Certbot renewal Error

My domain is:
ccpracticum.com

I ran this command:
It is running the cron job script to auto-renew certificates.

It produced this output:

My web server is (include version):

OpenLiteSpeed 1.7.16

The operating system my web server runs on is (include version):

Ubuntu 20.04

My hosting provider, if applicable, is:

AWS

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.40.0

==========================================
Some of the error log
==========================================

2022-10-31 01:23:33,060:DEBUG:acme.client:Storing nonce: 327Cm1yvpJyIlUG64-oWufyllokPqI2cNQYajXHLnDLAaIY
2022-10-31 01:23:33,060:INFO:certbot.auth_handler:Performing the following challenges:
2022-10-31 01:23:33,060:INFO:certbot.auth_handler:http-01 challenge for ccpracticum.com
2022-10-31 01:23:33,060:INFO:certbot.auth_handler:http-01 challenge for www.ccpracticum.com
2022-10-31 01:23:33,060:DEBUG:acme.standalone:Failed to bind to :80 using IPv6
2022-10-31 01:23:33,060:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2022-10-31 01:23:33,063:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 70, in run
    servers = acme_standalone.HTTP01DualNetworkedServers(
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 153, in __init__
    BaseDualNetworkedServers.__init__(self, HTTP01Server, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 102, in __init__
    raise socket.error("Could not bind to IPv4 or IPv6.")
OSError: Could not bind to IPv4 or IPv6.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 156, in perform
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 156, in <listcomp>
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 163, in _try_perform_single
    _handle_perform_error(error)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 210, in _handle_perform_error
    raise error
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 161, in _try_perform_single
    return self._perform_single(achall)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 166, in _perform_single
    servers, response = self._perform_http_01(achall)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 173, in _perform_http_01
    servers = self.servers.run(port, challenges.HTTP01, listenaddr=addr)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 73, in run
    raise errors.StandaloneBindError(error, port)
certbot.errors.StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.

2022-10-31 01:23:33,063:DEBUG:certbot.error_handler:Calling registered functions
2022-10-31 01:23:33,063:INFO:certbot.auth_handler:Cleaning up challenges
2022-10-31 01:23:33,063:WARNING:certbot.renewal:Attempting to renew cert (ccpracticum.com-0001) from /etc/letsencrypt/renewal/ccpracticum.com-0001.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
2022-10-31 01:23:33,067:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 70, in run
    servers = acme_standalone.HTTP01DualNetworkedServers(
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 153, in __init__
    BaseDualNetworkedServers.__init__(self, HTTP01Server, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 102, in __init__
    raise socket.error("Could not bind to IPv4 or IPv6.")

OSError: Could not bind to IPv4 or IPv6.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 462, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1208, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 320, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 156, in perform
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 156, in <listcomp>
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 163, in _try_perform_single
    _handle_perform_error(error)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 210, in _handle_perform_error
    raise error
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 161, in _try_perform_single
    return self._perform_single(achall)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 166, in _perform_single
    servers, response = self._perform_http_01(achall)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 173, in _perform_http_01
    servers = self.servers.run(port, challenges.HTTP01, listenaddr=addr)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 73, in run
    raise errors.StandaloneBindError(error, port)
certbot.errors.StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.

2022-10-31 01:23:33,069:INFO:certbot.renewal:Cert not yet due for renewal
2022-10-31 01:23:33,070:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2022-10-31 01:23:33,072:INFO:certbot.renewal:Cert not yet due for renewal
2022-10-31 01:23:33,072:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2022-10-31 01:23:33,074:INFO:certbot.renewal:Cert not yet due for renewal
2022-10-31 01:23:33,075:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2022-10-31 01:23:33,077:INFO:certbot.renewal:Cert not yet due for renewal
2022-10-31 01:23:33,077:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2022-10-31 01:23:33,077:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2022-10-31 01:23:33,077:ERROR:certbot.renewal:  /etc/letsencrypt/live/ccpracticum.com-0001/fullchain.pem (failure)
2022-10-31 01:23:33,077:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1287, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 486, in handle_renewal_request
    raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

The cron job that runs the renewal is this:

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "systemctl restart lsws"
0 0 * * 3 root systemctl restart lsws

You are using an old version of Certbot, see here for newer: Certbot 1.31.0 Release

Also make sure all your Python requirements for Certbot are met.

1 Like

When you use the standalone authentication it needs access to port 80. That failed as you must have something already using that port (maybe litespeed?).

I see you have some history getting a cert for this domain. Did you change your method or sequence of steps?

If litespeed is using port 80, just stop it before running the renewal and start it after.

4 Likes

https://letsdebug.net/

  1. HTTPS-01 Let's Debug
  2. DNS-01 Let's Debug
  3. TLS-ALPN-01 Let's Debug

All 3 seem Green OK.

1 Like

Yeah, it seems they do have server: LiteSpeed still running.
Using https://www.redirect-checker.org/

And SSL Server Test: ccpracticum.com (Powered by Qualys SSL Labs) too.

1 Like

Thanks @MikeMcQ for your time.

Yes, I have a history renewing this cert, but it usually has problems doing it automatically, and to solve the urgency I update it manually, putting down my web server and running certbot from the console. But I really would like to leverage the auto-renewal functionality. I have other domains running on the same server, but those work fine and auto-renew the certs without problems.

It always has been standalone.

1 Like

Thank you @Bruce5051, the issue is that the cert is in time for renewal: the current cert expires Nov 28th and it is not being renewed automatically.

2 Likes

Did you put down your web server before trying to renew manually? Because something is using port 80.

Can you show output of this command before trying manual renewal?

sudo ss -pant | grep ':80'

And, please show the certbot command you use for this manual renewal.

3 Likes

/etc/letsencrypt/renewal# sudo ss -pant | grep ':80'

LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("litespeed",pid=483359,fd=17),("litespeed",pid=483354,fd=17))
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("litespeed",pid=483358,fd=16),("litespeed",pid=483354,fd=16))
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("litespeed",pid=483357,fd=15),("litespeed",pid=483354,fd=15))
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("litespeed",pid=483356,fd=14),("litespeed",pid=483354,fd=14))
LISTEN 0 4096 0.0.0.0:8088 0.0.0.0:* users:(("litespeed",pid=483359,fd=11),("litespeed",pid=483354,fd=11))
LISTEN 0 4096 0.0.0.0:8088 0.0.0.0:* users:(("litespeed",pid=483358,fd=10),("litespeed",pid=483354,fd=10))
LISTEN 0 4096 0.0.0.0:8088 0.0.0.0:* users:(("litespeed",pid=483357,fd=9),("litespeed",pid=483354,fd=9))
LISTEN 0 4096 0.0.0.0:8088 0.0.0.0:* users:(("litespeed",pid=483356,fd=8),("litespeed",pid=483354,fd=8))

And the command that I use to renew is:

certbot renew

It looks like litespeed is still running. Note the LISTEN for port 80 for litespeed.

You must stop litespeed for standalone to work.

The best solution is probably to change from standalone to webroot authentication. That means you don't have to stop litespeed and start it after. Docs are here

I'd recommend stopping litespeed and doing your renew before converting to webroot so you have fresh certs and more time to get that changed.

4 Likes

Mike, you are correct. When I renew certs manually I stop litespeed and it works fine, but I would like to have automatic renewal.

I posted the cron job that runs the renewal. It's supposed to stop litespeed, but for some reason it does not work.

1 Like

I did not see any command in that cron job that stopped litespeed. Maybe I misunderstand.

You could set up your own script that did something like this. And, run this new script from cron instead of the commands you have.

EDIT: This below is just a concept. It would not work well as shown given the good practice of a random sleep. You might also be able to do the stop and start with certbot's pre-hook and post-hook. But, webroot is your best long-term answer.

#!/bin/sh
# Stop the web server so standalone can bind port 80, renew, then start it again.
systemctl stop lsws
test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
systemctl start lsws

4 Likes
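Added example, not code from the thread: a small POSIX shell script that reads `ss -pant` output the way the check above does (which process holds port 80) and builds the renewal command with certbot's --pre-hook/--post-hook, so the web server is stopped only for the challenge itself and never for the random sleep. The unit name lsws comes from the cron job in the thread; the ss sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the OpenLiteSpeed unit is "lsws",
# as in the poster's cron job.

# Constructed sample, shaped like the `ss -pant | grep ':80'` output in the thread.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("litespeed",pid=483359,fd=17),("litespeed",pid=483354,fd=17))
LISTEN 0 4096 0.0.0.0:8088 0.0.0.0:* users:(("litespeed",pid=483359,fd=11),("litespeed",pid=483354,fd=11))'

# Print the unique process names that LISTEN on port 80 (any address, v4 or v6).
# Reads ss output from stdin so it can be run offline against a sample.
port80_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /:80$/ {
            while (match($0, /\("[^"]+"/)) {
                name = substr($0, RSTART + 2, RLENGTH - 3)
                seen[name] = 1
                $0 = substr($0, RSTART + RLENGTH)
            }
        }
        END { for (n in seen) print n }'
}

# Succeed only when nothing holds port 80: run before a manual standalone renew.
port80_is_free() {
    [ -z "$(port80_listeners)" ]
}

# Build the renewal command. certbot runs --pre-hook right before the http-01
# challenge and --post-hook after it, whether or not renewal succeeded, so the
# outage is the few seconds the challenge needs, not the cron job's random sleep.
renew_command() {
    unit="$1"
    printf '%s' "certbot -q renew --pre-hook 'systemctl stop $unit' --post-hook 'systemctl start $unit'"
}

# Only touch the live system when explicitly asked (./renew.sh --run).
if [ "${1:-}" = "--run" ]; then
    echo "Processes on port 80: $(ss -pant | port80_listeners)"
    eval "$(renew_command lsws)"
fi
```

With the hooks in place the cron line no longer needs a surrounding stop/start script; note that certbot only fires the hooks when a cert is actually due, so the weekly restart in the second cron line is unaffected.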

I second the motion.
lol

3 Likes

@MikeMcQ , thanks for all your help, I really appreciate this.

I will take your advice. When you say webroot is the best solution, I would like to know if you are talking about changing this parameter

[renewalparams]
authenticator = standalone

in the renewal configuration file of this domain. Is there any other file or parameter that I have to add or include in the renewal configuration file?

Thanks again.

2 Likes

It is best to update the renewal conf files only with certbot commands. Subtle errors can occur otherwise.

You can test a webroot with this format:

sudo certbot certonly --dry-run --cert-name ccpracticum.com-0001 --webroot -w (folder) 

Where the -w (folder) is the root folder for litespeed to serve files.

The --dry-run is a test. If it works, remove --dry-run and do it again for a real cert. If that works, the renewal conf is updated with these new options. Any later "renew" command will use these new options.

Then, repeat for other certs shown by sudo certbot certificates.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.