Please fill out the fields below so we can help you better.
My domain is: support.bgctnv.org
My web server is (include version): Apache/2.2.15 (Unix)
The operating system my web server runs on is (include version): CentOS release 6.8 (Final)
Hello, I have a strange issue that I’ve found that hints around multiple posts already in the community, but no solutions seem to resolve my issue. I’m thinking it may be something more along the lines of an Apache problem than LE itself. Long story short, my certificate expired. Users are now getting the untrusted certificate warning when browsing to my site (obviously because it’s expired). I first tried a dry run to test the certificate renewal process:
# certbot-auto renew --dry-run
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/support.bgctnv.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for support.bgctnv.org
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/support.bgctnv.org/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/support.bgctnv.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
Seeing a successful dry run, I then ran a proper renewal:
# /root/certbot-auto renew
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/support.bgctnv.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for support.bgctnv.org
Error while running apachectl graceful.
httpd not running, trying to start
(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
no listening sockets available, shutting down
Unable to open logs
Cleaning up challenges
Error while running apachectl graceful.
httpd not running, trying to start
(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
no listening sockets available, shutting down
Unable to open logs
Encountered exception during recovery
Error while running apachectl graceful.
httpd not running, trying to start
(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
no listening sockets available, shutting down
Unable to open logs
Traceback (most recent call last):
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/error_handler.py", line 99, in _call_registered
self.funcs[-1]()
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/auth_handler.py", line 284, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1908, in cleanup
self.restart()
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1797, in restart
self._reload()
File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1808, in _reload
raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apachectl graceful.
httpd not running, trying to start
(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
no listening sockets available, shutting down
Unable to open logs
Attempting to renew cert from /etc/letsencrypt/renewal/support.bgctnv.org.conf produced an unexpected error: Error while running apachectl graceful.
httpd not running, trying to start
(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
no listening sockets available, shutting down
Unable to open logs
. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/support.bgctnv.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
After the renewals fail, Apache is in a dead state:
# service httpd status
httpd dead but pid file exists
Here’s a snippet of the latest httpd error_log file. I can attach the full log, if need be:
[Wed Jun 07 12:24:57 2017] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Jun 07 12:24:57 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 07 12:24:57 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jun 07 12:24:57 2017] [warn] RSA server certificate CommonName (CN) `dummy' does NOT match server name!?
[Wed Jun 07 12:24:57 2017] [notice] Digest: generating secret for digest authentication ...
[Wed Jun 07 12:24:57 2017] [notice] Digest: done
[Wed Jun 07 12:25:20 2017] [error] (2)No such file or directory: Init: Can't open server certificate file /var/lib/letsencrypt/ft8SmUcXLt8bCTMttOLAoCte3JR2BYzmhfDFM46kGMA.crt
[Wed Jun 07 12:25:24 2017] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Jun 07 12:25:24 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 07 12:25:24 2017] [notice] Digest: generating secret for digest authentication ...
[Wed Jun 07 12:25:24 2017] [notice] Digest: done
[Wed Jun 07 12:25:48 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.30 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Wed Jun 07 12:26:15 2017] [notice] Graceful restart requested, doing restart
[Wed Jun 07 12:26:15 2017] [notice] Digest: generating secret for digest authentication ...
[Wed Jun 07 12:26:15 2017] [notice] Digest: done
[Wed Jun 07 12:26:37 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.30 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Wed Jun 07 12:26:39 2017] [notice] Graceful restart requested, doing restart
[Wed Jun 07 12:26:40 2017] [notice] Digest: generating secret for digest authentication ...
[Wed Jun 07 12:26:40 2017] [notice] Digest: done
[Wed Jun 07 12:27:03 2017] [error] (2)No such file or directory: Init: Can't open server certificate file /var/lib/letsencrypt/QBBH0mrbN_aDYPt2kvb3r0UXzo12si6xDnWc1CwpOpA.crt
[Wed Jun 07 12:45:12 2017] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Jun 07 12:45:12 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 07 12:45:12 2017] [notice] Digest: generating secret for digest authentication ...
[Wed Jun 07 12:45:12 2017] [notice] Digest: done
[Wed Jun 07 12:45:36 2017] [warn] pid file /etc/httpd/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Jun 07 12:45:36 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.30 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
It hints around a certificate file that cannot be found??
Manually starting Apache is successful, however re-running certbot-auto renew fails with the same errors. Any advice or help to point me in the right direction will be more than appreciated!
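
An added example, not part of the original post: a small Python triage of the output quoted above that pulls out the port 80 bind conflict and measures how long after each start or restart marker the missing-certificate error appears. The sample lines are copied from the post; the function name `triage` and the result keys are this example's own.

```python
import re
from datetime import datetime

# Sample input: lines copied from the certbot output and httpd error_log in the post.
SAMPLE = """\
(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
[Wed Jun 07 12:24:57 2017] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Jun 07 12:25:20 2017] [error] (2)No such file or directory: Init: Can't open server certificate file /var/lib/letsencrypt/ft8SmUcXLt8bCTMttOLAoCte3JR2BYzmhfDFM46kGMA.crt
[Wed Jun 07 12:26:39 2017] [notice] Graceful restart requested, doing restart
[Wed Jun 07 12:27:03 2017] [error] (2)No such file or directory: Init: Can't open server certificate file /var/lib/letsencrypt/QBBH0mrbN_aDYPt2kvb3r0UXzo12si6xDnWc1CwpOpA.crt
(98)Address already in use: make_sock: could not bind to address 192.168.1.30:80
[Wed Jun 07 12:45:36 2017] [warn] pid file /etc/httpd/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
"""

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
BIND_RE = re.compile(r"^\(98\)Address already in use: .*could not bind to address (?P<addr>\S+):(?P<port>\d+)$")
CERT_RE = re.compile(r"Can't open server certificate file (?P<path>\S+)$")
# Messages that mark the beginning of an httpd start or graceful restart.
START_MARKERS = ("SELinux policy enabled", "Graceful restart requested")

def triage(text):
    """Summarise bind conflicts, missing certificate files and unclean shutdowns."""
    out = {"bind_conflicts": set(), "missing_cert_files": [], "unclean_shutdowns": 0}
    last_start = None
    for line in text.splitlines():
        line = line.strip()
        bind = BIND_RE.match(line)
        if bind:  # apachectl output relayed by certbot, no timestamp
            out["bind_conflicts"].add((bind["addr"], int(bind["port"])))
            continue
        entry = LOG_RE.match(line)
        if not entry:
            continue
        ts = datetime.strptime(entry["ts"], "%a %b %d %H:%M:%S %Y")
        msg = entry["msg"]
        if msg.startswith(START_MARKERS):
            last_start = ts
        elif "Unclean shutdown" in msg:
            out["unclean_shutdowns"] += 1
        cert = CERT_RE.search(msg)
        if cert and entry["level"] == "error":
            # Seconds between the last start/restart marker and this error.
            delay = (ts - last_start).total_seconds() if last_start else None
            out["missing_cert_files"].append((cert["path"], delay))
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a live host the same function can be fed the full `error_log` together with the saved certbot output instead of `SAMPLE`.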