Error running command ['apache2ctl'

gmgj · July 16, 2019, 2:47pm

My server: Ubuntu 18.04 LTS Apache/2.4.29 (Ubuntu)
Rackspace: shell access

Test Command I ran - an cerbot --apache generated certificate
certbot --dry-run --force-renewal renew --cert-name drjosephpengecir.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/drjosephpengecir.com.conf

Error running command [‘apache2ctl’, ‘-t’, ‘-D’, ‘DUMP_INCLUDES’] for runtime parameters!

I believe the apache plugin is having a problem with my 490 domains.
apache2ctl -t -D DUMP_INCLUDES | wc -c
shows this
AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 2001:4801:7820:75:be76:4eff:fe10:489f. Set the ‘ServerName’ directive globally to suppress this message
91738

is the word count, it is large

The cert I am testing with is /etc/letsencrypt/renewal/

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/drjosephpengecir.com
cert = /etc/letsencrypt/live/drjosephpengecir.com/cert.pem
privkey = /etc/letsencrypt/live/drjosephpengecir.com/privkey.pem
chain = /etc/letsencrypt/live/drjosephpengecir.com/chain.pem
fullchain = /etc/letsencrypt/live/drjosephpengecir.com/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 51759ba3dccb8494b190da63f954a1f3
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

Note - I had issues with the apache plugin after requesting 250 certificates
So I switched to the webroot plugin

I tested a cert generated with the webroot plugin
certbot --dry-run --force-renewal renew --cert-name drlawrencedavisonline.com

DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/drlawrencedavisonline.com
cert = /etc/letsencrypt/live/drlawrencedavisonline.com/cert.pem
privkey = /etc/letsencrypt/live/drlawrencedavisonline.com/privkey.pem
chain = /etc/letsencrypt/live/drlawrencedavisonline.com/chain.pem
fullchain = /etc/letsencrypt/live/drlawrencedavisonline.com/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 51759ba3dccb8494b190da63f954a1f3
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
drlawrencedavisonline.com = /var/www/html
www.drlawrencedavisonline.com = /var/www/html

Does anybody see a problem if I change the renewal files under /etc/letsencrypt/renewal/ and switch the failing apache ones to the same format as the succeeding webroot ones? The documentation basically says, do not change anything. Certbot expects things to be like it created them. Or in other words, are there dependencies in the renewal process that rely on data saved by the certbot plugin used for the request?

Phil · July 16, 2019, 3:00pm

Hi @gmgj,

Sounds like you've got a large webhost to control. You could always take a backup of the /etc/letsencrypt folder before trying to edit the renewal files. According to User Guide — Certbot 2.7.0.dev0 documentation

For advanced certificate management tasks, it is possible to manually modify the certificate’s renewal configuration file, but this is discouraged since it can easily break Certbot’s ability to renew your certificates. If you choose to modify the renewal configuration file we advise you to test its validity with the certbot renew --dry-run command.

gmgj · July 16, 2019, 5:02pm

Thank you. I am a little ashamed I did not find that myself. Another question, Can I write a pre or post hook in php and invocate in a BasH srcipt
#!/bin/bash

/etc/cron.daily/example

echo "$0 # $PWD # `date` # whoami :`whoami` "

php /var/www/html/wip/certs/GenURLList1.php

gmgj · July 16, 2019, 5:16pm

In my case, I changed the apache generated conf file in /etc/letsencrypt/renewal/
to be in the same format as the webroot one, and it worked.

The line changed were
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
domain name .com = /var/www/html
www.*domain name.*com = /var/www/html

It was generated with certbot -n –apache –agree-tos –redirect -d ‘ . $ourhost . ‘ -d ‘ . $ourhostwww;

were outhost and ourhostwww correspond to the domain name and www. domain name

Phil · July 16, 2019, 6:11pm

You can write the hooks in any language you prefer!

schoen · July 16, 2019, 11:44pm

Indeed, if you start them with something like

#!/usr/bin/php

or whatever the appropriate version is for your system and interpreter, the operating system will automatically run that interpreter (instead of bash) to interpret the script. For example, Python scripts often start with

#!/usr/bin/python

or

#!/usr/bin/env python

and they could be run directly as hooks without having a shell script in between.

system · August 15, 2019, 11:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error running command Help	9	2204	March 23, 2018
Fail to Run Certbot on Apache Help	6	674	October 21, 2021
Certbot failing to restart Apache after renew Server	15	15923	September 14, 2018
Run install certbot in Google Cloud Apache Debian 8 . Errors Server	4	2164	January 4, 2017
Certbot renew fails during apache2ctl configtest Help	7	1744	April 30, 2020

Error running command ['apache2ctl'

renew_before_expiry = 30 days

Options used in the renewal process

renew_before_expiry = 30 days

Options used in the renewal process

/etc/cron.daily/example

echo "$0 # $PWD # date # whoami :whoami "

Related topics

echo "$0 # $PWD # `date` # whoami :`whoami` "