Certificate Renewal and Apache

Please fill out the fields below so we can help you better.

My domain is: support.bgctnv.org

My web server is (include version): Apache/2.2.15 (Unix)

The operating system my web server runs on is (include version): CentOS release 6.8 (Final)

Hello, I have a strange issue that I’ve found hints at in multiple posts already in the community, but no solutions seem to resolve my issue. I’m thinking it may be something more along the lines of an Apache problem than LE itself. Long story short, my certificate expired. Users are now getting the untrusted-certificate warning when browsing to my site (obviously because it’s expired). I first tried a dry run to test the certificate renewal process:

# certbot-auto renew --dry-run
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/support.bgctnv.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for support.bgctnv.org
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/support.bgctnv.org/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/support.bgctnv.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

Seeing a successful dry run, I then ran a proper renewal:

# /root/certbot-auto renew
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/support.bgctnv.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for support.bgctnv.org
Error while running apachectl graceful.
httpd not running, trying to start

(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
no listening sockets available, shutting down
Unable to open logs

Cleaning up challenges
Error while running apachectl graceful.
httpd not running, trying to start

(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
no listening sockets available, shutting down
Unable to open logs

Encountered exception during recovery
Error while running apachectl graceful.
httpd not running, trying to start

(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
no listening sockets available, shutting down
Unable to open logs
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/error_handler.py", line 99, in _call_registered
    self.funcs[-1]()
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/auth_handler.py", line 284, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1908, in cleanup
    self.restart()
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1797, in restart
    self._reload()
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1808, in _reload
    raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apachectl graceful.
httpd not running, trying to start

(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
no listening sockets available, shutting down
Unable to open logs

Attempting to renew cert from /etc/letsencrypt/renewal/support.bgctnv.org.conf produced an unexpected error: Error while running apachectl graceful.
httpd not running, trying to start

(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
no listening sockets available, shutting down
Unable to open logs
. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/support.bgctnv.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

After the renewals fail, Apache is in a dead state:

# service httpd status
httpd dead but pid file exists

Here’s a snippet of the latest httpd error_log file. I can attach the full log, if need be:

[Wed Jun 07 12:24:57 2017] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Jun 07 12:24:57 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 07 12:24:57 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jun 07 12:24:57 2017] [warn] RSA server certificate CommonName (CN) `dummy' does NOT match server name!?
[Wed Jun 07 12:24:57 2017] [notice] Digest: generating secret for digest authentication ...
[Wed Jun 07 12:24:57 2017] [notice] Digest: done
[Wed Jun 07 12:25:20 2017] [error] (2)No such file or directory: Init: Can't open server certificate file /var/lib/letsencrypt/ft8SmUcXLt8bCTMttOLAoCte3JR2BYzmhfDFM46kGMA.crt
[Wed Jun 07 12:25:24 2017] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Jun 07 12:25:24 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 07 12:25:24 2017] [notice] Digest: generating secret for digest authentication ...
[Wed Jun 07 12:25:24 2017] [notice] Digest: done
[Wed Jun 07 12:25:48 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.30 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Wed Jun 07 12:26:15 2017] [notice] Graceful restart requested, doing restart
[Wed Jun 07 12:26:15 2017] [notice] Digest: generating secret for digest authentication ...
[Wed Jun 07 12:26:15 2017] [notice] Digest: done
[Wed Jun 07 12:26:37 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.30 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Wed Jun 07 12:26:39 2017] [notice] Graceful restart requested, doing restart
[Wed Jun 07 12:26:40 2017] [notice] Digest: generating secret for digest authentication ...
[Wed Jun 07 12:26:40 2017] [notice] Digest: done
[Wed Jun 07 12:27:03 2017] [error] (2)No such file or directory: Init: Can't open server certificate file /var/lib/letsencrypt/QBBH0mrbN_aDYPt2kvb3r0UXzo12si6xDnWc1CwpOpA.crt
[Wed Jun 07 12:45:12 2017] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Jun 07 12:45:12 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 07 12:45:12 2017] [notice] Digest: generating secret for digest authentication ...
[Wed Jun 07 12:45:12 2017] [notice] Digest: done
[Wed Jun 07 12:45:36 2017] [warn] pid file /etc/httpd/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Jun 07 12:45:36 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.30 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations

It hints at a certificate file that cannot be found?

Manually starting Apache is successful, however re-running certbot-auto renew fails with the same errors. Any advice or help to point me in the right direction will be more than appreciated!
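The output above shows three things at once: `apachectl graceful` deciding httpd is not running and trying a fresh start, that start failing with "Address already in use" on port 80, and error_log complaining about a missing /var/lib/letsencrypt/<token>.crt (the temporary tls-sni-01 challenge certificate certbot writes and then removes on cleanup). The helper below is an added example for checking each of those conditions on the box; it is not code from this thread or from certbot. The pid file path is the one the error_log names, the error_log path is an assumed CentOS 6 default, the live directory is the one from the post, and every function name is hypothetical. Inputs can be overridden via the environment so the same functions run against constructed log and config text.

```shell
#!/bin/sh
# le-apache-check.sh: diagnostic helper for the failure pattern in this thread
# (certbot's Apache plugin reloads httpd, the reload fails, httpd is left
# "dead but pid file exists", and error_log reports a missing
# /var/lib/letsencrypt/<token>.crt). Editor's example, not code from the
# thread or from certbot. Assumed defaults, override via environment:
HTTPD_PIDFILE="${HTTPD_PIDFILE:-/etc/httpd/run/httpd.pid}"        # path named in the error_log above
HTTPD_ERRLOG="${HTTPD_ERRLOG:-/var/log/httpd/error_log}"          # assumed CentOS 6 default
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/support.bgctnv.org}"  # from the post

# 1. Certificate paths httpd could not open, parsed from error_log text on stdin
#    ("Init: Can't open server certificate file <path>"); each path once.
missing_cert_files() {
  sed -n "s/.*Can't open server certificate file \([^ ]*\).*/\1/p" | sort -u
}

# 2. SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile
#    directives in Apache config text (stdin) whose target is absent on disk.
#    $1 is an optional root prefix so a constructed tree can be checked; leave
#    it empty on a real host.
dangling_cert_directives() {
  root="${1:-}"
  awk '$1 ~ /^SSLCertificate(Chain|Key)?File$/ { gsub(/"/, "", $2); print $1, $2 }' |
  while read -r directive path; do
    [ -e "$root$path" ] || echo "$directive $path"
  done
}

# 3. Pid file versus reality. "stale:<pid>" is the "httpd dead but pid file
#    exists" state: apachectl graceful finds no live master, falls through to
#    a fresh start, and that start fails with "Address already in use" when
#    some other httpd instance still owns port 80.
pidfile_state() {
  pidfile="${1:-$HTTPD_PIDFILE}"
  [ -f "$pidfile" ] || { echo "no-pidfile"; return 0; }
  pid=$(tr -d '[:space:]' < "$pidfile")
  if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
    echo "running:$pid"
  else
    echo "stale:$pid"
  fi
}

# 4. Whoever currently listens on the port (ss, else netstat; needs root to
#    show the owning process). Informational only.
port_holder() {
  port="${1:-80}"
  if command -v ss >/dev/null 2>&1; then
    ss -ltnp 2>/dev/null | awk -v p=":${port}\$" '$4 ~ p'
  elif command -v netstat >/dev/null 2>&1; then
    netstat -ltnp 2>/dev/null | awk -v p=":${port}\$" '$4 ~ p'
  fi
}

# 5. "valid" if the first certificate in the PEM file is still valid $2 seconds
#    from now (default 0 = right now), otherwise "expired". An unreadable file
#    also reports "expired" so the check fails closed.
cert_status() {
  if openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1; then
    echo "valid"
  else
    echo "expired"
  fi
}

# 6. Does the certificate belong to the private key httpd will load with it?
#    Compares the RSA modulus of both; a mismatch means the vhost mixes files
#    from different renewals.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Full report against the live host: sh le-apache-check.sh run
main() {
  echo "pid file $HTTPD_PIDFILE: $(pidfile_state)"
  echo "listener on :80:"; port_holder 80
  if [ -r "$HTTPD_ERRLOG" ]; then
    echo "certificate files httpd could not open:"; missing_cert_files < "$HTTPD_ERRLOG"
  fi
  echo "SSLCertificate*File directives pointing at missing files:"
  cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf 2>/dev/null | dangling_cert_directives
  if [ -r "$LIVE_DIR/fullchain.pem" ]; then
    echo "live cert: $(cert_status "$LIVE_DIR/fullchain.pem")"
    if cert_key_match "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem"; then
      echo "live cert and key match"
    else
      echo "live cert and key DO NOT match"
    fi
  fi
}
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as root with `sh le-apache-check.sh run`. A `stale:` pid-file result alongside a `port_holder` line for :80 is the combination behind the "httpd not running, trying to start" / "Address already in use" output above; in that state `apachectl graceful` cannot signal the master it thinks should exist, so first make the pid file and the running httpd agree (stop every httpd, remove the stale pid file, start it once through `service httpd`) before re-running `certbot-auto renew`. Any `SSLCertificate*File` directive still pointing at a `/var/lib/letsencrypt/*.crt` path after a failed run is leftover challenge config and should be removed rather than satisfied by copying a real certificate into place.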

You might be able to get this going again by copying
The renewed cert:
/etc/letsencrypt/live/support.bgctnv.org/fullchain.pem
over the cert it seems to be trying to load:
/var/lib/letsencrypt/ft8SmUcXLt8bCTMttOLAoCte3JR2BYzmhfDFM46kGMA.crt

***move the second file somewhere in case you should need it back (doubt it - but better safe than sorry)

Then you can go through the code/files with 90 days’ leisure to find the mistake…
