How to renew Cert in Ubuntu 16.04

Hello,

In my server (Ubuntu 16.04) I had installed Let’s Encrypt certs for my domain name using this guide.

Every month I had a problem where my site wasn’t accessible (a simple restart of the server solved it). Today I figured out that there is a job in the cron:

12 0 * * * /usr/bin/certbot renew --quiet

I read that this is an old command of the renew process. What should I add to my cron in order to renew my certs normally? Thank you!

There’s nothing wrong with the cron.

You will find the renewal parameters for your domain(s) in the /etc/letsencrypt/renewal directory.

Show us the contents of those files. They will probably reveal what you need to do in order to automatically reload your web server.


Ok I have 3 domains:

1st domain

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/kotronis-plastics.gr
cert = /etc/letsencrypt/live/kotronis-plastics.gr/cert.pem
privkey = /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
chain = /etc/letsencrypt/live/kotronis-plastics.gr/chain.pem
fullchain = /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
account = account_Id...
[[webroot_map]]
www.kotronis-plastics.gr = /var/www/html/mysite
kotronis-plastics.gr = /var/www/html/mysite

2nd domain

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/scti.gr
cert = /etc/letsencrypt/live/scti.gr/cert.pem
privkey = /etc/letsencrypt/live/scti.gr/privkey.pem
chain = /etc/letsencrypt/live/scti.gr/chain.pem
fullchain = /etc/letsencrypt/live/scti.gr/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = apache
account = account_Id...
pre_hook = apachectl -k stop
post_hook = apachectl -k start

3rd domain. This is an old domain. Can I just delete the configuration file?

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/mycloud.kotronis-plastics.com
cert = /etc/letsencrypt/live/mycloud.kotronis-plastics.com/cert.pem
privkey = /etc/letsencrypt/live/mycloud.kotronis-plastics.com/privkey.pem
chain = /etc/letsencrypt/live/mycloud.kotronis-plastics.com/chain.pem
fullchain = /etc/letsencrypt/live/mycloud.kotronis-plastics.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = account_Id...

So, with this configuration, Certbot should be reloading your web server automatically every ~60 days (or more often, depending how your 3 domains line up) - which is fine.

In what way was the site inaccessible? Was there a specific error message or condition?

What led you to believe that this is a problem with SSL/Let's Encrypt?

You can review previous renewal attempts by looking at old log files in /var/log/letsencrypt/ and seeing if the times of your troubles line up with the renewal attempts by Certbot.

Thanks for your reply…

I assumed that the root of the problem is the renew process because both of my 2 sites (these have an SSL cert) refused connections on 27/05. Similar behavior happened on 27/04.

I looked at the last log file in /var/log/letsencrypt/ and there are these lines (I hope I copied the right ones):

2018-05-27 12:49:14,027:ERROR:certbot.util:Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

2018-05-27 12:49:14,028:WARNING:certbot.renewal:Attempting to renew cert (scti.gr) from /etc/letsencrypt/renewal/scti.gr.conf produced an unexpected error: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
. Skipping.
2018-05-27 12:49:14,031:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 421, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 660, in renew_cert
    installer.restart()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1799, in restart
    self._reload()
  File "/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py", line 1810, in _reload
    raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.

The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

2018-05-27 12:49:14,036:INFO:certbot.renewal:Cert not yet due for renewal
2018-05-27 12:49:14,040:INFO:certbot.renewal:Cert not yet due for renewal
2018-05-27 12:49:14,041:INFO:certbot.hooks:Running post-hook command: apachectl -k start
2018-05-27 12:49:14,102:INFO:certbot.hooks:Output from apachectl:
Action '-k start' failed.
The Apache error log may have more information.

2018-05-27 12:49:14,103:ERROR:certbot.hooks:Hook command "apachectl -k start" returned error code 1
2018-05-27 12:49:14,103:ERROR:certbot.hooks:Error output from apachectl:
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

2018-05-27 12:49:14,103:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.17.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 753, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 703, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 439, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

OK, here is my theory:

--pre-hook causes Certbot to stop your Apache server before renewing any of your domains.

However, the renewal parameters for two of your domains rely on Apache still running:

I think these may not be mixing so well in combination with the pre and post hooks.

I would suspect that if you changed each domain to use the apache or webroot authenticator and remove the stop/start hooks, Certbot would not cause Apache to crash.

Someone with better understanding of Certbot may be able to chime in.
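To make the theory above checkable, here is an added example (not code from the thread or from Certbot itself) that parses renewal .conf files in the format shown earlier and flags the combination being discussed: a lineage using the standalone authenticator, and pre/post hooks that stop and start the web server while other lineages use installer = apache and therefore expect Apache to be running when they reload it. The three sample files are constructed inline from the configs posted above (account lines omitted) so the script runs offline; to audit a real server you would read /etc/letsencrypt/renewal/*.conf into the same dict instead.

```python
"""Audit Certbot renewal configs for mixed authenticators and stop/start hooks."""
import re
from typing import Dict, List

# Constructed sample files modelled on the three configs in the thread.
SAMPLE_CONFS = {
    "kotronis-plastics.gr.conf": """\
# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/kotronis-plastics.gr
cert = /etc/letsencrypt/live/kotronis-plastics.gr/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
[[webroot_map]]
www.kotronis-plastics.gr = /var/www/html/mysite
kotronis-plastics.gr = /var/www/html/mysite
""",
    "scti.gr.conf": """\
version = 0.17.0
[renewalparams]
authenticator = standalone
installer = apache
pre_hook = apachectl -k stop
post_hook = apachectl -k start
""",
    "mycloud.kotronis-plastics.com.conf": """\
version = 0.17.0
[renewalparams]
authenticator = apache
installer = apache
""",
}

# Matches "[renewalparams]" as well as the nested "[[webroot_map]]" header.
SECTION_RE = re.compile(r"^\[+([^\]]+)\]+$")


def parse_renewal_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Certbot's configobj-style renewal file.

    Keys before any header land in the '' section; each [section] or
    [[nested]] header starts a new dict. Comments and blank lines are skipped.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def audit(confs: Dict[str, str]) -> List[str]:
    """Return one finding per lineage whose renewal settings conflict with the others."""
    params_by_name = {
        name: parse_renewal_conf(text).get("renewalparams", {})
        for name, text in confs.items()
    }
    apache_installer = [n for n, p in params_by_name.items() if p.get("installer") == "apache"]
    findings: List[str] = []
    for name, params in params_by_name.items():
        hooks = [k for k in ("pre_hook", "post_hook") if k in params]
        if params.get("authenticator") == "standalone":
            findings.append(
                f"{name}: authenticator=standalone binds port 80 itself, "
                "so the web server must be stopped while it runs"
            )
        others = [n for n in apache_installer if n != name]
        if hooks and others:
            findings.append(
                f"{name}: {'/'.join(hooks)} stop/start the web server during 'certbot renew', "
                f"but {', '.join(others)} use installer=apache and expect Apache to be running"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFS):
        print(finding)
```

Run against the sample, only scti.gr.conf is reported, twice: once for the standalone authenticator and once because its hooks interfere with the two lineages that reload Apache. Changing that lineage to the webroot or apache authenticator and dropping the hooks, as suggested above, makes the audit come back empty.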

Yes, I was also focusing on [renewalparams].

Should I edit the [renewalparams] of the 2nd domain and paste the same settings as the 1st domain?

Also, the 3rd domain doesn’t exist anymore. If I remove the file /etc/letsencrypt/renewal/mycloud.kotronis-plastics.com.conf, will I mess up my system?

You should probably not try to manually remove it, but instead:

certbot certificates

then

certbot delete --cert-name mycloud.kotronis-plastics.com

(subject to what's listed in the first command).

Yeah I guess you could (the 1st one is using webroot). The simplest configuration is actually that of your third domain:

Whichever way you go, you can test out whether it works with:

certbot renew --dry-run

Thanks for your help.
I will run the commands later in the afternoon and I will come back for feedback!

Before you do that, double check your apache configuration to make sure it's not using that certificate anymore, as it could prevent apache from restarting if you delete a cert that's still in use (even if the domain no longer exists in DNS).


Thanks for the tip, but how do I check this?

In the folder /etc/apache2/sites-enabled there isn’t any ssl configuration file for this domain.
It has only the kotronis-plastics.com.conf which simply redirects the user to the .gr site.

Is this the check you mean?

That's right. Based on your check and how your server is responding, I think you’re safe.

You could also double check by making sure it doesn’t appear in any usages of certificates e.g.

grep -REi "sslcertificatefile " /etc/apache2/sites-*
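The grep above answers "is this path mentioned anywhere", but it also matches commented-out directives and says nothing about which lineage a hit belongs to. As an added example (not code from the thread), the script below performs the same pre-deletion check more precisely: it scans vhost files for SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives, ignores comment lines, and reports which enabled vhosts still point into /etc/letsencrypt/live/<lineage>/. The two vhost files are constructed inline so it runs offline; on a real server you would read the files under /etc/apache2/sites-enabled into the same dict.

```python
"""Report which Apache vhost files still reference a given Certbot lineage."""
import re
from typing import Dict, List

# Constructed vhost files, loosely based on the setup described in the thread.
# The commented-out directive in the second file is there to show that the
# check ignores comments, unlike a plain grep -i.
SAMPLE_VHOSTS = {
    "/etc/apache2/sites-enabled/kotronis-plastics.gr-le-ssl.conf": """\
<VirtualHost *:443>
    ServerName kotronis-plastics.gr
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
</VirtualHost>
""",
    "/etc/apache2/sites-enabled/kotronis-plastics.com.conf": """\
<VirtualHost *:80>
    ServerName kotronis-plastics.com
    # SSLCertificateFile /etc/letsencrypt/live/mycloud.kotronis-plastics.com/fullchain.pem
    Redirect permanent / https://kotronis-plastics.gr/
</VirtualHost>
""",
}

# Directive name (case-insensitive, like Apache) followed by an optionally quoted path.
DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile)\s+"?([^"\s]+)',
    re.IGNORECASE,
)


def cert_references(vhosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every certificate path used by an active directive to the vhost files using it."""
    refs: Dict[str, List[str]] = {}
    for vhost_path, text in vhosts.items():
        for line in text.splitlines():
            if line.lstrip().startswith("#"):
                continue  # commented-out directives do not affect Apache
            match = DIRECTIVE_RE.match(line)
            if match:
                refs.setdefault(match.group(2), []).append(vhost_path)
    return refs


def lineage_in_use(lineage: str, vhosts: Dict[str, str]) -> List[str]:
    """Return the vhost files that still point into /etc/letsencrypt/live/<lineage>/."""
    prefix = f"/etc/letsencrypt/live/{lineage}/"
    users = {
        vhost
        for cert_path, files in cert_references(vhosts).items()
        if cert_path.startswith(prefix)
        for vhost in files
    }
    return sorted(users)


if __name__ == "__main__":
    for lineage in ("kotronis-plastics.gr", "mycloud.kotronis-plastics.com"):
        users = lineage_in_use(lineage, SAMPLE_VHOSTS)
        status = "still referenced by " + ", ".join(users) if users else "not referenced, safe to delete"
        print(f"{lineage}: {status}")
```

With the sample input, mycloud.kotronis-plastics.com comes back unreferenced (the only mention is a comment), while kotronis-plastics.gr is reported as in use by its le-ssl vhost. An empty result for the lineage you intend to pass to certbot delete is the condition the advice above is asking you to confirm.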
