certbot: nginx is clobbering apaching

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

PROBLEM:
I have certbot running but I think it is kicking off nginx and clobbering my apache2 so my web pages are no longer being served. I have to hand kill nginx but it keeps coming back. I thought I had set certbot up to use apache so not sure why nginx is running. It looks like python3-certbox-nginx is installed. The SSL does seem to be working for the domain below. I just need to get rid of nginx. I tried
apt-cache rdepends nginx --installed
and got the results shown below.

  • Can I remove nginx-core without breaking certbot?
  • How to verify that certbot is using Apache?

certbot install on Debian 11 Dell R230 (i686) -
Debian 11.2
certbot 1.12.0
My domain is: blog.emily-gasster.com

$ apt-cache rdepends nginx --installed
nginx
Reverse Depends:
  nginx-core
  python3-certbot-nginx
    nginx-core
    nginx-extras
    nginx-full
    nginx-light
  libnginx-mod-stream-geoip
    nginx-core
    nginx-extras
    nginx-full
    nginx-light
  libnginx-mod-stream
    nginx-core
    nginx-extras
    nginx-full
    nginx-light
  libnginx-mod-mail
    nginx-core
    nginx-extras
    nginx-full
    nginx-light
  libnginx-mod-http-xslt-filter
    nginx-core
    nginx-extras
    nginx-full
    nginx-light
  libnginx-mod-http-image-filter
    nginx-core
    nginx-extras
    nginx-full
    nginx-light
  libnginx-mod-http-geoip
    nginx-core
    nginx-extras
    nginx-full
    nginx-light
  fcgiwrap
    nginx-core
    nginx-extras
    nginx-full
    nginx-light
1 Like

Let's start with seeing what certs Certbot handles. Can you show output from:

certbot certificates
2 Likes

If you don't need nginx at all, then remove python3-certbot-nginx, remove nginx, and install python3-certbot-apache.

As long as you have python3-certbot-nginx installed, you will have the rdependency on nginx. This is due to how the Debian packagers have packaged Certbot. It sounds like you don't need either.

It sounds like at least one of your certificates is setup to secure an nginx website.

You can try see which ones with:

 grep -R nginx /etc/letsencrypt/renewal/
3 Likes
$ grep -R nginx /etc/letsencrypt/renewal/

returned noting.
Next I tried to check apache:

$ grep -R apache /etc/letsencrypt/renewal/
/etc/letsencrypt/renewal/blog.emily-gasster.com.conf:authenticator = apache
/etc/letsencrypt/renewal/blog.emily-gasster.com.conf:installer = apache

so it looks like it is setup for apache. Perhaps I installed nginx by mistake.
I checked and python3-certbot-apache is also installed. So I'll try your suggestions. Thank you very much for the help.

1 Like
Found the following certs:
  Certificate Name: blog.emily-gasster.com
    Serial Number: 3eb4482eddbb1ef97c1110c0cdc594c14d1
    Key Type: RSA
    Domains: blog.emily-gasster.com
    Expiry Date: 2022-04-04 04:00:20+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/blog.emily-gasster.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/blog.emily-gasster.com/privkey.pem
2 Likes

Yes, that confirms what you found with the grep suggested by _az

Looks like your plan to remove nginx is fine. You don't want or need it so ... :slight_smile:

4 Likes

Thank you for the assistance.

-- Sam

4 Likes