Certbot on Amazon Linux - Process Already Bound to Port 443 and TLS-SNI Challenge Doesn't Pass


Came here to ask a question but solved it before finishing. On Amazon Linux (experimental) I set up, got the initial cert and renewed, but only in standalone mode (need to shut down the webserver). There was no cli.ini in my letsencrypt folder so I created one. Still no dice. Finally I read the manual (!) and just passed it on the command line. This works:

/opt/letsencrypt/certbot-auto renew --debug --dry-run --webroot -w /var/www/html/

Original Error:

Performing the following challenges:
tls-sni-01 challenge for sugarlock.com
tls-sni-01 challenge for www.sugarlock.com
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/sugarlock.com.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again… Skipping.


If you want to use standalone mode and you have a webserver that you need to shut down, you can use --pre-hook and --post-hook to specify the commands to stop and restart the webserver. But if your web server is serving files on port 80 from a directory, webroot mode is often cleaner than standalone mode and often preferable to it, apparently as in your case.


Hi Schoen. We redirect everything over SSL. I’ll take a look at pre/post hook. Thanks for the heads up.


Hi @ianv, the way you’ve done things is correct and appropriate. (The redirection from HTTP to HTTPS is no problem because the certificate authority will follow that redirection during the verification process.)

I was just mentioning the hooks for reference in case you had a specific reason to want to use standalone mode. But I believe standalone mode is a worse choice for most users, because it produces an outage on their web servers, while webroot mode doesn’t have that side effect. Since you got webroot to work properly, you’re probably better off sticking with it!
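Schoen's point that the CA follows the HTTP-to-HTTPS redirect during verification can be checked before a real renewal. The script below is an added example, not code from the thread or from Certbot; it assumes the certbot-auto path and webroot from the post, that curl is installed, and uses a constructed probe file in place of a real challenge.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check before webroot
# renewal on a host whose web server already owns port 443, the situation
# in the error above. Assumes certbot-auto at /opt/letsencrypt/certbot-auto
# and the webroot /var/www/html from the post (both overridable by env var).
CERTBOT=${CERTBOT:-/opt/letsencrypt/certbot-auto}
WEBROOT=${WEBROOT:-/var/www/html}

# place_token WEBROOT -> prints a random token after writing it to the path
# the CA fetches for an http-01 challenge (/.well-known/acme-challenge/).
place_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="preflight-$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s\n' "$token" > "$dir/$token" && echo "$token"
}

# fetch_token DOMAIN TOKEN -> 0 when the token comes back over plain HTTP;
# -L follows the HTTP->HTTPS redirect the way the CA does.
fetch_token() {
    body=$(curl -fsSL --max-time 10 "http://$1/.well-known/acme-challenge/$2") || return 1
    [ "$body" = "$2" ]
}

# remove_token WEBROOT TOKEN -> deletes the probe file
remove_token() { rm -f "$1/.well-known/acme-challenge/$2"; }

# preflight DOMAIN WEBROOT -> 0 if the challenge path is reachable from outside
preflight() {
    tok=$(place_token "$2") || return 1
    fetch_token "$1" "$tok"; rc=$?
    remove_token "$2" "$tok"
    return $rc
}

# main DOMAIN... -> checks every domain, then renews without stopping the
# web server (the --webroot flags are the ones that worked in the post)
main() {
    for d in "$@"; do
        if preflight "$d" "$WEBROOT"; then
            echo "$d: challenge path reachable"
        else
            echo "$d: challenge path NOT reachable, fix the server first" >&2
            return 1
        fi
    done
    "$CERTBOT" renew --webroot -w "$WEBROOT"
}

# Only run when invoked directly as renew-check.sh, so the functions can be sourced.
if [ "${0##*/}" = "renew-check.sh" ]; then main "$@"; fi
```

Run it as `./renew-check.sh sugarlock.com www.sugarlock.com`; a failed probe means the redirect or document root is blocking the challenge path, which standalone mode with hooks would only paper over.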

