How to renew Cert in Ubuntu 16.04


#1

Hello,

On my server (Ubuntu 16.04) I installed Let’s Encrypt certs for my domain name using this guide.

Every month I had a problem where my site wasn’t accessible (a simple restart of the server solved the problem). Today I figured out that there is this job in the cron:

12 0 * * * /usr/bin/certbot renew --quiet

I read that this is an old command for the renewal process. What should I add to my cron in order to renew my certs normally? Thank you!


#2

There’s nothing wrong with the cron.

You will find the renewal parameters for your domain(s) in the /etc/letsencrypt/renewal directory.

Show us the contents of those files. They will probably reveal what you need to do in order to automatically reload your web server.


#3

Ok I have 3 domains:

1st domain

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/kotronis-plastics.gr
cert = /etc/letsencrypt/live/kotronis-plastics.gr/cert.pem
privkey = /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
chain = /etc/letsencrypt/live/kotronis-plastics.gr/chain.pem
fullchain = /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
account = account_Id...
[[webroot_map]]
www.kotronis-plastics.gr = /var/www/html/mysite
kotronis-plastics.gr = /var/www/html/mysite

2nd domain

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/scti.gr
cert = /etc/letsencrypt/live/scti.gr/cert.pem
privkey = /etc/letsencrypt/live/scti.gr/privkey.pem
chain = /etc/letsencrypt/live/scti.gr/chain.pem
fullchain = /etc/letsencrypt/live/scti.gr/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = apache
account = account_Id...
pre_hook = apachectl -k stop
post_hook = apachectl -k start

3rd domain. This is an old domain. Can I just delete the configuration file?

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/mycloud.kotronis-plastics.com
cert = /etc/letsencrypt/live/mycloud.kotronis-plastics.com/cert.pem
privkey = /etc/letsencrypt/live/mycloud.kotronis-plastics.com/privkey.pem
chain = /etc/letsencrypt/live/mycloud.kotronis-plastics.com/chain.pem
fullchain = /etc/letsencrypt/live/mycloud.kotronis-plastics.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = account_Id...

#4

So, with this configuration, Certbot should be reloading your web server automatically every ~60 days (or more often, depending how your 3 domains line up) - which is fine.

In what way was the site inaccessible? Was there a specific error message or condition?

What led you to believe that this is a problem with SSL/Let’s Encrypt?

You can review previous renewal attempts by looking at old log files in /var/log/letsencrypt/ and seeing if the times of your troubles line up with the renewal attempts by Certbot.


#5

Thanks for your reply…

I assumed that the root of the problem is the renewal process because both of my 2 sites (the ones that have an SSL cert) refused connections on 27/05. Similar behavior happened on 27/04.

I looked at the last log file in /var/log/letsencrypt/ and there are these lines (I hope I copied the right ones):

2018-05-27 12:49:14,027:ERROR:certbot.util:Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

2018-05-27 12:49:14,028:WARNING:certbot.renewal:Attempting to renew cert (scti.gr) from /etc/letsencrypt/renewal/scti.gr.conf produced an unexpected error: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
. Skipping.
2018-05-27 12:49:14,031:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 421, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 660, in renew_cert
    installer.restart()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1799, in restart
    self._reload()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1810, in _reload
    raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.

The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

2018-05-27 12:49:14,036:INFO:certbot.renewal:Cert not yet due for renewal
2018-05-27 12:49:14,040:INFO:certbot.renewal:Cert not yet due for renewal
2018-05-27 12:49:14,041:INFO:certbot.hooks:Running post-hook command: apachectl -k start
2018-05-27 12:49:14,102:INFO:certbot.hooks:Output from apachectl:
Action '-k start' failed.
The Apache error log may have more information.

2018-05-27 12:49:14,103:ERROR:certbot.hooks:Hook command "apachectl -k start" returned error code 1
2018-05-27 12:49:14,103:ERROR:certbot.hooks:Error output from apachectl:
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

2018-05-27 12:49:14,103:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.17.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 753, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 703, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 439, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

#6

OK, here is my theory:

--pre-hook causes Certbot to stop your Apache server before renewing any of your domains.

However, the renewal parameters for two of your domains rely on Apache still running:

I think these may not be mixing so well in combination with the pre and post hooks.

I would suspect that if you changed each domain to use the apache or webroot authenticator and remove the stop/start hooks, Certbot would not cause Apache to crash.

Someone with better understanding of Certbot may be able to chime in.


#7

Yes, I was also focusing on [renewalparams].

Should I edit the [renewalparams] of the 2nd domain and paste in the same settings as the 1st domain?

Also, the 3rd domain doesn’t exist anymore. If I remove the file /etc/letsencrypt/renewal/mycloud.kotronis-plastics.com.conf, will I mess up my system?


#8

You should probably not try to manually remove it, but instead:

certbot certificates

then

certbot delete --cert-name mycloud.kotronis-plastics.com

(subject to what’s listed in the first command).

Yeah, I guess you could (the 1st one is using webroot). The simplest configuration is actually that of your third domain.

Whichever way you go, you can test out whether it works with:

certbot renew --dry-run

#9

Thanks for your help.
I will run the commands later in the afternoon and I will come back for feedback!


#10

Before you do that, double check your apache configuration to make sure it’s not using that certificate anymore, as it could prevent apache from restarting if you delete a cert that’s still in use (even if the domain no longer exists in DNS).


#11

Thanks for the tip, but how do I check this?

In the folder /etc/apache2/sites-enabled there isn’t any ssl configuration file for this domain.
It has only the kotronis-plastics.com.conf which simply redirects the user to the .gr site.

Is this the check you mean?


#12

That’s right. Based on your check and how your server is responding, I think you’re safe.

You could also double check by making sure it doesn’t appear in any usages of certificates, e.g.:

grep -REi "sslcertificatefile " /etc/apache2/sites-*

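Added example script, not from the thread or from Certbot: it audits the renewal confs for the hook/authenticator mix diagnosed in #6 and #8 (a standalone lineage whose pre/post hooks stop and start Apache, sitting beside webroot/apache lineages that need Apache running), and performs the "is this lineage still referenced by a vhost" check from #10 and #12 before a `certbot delete`. The function names and the constructed sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit certbot renewal configs for the mix
# discussed above (a standalone lineage with stop/start hooks beside lineages
# whose apache/webroot plugins need Apache up) and check whether a lineage is
# still referenced by Apache before `certbot delete` removes it. Paths default
# to the real locations; pass other directories to try it out.
# One line per conf: "<name> authenticator=<x> hooks=<n>". Returns 1 when some
# conf carries pre/post hooks while another relies on apache or webroot.
audit_renewal_hooks() {
    dir="${1:-/etc/letsencrypt/renewal}"
    hooked=0; needs_apache=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .conf)
        auth=$(sed -n 's/^authenticator *= *//p' "$f")
        hooks=$(grep -cE '^(pre|post)_hook *=' "$f" || true)
        echo "$name authenticator=$auth hooks=$hooks"
        [ "$hooks" -gt 0 ] && hooked=1
        case "$auth" in apache|webroot) needs_apache=1 ;; esac
    done
    [ "$hooked" -eq 1 ] && [ "$needs_apache" -eq 1 ] && return 1
    return 0
}

# Lists enabled vhost files still pointing at /etc/letsencrypt/live/<name>/
# (cert, key and chain lines alike); returns 0 if any, 1 if unreferenced.
cert_in_use_by_apache() {
    grep -RIlF "letsencrypt/live/$1/" "${2:-/etc/apache2/sites-enabled}" 2>/dev/null
}

# Constructed sample mirroring the three confs and a vhost from the thread.
make_sample_dir() {
    d=$(mktemp -d); mkdir -p "$d/renewal" "$d/sites-enabled"
    printf 'authenticator = webroot\ninstaller = apache\n' \
        > "$d/renewal/kotronis-plastics.gr.conf"
    printf 'authenticator = standalone\ninstaller = apache\npre_hook = apachectl -k stop\npost_hook = apachectl -k start\n' \
        > "$d/renewal/scti.gr.conf"
    printf 'authenticator = apache\ninstaller = apache\n' \
        > "$d/renewal/mycloud.kotronis-plastics.com.conf"
    printf 'SSLCertificateFile /etc/letsencrypt/live/scti.gr/fullchain.pem\n' \
        > "$d/sites-enabled/scti.gr.conf"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_dir)
    audit_renewal_hooks "$d/renewal" || echo "conflict: hooks + apache/webroot lineages"
    cert_in_use_by_apache scti.gr "$d/sites-enabled" && echo "scti.gr still referenced"
fi
```

Run it with `--demo` to see the sample audit; without arguments the functions are available for sourcing against the real /etc/letsencrypt/renewal and /etc/apache2/sites-enabled.
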