Failed renewing cert on Apache/Debian


#1

Hi!

About 3 months ago I installed certbot on my Debian 7 server and successfully installed certs for my Apache2 webserver. I checked that automatic renewal should work fine, because a certbot script appeared in /etc/cron.d/.

Today my site was accidentally down. From the logs I noticed that the reason was that something went wrong with the cert renewal:

[Wed Apr 26 12:43:43.680015 2017] [mpm_worker:notice] [pid 32642:tid 3074111296] AH00297: SIGUSR1 received.  Doing graceful restart
[Wed Apr 26 12:43:43.818140 2017] [cgid:error] [pid 28905:tid 2839460672] (2)No such file or directory: [client 144.76.8.231:49522] AH01257: unable to connect to cgi daemon after multiple tries: /var/www/cgi/raamat
[Wed Apr 26 12:43:43.869213 2017] [cgid:error] [pid 28905:tid 3007298368] (2)No such file or directory: [client 46.229.168.74:27474] AH01257: unable to connect to cgi daemon after multiple tries: /var/www/cgi/raamat
[Wed Apr 26 12:43:46.530650 2017] [cgid:error] [pid 28905:tid 2828970816] (2)No such file or directory: [client 46.229.168.74:2892] AH01257: unable to connect to cgi daemon after multiple tries: /var/www/cgi/raamat
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
[Wed Apr 26 12:43:46.737807 2017] [ssl:warn] [pid 32642:tid 3074111296] AH01906: 96299ad5b7a3be517ea2f6ddd5b5a534.26ded195af47fd5e8c63c696db27d09f.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Apr 26 12:43:46.738644 2017] [ssl:warn] [pid 32642:tid 3074111296] AH01906: 447c31eba601309fb87e9f3b3b91105f.0aa459c14f28101525aeb09093c12b16.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Apr 26 12:43:46.751141 2017] [mpm_worker:notice] [pid 32642:tid 3074111296] AH00292: Apache/2.4.10 (Debian) mod_fcgid/2.3.9 OpenSSL/1.0.1t mod_perl/2.0.9dev Perl/v5.20.2 configured -- resuming normal operations
[Wed Apr 26 12:43:46.751161 2017] [core:notice] [pid 32642:tid 3074111296] AH00094: Command line: '/usr/sbin/apache2'
[Wed Apr 26 12:43:50.813134 2017] [mpm_worker:notice] [pid 32642:tid 3074111296] AH00297: SIGUSR1 received.  Doing graceful restart
[Wed Apr 26 12:43:53.017232 2017] [cgid:error] [pid 14557:tid 2954849088] (2)No such file or directory: [client 144.76.8.231:54916] AH01257: unable to connect to cgi daemon after multiple tries: /var/www/cgi/raamat
[Wed Apr 26 12:43:53.111615 2017] [core:notice] [pid 32642] AH00060: seg fault or similar nasty error detected in the parent process
[Wed Apr 26 12:43:55.036832 2017] [ssl:warn] [pid 14646:tid 3073574720] AH01906: 96299ad5b7a3be517ea2f6ddd5b5a534.26ded195af47fd5e8c63c696db27d09f.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Apr 26 12:43:55.066936 2017] [ssl:warn] [pid 14647:tid 3073574720] AH01906: 96299ad5b7a3be517ea2f6ddd5b5a534.26ded195af47fd5e8c63c696db27d09f.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Apr 26 12:43:55.070464 2017] [core:warn] [pid 14647:tid 3073574720] AH00098: pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Apr 26 12:43:55.071396 2017] [mpm_worker:notice] [pid 14647:tid 3073574720] AH00292: Apache/2.4.10 (Debian) mod_fcgid/2.3.9 OpenSSL/1.0.1t mod_perl/2.0.9dev Perl/v5.20.2 configured -- resuming normal operations
[Wed Apr 26 12:43:55.071418 2017] [core:notice] [pid 14647:tid 3073574720] AH00094: Command line: '/usr/sbin/apache2'2 at /var/www/adm/raamatuinfo line 78.
[Wed Apr 26 12:44:01.680010 2017] [mpm_worker:notice] [pid 14647:tid 3073574720] AH00297: SIGUSR1 received.  Doing graceful restart
[Wed Apr 26 12:44:02.068367 2017] [cgid:error] [pid 14650:tid 2911841088] (2)No such file or directory: [client 144.76.8.231:58572] AH01257: unable to connect to cgi daemon after multiple tries: /var/www/cgi/raamat
[Wed Apr 26 12:44:04.387721 2017] [core:notice] [pid 14647] AH00060: seg fault or similar nasty error detected in the parent process

Trying to start Apache again failed.

After trying to understand what’s wrong, I just ran from the command line:

$ certbot -q renew

And after that I was able to start Apache again.

The most suspicious line from the log above was:

AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist

Why was this temp site not created?

In the cron script is this command:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

What may have gone wrong? Should I be extra alert at the next renewal?

tia and wbr,

Gunnar
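
A log check for the next renewal, as an added example that is not part of the original post: it scans an Apache 2.4 error log for the pattern visible above (a graceful restart followed within seconds by AH00060 from the same parent pid, plus the tls_sni_01_page and acme.invalid warnings). The function name, the 10-second window and the shortened sample log are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, shortened from the error-log lines quoted in the post
# (tid values and the acme.invalid host name are placeholders).
SAMPLE_LOG = """\
[Wed Apr 26 12:43:43.680015 2017] [mpm_worker:notice] [pid 32642:tid 1] AH00297: SIGUSR1 received.  Doing graceful restart
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
[Wed Apr 26 12:43:46.737807 2017] [ssl:warn] [pid 32642:tid 1] AH01906: aaaa.bbbb.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Apr 26 12:43:50.813134 2017] [mpm_worker:notice] [pid 32642:tid 1] AH00297: SIGUSR1 received.  Doing graceful restart
[Wed Apr 26 12:43:53.111615 2017] [core:notice] [pid 32642] AH00060: seg fault or similar nasty error detected in the parent process
[Wed Apr 26 12:44:01.680010 2017] [mpm_worker:notice] [pid 14647:tid 2] AH00297: SIGUSR1 received.  Doing graceful restart
[Wed Apr 26 12:44:04.387721 2017] [core:notice] [pid 14647] AH00060: seg fault or similar nasty error detected in the parent process
"""

LINE = re.compile(r"^\[\w{3} (\w{3} +\d+ [\d:]+)\.\d+ (\d{4})\] \[[^\]]+\] "
                  r"\[pid (\d+)(?::tid \d+)?\] (AH\d{5}):")

def triage(log_text, window_s=10):
    """Summarise restart/crash evidence in an Apache 2.4 error log."""
    report = {"graceful_restarts": 0, "crashed_restarts": [],
              "challenge_vhost_warnings": 0, "missing_challenge_docroot": 0}
    last_restart = {}  # parent pid -> time of its latest graceful restart
    for line in log_text.splitlines():
        # The AH00112 warning is written without a timestamp prefix.
        if "AH00112" in line and "tls_sni_01_page" in line:
            report["missing_challenge_docroot"] += 1
            continue
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m[1]} {m[2]}", "%b %d %H:%M:%S %Y")
        pid, code = int(m[3]), m[4]
        if code == "AH00297":
            report["graceful_restarts"] += 1
            last_restart[pid] = ts
        elif code == "AH01906" and ".acme.invalid:" in line:
            report["challenge_vhost_warnings"] += 1
        elif code == "AH00060" and pid in last_restart:
            # Parent died shortly after being told to restart gracefully.
            if ts - last_restart[pid] <= timedelta(seconds=window_s):
                report["crashed_restarts"].append((pid, last_restart[pid], ts))
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A non-empty `crashed_restarts` list after a renewal window means the parent process went down during the reload and the site should be checked by hand.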

