Failed to start Certbot


My domain is:

I ran this command: sudo certbot --apache

It produced this output:

Failed to find executable /usr/sbin/ipsec in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Unable to find renew-hook command /usr/sbin/ipsec in the PATH.
(PATH is /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin)

My web server is (include version):

Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-10-03T14:41:08
Server’s Module Magic Number: 20120211:68
Server loaded: APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture: 64-bit

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


Hi @standior,

It looks like you’re trying to renew a certificate and that you have a renewal hook script configured to run /usr/sbin/ipsec, which doesn’t exist. Do you know how this could have happened? Did you follow some kind of recipe when setting up the certificate previously that would have created this hook script? Or did someone at your hosting provider create it for you?

You can probably find out more about which script this is by running something like

sudo grep -r ipsec /etc/letsencrypt


Hey @schoen!

I followed the basic instruction on for installing it on Ubuntu with Apache. I also got two certificates for the domains and which are working perfectly! I wanted to obtain a new one for but when i try to start the bot, the error appears.

sudo grep -r ipsec /etc/letsencrypt
/etc/letsencrypt/cli.ini:renew-hook = /usr/sbin/ipsec reload && /usr/sbin/ipsec secrets


Interesting! That line is never present in the default Certbot release. Do you have any idea what might have added it?

You should be able to comment it out with a # at the beginning of that line in order to inhibit this behavior. (However, perhaps someone or something has put it there for a reason.)


Thank’s! It’s working now :slight_smile:
I think it was the Installation and the Purge of a StrongSwan VPN Server…

For anyone with similar problems, my cli.ini now looks like this

rsa-key-size = 4096
pre-hook = /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
post-hook = /sbin/iptables -D INPUT -p tcp --dport 80 -j ACCEPT
#renew-hook = /usr/sbin/ipsec reload && /usr/sbin/ipsec secrets


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.