On one of my Debian 10 systems I have to start Apache manually after the renewal of a certificate. It seems that the apache plugin is still running when certbot tries to restart Apache with the post-hook command.
certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Running pre-hook command: systemctl stop apache2
Renewing an existing certificate
[…]
Running post-hook command: systemctl start apache2
Despite the post-hook command there is no apache process.
In the syslog I can read “httpd (pid 11348) already running”
Mar 16 11:51:13 openstats systemd[1]: Stopping The Apache HTTP Server…
Mar 16 11:51:13 openstats systemd[1]: apache2.service: Succeeded.
Mar 16 11:51:13 openstats systemd[1]: Stopped The Apache HTTP Server.
Mar 16 11:51:16 openstats systemd[1]: Starting The Apache HTTP Server…
Mar 16 11:51:16 openstats apachectl[11351]: httpd (pid 11348) already running
Mar 16 11:51:16 openstats systemd[1]: apache2.service: Succeeded.
Mar 16 11:51:16 openstats systemd[1]: Started The Apache HTTP Server.
I tried "sleep 2 && systemctl start apache2" to delay the post-hook command but this doesn't help. Any idea how to get Apache started again automatically?
When I created the certificate on this system for the first time I used the command:
certbot --apache --pre-hook “systemctl stop apache2” --post-hook “systemctl start apache2” -d openstats…
Certbot added the pre/post-hook command to the renewalparams. Was this my mistake? I’m probably getting a little confused here because I’ve also used standalone in the past. I always thought Apache needs to get restarted to load the new certificates.
Today there was a real renewal. certbot stopped Apache due to the pre-hook command and it was able to renew the certificates. But it could not start Apache again. The website was not served.
So I don't need the pre and post hook commands here, do I?
If you use --apache certbot will take care of reloading apache appropriately and automatically.
If you use --standalone you should add --post-hook "systemctl reload apache2" to renewals (assuming you installed your certs manually using the symlinks in /etc/letsencrypt/live).
--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each
successfully issued certificate. For this command, the
shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed certificate domains (for example,
"example.com www.example.com") (default: None)
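As an added example (not part of the original thread and not certbot's own code), here is what a deploy hook built on the $RENEWED_LINEAGE and $RENEWED_DOMAINS variables described above can look like for the standalone case. Instead of stopping and starting the service around the renewal, it reloads Apache only after a successfully issued certificate, only if one of the renewed domains is actually served by this Apache, and only after checking that the lineage directory is complete, that the certificate and private key belong together, and that the configuration passes apachectl configtest. The domain list (APACHE_DOMAINS) and the install path under /etc/letsencrypt/renewal-hooks/deploy/ are assumptions to adjust for your host.

```shell
#!/bin/sh
# Certbot deploy hook (added example, not certbot's own code).
# Suggested install path (assumption): /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# and RENEWED_DOMAINS (space-delimited) when it runs a deploy hook.
set -eu

# Domains this host serves with Apache (assumption: set to your vhost names).
APACHE_DOMAINS="${APACHE_DOMAINS:-example.com www.example.com}"

# Return 0 if any domain in $1 (space-delimited) also appears in $2 (space-delimited).
# Keeps a renewal of an unrelated lineage from reloading Apache for nothing.
domains_overlap() {
  renewed=$1; served=$2
  for d in $renewed; do
    for s in $served; do
      [ "$d" = "$s" ] && return 0
    done
  done
  return 1
}

# Return 0 if the lineage directory holds the files the vhost points at.
lineage_complete() {
  dir=$1
  [ -f "$dir/fullchain.pem" ] && [ -f "$dir/privkey.pem" ]
}

# Return 0 if the leaf certificate's public key equals the private key's public
# key, so a half-written or stale lineage never gets loaded into Apache.
cert_key_match() {
  dir=$1
  cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Graceful reload, not restart: running workers finish their requests, new
# workers pick up the new certificate. Refuse to reload a broken config.
reload_apache() {
  apachectl configtest && systemctl reload apache2
}

main() {
  lineage=${RENEWED_LINEAGE:?certbot sets RENEWED_LINEAGE}
  domains=${RENEWED_DOMAINS:?certbot sets RENEWED_DOMAINS}
  if ! domains_overlap "$domains" "$APACHE_DOMAINS"; then
    echo "reload-apache: '$domains' not served by Apache here, nothing to do"
    return 0
  fi
  lineage_complete "$lineage" || { echo "reload-apache: pem files missing in $lineage" >&2; return 1; }
  cert_key_match "$lineage"  || { echo "reload-apache: cert/key mismatch in $lineage" >&2; return 1; }
  reload_apache
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); when sourced or run
# without it, the functions above are merely defined so they can be checked.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Because it is a deploy hook rather than a post-hook, certbot runs it only when a certificate was actually issued, so a dry run or a "not due for renewal" pass never touches Apache. If you still use --pre-hook/--post-hook entries left in the renewal configuration from an earlier --standalone setup, remove them from the lineage's file under /etc/letsencrypt/renewal/ (or re-run certbot with the new hook options) so the two mechanisms do not fight over the service.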