Hello all,
Thanks to the people at Let’s Encrypt for the free certificates and certbot for making it simple to set up.
Not realizing I had entered the 30-days-before-expiry period for the four domains I have Let’s Encrypt certificates for, I noticed a few days ago that my self-hosted websites were all offline. I logged into my server and noticed that the httpd service was not running, so I started it manually.
When I noticed the websites were all offline again this evening, I logged into the server once more and started the httpd service. I happened to notice that it was almost time for my twice-daily certbot cron job to run. I had just checked that the websites were back up and running and decided to check them again after my certbot cron job had run. Sure enough, the httpd service had stopped again. I checked the httpd logs for each of the sites and they each contain gaps where the last access was shortly before the time the certbot cron job was scheduled to run.
I ran ‘certbot renew’ (as root) from the command line to see what was the matter, but the certificates renewed successfully.
My hunch is that SELinux is responsible, as these denials started appearing in the audit log at the same time the first gaps in the httpd logs appear (and the certbot cron job was scheduled to run):
type=AVC msg=audit(1524976981.708:16075): avc: denied { write } for pid=7556 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-0" ino=54526412 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=AVC msg=audit(1524976981.708:16075): avc: denied { write } for pid=7556 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="dm-0" ino=54526085 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1524976981.708:16075): avc: denied { write } for pid=7556 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-0" ino=3932467 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Thanks for reading my post. If anyone has suggestions for how I might make the next renewal go smoother, I’d appreciate them.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command: certbot renew (from cron)
It produced this output: excerpt from /var/log/messages:
May 8 00:43:01 server3 systemd: Created slice User Slice of root.
May 8 00:43:01 server3 systemd: Starting User Slice of root.
May 8 00:43:01 server3 systemd: Started Session 572 of user root.
May 8 00:43:01 server3 systemd: Starting Session 572 of user root.
May 8 00:43:04 server3 httpd: AH00526: Syntax error on line 10 of /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf:
May 8 00:43:04 server3 httpd: SSLCertificateFile: file '/var/lib/letsencrypt/vGUiLNHXgx0Rd6Ek2XiGJB_mnRX1pP7OVteVIyfnW0E.crt' does not exist or is empty
May 8 00:43:04 server3 systemd: httpd.service: control process exited, code=exited status=1
May 8 00:43:04 server3 systemd: Reload failed for The Apache HTTP Server.
May 8 00:43:04 server3 systemd: Stopping The Apache HTTP Server…
May 8 00:43:05 server3 systemd: Unit httpd.service entered failed state.
May 8 00:43:05 server3 systemd: httpd.service failed.
May 8 00:43:05 server3 systemd: Starting The Apache HTTP Server…
May 8 00:43:05 server3 httpd: AH00526: Syntax error on line 10 of /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf:
May 8 00:43:05 server3 httpd: SSLCertificateFile: file '/var/lib/letsencrypt/vGUiLNHXgx0Rd6Ek2XiGJB_mnRX1pP7OVteVIyfnW0E.crt' does not exist or is empty
May 8 00:43:05 server3 systemd: httpd.service: main process exited, code=exited, status=1/FAILURE
May 8 00:43:05 server3 kill: kill: cannot find process ""
May 8 00:43:05 server3 systemd: httpd.service: control process exited, code=exited status=1
May 8 00:43:05 server3 systemd: Failed to start The Apache HTTP Server.
May 8 00:43:05 server3 systemd: Unit httpd.service entered failed state.
May 8 00:43:05 server3 systemd: httpd.service failed.
May 8 00:43:05 server3 systemd: Unit httpd.service cannot be reloaded because it is inactive.
May 8 00:43:05 server3 systemd: Starting The Apache HTTP Server…
May 8 00:43:05 server3 systemd: Started The Apache HTTP Server.
May 8 00:43:07 server3 httpd: AH00526: Syntax error on line 10 of /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf:
May 8 00:43:07 server3 httpd: SSLCertificateFile: file '/var/lib/letsencrypt/20N6Yuxa165aBWVHu_mSCPME_uCGmvzKhYnzoGHU7ZY.crt' does not exist or is empty
May 8 00:43:07 server3 systemd: httpd.service: control process exited, code=exited status=1
May 8 00:43:07 server3 systemd: Reload failed for The Apache HTTP Server.
May 8 00:43:07 server3 systemd: Stopping The Apache HTTP Server…
May 8 00:43:08 server3 systemd: Unit httpd.service entered failed state.
May 8 00:43:08 server3 systemd: httpd.service failed.
May 8 00:43:08 server3 systemd: Starting The Apache HTTP Server…
May 8 00:43:08 server3 httpd: AH00526: Syntax error on line 10 of /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf:
May 8 00:43:08 server3 httpd: SSLCertificateFile: file '/var/lib/letsencrypt/20N6Yuxa165aBWVHu_mSCPME_uCGmvzKhYnzoGHU7ZY.crt' does not exist or is empty
May 8 00:43:08 server3 systemd: httpd.service: main process exited, code=exited, status=1/FAILURE
May 8 00:43:08 server3 kill: kill: cannot find process ""
May 8 00:43:08 server3 systemd: httpd.service: control process exited, code=exited status=1
May 8 00:43:08 server3 systemd: Failed to start The Apache HTTP Server.
May 8 00:43:08 server3 systemd: Unit httpd.service entered failed state.
May 8 00:43:08 server3 systemd: httpd.service failed.
May 8 00:43:08 server3 systemd: Unit httpd.service cannot be reloaded because it is inactive.
May 8 00:43:08 server3 systemd: Starting The Apache HTTP Server…
May 8 00:43:08 server3 systemd: Started The Apache HTTP Server.
May 8 00:43:11 server3 httpd: AH00526: Syntax error on line 10 of /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf:
May 8 00:43:11 server3 httpd: SSLCertificateFile: file '/var/lib/letsencrypt/12BtcgE5wEH9uWXJQgbYqvJT8zaMGCCnQ_ZVNUW_XF0.crt' does not exist or is empty
May 8 00:43:11 server3 systemd: httpd.service: control process exited, code=exited status=1
May 8 00:43:11 server3 systemd: Reload failed for The Apache HTTP Server.
May 8 00:43:11 server3 systemd: Stopping The Apache HTTP Server…
May 8 00:43:12 server3 systemd: Unit httpd.service entered failed state.
May 8 00:43:12 server3 systemd: httpd.service failed.
May 8 00:43:12 server3 systemd: Starting The Apache HTTP Server…
May 8 00:43:12 server3 httpd: AH00526: Syntax error on line 10 of /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf:
May 8 00:43:12 server3 httpd: SSLCertificateFile: file '/var/lib/letsencrypt/12BtcgE5wEH9uWXJQgbYqvJT8zaMGCCnQ_ZVNUW_XF0.crt' does not exist or is empty
May 8 00:43:12 server3 systemd: httpd.service: main process exited, code=exited, status=1/FAILURE
May 8 00:43:12 server3 kill: kill: cannot find process ""
May 8 00:43:12 server3 systemd: httpd.service: control process exited, code=exited status=1
May 8 00:43:12 server3 systemd: Failed to start The Apache HTTP Server.
May 8 00:43:12 server3 systemd: Unit httpd.service entered failed state.
May 8 00:43:12 server3 systemd: httpd.service failed.
May 8 00:43:12 server3 systemd: Unit httpd.service cannot be reloaded because it is inactive.
May 8 00:43:12 server3 systemd: start request repeated too quickly for httpd.service
May 8 00:43:12 server3 systemd: Failed to start The Apache HTTP Server.
May 8 00:43:12 server3 systemd: httpd.service failed.
May 8 00:43:14 server3 systemd: Unit httpd.service cannot be reloaded because it is inactive.
May 8 00:43:14 server3 systemd: start request repeated too quickly for httpd.service
May 8 00:43:14 server3 systemd: Failed to start The Apache HTTP Server.
May 8 00:43:14 server3 systemd: httpd.service failed.
May 8 00:43:14 server3 systemd: Unit httpd.service cannot be reloaded because it is inactive.
May 8 00:43:14 server3 systemd: start request repeated too quickly for httpd.service
May 8 00:43:14 server3 systemd: Failed to start The Apache HTTP Server.
May 8 00:43:14 server3 systemd: httpd.service failed.
My web server is (include version): Apache 2.4.6
The operating system my web server runs on is (include version): CentOS 7.4.1708
My hosting provider, if applicable, is: self-hosted
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
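A small triage script, added here as an example and not part of the post or of certbot, that turns the two kinds of evidence above into something easier to compare: it parses audit AVC denials into their fields (source type, target type, object class, permission) and pulls the missing-file errors and systemd restart-limit messages out of a /var/log/messages excerpt. The sample records embedded in it are constructed from the lines quoted in the post.

```python
import re
from collections import Counter

# Constructed samples modelled on the AVC denials and /var/log/messages lines in the post.
AUDIT_SAMPLE = """\
type=AVC msg=audit(1524976981.708:16075): avc: denied { write } for pid=7556 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-0" ino=54526412 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=AVC msg=audit(1524976981.708:16075): avc: denied { write } for pid=7556 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-0" ino=3932467 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""
SYSLOG_SAMPLE = """\
May 8 00:43:04 server3 httpd: AH00526: Syntax error on line 10 of /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf:
May 8 00:43:04 server3 httpd: SSLCertificateFile: file '/var/lib/letsencrypt/vGUiLNHXgx0Rd6Ek2XiGJB_mnRX1pP7OVteVIyfnW0E.crt' does not exist or is empty
May 8 00:43:12 server3 systemd: start request repeated too quickly for httpd.service
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, quoted or bare
MISSING_RE = re.compile(
    r"^(?P<ts>\w+ +\d+ [\d:]+) \S+ httpd: (?P<directive>\w+): file '(?P<path>[^']+)' does not exist or is empty"
)

def _type(ctx):
    """Pull the type field (third component) out of an SELinux context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["source_type"] = _type(rec.get("scontext", ""))
    rec["target_type"] = _type(rec.get("tcontext", ""))
    return rec

def summarize_denials(audit_text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["source_type"], rec["target_type"], rec.get("tclass"), perm)] += 1
    return counts

def find_httpd_failures(syslog_text):
    """Collect missing-file syntax errors and systemd restart-limit hits from syslog text."""
    missing, rate_limited = [], []
    for line in syslog_text.splitlines():
        m = MISSING_RE.match(line)
        if m:
            missing.append((m.group("ts"), m.group("directive"), m.group("path")))
        elif "start request repeated too quickly" in line:
            rate_limited.append(line.split(" systemd: ")[0])
    return missing, rate_limited
```

Feed it `ausearch -m avc` output and the matching window of /var/log/messages; the denial summary tells you which SELinux type pairs need attention, and the failure list shows whether the reload actually died on a missing file rather than on the denials themselves.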