Error renewing my certificate: problem binding port 443

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:italiancrypto.it

I ran this command:sudo certbot renew

It produced this output: Attempting to renew cert (italiancrypto.it) from /etc/letsencrypt/renewal/italiancrypto.it.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6… Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/italiancrypto.it/fullchain.pem (failure)

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.21.1

#2

Hi @Finar76

looks like you use the standalone authenticator, then Certbot starts a new webserver. That’s possible, but you have to stop your running webserver.

Your website looks ok ( https://check-your-website.server-daten.de/?q=italiancrypto.it ):

Port 80 is open, redirects http -> https, then the expected http status 404 - not found. Letsencrypt follows redirects, the expired certificate isn’t a problem (uh, 2018-12-17 expired).

And you have an Apache. So use this running webserver.

certbot renew --apache

PS: Your certbot is very old.

#3

What was the rest of Certbot’s output?

What does /etc/letsencrypt/renewal/italiancrypto.it.conf contain?

What version of Ubuntu?

#4

And also the client is trying to use port 443.
Even if you get this to bind to that port, it will most likely fail; as 443 is not enough.
You will need to (at least) put something at port 80 to redirect to 443 in order to give this a fighting chance.
A better option might be to try to use http instead (with or without --standalone).

#5
bitnami@ip-172-31-42-245:~$ sudo certbot renew --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/italiancrypto.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.italiancrypto.it
http-01 challenge for italiancrypto.it
Enabled Apache rewrite module
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2184, in _reload
    util.run_script(self.option("restart_cmd"))
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
    raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 132, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2286, in perform
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2174, in restart
    self._reload()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2202, in _reload
    raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2184, in _reload
    util.run_script(self.option("restart_cmd"))
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
    raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 316, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2311, in cleanup
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2174, in restart
    self._reload()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2202, in _reload
    raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Attempting to renew cert (italiancrypto.it) from /etc/letsencrypt/renewal/italiancrypto.it.conf produced an unexpected error: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/italiancrypto.it/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/italiancrypto.it/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
bitnami@ip-172-31-42-245:~$

how do I update it?

I cannot find this directory… can anyone help me on this?

14.04

I an not that techy… what do you mean?

I am happy to reset everything if this is necessarily :slight_smile:

Thank you all

#6

While trying to use the Apache plugin:

Cerbot will add some content to the config to enable it to determine exactly where the /.well-known/acme-challenge/ requests will go.
Having made those changes it need to reload Apache.
It seems at this point Apache fails to reload:

Step #1 update cerbot
[then retest: sudo certbot renew --apache]

#7

silly question… how do I update certbot? when I google it, I find how to update the certificate, not the application :stuck_out_tongue:

thank you

#8

You can start here: https://certbot.eff.org/all-instructions/

#9

thanks everybody…

I manged to fox my problem with the following code:

sudo /opt/bitnami/ctlscript.sh stop apache
sudo certbot renew
sudo /opt/bitnami/ctlscript.sh start apache

my question is: how can I set the “auto-renewal”?

I am not a linux expert, therefore I am not sure why, in order to stop apache, I had to specify the path… anyone can suggest/help?

Thank you all :slight_smile:

1 Like
#10

It might already be set for you.
Show:
crontab -l
systemctl list-timers --all | grep -Ei 'certbot|letsencrypt'

Sly like a:

LOL

#11

result:

Edit this file to introduce tasks to be run by cron.

Each task to run has to be defined through a single line

indicating with different fields when the task will be run

and what command to run for the task

To define the time you can provide concrete values for

minute (m), hour (h), day of month (dom), month (mon),

and day of week (dow) or use ‘*’ in these fields (for ‘any’).#

Notice that tasks will be started based on the cron’s system

daemon’s notion of time and timezones.

Output of the crontab jobs (including errors) is sent through

email to the user the crontab file belongs to (unless redirected).

For example, you can run a backup of all your user accounts

at 5 a.m every week with:

0 5 * * 1 tar -zcf /var/backups/home.tgz /home/

For more information see the manual pages of crontab(5) and cron(8)

m h dom mon dow command

24 0 * * * certbot renew
16 12 * * * certbot renew
bitnami@ip-172-31-42-245:~$

what does it mean? sorry but not techy at all :stuck_out_tongue:

#12

It is already running “certbot renew” twice a day.
Check the /etc/letsencrypt/letsencrypt.log file to verify log entries around those times:
00:24
12:16
[every day]

#13

unfortunately it does not auto-update and I would need to manually do it…

how can I change this?

this would be a good idea… unfortunately I cannot fin the /etc directory… where should it be? I have a WordPress site

#14

Then using “certbot renew” in cron doesn’t work.
Whoever set that up didn’t follow the recommended directions.

Try changing it to a more specific path/location:
which certbot
find / -name certbot

Try:
find / -name letsencrypt.log

#15

Recent versions of Bitnami have a built-in tool to obtain Let’s Encrypt certificates that might be easier than running certbot or lego yourself.

In case that doesn’t help…

If this works, and you already have a certbot renew command in your crontab, then you can probably make automated renewals work by doing the following:

sudo certbot renew --force-renewal --pre-hook "/opt/bitnami/ctlscript.sh stop apache" --post-hook "/opt/bitnami/ctlscript.sh start apache"

This will force one more immediate renewal (so be careful if you’re already close to the rate limit), running the commands to stop and start apache before and after the renewal attempt, and if it succeeds, it will also store these commands in a renewal configuration file so that they run again automatically the next time you run certbot renew (whether manually or from cron).

1 Like
#16

thank you for your suggestion, this seems to have an issue:

bitnami@ip-172-31-42-245:~$ sudo certbot renew --force-renewal --pre-hook “/opt/bitnami/ctlscript.sh stop apache” --post-hook “/opt/bitnami/ctlscript.shstart apache”
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/italiancrypto.it.conf


Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: /opt/bitnami/ctlscript.sh stop apache
Output from ctlscript.sh:
Unmonitored apache
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped

Error output from ctlscript.sh:
Syntax OK

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for italiancrypto.it
http-01 challenge for www.italiancrypto.it
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/italiancrypto.it/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/italiancrypto.it/fullchain.pem (success)


Running post-hook command: /opt/bitnami/ctlscript.sh start apache
Output from ctlscript.sh:
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache

Error output from ctlscript.sh:
Syntax OK

bitnami@ip-172-31-42-245:~$

what could be an error output?

#17

It looks like Bitnami’s ctlscript.sh is invoking Apache in a way that causes it to check its configuration syntax and write the result to the standard error stream, even if the result is that there is no error (“Syntax OK”).

It’s annoying but I don’t think it should cause any real problem. Just to be doubly sure though, can you post the contents of the renewal configuration file?

/etc/letsencrypt/renewal/italiancrypto.it.conf

#18

Interesting…
It does manage to stop and start apache.
But seems to fail at something else in the script.
Can you try running the script on its’ own?:
/opt/bitnami/ctlscript.sh stop apache
/opt/bitnami/ctlscript.sh start apache

closed #19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.