Failed to start Apache2 after renewal

Hello,

on one of my Debian 10 systems I have to start Apache manually after a renewal of a certificate. It seems that the apache plugin is still running when certbot tries to restart Apache with the post-hook command.

certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Running pre-hook command: systemctl stop apache2
Renewing an existing certificate
[…]
Running post-hook command: systemctl start apache2

Despite the post-hook command there is no apache process.
In the syslog I can read “httpd (pid 11348) already running”

Mar 16 11:51:13 openstats systemd[1]: Stopping The Apache HTTP Server…
Mar 16 11:51:13 openstats systemd[1]: apache2.service: Succeeded.
Mar 16 11:51:13 openstats systemd[1]: Stopped The Apache HTTP Server.
Mar 16 11:51:16 openstats systemd[1]: Starting The Apache HTTP Server…
Mar 16 11:51:16 openstats apachectl[11351]: httpd (pid 11348) already running
Mar 16 11:51:16 openstats systemd[1]: apache2.service: Succeeded.
Mar 16 11:51:16 openstats systemd[1]: Started The Apache HTTP Server.

The renewal params with pre and post hook are:

[renewalparams]
account = …
pre_hook = systemctl stop apache2
post_hook = systemctl start apache2
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

I tried “sleep 2 && systemctl start apache2” to delay the post-hook command but this doesn't help. Any idea how to get Apache started again automatically?

Check if apache is indeed serving your websites.

The apache authenticator will not work if apache is stopped.

It’s the authenticator itself that starts apache, probably.

Why are you stopping apache to renew your certificates?

When I created the certificate on this system for the first time I used the command:
certbot --apache --pre-hook “systemctl stop apache2” --post-hook “systemctl start apache2” -d openstats…

Certbot added the pre/post-hook command to the renewalparams. Was this my mistake? I’m probably getting a little confused here because I’ve also used standalone in the past. I always thought Apache needs to get restarted to load the new certificates.

Today there was a real renewal. certbot stopped Apache due to the pre-hook command and it was able to renew the certificates. But it could not start Apache again. The website was not served.

So I don't need the pre and post hook command here, do I?

It’s all unneeded.

If you use --apache certbot will take care of reloading apache appropriately and automatically.

If you use --standalone you should add --post-hook "systemctl reload apache2" to renewals (assuming you installed your certs manually using the symlinks in /etc/letsencrypt/live).

Ok, thank you for helping. I've adjusted the configuration accordingly.

Wait. In your case it’s better to use --deploy-hook (if you use --standalone): https://certbot.eff.org/docs/using.html#renewing-certificates

  --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each
                        successfully issued certificate. For this command, the
                        shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory (for example,
                        "/etc/letsencrypt/live/example.com") containing the
                        new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list
                        of renewed certificate domains (for example,
                        "example.com www.example.com" (default: None)
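A deploy hook of the kind recommended above, added here as an example (it is not from the thread or from certbot): it reloads Apache only when the lineage that was just renewed is the one this host serves, and only after the renewed files exist and the config passes a syntax check, so a bad renewal never takes down the running instance. WATCHED_DOMAIN, RELOAD_CMD and CONFIGTEST_CMD are names assumed for this example, and openstats.example stands in for the domain the thread elides.

```shell
#!/bin/sh
# certbot deploy hook (example, not certbot's own code). certbot runs it once per
# successfully renewed lineage with RENEWED_LINEAGE and RENEWED_DOMAINS set, as
# described in the --deploy-hook help text above. It reloads Apache (never
# stop/start, which is what broke the original setup) and only after checks.
# The three variables below are assumptions for this example; the defaults
# match a stock Debian apache2 install.
WATCHED_DOMAIN="${WATCHED_DOMAIN:-openstats.example}"   # placeholder domain
RELOAD_CMD="${RELOAD_CMD:-systemctl reload apache2}"
CONFIGTEST_CMD="${CONFIGTEST_CMD:-apachectl configtest}"

# Return 0 if $1 (a space-delimited domain list) contains $2.
domain_in_list() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# deploy_hook LINEAGE_DIR "DOMAINS"
# Return codes: 0 reloaded, 1 not our domain, 2 cert/key missing, 3 configtest failed.
deploy_hook() {
    lineage="$1"
    domains="$2"
    if ! domain_in_list "$domains" "$WATCHED_DOMAIN"; then
        echo "deploy-hook: $WATCHED_DOMAIN not in renewed set ($domains), nothing to do"
        return 1
    fi
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "deploy-hook: $lineage/$f missing or empty, not reloading" >&2
            return 2
        fi
    done
    # Never reload into a broken config: keep the running instance instead.
    if ! $CONFIGTEST_CMD >/dev/null 2>&1; then
        echo "deploy-hook: Apache config test failed, keeping running instance" >&2
        return 3
    fi
    $RELOAD_CMD
    echo "deploy-hook: reloaded Apache for $WATCHED_DOMAIN from $lineage"
}

# When invoked by certbot the variables are set; "not our domain" is not an
# error from certbot's point of view, the other codes are reported as failures.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
    rc=$?
    [ "$rc" -eq 1 ] && exit 0
    exit "$rc"
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh (executable) or pass it with --deploy-hook; with the --apache installer it is not needed at all, as the thread says.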