Error after certbot

my domain : ecouteancienne.fr
My web server is (include version): Gninx
The operating system my web server runs on is (include version): Debian 12 Bookworm
My hosting provider, if applicable, is: myself
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): the last version

Hello at all,
This morning I installed Certbot for my certificate. After restarting my nginx server I got this error message:

Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.

the results after first command :

mand@debian:~$ systemctl status nginx.service
Γ— nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Tue 2024-05-28 13:23:44 CEST; 11s ago
Duration: 46min 19.493s
Docs: man:nginx(8)
Process: 54508 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited>
Process: 54509 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=>
CPU: 37ms

and the results after second command:

mand@debian:~$ journalctl -xeu nginx.service
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal' can see all messages.
Pass -q to turn off this notice.

I looked at NGINX (8) but what should I do?
I have the impression that there is a port conflict with Azuracast. Azuracast uses ports 80, 8080 and 443 for information.
I'm hesitant to do something radical: delete everything (nginx) and reinstall, because I'm afraid that at the SSL certificate level it will cause me problems afterwards.

ote

How exactly?

Unfortunately the error message(s) don't really show any error. You might need to run those 2 commands as root or with sudo in front of it.

How are "Gninx" (what's that anyway?), "nginx" and "Azuracast" related exactly? Can you explain more about the setup you're running?

1 Like

Hi Osiris,

I installed Certbot from the command line:

sudo apt-get install certbot python3-certbot-nginx -y

Indeed, you are right for the results with "sudo":

sudo systemctl status nginx.service
Γ— nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Tue 2024-05-28 13:23:44 CEST; 50min ago
Duration: 46min 19.493s
Docs: man:nginx(8)
Process: 54508 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 54509 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
CPU: 37ms
mai 28 13:23:43 debian nginx[54509]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
mai 28 13:23:43 debian nginx[54509]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
mai 28 13:23:43 debian nginx[54509]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
mai 28 13:23:43 debian nginx[54509]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
mai 28 13:23:44 debian nginx[54509]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
mai 28 13:23:44 debian nginx[54509]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
mai 28 13:23:44 debian nginx[54509]: nginx: [emerg] still could not bind()
mai 28 13:23:44 debian systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
mai 28 13:23:44 debian systemd[1]: nginx.service: Failed with result 'exit-code'.
mai 28 13:23:44 debian systemd[1]: Failed to start nginx.service - A high performance web server and a reverse proxy server.
mand@debian:~$

and:

sudo journalctl -xeu nginx.service
mai 28 13:23:43 debian nginx[54509]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address alrea>
mai 28 13:23:44 debian nginx[54509]: nginx: [emerg] bind() to [::]:443 failed (98: Address already >
mai 28 13:23:44 debian nginx[54509]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address alrea>
mai 28 13:23:44 debian nginx[54509]: nginx: [emerg] still could not bind()
mai 28 13:23:44 debian systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAI>
β–‘β–‘ Subject: Unit process exited
β–‘β–‘ Defined-By: systemd
β–‘β–‘ Support: https://www.debian.org/support
β–‘β–‘
β–‘β–‘ An ExecStart= process belonging to unit nginx.service has exited.
β–‘β–‘
β–‘β–‘ The process' exit code is 'exited' and its exit status is 1.
mai 28 13:23:44 debian systemd[1]: nginx.service: Failed with result 'exit-code'.
β–‘β–‘ Subject: Unit failed
β–‘β–‘ Defined-By: systemd
β–‘β–‘ Support: https://www.debian.org/support
β–‘β–‘
β–‘β–‘ The unit nginx.service has entered the 'failed' state with result 'exit-code'.
mai 28 13:23:44 debian systemd[1]: Failed to start nginx.service - A high performance web server an>
β–‘β–‘ Subject: L'unitΓ© (unit) nginx.service a Γ©chouΓ©
β–‘β–‘ Defined-By: systemd
β–‘β–‘ Support: https://www.debian.org/support
β–‘β–‘
β–‘β–‘ L'unitΓ© (unit) nginx.service a Γ©chouΓ©, avec le rΓ©sultat failed

There is no real connection between Azuracast (which is audio streaming software) and Nginx. Nginx is an http server. I use it because I host my site with this server. Azuracast also has an nginx server but I don't use it. One is independent of the other.

What Certbot command did you run?

