Certbot standalone not issuing new certificates and cert-manager not issuing certificates too

I am running Certbot for Let's Encrypt certificate management and Certmanager for Kubernetes-based automatic certificate management. Both tools are trying to manage certificates on the same server, but I am concerned about potential conflicts between them.

The issue I’m facing is that while I’ve successfully issued certificates using both tools, I am unsure if they’re interfering with each other when it comes to automatic renewal. I have observed the following:

  1. Certbot Renewal Failures: The automatic renewal process via Certbot does not seem to work reliably, and I occasionally see errors indicating that Certbot is unable to renew the certificate.
  2. Port 80 Issues: When Certbot tries to renew certificates, port 80 (HTTP-01 challenge) seems to be occupied by either Nginx or Certmanager, causing certificate issuance/renewal to fail.
  3. Conflicting Services: When I check for processes related to Certbot and Certmanager, they both seem to be trying to use port 80 and could be interfering with each other’s renewal process.

Checked Nginx Processes:
I verified Nginx processes are running on port 80, which could be blocking the HTTP challenge used by Certbot.
Output of ps aux | grep nginx shows active Nginx processes, including master and worker processes using port 80.
Checked Certbot Logs:
In the Certbot logs, I see the following error:
Error: Could not bind to port 80: Another process is already listening on this port.
This error suggests Certbot cannot access port 80 during renewal, likely because Certmanager or Nginx is already using it.
Checked Certmanager Logs:
Certmanager logs seem to indicate that it’s attempting to manage certificates within the Kubernetes cluster, and there’s some overlap in terms of certificate domains with Certbot.

Welcome @eazynoble3. First, I moved your post into the Help category, which is a better place for this. Below is a form you would have been shown, but I think we might resolve this without needing that info.

Why are you using Certbot at all? Cert-Manager should work just fine all by itself.

But, yes, the Certbot --standalone option requires exclusive use of port 80. If you need it for something cert-manager can't handle you should look at using a DNS Challenge or an HTTP Challenge using --webroot or maybe even --nginx.

==========================================

This was the form you would have been shown posting in Help section

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


My domain is: argocd.wesolved.cloud

I ran this command: certbot renew, since I created the certificates with certbot before now installing cert-manager for managing load balancing in my Kubernetes cluster.

It produced this output:

certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/argocd.wesolved.cloud.conf

Renewing an existing certificate for argocd.wesolved.cloud

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: argocd.wesolved.cloud
Type: unauthorized
Detail: 51.159.211.153: Invalid response from http://argocd.wesolved.cloud/.well-known/acme-challenge/iiY55M_xv3BMroJx2iJtV5IxEnC4IS2dPUs_Bmrvaic: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate argocd.wesolved.cloud with error: Some challenges have failed.

Seems something is blocking port 80, but I assure you nothing is, no nginx, no apache. I already checked with netstat -tulnp and netcat and all necessary; port 80 is open just like 443.

My web server is (include version):

The operating system my web server runs on is (include version): I am running on a debian server

My hosting provider, if applicable, is: 02switch

dig +short argocd.wesolved.cloud
51.159.211.153

Which is the right IP for my server.

I can login to a root shell on my machine (yes or no, or I don't know): :open_mouth: Of course I have root access.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot --version
certbot 2.1.0

NB: I recently uninstalled the old version of Certbot and am using the new version without deleting the stored certificates. I am plainly surprised at this blockage.

We can check what is listening on port 80. But, HTTP requests to your domain right now get a reply from a server identifying as

Request to: argocd.wesolved.cloud/51.159.211.153, Result: [Address=51.159.211.153,Address Type=IPv4,Server=Werkzeug/3.0.1 Python/3.12.8

Do you know what Werkzeug is?


I have only come in contact with it when it comes to installing and using it, haven't really built an app that uses it but I have used it in already made app, like Odoo.

Well, it is running right now and using port 80. That is the conflict with Certbot --standalone.

Show output of:

sudo ss -pant | grep -i listen | grep -Ei ':80|werk'

It outputted nothing. Blank.

I am still seeing that Werkzeug server replying. Are you running those commands on the server handling this public IP?

Request to: argocd.wesolved.cloud/51.159.211.153, Result: [Address=51.159.211.153,Address Type=IPv4,Server=Werkzeug/3.0.1 Python/3.12.8,HTTP Status=404]

Do you have any container or similar that would get the port 80 requests that was not visible to that ss command?

Certbot says port 80 is in use. HTTP requests to port 80 from the public internet get a reply from Werkzeug. These are clear indications something is using it :slight_smile:

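As an added illustration of the "nothing listens, yet the internet gets a reply" case raised above (this is not the volunteer's or the poster's code): the POSIX shell helper below classifies port 80 from `ss -Hplnt` and `iptables-save -t nat` output. It assumes the forwarding is done by iptables NAT rules, which is how Docker, kube-proxy and MetalLB (layer 2) commonly deliver traffic to a pod or container without any local LISTEN socket; all sample outputs are constructed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). A Docker, kube-proxy or MetalLB NAT rule
# can forward port 80 to a pod/container with no local LISTEN socket, so `ss` looks clean
# while Certbot --standalone still cannot serve the HTTP-01 challenge. States reported:
#   listener - a local process holds the port (bind fails)
#   dnat     - no socket, but NAT forwards dport 80 elsewhere (looks free, is not)
#   free     - nothing found; the standalone authenticator can use it
# On a real host feed in the live commands:
#   port80_state "$(sudo ss -Hplnt)" "$(sudo iptables-save -t nat)"

port80_state() {   # $1 = output of `ss -Hplnt`, $2 = output of `iptables-save -t nat`
  if printf '%s\n' "$1" | grep -Eq '^LISTEN[[:space:]].*:80[[:space:]]'; then
    echo listener; return 0
  fi
  if printf '%s\n' "$2" | grep -Eq -- '--dport 80 .*-j (DNAT|REDIRECT|DOCKER|KUBE-)'; then
    echo dnat; return 0
  fi
  echo free
}

server_header() {  # $1 = raw response headers, e.g. from `curl -sI http://host/`
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ss]erver: //p' | head -n 1
}

# Constructed samples (not captured from any real host); chain name and IP are placeholders.
SS_NGINX='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("python3",pid=901,fd=3))'
SS_NONE='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
LISTEN 0 4096 127.0.0.1:10249 0.0.0.0:* users:(("kube-proxy",pid=1337,fd=12))'
NAT_K8S='-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 192.0.2.10/32 -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller:http loadbalancer IP" -m tcp --dport 80 -j KUBE-EXT-EXAMPLE'
NAT_NONE='-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'
RESP='HTTP/1.1 404 NOT FOUND
Server: Werkzeug/3.0.1 Python/3.12.8
Content-Type: text/html; charset=utf-8'

echo "nginx host:        $(port80_state "$SS_NGINX" "$NAT_NONE")"   # listener
echo "k8s/MetalLB host:  $(port80_state "$SS_NONE" "$NAT_K8S")"     # dnat
echo "clean host:        $(port80_state "$SS_NONE" "$NAT_NONE")"    # free
echo "public reply from: $(server_header "$RESP")"                  # Werkzeug/3.0.1 Python/3.12.8
```

A "dnat" result means the challenge has to be served by whatever the rule forwards to (the ingress controller or cert-manager), or Certbot has to switch to a DNS challenge instead.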

Could MetalLB or cert-manager running in a Kubernetes pod be blocking it?

Or the nginx ingress controller for the k8s cluster?

You would know your server's traffic flows better than I but something must be.

As I noted earlier, if you absolutely need Certbot you may need to use a DNS Challenge or possibly HTTP Challenge if you can coordinate with whatever listens on port 80.

Your DNS provider Cloudflare integrates nicely with Certbot (and other ACME clients) to allow DNS Challenges. See the certbot-dns-cloudflare documentation.

A different volunteer may have other suggestions. That's the best I can do.