We can look at what is using port 443 by showing us below

sudo netstat -pant | grep -i listen | grep -Ei ':80|:443'

(use sudo ss if netstat is not available)

2 Likes

Ok MikeMcQ,
this is the result :slight_smile:

mand@debian:~$ sudo netstat -pant | grep -i listen | grep -Ei ':80|:443'
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 25531/docker-proxy
tcp 0 0 0.0.0.0:8096 0.0.0.0:* LISTEN 24921/docker-proxy
tcp 0 0 0.0.0.0:8095 0.0.0.0:* LISTEN 24941/docker-proxy
tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN 24961/docker-proxy
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 24982/docker-proxy
tcp 0 0 0.0.0.0:8076 0.0.0.0:* LISTEN 25001/docker-proxy
tcp 0 0 0.0.0.0:8075 0.0.0.0:* LISTEN 25021/docker-proxy
tcp 0 0 0.0.0.0:8070 0.0.0.0:* LISTEN 25042/docker-proxy
tcp 0 0 0.0.0.0:8065 0.0.0.0:* LISTEN 25087/docker-proxy
tcp 0 0 0.0.0.0:8066 0.0.0.0:* LISTEN 25064/docker-proxy
tcp 0 0 0.0.0.0:8060 0.0.0.0:* LISTEN 25106/docker-proxy
tcp 0 0 0.0.0.0:8056 0.0.0.0:* LISTEN 25127/docker-proxy
tcp 0 0 0.0.0.0:8055 0.0.0.0:* LISTEN 25149/docker-proxy
tcp 0 0 0.0.0.0:8050 0.0.0.0:* LISTEN 25170/docker-proxy
tcp 0 0 0.0.0.0:8045 0.0.0.0:* LISTEN 25213/docker-proxy
tcp 0 0 0.0.0.0:8046 0.0.0.0:* LISTEN 25193/docker-proxy
tcp 0 0 0.0.0.0:8040 0.0.0.0:* LISTEN 25235/docker-proxy
tcp 0 0 0.0.0.0:8036 0.0.0.0:* LISTEN 25256/docker-proxy
tcp 0 0 0.0.0.0:8035 0.0.0.0:* LISTEN 25278/docker-proxy
tcp 0 0 0.0.0.0:8030 0.0.0.0:* LISTEN 25301/docker-proxy
tcp 0 0 0.0.0.0:8025 0.0.0.0:* LISTEN 25344/docker-proxy
tcp 0 0 0.0.0.0:8026 0.0.0.0:* LISTEN 25322/docker-proxy
tcp 0 0 0.0.0.0:8020 0.0.0.0:* LISTEN 25364/docker-proxy
tcp 0 0 0.0.0.0:8016 0.0.0.0:* LISTEN 25383/docker-proxy
tcp 0 0 0.0.0.0:8015 0.0.0.0:* LISTEN 25403/docker-proxy
tcp 0 0 0.0.0.0:8010 0.0.0.0:* LISTEN 25425/docker-proxy
tcp 0 0 0.0.0.0:8005 0.0.0.0:* LISTEN 25468/docker-proxy
tcp 0 0 0.0.0.0:8006 0.0.0.0:* LISTEN 25445/docker-proxy
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 25490/docker-proxy
tcp6 0 0 :::443 :::* LISTEN 25537/docker-proxy
tcp6 0 0 :::8096 :::* LISTEN 24928/docker-proxy
tcp6 0 0 :::8095 :::* LISTEN 24947/docker-proxy
tcp6 0 0 :::8090 :::* LISTEN 24968/docker-proxy
tcp6 0 0 :::8080 :::* LISTEN 24988/docker-proxy
tcp6 0 0 :::8076 :::* LISTEN 25007/docker-proxy
tcp6 0 0 :::8075 :::* LISTEN 25028/docker-proxy
tcp6 0 0 :::8070 :::* LISTEN 25050/docker-proxy
tcp6 0 0 :::8065 :::* LISTEN 25094/docker-proxy
tcp6 0 0 :::8066 :::* LISTEN 25073/docker-proxy
tcp6 0 0 :::8060 :::* LISTEN 25114/docker-proxy
tcp6 0 0 :::8056 :::* LISTEN 25133/docker-proxy
tcp6 0 0 :::8055 :::* LISTEN 25157/docker-proxy
tcp6 0 0 :::8050 :::* LISTEN 25178/docker-proxy
tcp6 0 0 :::8045 :::* LISTEN 25221/docker-proxy
tcp6 0 0 :::8046 :::* LISTEN 25201/docker-proxy
tcp6 0 0 :::8040 :::* LISTEN 25241/docker-proxy
tcp6 0 0 :::8036 :::* LISTEN 25264/docker-proxy
tcp6 0 0 :::8035 :::* LISTEN 25284/docker-proxy
tcp6 0 0 :::8030 :::* LISTEN 25307/docker-proxy
tcp6 0 0 :::8025 :::* LISTEN 25350/docker-proxy
tcp6 0 0 :::8026 :::* LISTEN 25328/docker-proxy
tcp6 0 0 :::8020 :::* LISTEN 25371/docker-proxy
tcp6 0 0 :::8016 :::* LISTEN 25390/docker-proxy
tcp6 0 0 :::8015 :::* LISTEN 25411/docker-proxy
tcp6 0 0 :::8010 :::* LISTEN 25432/docker-proxy
tcp6 0 0 :::8005 :::* LISTEN 25476/docker-proxy
tcp6 0 0 :::8006 :::* LISTEN 25451/docker-proxy
tcp6 0 0 :::8000 :::* LISTEN 25496/docker-proxy

Docker is used with Azuracast.

And what is the HTTP and HTTPS traffic flow that you want?

Because you have nginx trying to use port 443 but that is already in use by docker / Azuracast

Again, what Certbot command did you run?

3 Likes

I used this command to install certbot:

sudo apt-get install certbot python3-certbot-nginx -y

Then:

sudo certbot --nginx -www.ecouteancienne.fr

I don't know which feed to use. In fact, I think I don't really understand your question (it seems to me).

I explain: Nginx is the server for my website, Azuracast is the broadcaster of the stream. Both need SSL. I would not have needed to install an nginx server to host my site if I had not initially had a problem with the SSL connection, because if I did it it was after having thought that by grouping all (domain name, website and stream) the browser security alert would stop.

I don't know if my answers will answer your question. If this is not the case, I am at your disposal to clarify your misunderstanding.

Then I think you should probably uninstall nginx. I just read the Azuracast docs and it should handle getting a cert for you. It needs access to ports 80 and 443 directly. It doesn't describe using Certbot. It says the support is built-in.

You should just follow their instructions. And you may get better answers on their support forum. Streaming services sometimes need special configuration and they will know best how to guide you.

4 Likes

Well..What should I do with my SSL certificate created with Certbot? revoke it? It exists in my system.

1 Like

If you won't need it you should delete it. No hurry in case you later learn you do need it for something.

Run this to find the "certificate name"

sudo certbot certificates

Then run this to delete it

sudo certbot delete --cert-name (NAME)

I think you can just do this and it will prompt you

sudo certbot delete

You should delete unused certs in this manner otherwise Certbot will try to renew it every 60 days

3 Likes

I don't know what decision to make. I think I will remove azuracast from the server and install it elsewhere. Maybe that will allow me to keep this SSL certificate on my current server where my domain name is also installed.

You might be able to use nginx as a proxy to Azuracast. But, this is advanced and you'd need to ask Azuracast how that could work. Streaming services often need special proxy statements. You wouldn't need a cert in Azuracast then if nginx and it were on same local network. You also want a strategy that is easy for you to maintain. So, using standard Azuracast setup might be best anyway.

Sounds like you have some design decisions to make. Let us know if you need help with something specific.

3 Likes

What would be the purpose of the SSL certificate without Azuracast? Is the main purpose of that server running nginx?

You probably can make Docker listen on a different port than 443 for Azuracast, so it can be used by nginx. But Docker configuration is not the scope of this Community.

Using nginx as proxy it seems possible or maybe I'm wrong. Look :
https://www.azuracast.com/docs/administration/multi-site-installation/#nginx-proxy-manager

No, I believe that azuracast can only be on port 443 for ssl.

I understand about Docker and this Community. Thank you.

nginx can be used as a reverse proxy, in general. Proxy for streaming services is a little different than typical HTTP(S) traffic though. Or, at least it might be. And, nginx could probably even work for that. But it is an advanced topic (and a bit outside our scope here).

Many of us on this forum do not like the Nginx Proxy Manager (NPM) system. That is a management system on top of nginx itself. It can be very difficult to debug. I do not recommend it.

Using nginx is pretty easy and it is commonly used.

2 Likes

But can't Docker do some mapping? From something else externally to 443 internally? I'm personally not very familiar with Docker, but I thought it could do something like that.

Finally I decided to remove nginx. Now, I want to delete my certificate (I think I need to do this since my domain name is currently associated with my public IP and then I'm going to re-point my domain name to my host).
I wanted to proceed with the command indicated above by MikeMcQ but I got the following feedback:

No certificate found with name ecouteancienne.fr (expected /etc/letsencrypt/renewal/ecouteancienne.fr.conf)

Very curious response because previously I had positive feedback after doing

sudo certbot certificates

1 Like

I'm not sure what you mean by this, but just to be sure: certificates are not connected to any IP address, only to the hostnames. So if the hostname stays the same, you could re-use an existing certificate.

You can run the command again to see what Certbot currently finds.

1 Like

I didn't believe this at all about the IP. Thank you for your clarification.

Well, I have to redo everything on my current PC, so is there anything special I need to do with fullchain.pem and privkey.pem currently on my system
?

1 Like